Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Problem 802.1x auth wired user-Controller7010-ClearPass

  • 1.  Problem 802.1x auth wired user-Controller7010-ClearPass

    Posted Jan 19, 2018 05:10 AM

    Hello all!

    We have successful experience with wireless user 802.1x auth (mob. controller - ClearPass).

    But wired user 802.1x auth with the same aaa profile as wireless doesn't work... And with a new aaa profile (802.1x) it doesn't work either...

    Wired user get "auth server not respond".


    MAC auth for the wired user with the internal DB works well too.


    Config for the wired user in VLAN40 is this way:


    interface gigabitethernet 0/0/0
    description "GE0/0/0"
    trusted
    trusted vlan 1-39,41-4094
    switchport mode trunk
    switchport trunk allowed vlan 1,10,20,30,40,50,60,100

    vlan 40 wired aaa-profile "aaa profile"   *same as wireless or another

    ******************************************************
    Wired user gets into the aaa profile and obtains the initial role (from the aaa profile), but on ClearPass there are no auth attempts. Wireless user using the same aaa profile - all works well.
    Wireless and wired users are in the same VLAN (vlan40). They have the same network parameters.

    Does the controller support 802.1x auth with external servers?
    What else should I set up for the wired user?
    Thanks!



  • 2.  RE: Problem 802.1x auth wired user-Controller7010-ClearPass

    EMPLOYEE
    Posted Jan 19, 2018 05:24 AM

    You should look in the access tracker to see if there is a service classification error.  



  • 3.  RE: Problem 802.1x auth wired user-Controller7010-ClearPass

    Posted Jan 19, 2018 05:48 AM

    There are no entries about the wired user in Access Tracker on CPPM.
    AT has only wireless entries.


    user-debug on the controller ends with these lines:


    Jan 18 15:23:48 :522026: <3894> <INFO> |authmgr| MAC=48:65:ee:13:95:86 IP=192.168.40.8 User miss: ingress=0x2100, VLAN=40 flags=0x40000040
    Jan 18 15:23:48 :522122: <3894> <DBUG> |authmgr| Reset BWM contract: IP=0.0.0.0 role=employers, contract= (0/0), type=Per role.
    Jan 18 15:23:48 :522125: <3894> <DBUG> |authmgr| Could not create/find bandwidth-contract for user, return code (-11).
    Jan 18 15:23:48 :522122: <3894> <DBUG> |authmgr| Reset BWM contract: IP=0.0.0.0 role=employers, contract= (0/0), type=Per role.
    Jan 18 15:23:48 :522125: <3894> <DBUG> |authmgr| Could not create/find bandwidth-contract for user, return code (-11).
    Jan 18 15:23:48 :522006: <3894> <INFO> |authmgr| MAC=48:65:ee:13:95:86 IP=192.168.40.8 User entry added: reason=Sibtye
    Jan 18 15:23:48 :522270: <3894> <DBUG> |authmgr| During User miss marking the user 48:65:ee:13:95:86 with ingress 0x2100, connection-type 5 as wired, muxtunnel = no
    Jan 18 15:23:48 :522169: <3894> <DBUG> |authmgr| Station inherit: IP=192.168.40.8 start bssid:01:80:c2:00:00:03 essid: port:0x0x2100 (0x0x2100).
    Jan 18 15:23:48 :522322: <3894> <DBUG> |authmgr| Client 48:65:ee:13:95:86 idle timeout 300 profile global
    Jan 18 15:23:48 :522171: <3894> <DBUG> |authmgr| station inherit IP=192.168.40.8 bssid:01:80:c2:00:00:03 essid: auth:0 type: role:employers port:0x0x2100.
    Jan 18 15:23:48 :522322: <3894> <DBUG> |authmgr| Client 48:65:ee:13:95:86 idle timeout 300 profile global
    Jan 18 15:23:48 :522128: <3894> <DBUG> |authmgr| download-L2: acl=93/0 role=employers, tunl=0x0x2100, PA=0, HA=1, RO=0, VPN=0 L3MOB=0.
    Jan 18 15:23:48 :522050: <3894> <INFO> |authmgr| MAC=48:65:ee:13:95:86,IP=192.168.40.8 User data downloaded to datapath, new Role=employers/93, bw Contract=0/0, reason=New user IP processing, idle-timeout=300
    Jan 18 15:23:48 :522301: <3894> <DBUG> |authmgr| Auth GSM : USER publish for uuid 0x9827f914f7dc021b mac 48:65:ee:13:95:86 name role employers devtype OS X wired 1 authtype 0 subtype 0 encrypt-type 0 conn-port 8448 fwd-mode 0
    Jan 18 15:23:48 :527004: <4119> <INFO> |mdns| mdns_parse_auth_useradd_message 226 Auth User ADD: MAC:48:65:ee:13:95:86, IP:192.168.40.8, VLAN:40, Role:employers Name: APName:0/0/0 Type:2. Groups:
    Jan 18 15:23:48 :527000: <4119> <DBUG> |mdns| mdns_client_create 228 MDNS Client created - ip:192.168.40.8 mac:48:65:ee:13:95:86. AP-name: 0/0/0
    Jan 18 15:23:48 :527000: <4119> <DBUG> |mdns| mdns_auth_userinfo_req_message 345 mac(48:65:ee:13:95:86), ip(192.168.40.8)
    Jan 18 15:23:48 :527000: <4119> <DBUG> |mdns| mdns_parse_userinfo 376 UserInfo resp=2 ip=192.168.40.8, mac=48:65:ee:13:95:86, apname=0/0/0, role=employers, username=, vlan=40
    Jan 18 15:23:48 :527000: <4119> <DBUG> |mdns| ag_mdns_get_token_list_for_mac 665 AirGroup user exists but token_list does not: mac=48:65:ee:13:95:86
    Jan 18 15:23:48 :527000: <4119> <DBUG> |mdns| ag_ssdp_get_token_list_for_mac 364 AirGroup user exists but ssdp_token_list does not: mac=48:65:ee:13:95:86
    Jan 18 15:23:48 :527000: <4119> <DBUG> |mdns| mdns_client_update 399 MDNS Client exists - flag untrusted-wired ap_name 0/0/0 client role - employers
    Jan 18 15:23:48 :527000: <4119> <DBUG> |mdns| mdns_parse_auth_userinfo_resp_message 401 UserInfo response completed for ip=192.168.40.8 mac=48:65:ee:13:95:86



  • 4.  RE: Problem 802.1x auth wired user-Controller7010-ClearPass

    EMPLOYEE
    Posted Jan 19, 2018 05:58 AM

    Is the wired device plugged directly into a wired port of the controller?  Unless the wired device is plugged directly into the controller wired port,  the 802.1x (eapol) packet will not make it to the controller.  EAPOL is link local and the first switch that encounters an eapol frame either has to handle it, or drop it.
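    As an added illustration (not code from this thread, from HPE Aruba, or from ClearPass), the following Python reads the authmgr lines quoted in reply 3 and applies the EAPOL point made above: it flags a wired client that the controller admitted by "User miss" with no authentication type, and checks whether the address it inherited lies in the IEEE 802.1D bridge-reserved range that a switch which is not itself the authenticator does not forward. Reading authtype 0 as "no authentication" is an assumption; the sample lines are copied from the thread.

```python
import re

# Sample input: three authmgr lines from the user-debug output quoted in the thread.
SAMPLE_LOG = """\
Jan 18 15:23:48 :522026: <3894> <INFO> |authmgr| MAC=48:65:ee:13:95:86 IP=192.168.40.8 User miss: ingress=0x2100, VLAN=40 flags=0x40000040
Jan 18 15:23:48 :522169: <3894> <DBUG> |authmgr| Station inherit: IP=192.168.40.8 start bssid:01:80:c2:00:00:03 essid: port:0x0x2100 (0x0x2100).
Jan 18 15:23:48 :522301: <3894> <DBUG> |authmgr| Auth GSM : USER publish for uuid 0x9827f914f7dc021b mac 48:65:ee:13:95:86 name role employers devtype OS X wired 1 authtype 0 subtype 0 encrypt-type 0 conn-port 8448 fwd-mode 0
"""

def is_bridge_reserved(mac: str) -> bool:
    # IEEE 802.1D reserves 01:80:c2:00:00:00 .. :0f and a conforming bridge does not forward
    # them; EAPOL uses 01:80:c2:00:00:03 (PAE group address), so it stops at the first switch.
    o = [int(x, 16) for x in mac.split(":")]
    return o[:5] == [0x01, 0x80, 0xC2, 0x00, 0x00] and o[5] <= 0x0F

def parse_authmgr(log: str) -> dict:
    # Per client MAC: learned via "User miss" (traffic seen with no auth state)?
    # which bssid/port did it inherit? what authtype was it published with?
    clients, ip_to_mac = {}, {}
    for line in log.splitlines():
        m = re.search(r"MAC=([0-9a-f:]{17}) IP=(\S+) User miss", line)
        if m:
            ip_to_mac[m.group(2)] = m.group(1)
            clients.setdefault(m.group(1), {})["user_miss"] = True
        m = re.search(r"Station inherit: IP=(\S+) start bssid:([0-9a-f:]{17})", line)
        if m and m.group(1) in ip_to_mac:
            clients.setdefault(ip_to_mac[m.group(1)], {})["bssid"] = m.group(2)
        m = re.search(r"USER publish .* mac ([0-9a-f:]{17}) .* wired (\d) authtype (\d+)", line)
        if m:
            clients.setdefault(m.group(1), {}).update(
                wired=m.group(2) == "1", authtype=int(m.group(3)))
    return clients

def diagnose(log: str) -> list:
    # Flag wired clients admitted with no authentication recorded (authtype 0 is assumed
    # to mean "none"): the controller assigned the initial role without ever seeing
    # EAPOL, which is why ClearPass shows no request in Access Tracker.
    findings = []
    for mac, info in parse_authmgr(log).items():
        if info.get("wired") and info.get("user_miss") and info.get("authtype") == 0:
            note = f"{mac}: wired, admitted by User miss, authtype 0 (no 802.1X seen)"
            bssid = info.get("bssid")
            if bssid and is_bridge_reserved(bssid):
                note += f"; inherited {bssid} is the bridge-reserved EAPOL PAE address"
            findings.append(note)
    return findings

if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG):
        print(finding)
```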



  • 5.  RE: Problem 802.1x auth wired user-Controller7010-ClearPass

    Posted Jan 19, 2018 06:14 AM

    Wired device is not plugged directly into the controller. It is plugged into an HP-2530-48 switch.
    Do I need to set up 802.1x eapol support on the switch?



  • 6.  RE: Problem 802.1x auth wired user-Controller7010-ClearPass
    Best Answer

    EMPLOYEE
    Posted Jan 19, 2018 06:31 AM

    Yes, and point it at ClearPass.  The HP switch is dropping your 802.1x packets if it is not configured.



  • 7.  RE: Problem 802.1x auth wired user-Controller7010-ClearPass

    Posted Jan 19, 2018 06:51 AM


    In this way, will 802.1x work without a controller? Directly between the switch and CPPM?


    Is it possible to configure the switch so that it simply does not cut 802.1x packets, and everything works through the controller for wired as well?



  • 8.  RE: Problem 802.1x auth wired user-Controller7010-ClearPass

    EMPLOYEE
    Posted Jan 19, 2018 07:30 AM

    If you configure 802.1x on the HP switch, it does not require the controller.


    I don't know if there is a way for the HP switch to pass on the 802.1x authentication to the controller... There is something called stateful 802.1x where the Aruba Controller can "see" a 802.1x authentication at the HP switchport and assign a role to a client once it sees a positive radius authentication. You would still have to configure 802.1x on the HP switch, however...



  • 9.  RE: Problem 802.1x auth wired user-Controller7010-ClearPass

    Posted Jan 19, 2018 07:36 AM

    Thank you very much, Colin Joseph!