How do I make stateful dot1x work in the ArubaOS 3.x code?

Aruba Employee
Product and Software: This article applies to all Aruba controllers and ArubaOS 3.0 and later. 

Stateful dot1x is the authentication type that allows the Aruba controller to apply firewall rules to the wireless users that are associated with non-Aruba APs and are doing dot1x authentication. 


To make stateful dot1x work in ArubaOS 3.x code: 
•     The physical port of the controller on which the third-party APs' traffic enters (the ingress port) must be configured as an "untrusted" port. 
•     Wired authentication is not mandatory for stateful dot1x. However, if "aaa authentication wired" is enabled, the aaa profile applied to wired authentication must use "logon" as its initial role; any other initial role name breaks stateful dot1x. When stateful dot1x authentication is enabled and a RADIUS server group has been applied to the "stateful-dot1x" profile, the controller automatically generates the "stateful-dot1x" ACL and appends it to the end of the user role "logon", as shown in this sample configuration: 

user-role logon 
session-acl logon-control 
session-acl captiveportal                         
session-acl vpnlogon 
session-acl stateful-dot1x   ====>automatically added 
aaa server-group "test-server-group" 
auth-server test 
aaa authentication-server radius "test" 
   key 80ecd0c91e076c92e94ecdf51cd5b5aa 
   authport 1812 
   acctport 1813 
aaa authentication stateful-dot1x 
           default-role authenticated 
           server-group test-server-group 
# show ip access-list stateful-dot1x 
1 any     any          svc-dns   permit 
2 any     any          svc-dhcp  permit 
3 any  udp 1812  redirect opcode 52 

•     Make sure the dot1x authentication traffic (the RADIUS exchange on UDP 1812) passes through the controller; otherwise the controller cannot monitor the authentication transaction and apply the right user role when the authentication process finishes. 


To troubleshoot, enable debug logging for the authmgr process and check the ACL hit counters on the logon role (the stateful-dot1x ACL should show hits): 
1)  logging level debug security process authmgr 
2)  show acl hits role logon 

"show log security" in a working case: 
Oct 17 14:09:37 :124004:  <DBUG> |authmgr|  Forwarding the Radius packet after 
stateful dot1x processing code:1/smac:00:0d:bd:bb:d2:a3/sport:1645/dport:1812 
Oct 17 14:09:37 :124004:  <DBUG> |authmgr|  Received Valid Radius Reponse 
Oct 17 14:09:37 :124007:  <INFO> |authmgr|  USER_NAME 
Oct 17 14:09:37 :124007:  <INFO> |authmgr|  EAP MESSAGE 
Oct 17 14:09:37 :124004:  <DBUG> |authmgr|   {L2} Authenticating Server is test 
Oct 17 14:09:37 :199802:  <ERRS> |authmgr|  user.c, derive_role2:3707: 
{00:1d:e0:12:f4:a1-} Missing server group in attribute list, 
auth=Stateful-802.1x, utype=L2 
Oct 17 14:09:37 :124004:  <DBUG> |authmgr|  Tx message to Sibyte. Opcode = 17, 
msglen = 132 
Oct 17 14:09:37 :124007:  <INFO> |authmgr|  Forwarding the Radius Response to 
AP: len:0 
Oct 17 14:09:37 :124004:  <DBUG> |authmgr|  Forwarding the Radius packet after 
stateful dot1x processing code:2/smac:00:0b:86:40:3a:60/sport:1812/dport:1645 
Version history
Revision #: 1 of 1
Last update: 07-01-2014 02:45 PM