Occasional Contributor I

Problems with MAC authentication + RADIUS on Aruba switch

I have configured a switch with MAC auth from a RADIUS server, with both an authorised and unauthorised VLAN. 

 

Unauthenticated clients work fine - the request hits RADIUS, is denied, and they end up in the unauth VID. Authorised clients don't work, and I cannot understand what is happening. 

 

The log displays the following:

 

W 01/02/90 04:13:19 02403 dca: macAuth client tagged VLANs arbitration error,
MAC 38EAA7880001 port 1.

 

The relevant config for the port is as follows:

 

aaa port-access mac-based 1-22
aaa port-access mac-based 1 auth-vid 100
aaa port-access mac-based 1 unauth-vid 200

 

vlan 100
name "VOICE VLAN"
untagged 24
tagged 1-23
ip address 172.2.1.2 255.255.255.0
exit
vlan 200
name "DATA VLAN"
untagged 1-23,25-28
ip address 192.168.1.220 255.255.255.0
exit

 

I've looked through the documentation but cannot see an explanation for this error message. Clearly the issue is to do with tagged VLAN assignment, but I cannot work out what needs to change to make this work.

 

The desired behaviour is that clients not auth'd end up in VLAN 200 but auth'd clients end up in VLAN 100.

 

Thanks in advance! 


Accepted Solutions
Occasional Contributor I

Re: Problems with MAC authentication + RADIUS on Aruba switch

For anyone finding this from Google etc. I solved this myself.

 

The issue was that I had erroneously assigned the voice VLAN to the ports in the VLAN config. I removed the "tagged 1-23" statement from VLAN 100's definition and it works like a charm!
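
Added example, not part of the original post and not vendor code: a small Python check built on the fix reported in this thread. It flags ports whose MAC-auth auth-vid or unauth-vid VLAN is also statically tagged on the same port. It assumes numeric port names and the config layout quoted in the question; `expand_ports` and `find_conflicts` are hypothetical helper names.

```python
import re

# Constructed sample: the port and VLAN config quoted in the question above.
SAMPLE_CONFIG = """\
aaa port-access mac-based 1-22
aaa port-access mac-based 1 auth-vid 100
aaa port-access mac-based 1 unauth-vid 200
vlan 100
name "VOICE VLAN"
untagged 24
tagged 1-23
exit
vlan 200
name "DATA VLAN"
untagged 1-23,25-28
exit
"""

def expand_ports(spec):
    """Expand a port list such as '1-23,25-28' into a set of ints (numeric ports assumed)."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def find_conflicts(config):
    """Return sorted (port, role, vlan) where a MAC-auth VLAN is also statically tagged."""
    tagged = {}    # vlan id -> ports statically tagged in that VLAN
    dynamic = []   # (ports, role, vlan) taken from the aaa port-access lines
    current = None
    for line in config.splitlines():
        line = line.strip()
        if m := re.fullmatch(r"vlan (\d+)", line):
            current = int(m.group(1))
        elif line == "exit":
            current = None
        elif current is not None and (m := re.fullmatch(r"tagged ([\d,\-]+)", line)):
            tagged.setdefault(current, set()).update(expand_ports(m.group(1)))
        elif m := re.fullmatch(
                r"aaa port-access mac-based ([\d,\-]+) (auth-vid|unauth-vid) (\d+)", line):
            dynamic.append((expand_ports(m.group(1)), m.group(2), int(m.group(3))))
    return sorted((p, role, vid) for ports, role, vid in dynamic
                  for p in ports & tagged.get(vid, set()))

if __name__ == "__main__":
    for port, role, vid in find_conflicts(SAMPLE_CONFIG):
        print(f"port {port}: {role} {vid} is also statically tagged on this port")
```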



All Replies
Frequent Contributor II

Re: Problems with MAC authentication + RADIUS on Aruba switch

Is 172.2.1.0/24 the correct subnet for VLAN 100? That would fall under a public IP range, and your routing may be trying to reach it externally instead of internally.

 

Dustin Burns
Senior Mobility and Access Engineer @WEI
ACMX#509 | ACCP | ACSA | CCNP | CCDP | CCNA Wireless
Occasional Contributor I

Re: Problems with MAC authentication + RADIUS on Aruba switch

Fair point! No, I changed it to protect the innocent. Good spot though.
