Wired Intelligent Edge (Campus Switching and Routing)

Unable to authenticate multiple clients on a switch port to get different untagged VLANs with PUTN

Problem:

Daisy-chain setup on a switch port, with a PC connected behind an IP phone as shown below:

Aruba switch ------------> IP phone (untagged VLAN 10) ----------> PC (untagged VLAN 20)

Both clients are to perform MAC authentication and receive different downloadable user roles (DUR) from the RADIUS server, each carrying a different VLAN assignment.



Diagnostics:

Observed that only one client at a time can authenticate and form a tunnel with the controller.

The second client attempts to authenticate but fails authentication.

The debug log shows that the client (IP phone) was authenticated but got "Received Client Add Failure Response" at the point where it was being added into the tunnel.

A145# show debug buffer A8
0001:01:20:53.77 MAC mWebAuth:Port: A8 MAC: 0014a8-d49bbf new client detected
on vid: 16.
0001:01:20:53.77 MAC mWebAuth:Port: A8 MAC: 0014a8-d49bbf RADIUS CHAP
authentication started, session: 189756.
0001:01:21:00.37 MAC mWebAuth:Port: A8 MAC: 0014a8-d49bbf RADIUS Attributes,
vid: 20.
0001:01:21:00.37 TLOG mWebAuth:Sending User tunnel Add request for the client
0014a8-d49bbf for port A8
0001:01:21:00.37 MAC mWebAuth:Port: A8 MAC: 0014a8-d49bbf [189756] client
accepted with role 'Wired_Voice_Enf_Pro-3018-5_7Z4q'.
0001:01:21:00.37 MAC mWebAuth:Port: A8 MAC: 0014a8-d49bbf client successfully
placed into vid: 20.
0001:01:21:00.37 TLOG mdcaCtrl:Received Client Add Failure Response with cause
UBSTRAP_NACK_RECEIVED for dca client 0014a8-d49bbf for port A8
0001:01:21:00.37 TLOG mdcaCtrl:Initiating deauthentication for the client
0014a8-d49bbf for port A8
0001:01:21:00.37 MAC mWebAuth:Port: A8 MAC: 0014a8-d49bbf logoff period
expired, deauthenticating.
0001:01:21:00.37 MAC mWebAuth:Port: A8 MAC: 0014a8-d49bbf client
deauthenticated from all.
0001:01:21:00.37 MAC mWebAuth:Port: A8 MAC: 0014a8-d49bbf client
deauthenticated.

Both DURs assign a different untagged VLAN to each of the connected clients.

A capture on the switch uplink shows that the switch did initiate the client add but received no response, and on the controller side no packet appears to have been received for the client.

As a workaround, removing the tunnel redirect from the DUR of one of the clients let the IP phone authenticate normally and the workstation authenticate with PUTN.

The issue lies in the switch initiating PAPI with the controller for the second client so that it can receive a different untagged VLAN over the existing tunnel.



Solution

The switch cannot honor multiple untagged VLANs on a single port tunnel towards the controller.

Based on the configuration pushed from the user role, one untagged VLAN is passed through the PUTN tunnel. When a second client then tries to pass traffic from a different untagged VLAN, that traffic is dropped.

This is as per design. The workaround is either to connect the two clients that need an untagged VLAN assigned through a DUR with tunnel node redirect enabled on two different ports, or to pass one of the VLANs as tagged within the DUR.
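To make the diagnostics above checkable from a captured debug buffer, here is a small added Python script (not part of this article and not Aruba tooling) that re-joins the terminal-wrapped lines of "show debug buffer" output, tracks each client's VLAN placement, user tunnel Add request and any "Client Add Failure Response", and then lists ports where clients sent to the user tunnel were placed into more than one untagged VLAN, which is the condition the solution describes. The regular expressions are assumptions modelled on the exact message text in the log above; the lines for the first client (MAC 001122-334455, VLAN 10) are constructed for this example, while the IP phone's lines are copied from the article's log.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the same shape as the "show debug buffer A8" output
# above: lines are wrapped by the terminal, so a record can span two lines.
# The first client (001122-334455, placed into VLAN 10) is made up for this
# example; the second client's lines are taken from the log in the article.
SAMPLE_DEBUG = """\
0001:01:18:02.10 MAC mWebAuth:Port: A8 MAC: 001122-334455 new client detected
on vid: 16.
0001:01:18:05.40 MAC mWebAuth:Port: A8 MAC: 001122-334455 RADIUS Attributes,
vid: 10.
0001:01:18:05.40 TLOG mWebAuth:Sending User tunnel Add request for the client
001122-334455 for port A8
0001:01:18:05.40 MAC mWebAuth:Port: A8 MAC: 001122-334455 client successfully
placed into vid: 10.
0001:01:21:00.37 MAC mWebAuth:Port: A8 MAC: 0014a8-d49bbf RADIUS Attributes,
vid: 20.
0001:01:21:00.37 TLOG mWebAuth:Sending User tunnel Add request for the client
0014a8-d49bbf for port A8
0001:01:21:00.37 MAC mWebAuth:Port: A8 MAC: 0014a8-d49bbf client successfully
placed into vid: 20.
0001:01:21:00.37 TLOG mdcaCtrl:Received Client Add Failure Response with cause
UBSTRAP_NACK_RECEIVED for dca client 0014a8-d49bbf for port A8
"""

# Patterns are assumptions modelled on the message text in the log above.
TS_RE = re.compile(r"^\d{4}:\d{2}:\d{2}:\d{2}\.\d{2} ")
AUTH_RE = re.compile(r"^\S+ MAC mWebAuth:Port: (?P<port>\S+) MAC: (?P<mac>\S+) (?P<msg>.*)$")
VID_RE = re.compile(r"placed into vid: (?P<vid>\d+)\.")
TUNNEL_REQ_RE = re.compile(
    r"Sending User tunnel Add request for the client (?P<mac>\S+) for port (?P<port>\S+)")
TUNNEL_FAIL_RE = re.compile(
    r"Received Client Add Failure Response with cause (?P<cause>\S+) "
    r"for dca client (?P<mac>\S+) for port (?P<port>\S+)")


@dataclass
class ClientState:
    port: str
    mac: str
    vid: Optional[int] = None            # VLAN the switch placed the client into
    tunnel_requested: bool = False       # a user tunnel Add request was sent
    failure_cause: Optional[str] = None  # cause from Client Add Failure Response


def join_wrapped(text: str) -> List[str]:
    """Re-join records the terminal wrapped: a line without a leading
    timestamp is the continuation of the previous record."""
    records: List[str] = []
    for raw in text.splitlines():
        if TS_RE.match(raw):
            records.append(raw.rstrip())
        elif records and raw.strip():
            records[-1] += " " + raw.strip()
    return records


def parse_debug_buffer(text: str) -> Dict[str, ClientState]:
    """Build a per-MAC view of VLAN placement, tunnel add request and failure."""
    clients: Dict[str, ClientState] = {}

    def state(port: str, mac: str) -> ClientState:
        return clients.setdefault(mac, ClientState(port, mac))

    for line in join_wrapped(text):
        m = AUTH_RE.match(line)
        if m:
            v = VID_RE.search(m["msg"])
            if v:
                state(m["port"], m["mac"]).vid = int(v["vid"])
            continue
        m = TUNNEL_REQ_RE.search(line)
        if m:
            state(m["port"], m["mac"]).tunnel_requested = True
            continue
        m = TUNNEL_FAIL_RE.search(line)
        if m:
            state(m["port"], m["mac"]).failure_cause = m["cause"]
    return clients


def untagged_vlan_conflicts(clients: Dict[str, ClientState]) -> Dict[str, Dict[int, List[str]]]:
    """Ports where clients sent to the user tunnel were placed into more than
    one untagged VLAN: the condition a single per-port PUTN tunnel cannot carry."""
    by_port: Dict[str, Dict[int, List[str]]] = {}
    for st in clients.values():
        if st.tunnel_requested and st.vid is not None:
            by_port.setdefault(st.port, {}).setdefault(st.vid, []).append(st.mac)
    return {port: vids for port, vids in by_port.items() if len(vids) > 1}


def report(text: str) -> dict:
    """Summarise which clients got a Client Add Failure and which ports conflict."""
    clients = parse_debug_buffer(text)
    return {
        "failed": {mac: st.failure_cause for mac, st in clients.items() if st.failure_cause},
        "conflicts": untagged_vlan_conflicts(clients),
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_DEBUG).items():
        print(f"{key}: {value}")
```

Run against the sample, the report names the IP phone as the client that received the failure response and lists port A8 with two untagged VLANs (10 and 20) among the tunneled clients. An empty "conflicts" entry for a port is the state to aim for after applying either workaround above: once one of the two VLANs is delivered tagged, or the clients sit on separate ports, no port carries more than one untagged VLAN towards the tunnel.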

Version history
Revision #: 1 of 1
Last update: 04-16-2020 06:50 AM