Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

AP wired port profiles -- why doesn't the right info arrive at CPPM?


    Posted May 18, 2023 04:56 PM

    I am attempting to attach my wireless onboarding workflow to the wired convenience ports on the 205H APs that are in our students' dorm rooms. I actually had it working for about 6 weeks in March/April, but then I changed something on the AAA profile that they share and solved a longstanding problem on the wireless side, but the wired side stopped working. But even when I changed it back it remained broken, which is a puzzler.

    My test setup is that I have an AP on my desk in group "Cleland" which has a cable plugged into port E3 on the bottom of the AP. (I get a great wireless signal that way, LOL.) This, like all my APs, lets wireless clients into SSID mcUsers. I then plug my laptop in with a wired Ethernet dongle, and I get an IP address from DHCP, and my laptop acts like it's in the captive portal. I can connect to my cpg manage devices and add the MAC of my Ethernet port, and in CPPM Access Tracker I can see the successful Application login when I do that. But then I can see the REJECT in CPPM Access Tracker when I try to shift over to full internet access. The Alerts on the REJECT are:

    Error Code: 204
    Error Category: Authentication failure
    Error Message: Failed to classify request to service
    Alerts for this Request: RADIUS Service Categorization failed


    If I go to my mcUsers MAC service and look at it,

    Service:
    Name: MC - mcUsers MAC
    Description: MAC-based Authentication Service
    Type: MAC Authentication
    Status: Enabled
    Monitor Mode: Disabled
    More Options: Authorization
    Service Rule -- Match ANY of the following conditions:
    1. Type: Radius:Aruba | Name: Aruba-Essid-Name | Operator: EQUALS | Value: mcUsers
    Authentication:
    Authentication Methods: [Allow All MAC AUTH]
    Authentication Sources: [Guest Device Repository] [Local SQL DB]
    Strip Username Rules: -
    Authorization:
    Authorization Details: [Guest Device Repository] [Local SQL DB]
    Roles:
    Role Mapping Policy: mcUsers Role Mapping
    Enforcement:
    Use Cached Results: Disabled
    Enforcement Policy: MC - MAC Auth


    I know that the problem with the request is that my setup isn't setting Aruba-Essid-Name to the Value of mcUsers. (I can throw in a quick hack and add a rule that says that if the NAS IP Address is one of my two addresses -- a condition that these sessions DO satisfy -- then the connection request is accepted. So I know that I'm getting to this ruleset.)

    So how do I configure my AP wired port connections so that the connection requests arrive here with the Aruba-Essid-Name having the Value of mcUsers?

    This is the definition of the mcUsers AAA profile:


    The change that I made that fixed the longstanding problem was that I swapped the first two roles. Before the swap, the Initial role was mcUsers and the MAC Authentication Default Role was mcUsers-logon.
    And these are the definitions of the 3 roles used in the profile:


    OK -- this is a digression here, not really related to my main problem. I was totally surprised that in the editor window for an AP Group, in the assignment of the AAA value inside the Ethernet interface 3 port configuration, that in this window I had the ability to CHANGE the definition of the mcUsers AAA profile. I thought that I was editing some details in the port config, and was blindsided that some changes I made were to the mcUsers AAA Profile. As soon as I realized that I had changed some big important thing I scrambled to put it back, using my memory of what it looked like. I found the audit trail, and it shows me the changes that I made, but I have no idea how to be sure that I REALLY got it back. My wireless clients all seemed to be connecting successfully just as before, so maybe I did. This happened on March 22nd -- is there anywhere that exists now that would show me what the state was BEFORE I changed it? A backup or log file?

    I'm really vague as to what those roles are and what they should be -- looking at the definitions that I screenshotted, does this look right? Does anyone think that some other role in the list might be a better choice?
    (I came very late to the game, as I started working here after the Aruba partner who set all of this up and then exited the business of doing configuration consulting, and all of the college employees who would have worked with the Partner at this time have departed. I have no notes or other documentation, and I don't even know which objects are part of the default Aruba install and which would have been created custom for the college, other than "mc" means Monmouth College so those must be custom.)

    So far that AAA profile is the mcUsers that is used successfully tens of thousands of times per day for my wireless clients to connect. The next two things are the objects that I created. First is the AP wired port profile named mcUsersWired which I created and assigned as the Ethernet interface 3 port configuration.
    I don't really know what a "Bridge Role" is, so that's basically a guess. I've tried putting both mcUser-logon and mcUsers there, and the behavior is the same. Anybody have any comments?

    Finally, here is the setting which I created and called mcUsersOnWire that I created to assign to Ethernet interface 3 port configuration --> Wired AP. My wireless clients all travel on VLANs 1010, 1012, 1014, & 1016, so I set the Access mode VLAN to 1012. My infrastructure runs on VLAN 1 (yes, I know that running the infrastructure on VLAN 1 is wrong -- heck, running ANYTHING on VLAN 1 is wrong! -- but I didn't set it up that way and it's a giant job to fix it, which I am in the process of designing), so that's why I set the Trunk mode native VLAN to 1. I think that the Forward mode would need to be tunnel because 1012 needs to tunnel through 1, right?
    Can anybody tell me what I'm doing wrong?
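As an added illustration (not part of the original post, and not ClearPass's own code), the following Python script models how service categorization behaves for the two kinds of request described above: it replays the page's "Match ANY" service rule against a constructed wireless MAC-auth request, which carries the Aruba-Essid-Name VSA, and a constructed request from the AP's wired port, which does not. The controller addresses, MAC addresses, and the "NAS IP hack" service are placeholders standing in for the poster's real values.

```python
"""Toy model of ClearPass (CPPM) service categorization.

Added illustration, not ClearPass code and not the poster's configuration:
it replays the page's "Match ANY" service rule against two constructed
RADIUS requests to show why a wired-port request is left unclassified.
"""

MATCH_ANY = "ANY"
MATCH_ALL = "ALL"


def condition_holds(condition, request):
    """Evaluate one (attribute, operator, value) condition against a request.

    `request` is a dict of RADIUS attribute name -> value. A missing
    attribute evaluates to None, so EQUALS can never hold for it.
    """
    attribute, operator, expected = condition
    actual = request.get(attribute)
    if operator == "EQUALS":
        return actual == expected
    if operator == "NOT_EQUALS":
        return actual != expected
    if operator == "BELONGS_TO":
        return actual in expected
    if operator == "EXISTS":
        return actual is not None
    raise ValueError(f"unsupported operator {operator!r}")


def service_matches(service, request):
    """Apply the service's rule type: ANY -> at least one, ALL -> every condition."""
    results = [condition_holds(c, request) for c in service["conditions"]]
    return any(results) if service["match"] == MATCH_ANY else all(results)


def categorize(services, request):
    """Return the name of the first service (in order) whose rule matches, else None.

    None is the situation behind the page's 'Failed to classify request to
    service' alert: no service is selected, so no enforcement policy runs
    and the request is rejected.
    """
    for service in services:
        if service_matches(service, request):
            return service["name"]
    return None


# --- constructed sample data -------------------------------------------

# The service exactly as the page lists it.
MCUSERS_MAC_SERVICE = {
    "name": "MC - mcUsers MAC",
    "match": MATCH_ANY,
    "conditions": [("Aruba-Essid-Name", "EQUALS", "mcUsers")],
}

# The poster's "quick hack": accept anything from the two controller
# addresses. Hypothetical service; addresses are RFC 5737 documentation IPs.
CONTROLLER_IPS = {"192.0.2.10", "192.0.2.11"}
NAS_IP_HACK_SERVICE = {
    "name": "MC - NAS IP hack (hypothetical)",
    "match": MATCH_ANY,
    "conditions": [("NAS-IP-Address", "BELONGS_TO", CONTROLLER_IPS)],
}

# A wireless MAC-auth request: the controller adds the Aruba-Essid-Name VSA.
WIRELESS_REQUEST = {
    "NAS-IP-Address": "192.0.2.10",
    "User-Name": "00-11-22-33-44-55",      # constructed MAC
    "Aruba-Essid-Name": "mcUsers",
}

# A request from the AP's wired port E3: same controller, no ESSID attribute.
WIRED_REQUEST = {
    "NAS-IP-Address": "192.0.2.10",
    "User-Name": "00-11-22-33-44-66",      # constructed MAC
}


def classify_both(services):
    """Categorize both sample requests so two rule sets can be compared."""
    return {
        "wireless": categorize(services, WIRELESS_REQUEST),
        "wired": categorize(services, WIRED_REQUEST),
    }


if __name__ == "__main__":
    print("page's rule set:  ", classify_both([MCUSERS_MAC_SERVICE]))
    print("with NAS-IP hack: ", classify_both([MCUSERS_MAC_SERVICE, NAS_IP_HACK_SERVICE]))
```

With only the page's rule set, the wireless request lands in "MC - mcUsers MAC" while the wired request categorizes to nothing, which is the reject the poster sees. Adding the NAS-IP rule makes the wired request classify, but note that it matches every request from those controllers rather than just the wired ports, which is why it is only a diagnostic hack and not a fix.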