Wireless Access

Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.
Guest access on RAP5 being allowed fully internal access

  • 1.  Guest access on RAP5 being allowed fully internal access

    Posted Feb 17, 2012 01:38 PM

    Hi all -

    I know this is just a configuration issue - but I can't seem to find the right fix. I have 4 networks that I publish on the RAP5: internal, guest, tv and mac (messy I know - but it's the only way I've been able to make all of them work right).

    So here's my problem - when I have a non-corporate device that hooks to the internal network at the main office, it gets sent to the guest network automatically, giving that phone, iPad, Kindle or whatever internet access, but no internal access.

    Currently at a remote office when this happens the device is thrown into the rpsplittunnel profile and unfortunately given full internal access.

    So I'm at a loss here - I have attempted to sanitize my config and am putting it here - please don't hurt yourself laughing at it - I know it's a mess. :)

    Lirria

    Attachment(s)

    arubaclean.docx (docx, 20 KB, 1 version)


  • 2.  RE: Guest access on RAP5 being allowed fully internal access

    EMPLOYEE
    Posted Feb 17, 2012 02:00 PM

    What role does that client end up in when it connects to your network?

    Type "show rights <that role>"

    Paste the output into here.



  • 3.  RE: Guest access on RAP5 being allowed fully internal access

    Posted Feb 17, 2012 02:05 PM

    RAP-Split-Tunneling
    -------------------
    Priority  Source  Destination      Service   Action         TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
    --------  ------  -----------      -------   ------         ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
    1         any     any              svc-dhcp  permit                                  Low                           Yes                             4
    2         any     any              svc-dns   permit                                  Low                                                           4
    3         any     Corp-Network  any       permit                                  Low                           Yes                             4
    4         any     any              any       route src-nat                           Low                           Yes                             4

    And I know it's the "any Corp-Network" rule that is causing the issue - I just have to get the silly systems to stop connecting as RAPSplitTunneling....

    :)

    Lirria



  • 4.  RE: Guest access on RAP5 being allowed fully internal access

    Posted Feb 17, 2012 05:00 PM

    Is 'RAP-Split-Tunneling' the role that you expect the authenticated user to be placed into for the Internal SSID? Look at the AAA profile for that Virtual AP.

    You said this isn't working for non-corporate devices. Assuming it is working for corporate devices, what roles are the corporate devices being placed into?



  • 5.  RE: Guest access on RAP5 being allowed fully internal access

    Posted Feb 17, 2012 05:40 PM

    RAP

    Corporate devices on the RAP are being placed into the RAPSplitTunneling role.

    Non-corporate devices on the RAP are being placed into the RAPSplitTunneling role.

    APs

    Corporate devices on the APs are being placed into the authenticated role.

    Non-corporate devices on the RAP are being placed into the GuestAccess role.

    In theory - the RAPSplitTunneling role should = authenticated - but route internet traffic through their local ISP, not back through the VPN tunnel home.

    I'm sure it's just something I'm overlooking in the configuration - I'm just too close to the problem to see it.

    Lirria



  • 6.  RE: Guest access on RAP5 being allowed fully internal access
    Best Answer

    EMPLOYEE
    Posted Feb 17, 2012 08:03 PM

    To connect to a WLAN, devices use an AAA profile which specifies a default 802.1x role, which is what clients get by default when they connect via 802.1x. In that AAA profile there is an 802.1x profile which, if "Enforce Machine Authentication" is enabled, will allow you to place domain devices in one role and other devices that attach in another role.

    To make a long story short, you are probably using "Enforce Machine Authentication" on your regular WLAN and on your RAP WLAN you are not. To find out:

    On the command line, type "show user-table verbose" and find a user on a RAP. The "profile" column indicates the AAA profile of that user. In the GUI, go to Configuration > Security > Authentication. Under AAA profile, find the profile that you saw in the step above and click on the name of that profile. In the right pane, you should see the 802.1x profile attached to that AAA profile. Find that 802.1x profile by clicking on the Layer-2 Authentication tab > 802.1x Profile and look for that 802.1x profile you saw before. Click on the profile and see if "Enforce Machine Authentication" is checked. If not, that is why you have your issue at your remote site.


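Posts 3 and 6 together describe how the exposure arises: a role whose ACL permits traffic to the corporate network (the "show rights" table in post 3), handed out by an AAA profile whose 802.1x profile does not enforce machine authentication, so a user-only authentication lands in that role. The script below is an added audit example and is not code from this thread or from HPE Aruba Networking. It parses the "show rights" table format exactly as pasted in post 3 (reproduced as constructed sample input), evaluates first-match for a flow to the corporate alias, and cross-checks which AAA profiles would give that role to a client that passed only user 802.1x. The GuestAccess table, the profile names, and the dictionary fields (dot1x_profile, default_dot1x_role, enforce_machine_auth, machine_auth_user_role) are assumptions chosen to model the thread, not controller output or CLI syntax.

```python
"""Audit: which AAA profiles let a user-only 802.1x client reach the corporate
network? Parses ArubaOS 'show rights <role>' output and models the AAA profile
to 802.1x profile to role selection described in the thread."""
import re

# Constructed sample: the RAP-Split-Tunneling table as pasted in post 3.
SHOW_RIGHTS_RAP = """\
RAP-Split-Tunneling
-------------------
Priority  Source  Destination      Service   Action         TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
--------  ------  -----------      -------   ------         ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
1         any     any              svc-dhcp  permit                                  Low                           Yes                             4
2         any     any              svc-dns   permit                                  Low                           Yes                             4
3         any     Corp-Network  any       permit                                  Low                           Yes                             4
4         any     any              any       route src-nat                           Low                           Yes                             4
"""

# Constructed sample (assumption: the thread never pastes the GuestAccess table).
SHOW_RIGHTS_GUEST = """\
GuestAccess
-----------
Priority  Source  Destination  Service   Action         Queue  IPv4/6
--------  ------  -----------  -------   ------         -----  ------
1         any     any          svc-dhcp  permit         Low    4
2         any     any          svc-dns   permit         Low    4
3         any     Corp-Network  any      deny           Low    4
4         any     any          any       route src-nat  Low    4
"""


def parse_show_rights(text):
    """Return (role_name, rules). Each rule keeps the five leading columns;
    columns are separated by two or more spaces, which also keeps the
    two-word action 'route src-nat' intact. Trailing flag columns are
    positional in the real output and are not interpreted here."""
    lines = [l.rstrip() for l in text.splitlines() if l.strip()]
    role = lines[0].strip()
    rules = []
    for line in lines[1:]:
        fields = re.split(r"\s{2,}", line.strip())
        if not fields[0].isdigit() or len(fields) < 5:
            continue  # title, header or dashed separator line
        prio, src, dst, svc, action = fields[:5]
        rules.append({"priority": int(prio), "source": src, "destination": dst,
                      "service": svc, "action": action})
    return role, rules


def reaches_internal(rules, alias):
    """First-match evaluation for a flow to `alias` on an arbitrary service.
    Service-specific rules (svc-dhcp, svc-dns, ...) cannot match such a flow,
    so only 'any'-service rules are candidates. Returns the deciding rule, or
    None when the role's implicit deny applies."""
    for r in sorted(rules, key=lambda r: r["priority"]):
        if r["service"] != "any":
            continue
        if r["destination"] in (alias, "any"):
            return r
    return None


# Constructed profile data (assumption: field names are illustrative). With
# enforce_machine_auth set, a device that passes only user 802.1x is placed in
# machine_auth_user_role rather than the AAA profile's default 802.1x role.
DOT1X_PROFILES = {
    "corp-dot1x": {"enforce_machine_auth": True, "machine_auth_user_role": "GuestAccess"},
}
AAA_PROFILES = {
    "Corp-AAA": {"dot1x_profile": "corp-dot1x", "default_dot1x_role": "authenticated"},
    "RAP-AAA": {"dot1x_profile": None, "default_dot1x_role": "RAP-Split-Tunneling"},
}
ROLE_TABLES = dict(parse_show_rights(t) for t in (SHOW_RIGHTS_RAP, SHOW_RIGHTS_GUEST))


def role_for_user_only_auth(aaa, dot1x_profiles):
    """Role a non-domain device gets after passing user 802.1x only."""
    prof = dot1x_profiles.get(aaa["dot1x_profile"]) if aaa["dot1x_profile"] else None
    if prof and prof["enforce_machine_auth"]:
        return prof["machine_auth_user_role"]
    return aaa["default_dot1x_role"]


def audit(aaa_profiles, dot1x_profiles, role_tables, alias="Corp-Network"):
    """(aaa profile, effective role, permitting rule priority) for every AAA
    profile whose user-only role lets traffic reach `alias`."""
    findings = []
    for name, aaa in aaa_profiles.items():
        role = role_for_user_only_auth(aaa, dot1x_profiles)
        rule = reaches_internal(role_tables.get(role, []), alias)
        if rule and rule["action"].startswith("permit"):
            findings.append((name, role, rule["priority"]))
    return findings


if __name__ == "__main__":
    for name, role, prio in audit(AAA_PROFILES, DOT1X_PROFILES, ROLE_TABLES):
        print(f"{name}: user-only 802.1x lands in '{role}'; rule {prio} permits Corp-Network")
```

Run as-is, the audit reports only RAP-AAA, because its AAA profile has no 802.1x profile attached and so every successful 802.1x client receives the default role RAP-Split-Tunneling, whose rule 3 permits traffic to Corp-Network; Corp-AAA is clean because enforce_machine_auth diverts user-only clients to GuestAccess, where the corresponding rule is a deny. The same parser can be pointed at pasted output for every role on a controller to find other roles with a broad permit before anyone is placed in them.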

  • 7.  RE: Guest access on RAP5 being allowed fully internal access

    Posted Feb 21, 2012 04:00 PM

    Hmm ok - I think that's kinda the issue - it doesn't actually have an 802.1x authentication profile associated with it (when you go to AAA profiles, click on the profile to expand it, click on the 802.1x authentication profile and look on the right side) the field at the top for 802.1x Authentication Profile is N/A, but on all my others they have the correct name - so here goes nothing - I changed it....

    We'll see what breaks...

    Lirria



  • 8.  RE: Guest access on RAP5 being allowed fully internal access

    Posted Feb 21, 2012 04:04 PM

    Well isn't that just lovely - I can't change it..... (it does have Enforce Machine Auth checked however) I just can't change the drop down at the top.

    Lirria



  • 9.  RE: Guest access on RAP5 being allowed fully internal access
    Best Answer

    Posted Feb 21, 2012 04:18 PM

    Ok - that was weird - it removed the profile completely - not sure what happened there - I have added the RAP profile that should be there and am waiting for it to be sent out to the RAPs -

    thank you!

    Lirria



  • 10.  RE: Guest access on RAP5 being allowed fully internal access

    Posted Feb 22, 2012 04:43 PM

    cjoseph, as always you are a big help - that did fix the issue and it's all working now as expected.

    thank you!

    Lirria