Guru Elite

Re: MAC authentication


@Will-I-am wrote:

Okay,  I had created a new USER ROLE and added ALLOW ALL firewall policy to the user.

 

00:80:9f:5f:2b:56           ********  Wired-VOIP-Auth                              Yes                      Active                0.0.0.0    admin

 

user-role Wired-VOIP-Auth
 session-acl allowall ap-group rap-ap-ethvoip

 

aaa profile "Voip-AAA-Mauth"
   initial-role "denied-personal-device"
   authentication-mac "VOIP-MAC"
   mac-default-role "Wired-VOIP-Auth"
   mac-server-group "Internal-voip-mac"
   dot1x-default-role "Wired-VOIP-Auth"

 

ap wired-ap-profile "voip-sec-connection"
   wired-ap-enable
   switchport access vlan 800

 

ap wired-port-profile "voip-connection_sec-connection"
   wired-ap-profile "voip-sec-connection"
   enet-link-profile "voip-connection"
   aaa-profile "Voip-AAA-Mauth"

 

ap-group "RAP-AP-EthVoip"
   virtual-ap "Corp-VAP"
   enet1-port-profile "voip-connection_sec-connection"

 


That looks about right.  Is it working?

 


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.4 User Guide
InstantOS 8.3 User Guide
Airheads Knowledgebase
Airheads Learning Videos
Aruba Central Documentation
Sign up for Security Alerts
Aruba Technical Webinars
Occasional Contributor II

Re: MAC authentication

No..  I am running back through the config and checking everything through again.  Yesterday, when I ran the >logging level debugging I saw the VOIP set trying to connect, and now today it doesn't even get that far.  I'll give you an update. Later

Guru Elite

Re: MAC authentication

What role does the authenticated device end up in?

 

 


Occasional Contributor II

Re: MAC authentication

No..  I am running back through the config and checking everything through again. I have changed the entry in the Internal DB to point at the RAP-profile ROLE.  Now, when I do that the phone gets virtually all the way and comes back with bad TFTP.

((That's why I created my own User-Role with an Allow All FW policy)) 

When the Int. DB is set to  RAP-Profile I get the following Debug:-

 

522004:  <DBUG> |authmgr|  MAC=00:80:9f:5f:2b:56 IP=10.150.50.238 Send mobility delete message, flags=0x0
522015:  <INFO> |authmgr|  MAC=00:80:9f:5f:2b:56 IP=10.150.50.238 Remove Bridge Entry
522004:  <DBUG> |authmgr|  Deleting RAP Wired User (tunnel) 00:80:9f:5f:2b:56/10.150.50.238 from STM stats tree
522005:  <INFO> |authmgr|  MAC=00:80:9f:5f:2b:56 IP=10.150.50.238 User entry deleted: reason=unknown
522004:  <DBUG> |authmgr|  MAC=00:80:9f:5f:2b:56 Send Station delete message to mobility
522004:  <DBUG> |authmgr|  00:80:9f:5f:2b:56: station datapath entry deleted
522004:  <DBUG> |authmgr|  Deleting RAP Wired User (0) 00:80:9f:5f:2b:56 from STM stats tree
522026:  <INFO> |authmgr|  MAC=00:80:9f:5f:2b:56 IP=10.150.50.238 User miss: ingress=0x10bd, VLAN=800
522006:  <INFO> |authmgr|  MAC=00:80:9f:5f:2b:56 IP=10.150.50.238 User entry added: reason=Sibtye
522004:  <DBUG> |authmgr|  Adding RAP Wired User (tunnel) 00:80:9f:5f:2b:56 to STM stats tree
522004:  <DBUG> |authmgr|  MAC=00:80:9f:5f:2b:56 IP=10.150.50.238:  MAC auth start: entry-type=L3, bssid=00:00:00:00:00:00, essid= sg=Internal-voip-mac
522004:  <DBUG> |authmgr|  {10.150.50.238} autTable ("00:80:9f:5f:2b:56 Unauthenticated  voice   ")
522038:  <INFO> |authmgr|  MAC=00:80:9f:5f:2b:56 IP=10.150.50.238 Authentication result=Authentication Successful method=MAC server=Internal
522004:  <DBUG> |authmgr|  MAC=00:80:9f:5f:2b:56 IP=10.150.50.238: MAC auth success: entry-type=L3, bssid=00:00:00:00:00:00
522017:  <INFO> |authmgr|  MAC=00:80:9f:5f:2b:56 IP=10.150.50.238 Derived role 'RAP-Role' from server rules: server-group=Internal-voip-mac, authentication=MAC
522008:  <NOTI> |authmgr|  User authenticated: Name=00:80:9f:5f:2b:56 MAC=00:80:9f:5f:2b:56 IP=10.150.50.238 method=MAC server=Internal role=RAP-Role
522004:  <DBUG> |authmgr|  {10.150.50.238} autTable ("00:80:9f:5f:2b:56 Authenticated MAC RAP-Role ")]

 

Which looks fine to me, (But as stated before not the phone)

If I change the internal DB to point to my new ROLE (As shown in the earlier config snapshot) the phone doesn't even attempt to authenticate.  I never see it in the Debug logging and the set continues to re-boot.

 

 

 

Guru Elite

Re: MAC authentication

Looks like it is ending up in the RAP role.  Does the RAP-role have any ACLs?

 

type "show rights RAP-role" to see.


Occasional Contributor II

Re: MAC authentication

Colin, when I type "show rights RAP-role" it comes back with "Unknown Role RAP-Role"

If I do "Show rights"  I get this:-

 

Name                    ACL  Bandwidth                  ACL List
----                    ---  ---------                  --------
Corp-Access-Role            50   Up: No Limit,Dn: No Limit  allowall/,tftp-acl/voip-rap/voip-rap,tftp-acl/
RAP-Role                        54   Up: No Limit,Dn: No Limit  Rap-policy/

 

 

Guru Elite

Re: MAC authentication

It is case sensitive.  It looks like you have an acl, "rap policy" attached to that.  Re-run the command with the correct case.


Occasional Contributor II

Re: MAC authentication

(Aruba-Master) (config) #exit
(Aruba-Master) #show rights RAP-Role

Derived Role = 'RAP-Role'
 Up BW:No Limit   Down BW:No Limit
 L2TP Pool = default-l2tp-pool
 PPTP Pool = default-pptp-pool
 Periodic reauthentication: Disabled
 ACL Number = 54/0
 Max Sessions = 65535


access-list List
----------------
Position  Name        Location
--------  ----        --------
1         Rap-policy

Rap-policy
----------
Priority  Source  Destination  Service   Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan
--------  ------  -----------  -------   ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------
1         any     any             svc-papi  permit                           Low
2         any     any             svc-gre   permit                           Low
3         any     any             svc-l2tp  permit                           Low
4         any     mswitch      svc-tftp  permit                           Low
5         any     mswitch      svc-ftp   permit                           Low

Expired Policies (due to time constraints) = 0

 

You appear to be onto something.   I assume that I need another entry in the RAP Policy to enable svc-tftp to our PBX.  My question is where do I do that?  I have set up a destination within Firewall pointing to our PBX but I'm not sure how to add that to my policy. (And how high up in that policy it should sit)
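The two checks Colin is walking through (which role the server rules derived for the phone, and whether that role's session ACL permits TFTP to the PBX) can be reproduced offline. This is an added example, not code from the thread or from Aruba; the authmgr lines and the Rap-policy rules are transcribed from the posts above, and the "pbx" destination alias is a hypothetical netdestination the thread has not yet defined.

```python
import re

# Constructed sample data transcribed from the thread, not a controller export.
# "mswitch" is the controller alias seen in the page; "pbx" is a hypothetical alias.
ROLE_POLICIES = {
    "RAP-Role": [  # Rap-policy as listed by "show rights RAP-Role", in priority order
        ("any", "any", "svc-papi", "permit"),
        ("any", "any", "svc-gre", "permit"),
        ("any", "any", "svc-l2tp", "permit"),
        ("any", "mswitch", "svc-tftp", "permit"),
        ("any", "mswitch", "svc-ftp", "permit"),
    ],
    "Wired-VOIP-Auth": [("any", "any", "any", "permit")],  # the allowall session-acl
}

DERIVED_ROLE_RE = re.compile(
    r"MAC=(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) .*?Derived role '(?P<role>[^']+)' "
    r"from server rules: server-group=(?P<sg>[^,]+), authentication=(?P<method>\S+)")

def derived_roles(log_lines):
    """Map each MAC in authmgr debug output to (role, server-group) the server rules derived."""
    roles = {}
    for line in log_lines:
        m = DERIVED_ROLE_RE.search(line)
        if m:
            roles[m["mac"]] = (m["role"], m["sg"])
    return roles

def evaluate(policy, src, dst, service):
    """First matching rule wins; a session ACL with no matching rule is an implicit deny."""
    for pos, (rsrc, rdst, rsvc, action) in enumerate(policy, start=1):
        if rsrc in ("any", src) and rdst in ("any", dst) and rsvc in ("any", service):
            return action, pos
    return "deny", None

def check_access(log_lines, policies, mac, dst, service):
    """Which role the device landed in, and what that role's ACL does with dst/service."""
    role, _sg = derived_roles(log_lines).get(mac, (None, None))
    if role is None or role not in policies:
        return role, ("deny", None)  # unknown role: nothing is permitted
    return role, evaluate(policies[role], mac, dst, service)

SAMPLE_LOG = [  # two lines copied from the debug output posted above
    "522038:  <INFO> |authmgr|  MAC=00:80:9f:5f:2b:56 IP=10.150.50.238 Authentication "
    "result=Authentication Successful method=MAC server=Internal",
    "522017:  <INFO> |authmgr|  MAC=00:80:9f:5f:2b:56 IP=10.150.50.238 Derived role "
    "'RAP-Role' from server rules: server-group=Internal-voip-mac, authentication=MAC",
]
```

Running `check_access` for the phone's MAC shows TFTP to `mswitch` hits rule 4, while TFTP to the PBX falls off the end of Rap-policy and is dropped by the implicit deny, which is the "bad TFTP" symptom; appending a `pbx svc-tftp permit` rule changes the result to permit.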

Guru Elite

Re: MAC authentication

According to the debug, you are getting the role from a server rule in the "internal-voip-mac" server group.  What rule do you have in that server group that is putting your phone in the Rap-role?


Occasional Contributor II

Re: MAC authentication

aaa server-group "Internal-voip-mac"
   allow-fail-through
 auth-server Internal
 set role condition Role value-of
