

Aruba 3400 Role Derivation

Hi all,


We have (1) Aruba 7210 - Master, (1) Aruba 3400 - Local1, and (1) Aruba 3400 - Local2


We want to authenticate users via 802.1x to Windows NPS. Everything is working on Local2, but not on the Master or Local1 for some users.


We want our users to log into their machines, and those credentials then get sent to Windows NPS for authentication.


What we are seeing is the following:

60:67:20:98:f2:de  SCHOOL\john        dot1x-user-default-role  00:03:02  8021x-User  MAIN-ITS.2-AP  Wireless  S-802dot1x/00:24:6c:2e:55:d9/a-HT  gs-dot1x-aaa  tunnel
00:23:14:b4:e5:e4  SCHOOL\george      gs_admin_staff           00:00:41  802.1x      MAIN-ITS.1-AP  Wireless  S-802dot1x/00:24:6c:2f:41:c1/g-HT  gs-dot1x-aaa  tunnel
00:24:d7:d4:4a:48  GEORGESCHOOL\adam  dot1x-user-default-role  00:03:17  8021x-User  MAIN-ITS.1-AP  Wireless  S-802dot1x/00:24:6c:2f:41:c9/a-HT  gs-dot1x-aaa  tunnel

The users are being given the default role of "dot1x-user-default-role" when AUTH TYPE is "802.1x-User" but they are given the correct role when AUTH TYPE is "802.1x".


What is the difference? Is there a reason one machine is doing it differently than others?


Also, here are the RADIUS debug logs:


Jun 27 11:50:37 :522044:  <INFO> |authmgr|  MAC=00:24:d7:d4:4a:48 Station authenticate(start): method=8021x-User, role=dot1x-user-default-role//s_admin_staff/logon, VLAN=54/54, Derivation=1/1, Value Pair=1, flags=0x2
Jun 27 11:50:37 :522016:  <INFO> |authmgr|  MAC=00:24:d7:d4:4a:48 IP=?? Derived role 'S_ADMIN_STAFF' from Aruba VSA
Jun 27 11:50:37 :522017:  <INFO> |authmgr|  MAC=00:24:d7:d4:4a:48 IP=?? Derived role 's_admin_staff' from server rules: server-group=s-auth-dot1x, authentication=8021x-User
Jun 27 11:50:37 :522127:  <DBUG> |authmgr|  {L2} Update role from dot1x-user-default-role to dot1x-user-default-role for IP=
Jun 27 11:50:37 :522049:  <INFO> |authmgr|  MAC=00:24:d7:d4:4a:48,IP=N/A User role updated, existing Role=dot1x-user-default-role/dot1x-user-default-role, new Role=dot1x-user-default-role/dot1x-user-default-role, reason=Station Authenticated with auth type: 11



Not sure why the two of their roles are not changing, while the other one is. I believe it's the auth type, but not sure.

Michael Haring
If my answer is helpful, a Kudos is always appreciated!

Re: Aruba 3400 Role Derivation

Those debug logs are from the local controller where the authentication problems are happening. Both locals should have the config from the master, but one works and the other is having issues. The master is also having these issues.

Michael Haring

Re: Aruba 3400 Role Derivation

The different roles are based on the fact that you have "enforce machine authentication" enabled in your dot1x profile.


The 802.1x-User entry is when the user authenticates successfully, but the computer did not.

The 802.1x-Computer entry would be for a computer that is online, not a user.

The 802.1x entry would be for a user that is logged into a device that has also passed machine authentication.

Systems Engineer, Northeast USA
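
A way to find affected stations in the authmgr debug output quoted in this thread, as an added example (not code from the posters or from Aruba): it pairs each "Derived role" message with the following "User role updated" message for the same MAC and reports stations whose applied role matches none of the derived roles. The function name, the second sample station and the case-insensitive role comparison are assumptions of this example; the message formats are taken from the log lines above.

```python
import re

# Message formats taken from the authmgr debug lines quoted in the thread.
MAC = r"MAC=(?P<mac>[0-9a-fA-F:]{17})"
START = re.compile(MAC + r" Station authenticate\(start\): method=(?P<method>[^,]+),")
DERIVED = re.compile(MAC + r" IP=\S+ Derived role '(?P<role>[^']+)' from (?P<src>Aruba VSA|server rules)")
UPDATED = re.compile(MAC + r",IP=\S+ User role updated, .*?new Role=(?P<new>[^/,\s]+)")

# Constructed sample: the first station mirrors the failing one in the thread,
# the second (made-up MAC and values) shows a derived role that was applied.
SAMPLE_LOG = """\
Jun 27 11:50:37 :522044:  <INFO> |authmgr|  MAC=00:24:d7:d4:4a:48 Station authenticate(start): method=8021x-User, role=dot1x-user-default-role//s_admin_staff/logon, VLAN=54/54, Derivation=1/1, Value Pair=1, flags=0x2
Jun 27 11:50:37 :522016:  <INFO> |authmgr|  MAC=00:24:d7:d4:4a:48 IP=?? Derived role 'S_ADMIN_STAFF' from Aruba VSA
Jun 27 11:50:37 :522017:  <INFO> |authmgr|  MAC=00:24:d7:d4:4a:48 IP=?? Derived role 's_admin_staff' from server rules: server-group=s-auth-dot1x, authentication=8021x-User
Jun 27 11:50:37 :522049:  <INFO> |authmgr|  MAC=00:24:d7:d4:4a:48,IP=N/A User role updated, existing Role=dot1x-user-default-role/dot1x-user-default-role, new Role=dot1x-user-default-role/dot1x-user-default-role, reason=Station Authenticated with auth type: 11
Jun 27 11:51:02 :522044:  <INFO> |authmgr|  MAC=02:00:00:00:00:01 Station authenticate(start): method=802.1x, role=logon//s_admin_staff/logon, VLAN=54/54, Derivation=1/1, Value Pair=1, flags=0x2
Jun 27 11:51:02 :522016:  <INFO> |authmgr|  MAC=02:00:00:00:00:01 IP=?? Derived role 'S_ADMIN_STAFF' from Aruba VSA
Jun 27 11:51:02 :522049:  <INFO> |authmgr|  MAC=02:00:00:00:00:01,IP=N/A User role updated, existing Role=logon/logon, new Role=s_admin_staff/s_admin_staff, reason=constructed-example
"""

def find_unapplied_roles(log_text):
    """Return stations whose applied role matches none of the roles derived for them."""
    sessions = {}   # mac -> {"method": str, "derived": {role_lowercase: source}}
    findings = []
    for line in log_text.splitlines():
        if m := START.search(line):
            sessions[m["mac"]] = {"method": m["method"], "derived": {}}
        elif m := DERIVED.search(line):
            s = sessions.setdefault(m["mac"], {"method": "unknown", "derived": {}})
            # Case-insensitive compare is this example's choice: the thread shows the
            # same role as 'S_ADMIN_STAFF' (VSA) and 's_admin_staff' (server rules).
            s["derived"][m["role"].lower()] = m["src"]
        elif m := UPDATED.search(line):
            s = sessions.pop(m["mac"], None)
            if s and s["derived"] and m["new"].lower() not in s["derived"]:
                findings.append({"mac": m["mac"], "method": s["method"],
                                 "derived": sorted(s["derived"]), "applied": m["new"]})
    return findings

if __name__ == "__main__":
    for f in find_unapplied_roles(SAMPLE_LOG):
        print(f"{f['mac']} method={f['method']} derived={f['derived']} applied={f['applied']}")
```

Stations reported with method 8021x-User are the ones to check for a missing machine authentication, per the explanation above.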

Re: Aruba 3400 Role Derivation

Thank you for your response. We were able to determine the machines have been online for 3 weeks + and may be failing machine auth because the cache is not present. We rebooted the laptops and the issue has been resolved.

Michael Haring