Wired Windows 7/8 clients connect to Aruba Instant running 6.2.0.0-3.3.0.0 or above with wired MAC authentication and 802.1X authentication enabled. The client passes MAC authentication but fails 802.1X authentication.
Relevant Sample Configuration ::
Wired Profile
wired-port-profile wired-user
 switchport-mode access
 allowed-vlan all
 native-vlan 1
 no shutdown
 access-rule-name wired-user
 speed auto
 duplex auto
 poe
 type employee
 auth-server InternalServer
 captive-portal disable
 mac-authentication
 dot1x
 set-role-mac-auth MacAuthOnly

Roles
wlan access-rule wired-user
 rule any any match any any any permit
wlan access-rule MacAuthOnly
 rule any any match tcp 443 443 permit
 rule any any match tcp 80 80 permit
 rule any any match icmp any any permit
 rule any any match udp 53 53 permit
 rule any any match udp 67 68 permit
 rule any any match udp 67 69 permit

Profile Mapping
enet1-port-profile wired-user

User Entry for MAC Auth
user 3c970e6b9abe 26975f5e946110ae1ff3e5829bd2590104e9e4236d3bdc57 radius

From the 6.2.0.0-3.2.0.0 release, Aruba Instant allows 802.1X + MAC authentication for wired clients, and 6.2.1.0-3.3.0.0 allows role assignment for users who pass only MAC authentication. Even with the configuration correct on Aruba Instant, there may be instances where Windows 7 and 8 clients do not get an IP address after being placed in the right role on Instant.
From Aruba Instant CLI ::
6c:f3:7f:c4:0b:6a# show clients wired
Wired Client List
-----------------
Name          IP Address     MAC Address        OS     Network  Access Point       Role         Speed (mbps)
----          ----------     -----------        --     -------  ------------       ----         ------------
              0.0.0.0        3c:97:0e:6b:9a:be         eth1     6c:f3:7f:c4:0b:6a  MacAuthOnly  -
Starting with Windows 7, the Windows wired supplicant has an option called “Fallback to unauthorized network access”. The default setting for the option is “Disabled”. With the option disabled, the client cannot connect if 802.1X authentication fails.
ipconfig shows the state as “Media unauthenticated” with no IP address.
From Client Machine ::
C:\Users\test>ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection:
Media State . . . . . . . . . . . : Media unauthenticated
Enable the option to allow the client to work with MAC authentication only.
From Instant :
6c:f3:7f:c4:0b:6a# show clients wired
Wired Client List
-----------------
Name          IP Address     MAC Address        OS     Network  Access Point       Role         Speed (mbps)
----          ----------     -----------        --     -------  ------------       ----         ------------
3c970e6b9abe  10.17.225.122  3c:97:0e:6b:9a:be  Win 7  eth1     6c:f3:7f:c4:0b:6a  MacAuthOnly  -
From Client :
C:\Users\test>ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . : arubatac.local
Link-local IPv6 Address . . . . . : fe80::7561:4e08:183f:c71c%11
IPv4 Address. . . . . . . . . . . : 10.17.225.122
Subnet Mask . . . . . . . . . . . : 255.255.255.224
Default Gateway . . . . . . . . . : 10.17.225.100
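
The symptom described above (a wired client that holds a role but shows 0.0.0.0 in "show clients wired") can be checked for in saved CLI output. The Python below is an added example, not part of the original article or of Aruba's tooling; the function names are assumptions of the example, and the sample input is the two outputs shown above.

```python
import re

MAC = r"(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}"
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# One data row of "show clients wired". Name and OS may be empty and OS may
# contain a space ("Win 7"), so the row is anchored on the IP and the two MACs.
# Assumption of this example: client names contain no spaces.
ROW = re.compile(
    rf"^(?P<name>\S*)\s*(?P<ip>{IPV4})\s+(?P<mac>{MAC})\s+(?P<os>.*?)\s*"
    rf"(?P<network>\S+)\s+(?P<ap>{MAC})\s+(?P<role>\S+)\s+(?P<speed>\S+)$"
)

def parse_wired_clients(text):
    """Return one dict per client row; prompt, title and ruler lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows

def clients_without_ip(text, role=None):
    """Clients that hold a role but show 0.0.0.0, optionally limited to one role."""
    return [c for c in parse_wired_clients(text)
            if c["ip"] == "0.0.0.0" and (role is None or c["role"] == role)]

# Sample input: the two outputs shown in the article above.
BEFORE = """6c:f3:7f:c4:0b:6a# show clients wired
Wired Client List
-----------------
Name IP Address MAC Address OS Network Access Point Role Speed (mbps)
---- ---------- ----------- -- ------- ------------ ---- ------------
 0.0.0.0 3c:97:0e:6b:9a:be eth1 6c:f3:7f:c4:0b:6a MacAuthOnly -
"""
AFTER = """6c:f3:7f:c4:0b:6a# show clients wired
Name IP Address MAC Address OS Network Access Point Role Speed (mbps)
---- ---------- ----------- -- ------- ------------ ---- ------------
3c970e6b9abe 10.17.225.122 3c:97:0e:6b:9a:be Win 7 eth1 6c:f3:7f:c4:0b:6a MacAuthOnly -
"""

if __name__ == "__main__":
    for label, out in (("before", BEFORE), ("after", AFTER)):
        for c in clients_without_ip(out, role="MacAuthOnly"):
            print(f"{label}: {c['mac']} on {c['network']} has role {c['role']} "
                  "but no IP; check the supplicant's fallback setting")
```

Run against the first output, it reports 3c:97:0e:6b:9a:be; run against the second, it reports nothing.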