Controllerless Networks


RADIUS VLAN assignments are ignored

  • 1.  RADIUS VLAN assignments are ignored

    Posted Jan 22, 2020 10:20 AM

    Hello,


    We have a swarm of AP-303 with RADIUS authentication on one SSID. Authentication works as expected, but dynamic VLAN assignments sent by the RADIUS Server are ignored; all clients are being placed within the default VLAN.


    example user on the FreeRADIUS Server:

    testuser         Cleartext-Password              :=      "somepassword"
            aruba-named-user-vlan   =  2,
            aruba-user-vlan         = 2,
            Tunnel-Type                             = "VLAN",
            Tunnel-Medium-Type              = "IEEE-802",
            Tunnel-Private-Group-ID = "2"

    Assigned vlan/filter rules on the controller:

     vlan 21
     set-vlan Aruba-Named-User-Vlan value-of
     set-vlan Tunnel-Private-Group-Id value-of
     set-vlan Aruba-User-Vlan value-of

    the user "testuser" can authenticate, the RADIUS server is sending all 3 attributes, but the controller ignores all of them and places the user in VLAN 21...

    Authentication method is PEAP/MSCHAPv2; the attributes are sent with the EAP reply of the outer tunnel (not the MSCHAP reply that is sent to the endpoint). From my understanding this should be the correct behaviour?


    This setup already worked - but as that SSID was mainly unused until recently I can't tell when it broke (e.g. update of the controller and/or RADIUS). Were there any changes to the VLAN assignment logic?


    I can provide relevant debug logs and/or controller configuration if needed, I just didn't want to completely spam the initial post with hundreds of lines of debugging/config. I still have the feeling I just missed some small config detail...


    Thanks,

    Sebastian



  • 2.  RE: RADIUS VLAN assignments are ignored

    EMPLOYEE
    Posted Jan 22, 2020 10:39 AM

    You ONLY need to return the "Aruba-User-Vlan" attribute.  You don't need any rules or anything else.

    (Babarella) #show aaa radius-attributes | include Aruba-User-Vlan
    Aruba-User-Vlan 2 Integer Aruba 14823


    EDIT:  Forgot the link here:  https://www.arubanetworks.com/techdocs/Instant_85_WebHelp/Content/instant-ug/roles-and-pol/vlan-assignm.htm?Highlight=aruba-user-vlan




  • 3.  RE: RADIUS VLAN assignments are ignored

    Posted Jan 24, 2020 03:34 AM

    Thanks for your reply.


    I removed all rules (which changes the VLAN assignment to "static" in
    the web GUI) and reduced the "user" entry at the RADIUS Server to
    username/password and the "Aruba-User-Vlan" attribute.
    Now all users are put in the static VLAN, which is the behaviour I'd
    expect with this configuration (static).

    If I add a single rule for Aruba-User-Vlan (set-vlan Aruba-User-Vlan
    value-of) the VLAN assignment switches back to "dynamic" in the web
    GUI, but still all users are being assigned the default VLAN.

    Here's the full config of the SSID:

    wlan ssid-profile gassner
     enable
     index 1
     type employee
     essid gassner
     opmode wpa2-aes
     max-authentication-failures 0
     vlan 21
     auth-server radius1
     set-vlan Aruba-User-Vlan value-of
     set-vlan User-Name equals agassner 2
     set-vlan User-Name equals mut3 1
     set-vlan User-Name equals sgj-laptop 3
     set-vlan User-Name equals bb-sko 2
     rf-band all
     captive-portal disable
     dtim-period 1
     broadcast-filter none
     radius-reauth-interval 180
     dmo-channel-utilization-threshold 90
     local-probe-req-thresh 0
     max-clients-threshold 64
     okc
     dot11k
     dot11v

    Here's some of the debug output of the RADIUS Server during user login (for a user with all initial attributes still set):

    [...]
    (9) Login OK: [bb-sko] (from client h-ap1 port 0 via TLS tunnel)
    (9) } # server inner-tunnel
    (9) Virtual server sending reply
    (9) Aruba-Named-User-Vlan = "2"
    (9) Aruba-User-Vlan = 2
    (9) Tunnel-Type = VLAN
    (9) Tunnel-Medium-Type = IEEE-802
    (9) Tunnel-Private-Group-Id = "2"
    (9) MS-MPPE-Encryption-Policy = Encryption-Allowed
    (9) MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
    (9) MS-MPPE-Send-Key = 0xf0170ad2946e26033af23a66e90b1ccb
    (9) MS-MPPE-Recv-Key = 0xeaed3b33048e1576f60538c6bde18c39
    (9) EAP-Message = 0x030a0004
    (9) Message-Authenticator = 0x00000000000000000000000000000000
    (9) User-Name = "bb-sko"
    (9) eap_peap: Got tunneled reply code 2
    (9) eap_peap: Aruba-Named-User-Vlan = "2"
    (9) eap_peap: Aruba-User-Vlan = 2
    (9) eap_peap: Tunnel-Type = VLAN
    (9) eap_peap: Tunnel-Medium-Type = IEEE-802
    (9) eap_peap: Tunnel-Private-Group-Id = "2"
    (9) eap_peap: MS-MPPE-Encryption-Policy = Encryption-Allowed
    (9) eap_peap: MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
    (9) eap_peap: MS-MPPE-Send-Key = 0xf0170ad2946e26033af23a66e90b1ccb
    (9) eap_peap: MS-MPPE-Recv-Key = 0xeaed3b33048e1576f60538c6bde18c39
    (9) eap_peap: EAP-Message = 0x030a0004
    (9) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
    (9) eap_peap: User-Name = "bb-sko"
    (9) eap_peap: Got tunneled reply RADIUS code 2
    (9) eap_peap: Aruba-Named-User-Vlan = "2"
    (9) eap_peap: Aruba-User-Vlan = 2
    (9) eap_peap: Tunnel-Type = VLAN
    (9) eap_peap: Tunnel-Medium-Type = IEEE-802
    (9) eap_peap: Tunnel-Private-Group-Id = "2"
    (9) eap_peap: MS-MPPE-Encryption-Policy = Encryption-Allowed
    (9) eap_peap: MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
    (9) eap_peap: MS-MPPE-Send-Key = 0xf0170ad2946e26033af23a66e90b1ccb
    (9) eap_peap: MS-MPPE-Recv-Key = 0xeaed3b33048e1576f60538c6bde18c39
    (9) eap_peap: EAP-Message = 0x030a0004
    (9) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
    (9) eap_peap: User-Name = "bb-sko"
    (9) eap_peap: Tunneled authentication was successful
    (9) eap_peap: SUCCESS
    [...]
    (10) Login OK: [bb-sko] (from client h-ap1 port 0 cli a4e4b82dd8cf)
    (10) Sent Access-Accept Id 165 from 10.50.50.6:1812 to 10.50.50.22:60227 length 0
    (10) MS-MPPE-Recv-Key = 0x2a8ef374052be0562cb5c4eb5fe318cffe6332fc5f8bb7f9b7b433b143fee8d5
    (10) MS-MPPE-Send-Key = 0x0b4e744eda592e2959094bc1584329b167a01db33d4b1aa8c9a97c0229e9c397
    (10) EAP-Message = 0x030b0004 
    (10) Message-Authenticator = 0x00000000000000000000000000000000 
    (10) User-Name = "bb-sko" 
    (10) Finished request
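One check worth running on debug output like the above before touching the users file or the set-vlan rules: compare the attributes in the PEAP inner-tunnel reply with the attributes in the outer Access-Accept that is actually sent to the AP, because the NAS never sees the inner reply. The following script is an added example, not part of the thread or of FreeRADIUS; the two log samples inside it are constructed (one abridged from request (9)/(10) above, one invented "healthy" case), and the attribute names it looks for are the five VLAN attributes already shown in the thread. On the posted log it reports every VLAN attribute as missing from request (10), which is consistent with what the (10) lines above show.

```python
"""Find VLAN attributes that a FreeRADIUS PEAP inner tunnel returned but the
outer Access-Accept (the only packet the NAS sees) does not carry."""
import re

# Attributes that carry a VLAN decision: the Aruba VSAs plus the RFC 3580 tunnel set.
VLAN_ATTRS = {
    "Aruba-User-Vlan",
    "Aruba-Named-User-Vlan",
    "Tunnel-Type",
    "Tunnel-Medium-Type",
    "Tunnel-Private-Group-Id",
}

_LINE = re.compile(r"^\((\d+)\)\s*(.*)$")             # "(9) text" -> request id, text
_ATTR = re.compile(r"^([A-Za-z][\w-]*)\s*=\s*(.*)$")  # "Name = value"

# Constructed sample, abridged from the debug output in the post above:
# request (9) is the inner tunnel, request (10) is the packet sent to the AP.
SAMPLE_DEBUG = """\
(9) Virtual server sending reply
(9)   Aruba-Named-User-Vlan = "2"
(9)   Aruba-User-Vlan = 2
(9)   Tunnel-Type = VLAN
(9)   Tunnel-Medium-Type = IEEE-802
(9)   Tunnel-Private-Group-Id = "2"
(9)   User-Name = "bb-sko"
(9) eap_peap: Tunneled authentication was successful
(10) Login OK: [bb-sko] (from client h-ap1 port 0 cli a4e4b82dd8cf)
(10) Sent Access-Accept Id 165 from 10.50.50.6:1812 to 10.50.50.22:60227 length 0
(10)   MS-MPPE-Recv-Key = 0x2a8ef374052be0562cb5c4eb5fe318cffe6332fc5f8bb7f9b7b433b143fee8d5
(10)   EAP-Message = 0x030b0004
(10)   User-Name = "bb-sko"
(10) Finished request
"""

# Constructed counter-example: the VSA survives into the outer reply.
HEALTHY_DEBUG = """\
(3) Virtual server sending reply
(3)   Aruba-User-Vlan = 2
(3)   User-Name = "testuser"
(4) Sent Access-Accept Id 7 from 10.50.50.6:1812 to 10.50.50.22:60227 length 0
(4)   Aruba-User-Vlan = 2
(4)   User-Name = "testuser"
(4) Finished request
"""


def parse_debug(text):
    """Split a debug log into {request: {attr: value}} for inner-tunnel replies
    and for sent Access-Accepts. An attribute list ends at the first line that
    is not "Name = value" for the same request id."""
    inner, outer = {}, {}
    current = None  # (attribute dict being filled, request id)
    for raw in text.splitlines():
        m = _LINE.match(raw.strip())
        if not m:
            current = None
            continue
        rid, body = int(m.group(1)), m.group(2).strip()
        if body == "Virtual server sending reply":
            current = (inner.setdefault(rid, {}), rid)
            continue
        if body.startswith("Sent Access-Accept"):
            current = (outer.setdefault(rid, {}), rid)
            continue
        attr = _ATTR.match(body)
        if attr and current and current[1] == rid:
            current[0][attr.group(1)] = attr.group(2).strip('"')
        else:
            current = None
    return inner, outer


def _by_user(replies):
    return {a["User-Name"]: a for a in replies.values() if "User-Name" in a}


def dropped_vlan_attrs(text):
    """Map User-Name -> sorted VLAN attributes returned by the inner tunnel but
    absent from that user's outer Access-Accept."""
    inner, outer = parse_debug(text)
    sent = _by_user(outer)
    report = {}
    for user, attrs in _by_user(inner).items():
        if user not in sent:
            continue  # rejected or log truncated; nothing to compare against
        missing = sorted(a for a in attrs if a in VLAN_ATTRS and a not in sent[user])
        if missing:
            report[user] = missing
    return report


if __name__ == "__main__":
    for name, log in (("broken", SAMPLE_DEBUG), ("healthy", HEALTHY_DEBUG)):
        print(name, dropped_vlan_attrs(log) or "outer Access-Accept carries all VLAN attributes")
```

Pipe the real `radiusd -X` output into `dropped_vlan_attrs` instead of the constructed sample; the MS-MPPE keys are deliberately not compared, since the outer tunnel regenerates them. If the check reports missing attributes, the place to look in FreeRADIUS 3.0.x is the mechanism that copies the inner reply to the outer one: `use_tunneled_reply` in the `peap` section of `mods-available/eap`, or on newer 3.0 releases the post-auth block in `sites-available/inner-tunnel` that updates `outer.session-state`.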


  • 4.  RE: RADIUS VLAN assignments are ignored

    EMPLOYEE
    Posted Jan 24, 2020 02:41 PM

    @sko wrote:

    Thanks for your reply.


    I removed all rules (which changes the VLAN assignment to "static" in
    the web GUI) and reduced the "user" entry at the RADIUS Server to
    username/password and the "Aruba-User-Vlan" attribute.
    Now all users are put in the static VLAN, which is the behaviour I'd
    expect with this configuration (static).

    If I add a single rule for Aruba-User-Vlan (set-vlan Aruba-User-Vlan
    value-of) the VLAN assignment switches back to "dynamic" in the web
    GUI, but still all users are being assigned the default VLAN.

    Here's the full config of the SSID:

    wlan ssid-profile gassner
    [snip]
     set-vlan Aruba-User-Vlan value-of
     set-vlan User-Name equals agassner 2
     set-vlan User-Name equals mut3 1
     set-vlan User-Name equals sgj-laptop 3
     set-vlan User-Name equals bb-sko 2

    Here's some of the debug output of the RADIUS Server during user login (for a user with all initial attributes still set):

    [...]
    (9) Aruba-Named-User-Vlan = "2"
    (9) Aruba-User-Vlan = 2

    Too many return attributes are likely confusing things.

    The Aruba VSAs do not require rules in order to take effect. In this case, two conflicting VSAs are being returned ... Aruba-Named-User-Vlan and Aruba-User-Vlan. The Named VLAN might point to the same VLAN as the Aruba-User-Vlan, but because it could also point to something different it's in conflict. Only the Aruba-User-Vlan attribute should be required to accomplish the assignment.



  • 5.  RE: RADIUS VLAN assignments are ignored

    Posted Jan 27, 2020 03:57 AM

    As said in my previous post: I removed all other entries except the "Aruba-User-Vlan" from the FreeRADIUS Server for that user and the VLAN rules on the VC. I also tried removing all rules (which again switches the VLAN assignment to static). The log was from another user with all attributes still set, not the one I was testing with. Sorry, I should have made that clearer.


    So as long as I don't set explicit rules for usernames or mac addresses on the Virtual Controller, _all_ users are being assigned the default VLAN of the SSID, no matter what attributes FreeRADIUS is sending during login.



  • 6.  RE: RADIUS VLAN assignments are ignored

    EMPLOYEE
    Posted Jan 27, 2020 08:37 AM

    How do we know that you have the attribute setup correctly in freeradius?



  • 7.  RE: RADIUS VLAN assignments are ignored

    MVP
    Posted Jan 27, 2020 08:46 AM

    I have had similar cases where Aruba-User-Role was implemented in "RADIUS" server, however the packet was arriving with Filter-Id.


    I would suggest to take traces with wireshark and check the logs. If possible, share it with us here and we can then check it from there and give comments.
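The trace check suggested above can be done offline on the Access-Accept bytes copied out of Wireshark as a hex stream, which settles the question of what the AP actually received independently of what the server's debug log says it sent. The decoder below is an added example, not part of the thread or of any Aruba or FreeRADIUS tooling; it uses the Aruba vendor ID 14823 and vendor attribute 2 (Aruba-User-Vlan) quoted in reply 2, the standard RADIUS attribute numbers from RFC 2865/2868, and two constructed packets (one that carries the VLAN attributes, one that carries only the EAP success and username, the shape of request (10) in reply 3). The Response Authenticator is left as zeros because only attribute decoding is exercised.

```python
"""Decode the VLAN-bearing attributes of a captured RADIUS Access-Accept,
unpacking Aruba Vendor-Specific attributes (vendor 14823)."""
import struct

ACCESS_ACCEPT = 2
USER_NAME, VENDOR_SPECIFIC, EAP_MESSAGE = 1, 26, 79          # RFC 2865 / 3579
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81  # RFC 2868
ARUBA_VENDOR_ID = 14823
ARUBA_USER_VLAN = 2   # "Aruba-User-Vlan 2 Integer Aruba 14823" as shown in the thread


def _attr(attr_type, value):
    """Encode one standard attribute as type, length, value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def _aruba_vsa(vendor_type, value):
    """Encode one Aruba vendor attribute inside a Vendor-Specific (26) wrapper."""
    sub = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    return _attr(VENDOR_SPECIFIC, struct.pack("!I", ARUBA_VENDOR_ID) + sub)


def build_access_accept(ident, attrs, authenticator=b"\x00" * 16):
    """Assemble a constructed Access-Accept; authenticator is not computed."""
    body = b"".join(attrs)
    return struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body)) + authenticator + body


def parse_radius(packet):
    """Return (code, id, [(key, raw_value)]). VSAs are flattened to the key
    "VSA/<vendor>/<vendor-type>". Raises ValueError on bad length fields."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad packet length field")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        value = packet[pos + 2:pos + alen]
        if atype == VENDOR_SPECIFIC and len(value) >= 6:
            vendor = struct.unpack("!I", value[:4])[0]
            vpos = 4
            while vpos < len(value):
                if vpos + 2 > len(value):
                    raise ValueError("truncated vendor attribute header")
                vtype, vlen = value[vpos], value[vpos + 1]
                if vlen < 2 or vpos + vlen > len(value):
                    raise ValueError("bad vendor attribute length")
                attrs.append((f"VSA/{vendor}/{vtype}", value[vpos + 2:vpos + vlen]))
                vpos += vlen
        else:
            attrs.append((atype, value))
        pos += alen
    return code, ident, attrs


def _tagged_int(value):
    """RFC 2868 tagged integer: first octet is the tag, low three octets the value."""
    return struct.unpack("!I", value)[0] & 0x00FFFFFF


def vlan_attrs(packet):
    """Decode the VLAN-relevant attributes of an Access-Accept into a dict."""
    code, _ident, attrs = parse_radius(packet)
    if code != ACCESS_ACCEPT:
        return {}
    out = {}
    for key, value in attrs:
        if key == f"VSA/{ARUBA_VENDOR_ID}/{ARUBA_USER_VLAN}":
            out["Aruba-User-Vlan"] = struct.unpack("!I", value)[0]
        elif key == TUNNEL_TYPE:
            out["Tunnel-Type"] = _tagged_int(value)
        elif key == TUNNEL_MEDIUM_TYPE:
            out["Tunnel-Medium-Type"] = _tagged_int(value)
        elif key == TUNNEL_PRIVATE_GROUP_ID:
            # A leading octet <= 0x1F is a tag, not part of the VLAN string (RFC 2868).
            text = value[1:] if value and value[0] <= 0x1F else value
            out["Tunnel-Private-Group-Id"] = text.decode("ascii", "replace")
    return out


# Constructed samples: an Access-Accept carrying the VLAN attributes, and one
# carrying only the EAP success and username (the shape of request (10) above).
WITH_VLAN = build_access_accept(165, [
    _attr(USER_NAME, b"testuser"),
    _aruba_vsa(ARUBA_USER_VLAN, struct.pack("!I", 2)),
    _attr(TUNNEL_TYPE, struct.pack("!I", 13)),        # 13 = VLAN
    _attr(TUNNEL_MEDIUM_TYPE, struct.pack("!I", 6)),  # 6 = IEEE-802
    _attr(TUNNEL_PRIVATE_GROUP_ID, b"\x00" + b"2"),   # tag 0 + "2"
])
WITHOUT_VLAN = build_access_accept(165, [
    _attr(USER_NAME, b"bb-sko"),
    _attr(EAP_MESSAGE, bytes.fromhex("030b0004")),
])

if __name__ == "__main__":
    print("with VLAN:   ", vlan_attrs(WITH_VLAN))
    print("without VLAN:", vlan_attrs(WITHOUT_VLAN))
```

For a real capture, select the Access-Accept in Wireshark, copy the UDP payload as a hex stream and pass `bytes.fromhex(...)` to `vlan_attrs`; an empty result on an Access-Accept means the AP was given nothing to act on, whatever the server's users entry says. The same decoder also exposes the mismatch the MVP describes (a role expected in an Aruba VSA but arriving as Filter-Id), since every attribute and its number is visible in the `parse_radius` output.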