We have acquired pefng licenses for our controller with arubaos 6.5.3.1 and installed it today. Everything was working fine before the installation of the licenses. After the installation, configuration was extended with standard roles etc. and everything looks the way it should be.
We use dot1x with radius authentication for the wireless connection. Clients can still authenticate successfully and are assigned the dot1x-default-role as set in the aaa profile. However, the only traffic passing through after authentication is the traffic allowed for user-role logon (ping, dns).
After much searching and testing I have added logging to the allowall access-list and added an additional access-list with logging to the logon role. To my big surprise I now can see that all client traffic is first permitted by the allowall and then denied by the logon role, which is consistent with what I see on the client.
Here is an extract of the configuration with a test aaa profile.
user-role logon
access-list session logon-control
access-list session captiveportal
access-list session vpnlogon
access-list session v6-logon-control
access-list session denyalllog
!
user-role authenticated
access-list session global-sacl
access-list session apprf-authenticated-sacl
access-list session ra-guard
access-list session allowall
access-list session v6-allowall
!
ip access-list session denyalllog
any any any deny log
!
ip access-list session allowall
any any any permit log
ipv6 any any any permit
!
aaa profile "Test-aaa_prof"
authentication-dot1x "dot1x_prof-sps67"
dot1x-default-role "authenticated"
dot1x-server-group "Test_srvgrp-bjd43"
!
Now the logs show this:
Aug 15 20:29:23 2017 neon1 authmgr[4117]: <124006> <4117> <WARN> <neon1 10.25.1.101> {94} TCP srcip=<client-ip> srcport=55645 dstip=17.253.55.206 dstport=80, action=permit, role=authenticated, policy=allowall
Aug 15 20:29:23 2017 neon1 authmgr[4117]: <124006> <4117> <WARN> <neon1 10.25.1.101> {95} TCP srcip=<client-ip> srcport=55645 dstip=17.253.55.206 dstport=80, action=deny, role=logon, policy=denyalllog
"show user" shows the client in the authenticated role. The client can ping any IP address possible, even using DNS host names, but nothing else.
I haven't found any documentation explaining what could be going on. Actually, everything I have read makes me think that a client can only have a single role at any given time, so those logs don't make any sense to me.
What am I missing here? Why is the logon role firewall policy applied to all traffic even for users in a different role?
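As an added example (not part of the original post), the following script parses authmgr session-ACL log lines of the kind shown above and flags flows that were permitted under one role and denied under another. It is a quick way to confirm from a larger log export that the permit/deny pair is systematic rather than a one-off, and to list which roles and policies are involved. The sample lines are constructed copies of the two entries in the post plus one extra UDP/DNS line; the field layout after the "{seq}" token is assumed to be stable across entries.

```python
import re
from collections import defaultdict

# Constructed sample log, modelled on the <124006> authmgr entries in the post.
# <client-ip> is the placeholder used in the post, not a real address.
SAMPLE_LOG = """\
Aug 15 20:29:23 2017 neon1 authmgr[4117]: <124006> <4117> <WARN> <neon1 10.25.1.101> {94} TCP srcip=<client-ip> srcport=55645 dstip=17.253.55.206 dstport=80, action=permit, role=authenticated, policy=allowall
Aug 15 20:29:23 2017 neon1 authmgr[4117]: <124006> <4117> <WARN> <neon1 10.25.1.101> {95} TCP srcip=<client-ip> srcport=55645 dstip=17.253.55.206 dstport=80, action=deny, role=logon, policy=denyalllog
Aug 15 20:29:24 2017 neon1 authmgr[4117]: <124006> <4117> <WARN> <neon1 10.25.1.101> {96} UDP srcip=<client-ip> srcport=51000 dstip=10.25.1.10 dstport=53, action=permit, role=logon, policy=logon-control
"""

# Matches the per-flow part of a session-ACL log line (assumed layout).
LINE_RE = re.compile(
    r"\{(?P<seq>\d+)\}\s+(?P<proto>\S+)\s+"
    r"srcip=(?P<srcip>\S+)\s+srcport=(?P<srcport>\d+)\s+"
    r"dstip=(?P<dstip>\S+)\s+dstport=(?P<dstport>\d+),\s+"
    r"action=(?P<action>\w+),\s+role=(?P<role>\S+),\s+policy=(?P<policy>\S+)"
)


def parse_acl_log(text):
    """Return one dict per parsable log line; unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        event = m.groupdict()
        event["seq"] = int(event["seq"])
        events.append(event)
    return events


def find_role_conflicts(events):
    """Group events by 5-tuple and report flows that were permitted under
    one role but denied under a different role (the symptom in the post)."""
    by_flow = defaultdict(list)
    for e in events:
        key = (e["proto"], e["srcip"], e["srcport"], e["dstip"], e["dstport"])
        by_flow[key].append(e)

    conflicts = []
    for flow, evs in by_flow.items():
        permit_roles = {e["role"] for e in evs if e["action"] == "permit"}
        deny_roles = {e["role"] for e in evs if e["action"] == "deny"}
        # A deny from a role that never permitted this flow is the conflict.
        if permit_roles and (deny_roles - permit_roles):
            conflicts.append({
                "flow": flow,
                "permit_roles": sorted(permit_roles),
                "deny_roles": sorted(deny_roles - permit_roles),
                "policies": sorted({e["policy"] for e in evs}),
            })
    return conflicts


def role_action_counts(events):
    """Per (role, action) hit counts, useful to see how much traffic each
    role's policies are actually touching."""
    counts = defaultdict(int)
    for e in events:
        counts[(e["role"], e["action"])] += 1
    return dict(counts)


if __name__ == "__main__":
    evs = parse_acl_log(SAMPLE_LOG)
    for c in find_role_conflicts(evs):
        proto, sip, sport, dip, dport = c["flow"]
        print(f"{proto} {sip}:{sport} -> {dip}:{dport}: permitted by "
              f"{c['permit_roles']}, denied by {c['deny_roles']} "
              f"(policies {c['policies']})")
    print(role_action_counts(evs))
```

Feed it the output of a longer log export (for example everything with message id 124006 for one client) to see whether every permitted flow is being shadowed by a deny from the logon role, or only some of them.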