Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

How to disable machine authentication on a BYOD SSID

  • 1.  How to disable machine authentication on a BYOD SSID

    Posted Feb 15, 2015 09:32 PM

    Hi,

     

    We are using an SSID for BYOD clients. 802.1X authentication is also in place: users are required to enter their Active Directory username and password to log in to the wireless network. We are using EAP-PEAP. The issue we are facing is as follows:

     

    (1) A client logs in to the wireless network and gets the VLAN that is set as the default in the VAP profile. However, we are using server rules on the controller.

     

    (2) The user must be put into a VLAN according to the rules specified. I have read on an Aruba support forum that if machine authentication fails, the user is put in the default VLAN specified under the VAP profile. Because machine information for BYOD devices is not present in our Active Directory, most of the clients are put in the default VLAN, though they should be assigned a VLAN according to the server rules based on the RADIUS attribute. This does not happen with all clients, but the initial login always puts a client in the default VLAN, as a result of which a user shows up twice on the controller, with IP addresses from both VLANs, such as 172.16.0.3 and 192.168.100.3.

     

    Any ideas what might be causing it? It appears that clients are later put into their respective VLANs, but at initial login they get an IP from the default VLAN.



  • 2.  RE: How to disable machine authentication on a BYOD SSID

    Posted Feb 15, 2015 09:33 PM

    Following is the link which talks about default VLAN:

     

    http://www.arubanetworks.com/techdocs/ArubaOS_60/UserGuide/802.1x.php



  • 3.  RE: How to disable machine authentication on a BYOD SSID

    EMPLOYEE
    Posted Feb 15, 2015 09:34 PM

    Please post your server rules.



  • 4.  RE: How to disable machine authentication on a BYOD SSID

    Posted Feb 15, 2015 09:36 PM
      |   view attached

    Attached.



  • 5.  RE: How to disable machine authentication on a BYOD SSID

    EMPLOYEE
    Posted Feb 15, 2015 10:12 PM

    It looks like you have "Enforce Machine Authentication" enabled in your 802.1x profile.  When "Enforce Machine Authentication" is enabled, the server rules are ignored unless a device passes BOTH user AND machine authentication.  That means BYOD devices will never have those server derivation rules executed, because they will never pass machine authentication.  Users who do not pass machine authentication will get the 802.1x enforce machine authentication user role.  If there is a VLAN defined in the Virtual AP, they will get that VLAN.

     



  • 6.  RE: How to disable machine authentication on a BYOD SSID

    Posted Feb 16, 2015 02:23 AM
    Hi,

    Thanks for your response.

    Machine authentication enforcement is not enabled; I have double-checked it. Also, the rules are working properly, because I can see in the logs that users are put in the role according to the rule specified. However, this is not the case for VLAN assignment: correct VLAN assignment works, but not for all users. Actually, it may be working correctly, but it creates two user entries on the controller. For example, a user is authenticated, and then on the controller I see that the same user has an IP from the VLAN 10 subnet and one from the VLAN 20 subnet.

    Any further ideas please?

    Farzan Qureshi
    ------------------
    Network Administrator & Helpdesk support
    Rosmini College

    --
    This email and any files transmitted with it are confidential and intended
    solely for the use of the individual or entity to whom they are addressed.
    If you have received this email in error please notify the system manager (
    admin@rosmini.school.nz). Please note that any views or opinions presented
    in this email are solely those of the author and do not necessarily
    represent those of the company. Finally, the recipient should check this
    email and any attachments for the presence of viruses. Rosmini College
    accepts no liability for any damage caused by any virus transmitted by this
    email.


  • 7.  RE: How to disable machine authentication on a BYOD SSID

    EMPLOYEE
    Posted Feb 16, 2015 04:26 AM

    Looking at your server derivation rules again, I see that you are trying to assign a VLAN and a Role at the same time.  Only the first server derivation rule is evaluated and enforced, so only your Role server derivation rule is being evaluated.  As a test, if you swap the order of the rules, you will see that only the VLAN would be enforced.  If you want to have both the VLAN and the Role changed, the best thing to do is to return an Aruba VSA from the Radius Server.  With a VSA on the radius server you can send multiple attributes like a role and a VLAN at the same time.  With server derivation rules, it only evaluates the first rule.   A VSA would completely replace server derivation rules on the controller.

     

    Which radius server do you have?
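
    The reply above recommends returning an Aruba VSA from the RADIUS server so that role and VLAN arrive together in one Access-Accept. As an added example (not code from this thread or from HPE Aruba), the Python below encodes and decodes that attribute on the wire: RFC 2865 attribute 26 (Vendor-Specific) carrying Aruba's vendor ID 14823 with the dictionary sub-attributes Aruba-User-Role (1, string) and Aruba-User-Vlan (2, integer). Those three numbers are exactly what an NPS network policy asks for under Settings > Vendor Specific when you add a custom VSA ("Yes. It conforms", then attribute number and String or Decimal format). The function names, and the sample values "authenticated" / 117 taken from the thread, are this example's own.

    ```python
    import struct

    # Values from the Aruba RADIUS dictionary: 14823 is Aruba's IANA enterprise
    # number; sub-attribute numbers 1 and 2 match dictionary.aruba as shipped
    # with FreeRADIUS.
    ARUBA_VENDOR_ID = 14823
    ARUBA_USER_ROLE = 1        # Aruba-User-Role, string
    ARUBA_USER_VLAN = 2        # Aruba-User-Vlan, 4-byte integer
    ATTR_VENDOR_SPECIFIC = 26  # RFC 2865 Vendor-Specific attribute type
    SUBATTR_NAMES = {ARUBA_USER_ROLE: "Aruba-User-Role",
                     ARUBA_USER_VLAN: "Aruba-User-Vlan"}


    def aruba_vsa(vendor_type, value):
        """Encode one Aruba sub-attribute as a complete RADIUS attribute-26 TLV.

        Wire layout: type(26) len | vendor-id(4) | vendor-type(1) vendor-len(1) value
        Integers are 4-byte big-endian, strings are UTF-8 (RFC 2865 section 5.26).
        """
        payload = (struct.pack("!I", value) if isinstance(value, int)
                   else value.encode("utf-8"))
        sub = struct.pack("!BB", vendor_type, 2 + len(payload)) + payload
        body = struct.pack("!I", ARUBA_VENDOR_ID) + sub
        if 2 + len(body) > 255:
            raise ValueError("RADIUS attribute exceeds 255 bytes")
        return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, 2 + len(body)) + body


    def build_accept_attrs(role, vlan):
        """Attribute section of an Access-Accept that sets role and VLAN at once."""
        return aruba_vsa(ARUBA_USER_ROLE, role) + aruba_vsa(ARUBA_USER_VLAN, vlan)


    def _parse_aruba_subattrs(data):
        """Decode the vendor-specific part of an Aruba VSA into (name, value) pairs."""
        out, i = [], 0
        while i < len(data):
            if i + 2 > len(data):
                raise ValueError("truncated Aruba sub-attribute")
            vtype, vlen = data[i], data[i + 1]
            if vlen < 2 or i + vlen > len(data):
                raise ValueError("bad Aruba sub-attribute length")
            raw = data[i + 2:i + vlen]
            if vtype == ARUBA_USER_VLAN:
                if len(raw) != 4:
                    raise ValueError("Aruba-User-Vlan must be a 4-byte integer")
                value = struct.unpack("!I", raw)[0]
            elif vtype == ARUBA_USER_ROLE:
                value = raw.decode("utf-8")
            else:
                value = raw  # unknown Aruba sub-attribute: keep bytes as-is
            out.append((SUBATTR_NAMES.get(vtype, vtype), value))
            i += vlen
        return out


    def parse_attrs(data):
        """Walk a RADIUS attribute list. Aruba VSAs are returned as (name, value);
        every other attribute as (type, raw_bytes). Malformed lengths raise."""
        out, i = [], 0
        while i < len(data):
            if i + 2 > len(data):
                raise ValueError("truncated attribute header")
            atype, alen = data[i], data[i + 1]
            if alen < 2 or i + alen > len(data):
                raise ValueError("bad attribute length")
            val = data[i + 2:i + alen]
            if (atype == ATTR_VENDOR_SPECIFIC and len(val) >= 4
                    and struct.unpack("!I", val[:4])[0] == ARUBA_VENDOR_ID):
                out.extend(_parse_aruba_subattrs(val[4:]))
            else:
                out.append((atype, val))
            i += alen
        return out


    if __name__ == "__main__":
        # Constructed sample using the role and VLAN mentioned in the thread.
        wire = build_accept_attrs("authenticated", 117)
        print(wire.hex())
        print(parse_attrs(wire))
    ```

    Two things to check when using this for real: the role string must name a user role that already exists on the controller (compare against `show rights`), and each VSA is its own attribute-26 TLV, so a packet capture of the Access-Accept should show two Vendor-Specific attributes, both with vendor 14823, rather than one.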

     



  • 8.  RE: How to disable machine authentication on a BYOD SSID

    Posted Feb 16, 2015 04:48 AM
    That must be the case!

    We are running an NPS server on Windows Server 2008 R2. How can I add a VSA to the NPS server?

    --
    *Farzan Qureshi* | Network Administrator & Help-desk Support | Rosmini
    College | (09) 487 0 530



  • 9.  RE: How to disable machine authentication on a BYOD SSID
    Best Answer

    EMPLOYEE


  • 10.  RE: How to disable machine authentication on a BYOD SSID

    Posted Feb 16, 2015 03:30 PM
    Hi,

    If you check the server rules, there are two rules which put the client in the Authenticated role in VLAN 117. This is working without any issues. There are two rules: one puts the client in the Authenticated role, and the other puts the authenticated user in VLAN 117. This makes me think that the rules are working alright. It is not that it matches only the first rule; I have a feeling that it matches all available rules. Otherwise the user would get the Authenticated role and the VLAN would be 2, because VLAN 2 is the default VLAN assigned in the VAP profile.

    Any further ideas?

    --
    *Farzan Qureshi* | Network Administrator & Help-desk Support | Rosmini
    College | (09) 487 0 530



  • 11.  RE: How to disable machine authentication on a BYOD SSID

    Posted Feb 16, 2015 06:50 PM

    Thanks for sharing the link. I have sorted the issue by getting an idea from the link. It appears that it is working now and overrides the server rules if attributes are provided from the RADIUS server.

     

    Thanks for your help.



  • 12.  RE: How to disable machine authentication on a BYOD SSID

    EMPLOYEE
    Posted Feb 16, 2015 06:54 PM
    Only the first rule is processed. It is possible that in the AAA profile the default 802.1x role is authenticated, so unless a VSA or server rule changes it, that is what it will always be.


  • 13.  RE: How to disable machine authentication on a BYOD SSID

    EMPLOYEE
    Posted Feb 16, 2015 06:57 PM
    If the 802.1x default role is authenticated, that is what it will always be unless a VSA or server derivation rule changes it. Only a single server derivation rule is applied (first match).


  • 14.  RE: How to disable machine authentication on a BYOD SSID

    Posted Feb 16, 2015 08:04 PM

    It didn't solve the problem. I can still see two IPs from different VLANs on the controller. I suspect that there is a bug in the code version?



  • 15.  RE: How to disable machine authentication on a BYOD SSID

    EMPLOYEE
    Posted Feb 16, 2015 08:06 PM
    Did you turn on user debugging to see why that is happening?


  • 16.  RE: How to disable machine authentication on a BYOD SSID

    Posted Feb 16, 2015 08:08 PM
    Sorry no. Would you please guide me how to enable user debugging?

    --
    *Farzan Qureshi* | Network Administrator & Help-desk Support | Rosmini
    College | (09) 487 0 530



  • 17.  RE: How to disable machine authentication on a BYOD SSID

    EMPLOYEE
    Posted Feb 16, 2015 09:09 PM

    You would do this:

     

    config t
    logging level debugging user-debug <mac address of device>

     You would then connect and when you are done, type:

    show log user-debug all

     To reset a device's session so that you start from scratch, disconnect the device, then type:

    aaa user delete mac <mac address>

     



  • 18.  RE: How to disable machine authentication on a BYOD SSID

    Posted Feb 17, 2015 07:01 PM
    Thanks for the information. I will try this and will get back to you.

    --
    *Farzan Qureshi* | Network Administrator & Help-desk Support | Rosmini
    College | (09) 487 0 530
