Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Problem with RAP using mobile devices and Palo Alto integration

  • 1.  Problem with RAP using mobile devices and Palo Alto integration

    Posted Jan 05, 2016 06:54 AM

    Dear Airheads,

    I've got a problem with a 3200 controller after upgrading from version 6.4.2.5 to 6.4.3.6.

    I'm using the Palo Alto integration, and after the upgrade, I've imported the certificates into the Aruba WLC and the connector state is up and running. Everything works fine, I see the users properly authenticated against a RADIUS server, with username, IP and so on.

    I also have several RAPs, and here is the problem: the mobile devices authenticating on a RAP are correctly seen by the WLC but NOT by the Palo Alto, while other devices such as Windows machines are.

    In short:

    CAP with PC: OK
    CAP with mobile: OK
    RAP with PC: OK
    RAP with mobile: not working, correctly seen by the WLC but the user is not forwarded to the Palo Alto.

    Any idea?

    Kindest regards,

    Luca



  • 2.  RE: Problem with RAP using mobile devices and Palo Alto integration

    Posted Jan 05, 2016 07:39 AM
    Are the users in the same role as CAP users?


  • 3.  RE: Problem with RAP using mobile devices and Palo Alto integration

    Posted Jan 05, 2016 08:08 AM

    Yes, absolutely. For example, I've got these two users:


    (sede-mc3200) #show user-table

    Users
    -----
    IP MAC Name Role Age(d:h:m) Auth VPN link AP name Roaming Essid/Bssid/Phy Profile Forward mode Type Host Name
    ---------- ------------ ------ ---- ---------- ---- -------- ------- ------- --------------- ------- ------------ ---- ---------
    192.168.50.116 90:00:db:6d:42:e4 CBRBO\irenemanzi office-role 00:00:55 802.1x RAP-SAIARINO Associated(Remote) renana_office/18:64:72:7a:5a:60/g-HT office-aaa split tunnel Android
    192.168.50.119 f4:b7:e2:51:65:6f CBRBO\mauriziobrunazzi office-role 00:04:50 802.1x RAP-SAIARINO Associated(Remote) renana_office/18:64:72:7a:5a:60/g-HT office-aaa split tunnel Win 8


    They are the same, but in the PA I see only the second IP associated with its user, which is a Windows machine. For the first, I see the IP but not the user in the PA, so it falls into the wrong policy.

    Thank you for your prompt response,

    Luca
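One way to make the comparison in this thread systematic, as an added example that is not from the thread or from either vendor: parse the `show user-table` rows into records, check each one against the IP-to-user mapping the firewall reports, and tally matches by connection type (RAP vs CAP) and device type so a pattern like "only remote Android clients are missing" stands out. The two RAP rows are the ones quoted in the post; the two CAP rows, the firewall mapping dictionary, and the names in them are constructed for the example.

```python
import re
from collections import defaultdict

# Row layout of ArubaOS "show user-table" as quoted above. The VPN link and Host Name
# columns are blank in that output, so fields are anchored on their shape (IP, MAC,
# age) rather than on column position. Forward mode may contain a space
# ("split tunnel"); ESSIDs containing spaces are not handled by this regex.
ROW_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})\s+"
    r"(?P<name>\S+)\s+"
    r"(?P<role>\S+)\s+"
    r"(?P<age>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<auth>\S+)\s+"
    r"(?P<ap>\S+)\s+"
    r"(?P<roaming>\S+)\s+"
    r"(?P<essid>\S+)\s+"
    r"(?P<profile>\S+)\s+"
    r"(?P<fwd>split[- ]tunnel|decrypt-tunnel|tunnel|bridge)\s*"
    r"(?P<type>.*)$"
)

# Constructed sample input: the two RAP rows are the ones quoted in the post above;
# the two CAP rows (names, MACs, AP name, BSSID) are made up for contrast.
CONTROLLER_USER_TABLE = r"""
192.168.50.116 90:00:db:6d:42:e4 CBRBO\irenemanzi office-role 00:00:55 802.1x RAP-SAIARINO Associated(Remote) renana_office/18:64:72:7a:5a:60/g-HT office-aaa split tunnel Android
192.168.50.119 f4:b7:e2:51:65:6f CBRBO\mauriziobrunazzi office-role 00:04:50 802.1x RAP-SAIARINO Associated(Remote) renana_office/18:64:72:7a:5a:60/g-HT office-aaa split tunnel Win 8
192.168.50.130 00:11:22:33:44:55 CBRBO\cap-user-a office-role 00:01:10 802.1x CAP-OFFICE-1 Associated renana_office/00:11:22:33:44:60/g-HT office-aaa tunnel Android
192.168.50.131 00:11:22:33:44:66 CBRBO\cap-user-b office-role 00:02:30 802.1x CAP-OFFICE-1 Associated renana_office/00:11:22:33:44:60/g-HT office-aaa tunnel Win 10
"""

# Constructed stand-in for the firewall's IP-to-user mapping table: IP -> user it knows.
# The RAP Android client (192.168.50.116) is deliberately absent, as in the post.
FIREWALL_MAPPINGS = {
    "192.168.50.119": r"CBRBO\mauriziobrunazzi",
    "192.168.50.130": r"CBRBO\cap-user-a",
    "192.168.50.131": r"CBRBO\cap-user-b",
}


def parse_user_table(text):
    """Return one dict per client row; header, separator and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["type"] = e["type"].strip()
        # RAP clients show Associated(Remote) in the Roaming column.
        e["remote"] = "(Remote)" in e["roaming"]
        entries.append(e)
    return entries


def find_unmapped(entries, fw_map):
    """Controller entries whose IP has no mapping, or a different user, on the firewall."""
    return [e for e in entries if fw_map.get(e["ip"]) != e["name"]]


def summarize(entries, fw_map):
    """Tally mapped/unmapped per (RAP|CAP, OS family) so that a failing
    combination such as RAP + Android stands out from the working ones."""
    stats = defaultdict(lambda: {"mapped": 0, "unmapped": 0})
    for e in entries:
        family = e["type"].split()[0] if e["type"] else "unknown"
        key = ("RAP" if e["remote"] else "CAP", family)
        state = "mapped" if fw_map.get(e["ip"]) == e["name"] else "unmapped"
        stats[key][state] += 1
    return dict(stats)


if __name__ == "__main__":
    rows = parse_user_table(CONTROLLER_USER_TABLE)
    for (conn, family), counts in sorted(summarize(rows, FIREWALL_MAPPINGS).items()):
        print(f"{conn:<4}{family:<8} mapped={counts['mapped']} unmapped={counts['unmapped']}")
    for e in find_unmapped(rows, FIREWALL_MAPPINGS):
        print(f"missing on firewall: {e['ip']} {e['name']} via {e['ap']} ({e['type']})")
```

Run against a real export, the summary is the quick check for the question asked in reply 2 (same role, different outcome), and the unmapped list gives the exact IP/user pairs to look for in the connector's logs on the controller side.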