Hi,
I am configuring AOS8.4 on a test system before we migrate from 6.5. I have an AP running and broadcasting a dot1x SSID. When a client connects to the SSID I can see on the RADIUS server that authentication is successful (ACCEPT), but the client never moves from the initial denyall role into the 802.1x Authentication Default Role.
It's more than likely that when I ported the config across from the 6.5 system I have managed to miss something, but tracking down what that is is proving difficult.
It would be helpful to know in detail how this should be working - eg at exactly what point should the role change? As soon as the client authenticates? After the client has authenticated *and* got an IP address? (At the moment the client does not get an IP, though the controller appears to be assigning it the right VLAN, and L2 connectivity for that VLAN appears to be fine).
# show aaa debug role user mac b4:9c:df:2c:f8:dd
Role Derivation History
=======================
0: l2 role->logon, mac user created
1: l2 role->denyall, Set AAA profile defaults
MAC                Name  Role     Age(d:h:m)  Auth  AP name            Essid    Phy   Remote  Profile   User Type
---                ----  ----     ----------  ----  -------            -----    ---   ------  -------   ---------
84:10:0d:f3:71:04        denyall  00:00:00    No    c8:b5:ad:c6:d3:f0  testing  g-HT  No      test_aaa  WIRELESS
STA Table
---------
bssid              auth  assoc  aid  l-int  essid    vlan-id  tunnel-id
-----              ----  -----  ---  -----  -----    -------  ---------
c8:b5:ad:ed:3f:00  y     y      1    1      testing  1344     0x10010
State Hash Table
----------------
bssid              state       reason
-----              -----       ------
c8:b5:ad:ed:3f:00  auth-assoc  0
# show aaa state station 84:10:0d:f3:71:04
Association count = 1, User count = 0
essid: testing, bssid: c8:b5:ad:ed:3f:00 AP name/group: c8:b5:ad:c6:d3:f0/test_aps PHY: g, ingress=0x10010 (tunnel 16)
vlan default: 1344, current: 1344 vlan-how: 0
name: , role: denyall (default:denyall, cached:n/a, dot1x:n/a), role-how: 1, acl:101/0, age: 00:00:00
Authentication: No, status: not started, method: 4[802.1x], protocol: , server:
dot1xctx:1 sap:1
Flags: mba=0
AAA prof: eduroam_aaa, Auth dot1x prof: default, AAA mac prof: , def role: denyall
ncfg flags udr 0, mac 0, dot1x 1, RADIUS interim accounting 1
Born: 1558108472 (Fri May 17 16:54:32 2019)
This line: "role: denyall (default:denyall, cached:n/a, dot1x:n/a)" suggests there's no default dot1x role, but there is definitely one configured... unless this is to do with hierarchy and it being configured in the wrong place...
If anyone could help explain this it would be very useful, and some good troubleshooting commands to debug it would be great too.
Thanks
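An added example, not part of the post above and not ArubaOS code: a small Python parser for the two CLI outputs quoted in the post (the sample strings below are the page's own output, copied in as constructed test input) that pulls out the role, the AAA-profile default role, the dot1x-derived role, the authentication status and the user count, and summarises from those fields alone where the station stands. The field layouts are assumed to match the text exactly as posted; the output format may differ between ArubaOS versions, and nothing here infers a root cause beyond what the fields state.

```python
import re

# Constructed sample input: the two CLI outputs quoted in the post, copied here
# so the parser runs offline. Values are the ones visible on the page.
SAMPLE_HISTORY = """\
Role Derivation History
=======================
0: l2 role->logon, mac user created
1: l2 role->denyall, Set AAA profile defaults
"""

SAMPLE_STATE = """\
Association count = 1, User count = 0
essid: testing, bssid: c8:b5:ad:ed:3f:00 AP name/group: c8:b5:ad:c6:d3:f0/test_aps PHY: g, ingress=0x10010 (tunnel 16)
vlan default: 1344, current: 1344 vlan-how: 0
name: , role: denyall (default:denyall, cached:n/a, dot1x:n/a), role-how: 1, acl:101/0, age: 00:00:00
Authentication: No, status: not started, method: 4[802.1x], protocol: , server:
dot1xctx:1 sap:1
Flags: mba=0
AAA prof: eduroam_aaa, Auth dot1x prof: default, AAA mac prof: , def role: denyall
ncfg flags udr 0, mac 0, dot1x 1, RADIUS interim accounting 1
Born: 1558108472 (Fri May 17 16:54:32 2019
)
"""


def parse_history(text):
    """Return [(index, role, reason), ...] from a 'Role Derivation History' block."""
    entries = []
    for m in re.finditer(r"^(\d+): l2 role->([^,]+), (.*)$", text, re.M):
        entries.append((int(m.group(1)), m.group(2), m.group(3).strip()))
    return entries


def parse_state(text):
    """Extract the role- and auth-related fields from 'show aaa state station' output."""
    f = {}
    m = re.search(r"Association count = (\d+), User count = (\d+)", text)
    if m:
        f["assoc_count"], f["user_count"] = int(m.group(1)), int(m.group(2))
    # "role: denyall (default:denyall, cached:n/a, dot1x:n/a)"
    m = re.search(r"role: (\S+) \(default:([^,]+), cached:([^,]+), dot1x:([^)]+)\)", text)
    if m:
        f["role"], f["def_role"], f["cached_role"], f["dot1x_role"] = m.groups()
    # "Authentication: No, status: not started, method: 4[802.1x], protocol: , server:"
    m = re.search(r"Authentication: (\w+), status: ([^,]+), method: ([^,]+), "
                  r"protocol: ([^,]*), server:[ \t]*(.*)", text)
    if m:
        f["auth"], f["status"], f["method"] = m.group(1), m.group(2).strip(), m.group(3).strip()
        f["protocol"], f["server"] = m.group(4).strip(), m.group(5).strip()
    # "AAA prof: eduroam_aaa, Auth dot1x prof: default, AAA mac prof: , def role: denyall"
    m = re.search(r"AAA prof: ([^,]*), Auth dot1x prof: ([^,]*), AAA mac prof: ([^,]*), "
                  r"def role: (\S+)", text)
    if m:
        f["aaa_prof"], f["dot1x_prof"], f["mac_prof"] = (g.strip() for g in m.groups()[:3])
        f["profile_def_role"] = m.group(4)
    m = re.search(r"vlan default: (\d+), current: (\d+)", text)
    if m:
        f["vlan_default"], f["vlan_current"] = int(m.group(1)), int(m.group(2))
    return f


def is_authenticated(f):
    """True once the controller records a completed authentication and a user entry."""
    return f.get("auth") == "Yes" and f.get("user_count", 0) > 0


def diagnose(f, history):
    """Describe, from the parsed fields only, why the station is still in its current role."""
    findings = []
    if f.get("user_count") == 0:
        findings.append("User count = 0: the station is associated but has no user entry on the controller")
    if f.get("auth") == "No":
        findings.append(f"Authentication: No, status '{f.get('status')}': "
                        f"{f.get('method')} has not completed on the controller")
    if f.get("dot1x_role") == "n/a":
        findings.append("dot1x role n/a: no 802.1X-derived role has been recorded for this station")
    if f.get("role") and f.get("role") == f.get("def_role"):
        last = history[-1] if history else None
        why = f" (last derivation step: {last[2]})" if last else ""
        findings.append(f"role {f['role']} is still the AAA profile default role{why}")
    return findings


if __name__ == "__main__":
    state = parse_state(SAMPLE_STATE)
    hist = parse_history(SAMPLE_HISTORY)
    print("authenticated:", is_authenticated(state))
    for line in diagnose(state, hist):
        print("-", line)
```

Run against the posted output it reports the station as not authenticated with four findings: no user entry, 802.1X not started, no dot1x role recorded, and the role still equal to the profile default as set by the last derivation step. Pasting the same two outputs after a configuration change and re-running gives a quick before/after comparison of which of those fields actually moved.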