Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

802.1x with AP in bridge mode

  • 1.  802.1x with AP in bridge mode

    Posted Mar 03, 2014 09:01 AM

    Hello,

    I'm trying to set up a CAP to use 802.1x to an external RADIUS server with the CAP forwarding mode set to bridge. I've also created a wired AP profile where the forwarding mode is set to bridge as well. I've been told by the local Aruba SE that this "should" work if you make the AP management subnet a RADIUS client on the RADIUS server. I've also been told that it "will" work using ClearPass. Is it possible to make this work without ClearPass? With forwarding mode set to bridge, I never get the prompt to enter my credentials and the RADIUS requests never even hit the RADIUS server, but if I set it back to tunnel mode on both the VAP and AP wired profiles, I can authenticate successfully with no problems. Any info would be much appreciated.



  • 2.  RE: 802.1x with AP in bridge mode

    Posted Mar 03, 2014 09:03 AM

    The forwarding mode of a CAP does not change how 802.1X authentication takes place.  The controller is always the RADIUS client in this case, not the AP.



  • 3.  RE: 802.1x with AP in bridge mode

    Posted Mar 03, 2014 09:06 AM
    Even if I remove the AP subnet from the RADIUS client, it still never hits the RADIUS server. It's like the controller and/or the AP can't forward the request off to the RADIUS server.

    Thanks,

    Josh Grzelakowski
    Network Engineer / Delta Network Services
    O: 248.409.0070 / C: 586.872.9017 / F: 248.409.2723 / E: josh.grzelakowski@delta-ns.com
    420 Enterprise Court Bloomfield Township, MI 48302
    www.delta-ns.com


  • 4.  RE: 802.1x with AP in bridge mode

    EMPLOYEE
    Posted Mar 03, 2014 09:11 AM

    I assume you have cpsec enabled, since this is required for Campus APs in bridge-forwarding mode?

    Is there anything showing in the auth-tracebuf for the particular clients? Try to enable debugging for those clients as well while you are testing?



  • 5.  RE: 802.1x with AP in bridge mode

    Posted Mar 03, 2014 09:23 AM

    Can you confirm the AAA profile you are using for your bridged mode VAP? Make sure you have the proper RADIUS server group defined. All 802.1X authentication in a campus/controller based environment is done by the controller, regardless of forwarding mode; tunnel, split-tunnel, bridge; CAP or RAP; etc.



  • 6.  RE: 802.1x with AP in bridge mode

    Posted Mar 03, 2014 09:29 AM
    Yes I do. As soon as I switch everything to normal trunk mode, it works instantly. I can authenticate and I get put in the role I have defined on the controller and radius server.

    Thanks,

    Josh Grzelakowski
    Network Engineer / Delta Network Services
    O: 248.409.0070 / C: 586.872.9017 / F: 248.409.2723 / E: josh.grzelakowski@delta-ns.com
    420 Enterprise Court Bloomfield Township, MI 48302
    www.delta-ns.com


  • 7.  RE: 802.1x with AP in bridge mode

    EMPLOYEE
    Posted Mar 03, 2014 09:31 AM

    @josh.grzelakowski@delta-ns.com wrote:
    Yes I do. As soon as I switch everything to normal trunk mode, it works instantly. I can authenticate and I get put in the role I have defined on the controller and radius server.

    Thanks,

    Do you mean normal tunnel mode?

    When in bridged mode, do you see the client authenticating in the logs on the controller? Have you set the switchport for the AP to be trunked, with the user-vlan tagged?



  • 8.  RE: 802.1x with AP in bridge mode

    Posted Mar 03, 2014 09:33 AM
    Yes I have untagged on a mgmt. vlan and tagged on the 2 user vlans.

    Thanks,

    Josh Grzelakowski
    Network Engineer / Delta Network Services
    O: 248.409.0070 / C: 586.872.9017 / F: 248.409.2723 / E: josh.grzelakowski@delta-ns.com
    420 Enterprise Court Bloomfield Township, MI 48302
    www.delta-ns.com