Contributor II

802.1x roaming

Hello All,

 

I'm just trying to understand the following:

When roaming on an 802.1x authenticated SSID, you have to go through a re-authentication process.

When you do this I was under the impression that, although you do not need an IP address to authenticate using 802.1x as it's layer 2, the controller would keep a record of your IP address and so would the client.

The example logs below show that the controller isn't aware of the IP address of the client. This may be normal and it does make sense; however, I am currently having an issue where, when roaming, for a very short period of time the users get "no internet connection". Again, this is probably unrelated; however, if the client does truly lose its IP during the re-auth process they wouldn't be able to get to the internet.

 

Aug 12 13:47:36 authmgr[3614]: <522158> <3614> <DBUG> |authmgr| Role Derivation for user N/A-a4:d9:31:69:5d:f5-[removed] N/A station Authenticated with auth type: Unknown auth type.
Aug 12 13:47:36 authmgr[3614]: <522142> <3614> <DBUG> |authmgr| Setting cached role to NULL for user a4:d9:31:69:5d:f5".
Aug 12 13:47:36 authmgr[3614]: <522266> <3614> <DBUG> |authmgr| Calling derive_role2 for user a4:d9:31:69:5d:f5
Aug 12 13:47:36 authmgr[3614]: <522016> <3614> <INFO> |authmgr| MAC=a4:d9:31:69:5d:f5 IP=?? Derived role 'visitors-nocorp' from Aruba VSA
Aug 12 13:47:36 authmgr[3614]: <522127> <3614> <DBUG> |authmgr| {L2} Update role from visitors-nocorp to visitors-nocorp for IP=N/A, MAC=a4:d9:31:69:5d:f5.

 

As you can see, "IP=N/A". I am sure this is normal behaviour; I am just trying to understand why the controller is not still aware, as I was thinking this is part of 802.11r and roaming.

 

Any clarification would be helpful.

 

Thanks,

Ben Casey
Guru Elite

Re: 802.1x roaming

If the role is being derived, it almost seems like this is the initial authentication. On the initial authentication for 802.1x, authentication happens before the IP address is obtained, so it is not known.


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
Frequent Contributor II

Re: 802.1x roaming

What do you see in the authentication buffer for your client?

 

show auth-tracebuf mac <mac address> 

 

Also what is their association status and mobility status when you think they lose internet connectivity while roaming?

 

show ap association client-mac <mac address of client>   //association status

 

show ap client trail-info <mac address of client>     //mobility status

 

Note: The IP being NA is expected behaviour for a first time authentication as the client is not allowed DHCP in the initial role of 802.1x.

 

 

Ajay Kumar Ravipati
ACMA (V8) | ACMP (V8) | CCENT | CCNA (R&S) | PAN-OS 8.0 ACE
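
An added example, not part of any post in this thread and not Aruba code: a Python parser for authmgr lines in the layout quoted in the first post, listing per client MAC the "Derived role" events logged without a known IP. The sample lines, the MAC addresses and the 192.0.2.10 address are constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Layout of the authmgr lines quoted in the thread:
# "<date> authmgr[pid]: <msg-id> <pid> <LEVEL> |authmgr| <text>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s+authmgr\[\d+\]:\s+"
    r"<(?P<msg_id>\d+)>\s+<\d+>\s+<(?P<level>\w+)>\s+\|authmgr\|\s+(?P<text>.*)$"
)
MAC_RE = re.compile(r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}", re.I)
IP_RE = re.compile(r"\bIP=([^\s,]+)")
UNKNOWN_IP = {"??", "N/A"}  # the two placeholders seen in the quoted logs

# Constructed sample lines (not captured from a real controller).
_INFO = "authmgr[3614]: <522016> <3614> <INFO> |authmgr| "
_DBUG = "authmgr[3614]: <522127> <3614> <DBUG> |authmgr| "
_ROLE = " Derived role 'visitors-nocorp' from Aruba VSA"
SAMPLE = [
    "Aug 12 13:47:36 " + _INFO + "MAC=00:00:5e:00:53:01 IP=??" + _ROLE,
    "Aug 12 13:47:36 " + _DBUG + "{L2} Update role from visitors-nocorp "
    "to visitors-nocorp for IP=N/A, MAC=00:00:5e:00:53:01.",
    "Aug 12 13:49:02 " + _INFO + "MAC=00:00:5e:00:53:02 IP=192.0.2.10" + _ROLE,
    "Aug 12 13:51:40 " + _INFO + "MAC=00:00:5e:00:53:01 IP=??" + _ROLE,
]

def parse_line(line):
    """Return a dict for one authmgr line, or None if the layout differs."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    mac = MAC_RE.search(m["text"])
    ip = IP_RE.search(m["text"])
    return {**m.groupdict(),
            "mac": mac.group(0).lower() if mac else None,
            "ip": ip.group(1) if ip else None}

def derivations_without_ip(lines):
    """Map MAC -> timestamps of 'Derived role' events with no known IP."""
    hits = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["mac"] and "Derived role" in ev["text"] and ev["ip"] in UNKNOWN_IP:
            hits[ev["mac"]].append(ev["ts"])
    return dict(hits)

if __name__ == "__main__":
    for mac, stamps in derivations_without_ip(SAMPLE).items():
        print(mac, len(stamps), stamps)
```

The replies read a role derivation with an unknown IP as a first-time authentication; the timestamps listed for a MAC are the moments to compare against the output of show ap client trail-info for that client.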