Wireless Access

Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Device not receiving proper role

  • 1.  Device not receiving proper role

    Posted Aug 24, 2017 10:27 AM

    Hello,

     

    We have some wireless printers that authenticate via MAC address but are not receiving the proper roles which I believe is causing them to constantly re-authenticate.  They have been added to the local-userdb and even if I attempt to manually add them with the proper role to the user-table, they still show as having a different role.

     

    Here is an example:

     

    7.18.3.40 00:02:78:21:ff:1b 00:02:78:21:FF:1B NASCA_Scanner 00:18:35 MAC US-MWN01-WAP007 Wireless gv-wlan-01/00:0b:86:0b:b0:a0/g gv-wlan-01-AAA
    7.18.3.47 00:02:78:21:ff:11 00:02:78:21:FF:11 NASCA_Scanner 21:00:02 MAC US-MWN01-WAP018 Wireless gv-wlan-01/00:0b:86:0b:9d:60/g gv-wlan-01-AAA
    7.18.3.67 00:1b:78:f7:2e:5a NASCA_Scanner_Logon 00:00:04 US-MWN01-WAP014 Wireless gv-wlan-01/00:0b:86:0b:a6:e0/g gv-wlan-01-AAA
    7.18.3.65 00:1b:78:f7:2e:7f NASCA_Scanner_Logon 00:00:03 US-MWN01-WAP018 Wireless gv-wlan-01/00:0b:86:0b:9d:60/g gv-wlan-01-AAA

     

    The first two devices have the proper role designation which is NASCA_Scanner.  The last two are not assigned the correct role which is the NASCA_Scanner_Logon.  Initially the devices land in the NASCA_Scanner_Logon role but should change to NASCA_Scanner after authentication.  All the other devices function correctly but there are about 5-6 that will not change the role association.  Nothing has changed from a configuration perspective aside from adding the devices to the local-userdb.

     

    Here is the AAA profile designated:

     

    aaa profile "gv-wlan-01-AAA"
    initial-role "NASCA_Scanner_Logon"
    authentication-mac "gv-wlan-01-MAC"
    mac-default-role "NASCA_Scanner_Logon"
    mac-server-group "internal"
    authentication-dot1x "gv-wlan-01-PSK"

     

    Here is the user-role for NASCA_Scanner_Logon:


    user-role NASCA_Scanner_Logon
    vlan 39
    session-acl gv-dhcp-acl

     

    Here is the user-role for NASCA_Scanner:

     

    user-role NASCA_Scanner
    vlan 39
    session-acl gv-dhcp-acl
    session-acl gv-dns-acl
    session-acl icmp-acl
    session-acl gv-citrix-NASCA-acl
    session-acl gv-citrix-NASCA-Farm-acl
    session-acl NASCA-Cirtix-Website
    session-acl gv-NASCA-Printing
    session-acl TEST-NASCA-LAPTOP
    session-acl allowall

     

    Thank you!

     

    Jason



  • 2.  RE: Device not receiving proper role
    Best Answer

    EMPLOYEE
    Posted Aug 24, 2017 10:33 AM

    The local user database is sensitive to case and delimiters.  I would double-check those.

     

    In addition, you need to disconnect a device in the client table in the GUI to get a fresh authentication if you make changes to the local user database.



  • 3.  RE: Device not receiving proper role

    Posted Aug 24, 2017 12:32 PM

    Thanks Colin!

     

    It was an issue with the password being lower case it seems.  Everything is now functioning as it should.  The majority of the devices worked right after the change since they hadn't associated with the controller yet and tried to authenticate.   One device I did have to disconnect through the GUI and allow it to re-authenticate.

     

    Jason
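
Added example, not part of the thread: an offline check for the mismatch discussed above, where a local-userdb entry differs from the string the controller presents only in case or delimiter. It assumes MAC authentication presents the same formatted MAC as both user name and password, and that the profile uses upper case with colons, as the working rows in the first post suggest; the entry tuples are constructed sample data, not controller output.

```python
import re


def format_mac(mac, delimiter=":", upper=True):
    """Render a MAC in the form the MAC-auth profile is assumed to send."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    digits = digits.upper() if upper else digits.lower()
    return delimiter.join(digits[i:i + 2] for i in range(0, 12, 2))


def audit(entries, delimiter=":", upper=True, expected_role="NASCA_Scanner"):
    """Return (entry name, field, expected value) for every field that
    would not match an exact, case-sensitive comparison."""
    findings = []
    for name, password, role in entries:
        try:
            want = format_mac(name, delimiter, upper)
        except ValueError:
            findings.append((name, "name", None))  # not a MAC at all
            continue
        # Assumption: user name and password are both the formatted MAC.
        for field, value in (("name", name), ("password", password)):
            if value != want:
                findings.append((name, field, want))
        if role != expected_role:
            findings.append((name, "role", expected_role))
    return findings


# Constructed sample entries: (name, password, role).
SAMPLE = [
    ("00:02:78:21:FF:1B", "00:02:78:21:FF:1B", "NASCA_Scanner"),  # matches
    ("00:1B:78:F7:2E:5A", "00:1b:78:f7:2e:5a", "NASCA_Scanner"),  # lower-case password
    ("00-1B-78-F7-2E-7F", "00-1B-78-F7-2E-7F", "NASCA_Scanner"),  # wrong delimiter
]

if __name__ == "__main__":
    for entry, field, want in audit(SAMPLE):
        print(f"{entry}: {field} should be {want}")
```

A device whose entry is corrected still needs a fresh authentication, as noted in the answer above, before the new role shows up.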