New Contributor

macAuth failing to assign vlan

My apologies if this is in the wrong forum, but I'm having issues with macAuth on a 2530 where the switch fails to assign a VLAN once the host passes authentication. ClearPass Access Tracker shows that the host is using the correct service policy and the enforcement profile is assigning the correct VLAN, but then the accounting tab of Access Tracker shows NAS-Error for the termination clause.

 

I'm getting a log entry on the switch of:

W 04/17/19 14:22:54 02400 dca: macAuth client, RADIUS-assigned VID validation
error. MAC 00104932DB18 port 1 VLAN-Id 0 or unknown.

Thanks


Re: macAuth failing to assign vlan

Hello, if ClearPass says an Auth success and is returning the proper VLAN/Role, please check on the switch whether this user has a VLAN or role post auth. If that is correct, we need to check the config on the switch related to that VLAN.

 

I would encourage you to open a Switch case, to solve it sooner.

-If you got what you need with my answer please give kudos and mark it as solution.
MVP Guru

Re: macAuth failing to assign vlan

What is the attribute that you return in ClearPass? For VLAN assignment on the switch, you should use the VLAN enforcement template that uses the IETF Tunnel-Private-Group-Id, Tunnel-Type, Tunnel-Media-Type, and Termination-Action attributes. Or the HPE-Egress-VLAN-ID would work as an alternative. The Aruba-User-VLAN attribute is supported by Instant, Controller and Branch Gateway only.

 


--
If you have urgent issues, please contact your Aruba partner or Aruba TAC (click for contact details).
New Contributor

Re: macAuth failing to assign vlan

I solved the issue with MacAuth failing to assign the correct VLAN.

ClearPass had the VLAN name as VoIP. I had defined the VLAN name on the switch as VOIP. ClearPass was sending a command for a VLAN that didn't exist.

Silly mistake that I blew past several times until I let it sit for a bit and went back with fresh eyes.

Frequent Contributor II

Re: macAuth failing to assign vlan

I solved a similar case, and it was all about conversion from hexadecimal to decimal.

My case was to assign tagged VLAN ID = 3.

The mistake I made:

0x310003  ---> convert to decimal --> 3211267

And this is the right way to convert:

0x31000003  --->  convert to decimal --> 822083587
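
The difference between the two values in the post above, as an added example that is not part of the original thread: it assumes HPE-Egress-VLAN-ID uses the 32-bit layout of the RFC 4675 Egress-VLANID attribute (one tag-indication octet, 12 pad bits, 12-bit VLAN ID), which the working value 0x31000003 matches. The function names are hypothetical.

```python
from typing import Tuple

# Layout assumed from RFC 4675 Egress-VLANID:
#   bits 31-24: tag indication, bits 23-12: pad (zero), bits 11-0: VLAN ID
TAGGED = 0x31    # frames for this VLAN leave the port tagged
UNTAGGED = 0x32  # frames for this VLAN leave the port untagged


def encode_egress_vlanid(vlan_id: int, tagged: bool) -> int:
    """Return the decimal value to enter in the enforcement profile."""
    # 0 and 4095 are reserved 802.1Q VIDs and cannot be assigned.
    if not 1 <= vlan_id <= 4094:
        raise ValueError(f"VLAN ID {vlan_id} outside 1-4094")
    tag = TAGGED if tagged else UNTAGGED
    return (tag << 24) | vlan_id


def decode_egress_vlanid(value: int) -> Tuple[bool, int]:
    """Split a configured value into (tagged, vlan_id), rejecting bad layouts."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("value does not fit in 32 bits")
    tag = value >> 24
    pad = (value >> 12) & 0xFFF
    vlan_id = value & 0xFFF
    if tag not in (TAGGED, UNTAGGED):
        raise ValueError(f"tag octet is 0x{tag:02x}, expected 0x31 or 0x32")
    if pad != 0:
        raise ValueError(f"pad bits are 0x{pad:03x}, expected zero")
    if not 1 <= vlan_id <= 4094:
        raise ValueError(f"VLAN ID {vlan_id} outside 1-4094")
    return tag == TAGGED, vlan_id


if __name__ == "__main__":
    # Both values are the ones quoted in the post above.
    for value in (3211267, 822083587):
        try:
            tagged, vid = decode_egress_vlanid(value)
            kind = "tagged" if tagged else "untagged"
            print(f"{value} (0x{value:08x}): {kind} VLAN {vid}")
        except ValueError as err:
            print(f"{value} (0x{value:08x}): invalid, {err}")
```

With the three-byte value the 0x31 lands in the pad field and the tag octet is 0x00, so nothing in the attribute identifies a tagged VLAN.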
