
Why can't Windows 7/8 wired clients pass traffic when they pass MAC authentication only?

Aug 06, 2014 11:43 AM

Wired Windows 7/8 clients connect to Aruba Instant running 6.2.0.0-3.3.0.0 or above with wired MAC authentication + 802.1X authentication enabled. The client passes MAC authentication but fails 802.1X authentication.

Relevant sample configuration:

Wired Profile 

 

wired-port-profile wired-user
switchport-mode access
allowed-vlan all
native-vlan 1
no shutdown
access-rule-name wired-user
speed auto
duplex auto
poe
type employee
auth-server InternalServer
captive-portal disable
mac-authentication
dot1x
set-role-mac-auth MacAuthOnly

 

Roles

 

wlan access-rule wired-user
 rule any any match any any any permit

 

wlan access-rule MacAuthOnly
rule any any match tcp 443 443 permit
rule any any match tcp 80 80 permit
rule any any match icmp any any permit
rule any any match udp 53 53 permit
rule any any match udp 67 68 permit
rule any any match udp 67 69 permit

 

Profile Mapping

 

enet1-port-profile wired-user

 

User Entry for MAC Auth

 

user 3c970e6b9abe 26975f5e946110ae1ff3e5829bd2590104e9e4236d3bdc57 radius

 

 

Starting with the 6.2.0.0-3.2.0.0 release, Aruba Instant allows 802.1X + MAC authentication for wired clients, and 6.2.1.0-3.3.0.0 allows role assignment for users who pass only MAC authentication. Even with the correct configuration on Aruba Instant, there may be instances where Windows 7 and 8 clients do not get an IP address after being placed in the right role on Instant.

From the Aruba Instant CLI:


6c:f3:7f:c4:0b:6a# show clients wired

Wired Client List
-----------------
Name  IP Address  MAC Address        OS  Network  Access Point       Role         Speed (mbps)
----  ----------  -----------        --  -------  ------------       ----         ------------

      0.0.0.0     3c:97:0e:6b:9a:be      eth1     6c:f3:7f:c4:0b:6a  MacAuthOnly  -

 

Starting with Windows 7, the Windows wired supplicant has an option called “Fallback to unauthorized network access”. The default setting for this option is “Disabled”. With the option disabled, the client cannot connect if 802.1X authentication fails.

 


 

In this state, ipconfig shows the media state as “Media unauthenticated” with no IP address.
 

From the client machine:

 

C:\Users\test>ipconfig


Windows IP Configuration


Ethernet adapter Local Area Connection:


   Media State . . . . . . . . . . . : Media unauthenticated

 

 

Enable the option so that the client works with MAC authentication only.

 


 

 

From Instant:


6c:f3:7f:c4:0b:6a# show clients wired
 
Wired Client List
-----------------
Name          IP Address     MAC Address        OS     Network  Access Point       Role         Speed (mbps)
----          ----------     -----------        --     -------  ------------       ----         ------------
3c970e6b9abe  10.17.225.122  3c:97:0e:6b:9a:be  Win 7  eth1     6c:f3:7f:c4:0b:6a  MacAuthOnly  -

From the client:

 

C:\Users\test>ipconfig


Windows IP Configuration


Ethernet adapter Local Area Connection:


   Connection-specific DNS Suffix  . : arubatac.local

   Link-local IPv6 Address . . . . . : fe80::7561:4e08:183f:c71c%11

   IPv4 Address. . . . . . . . . . . : 10.17.225.122

   Subnet Mask . . . . . . . . . . . : 255.255.255.224

   Default Gateway . . . . . . . . . : 10.17.225.100
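
To find candidates for this symptom across several wired ports, the following added example (not part of the original article) parses `show clients wired` output by column offset and lists clients that sit in the MAC-auth-only role with IP 0.0.0.0. The sample rows are constructed in the layout shown above, and the function names are hypothetical; the role name MacAuthOnly comes from the sample configuration.

```python
import re

# Constructed sample in the layout of the article's `show clients wired` output.
SAMPLE = """\
Wired Client List
-----------------
Name          IP Address     MAC Address        OS     Network  Access Point       Role         Speed (mbps)
----          ----------     -----------        --     -------  ------------       ----         ------------
              0.0.0.0        3c:97:0e:6b:9a:be         eth1     6c:f3:7f:c4:0b:6a  MacAuthOnly  -
aabbccddeeff  10.17.225.123  aa:bb:cc:dd:ee:ff  Win 7  eth1     6c:f3:7f:c4:0b:6a  MacAuthOnly  -
112233445566  10.17.225.124  11:22:33:44:55:66  Win 8  eth1     6c:f3:7f:c4:0b:6a  wired-user   -
"""


def parse_wired_clients(text):
    """Parse the fixed-width table into dicts keyed by column header.

    A stalled client has empty Name and OS cells, so splitting on whitespace
    would shift every field; slicing at the column offsets avoids that.
    """
    lines = text.splitlines()
    # The column header starts with "Name"; the dashed line below it marks
    # where each column begins.
    hdr = next(i for i, line in enumerate(lines) if line.startswith("Name"))
    starts = [m.start() for m in re.finditer(r"-+", lines[hdr + 1])]
    ends = starts[1:] + [None]
    names = [lines[hdr][s:e].strip() for s, e in zip(starts, ends)]
    rows = []
    for line in lines[hdr + 2:]:
        if line.strip():  # skip blank lines between rows
            rows.append({n: line[s:e].strip() for n, s, e in zip(names, starts, ends)})
    return rows


def stalled_mac_auth_clients(text, mac_auth_role="MacAuthOnly"):
    """Return MACs of clients in the MAC-auth-only role that hold no IP address."""
    return [r["MAC Address"] for r in parse_wired_clients(text)
            if r["Role"] == mac_auth_role and r["IP Address"] == "0.0.0.0"]


if __name__ == "__main__":
    for mac in stalled_mac_auth_clients(SAMPLE):
        print(f"{mac}: MAC-auth-only role but no IP; check the 802.1X fallback setting")
```

A missing address can have other causes, so each flagged client still needs the `ipconfig` check for “Media unauthenticated” described above.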
