
Captive Portal Configuration vs Access Port Connectivity

  • 1.  Captive Portal Configuration vs Access Port Connectivity

    Posted Jun 27, 2013 09:57 PM

    Hello All,

     

    I configured a Captive Portal Profile within the MAS 2500, which is associated to the Captive Portal AAA Profile.

    Part of my configuration requires me to apply the AAA Profile to all Physical Interfaces and configure the Ports to "Untrusted".

     

    Now, when I plug in my laptop and physically assign a static IP Address to it to match the VLAN ID Interface subnet, it fails to achieve connectivity to my Core Switch. I confirmed that the Trunk between the 2500 and my Core is working fine.

     

    To be able to get my laptop to establish connectivity, I had to change the configuration of the Ports from "Untrusted" to "Trusted".

     

    Now, I assume the purpose for setting my Ports to be in a state of "Untrusted" is for the purpose of allowing for an authentication process to take place. However, this seems to be impacting connectivity to my Core.

     

    Is this working as designed, whereby, the Ports need to be in an "Untrusted" state and will eventually allow traffic when the User connecting on that Port has been successfully authenticated?

     

    Thanks!



  • 2.  RE: Captive Portal Configuration vs Access Port Connectivity

    EMPLOYEE
    Posted Jun 27, 2013 10:00 PM

    Can you attach a copy of your configuration to review?

     

    Best regards,

     

    Madani



  • 3.  RE: Captive Portal Configuration vs Access Port Connectivity

    Posted Jun 27, 2013 10:05 PM

    I have attached a Template of what I built.

    Attachment: Aruba-MAS Template.txt (7 KB)


  • 4.  RE: Captive Portal Configuration vs Access Port Connectivity

    EMPLOYEE
    Posted Jun 28, 2013 05:18 PM

    Can you attach the actual running config, the output of "show station-table" and "show user-table"? Thanks!



  • 5.  RE: Captive Portal Configuration vs Access Port Connectivity

    Posted Jun 29, 2013 11:41 AM

    @madjali wrote:

    Can you attach the actual running config, the output of "show station-table" and "show user-table"? Thanks!


    Hi Madjali,

     

    It seems that when I apply an AAA Profile to a Physical Port, I need to set the Port to be "Untrusted" in order for the ACLs associated to a User-Role to be applied. And if the authentication is successful, traffic will be allowed over that Port.

     

    Is this an accurate assumption? If that is the case, then I believe I'm comfortable with the configuration I have in place.

     

     



  • 6.  RE: Captive Portal Configuration vs Access Port Connectivity

    EMPLOYEE
    Posted Jul 01, 2013 03:24 PM

    Yes, for the AAA Profile to take effect, you must have the ports set to untrusted. I misunderstood your original post indicating you were unexpectedly losing connectivity to your core.

     

    Best regards,

     

    Madani



  • 7.  RE: Captive Portal Configuration vs Access Port Connectivity

    Posted Jul 01, 2013 04:06 PM

    Perfect! And is it true that one can apply only one AAA Profile to one Physical Port?

     

    You can't have multiple AAA Profiles applied to one Physical Port?

     



  • 8.  RE: Captive Portal Configuration vs Access Port Connectivity

    EMPLOYEE
    Posted Jul 01, 2013 04:12 PM

    Correct, however you can enable multiple authentication methods per profile (e.g. dot1x, mac-auth, UDR). Captive portal settings are linked to the user-role, so depending on how a device is assigned a user-role (dot1x, mac-auth, initial role, udr), you could also have different captive portals, but they are not governed by the AAA profile setting per se.



  • 9.  RE: Captive Portal Configuration vs Access Port Connectivity

    Posted Jul 01, 2013 04:19 PM

    @madjali wrote:

    Correct, however you can enable multiple authentication methods per profile (e.g. dot1x, mac-auth, UDR). Captive portal settings are linked to the user-role, so depending on how a device is assigned a user-role (dot1x, mac-auth, initial role, udr), you could also have different captive portals, but they are not governed by the AAA profile setting per se.


    Thx Madjali!

     

    But at the end of the day, whatever way this is done and whatever AAA Profile that is created, only one can be applied per Port.

     

    Correct?



  • 10.  RE: Captive Portal Configuration vs Access Port Connectivity

    EMPLOYEE
    Posted Jul 01, 2013 04:21 PM

    Yes, that is correct, only one AAA profile can be applied to an interface or group of interfaces. What is the use case where you would want multiple AAA profiles on a given port?

     

    Best regards,

     

    Madani



  • 11.  RE: Captive Portal Configuration vs Access Port Connectivity

    Posted Jul 01, 2013 04:22 PM

    @madjali wrote:

    Yes, that is correct, only one AAA profile can be applied to an interface or group of interfaces. What is the use case where you would want multiple AAA profiles on a given port?

     

    It's a University and they are looking at a scenario where if Students and Staff cannot do 802.1x, then we need to create a Captive Portal for their authentication.

     

    So I already have an AAA Profile associated to the 802.1x Profile and I have that applied to my Group of Interfaces. At this point, I obviously cannot apply the AAA Profile associated with the Captive Portal.