Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Server rule derivation - set vlan not working

  • 1.  Server rule derivation - set vlan not working

    Posted Jul 02, 2013 04:54 AM

    I've setup vlan derivation using server rules.

     

    My NPS is configured to pass the filter-id Sales when the client is in the sales user group.

    I can see the filter-id sales in a wireshark sniff I took on the controller, so the NPS seems to be working correctly.

     

    However, the users are not placed in this VLAN and remain in VLAN 1.

     

    The filter rules are pretty straightforward:

        #  Attribute  Operation  Operand     Type    Action    Value  Enabled
        1  Filter-Id  equals     Sales       String  set vlan  105    Yes
        2  Filter-Id  equals     Operations  String  set vlan  1      Yes

     

    I've also tried "contains" instead of "equals", but it just does not seem to work.

     

    Any thoughts?



  • 2.  RE: Server rule derivation - set vlan not working

    EMPLOYEE
    Posted Jul 02, 2013 05:34 AM

    It is case sensitive, so make sure you are sending it back correctly.

     

    Turn on debugging to see what is being sent back:

     

    config t
    logging level debugging security process authmgr
    logging level debugging security subcat aaa

    show log security 50

     

     



  • 3.  RE: Server rule derivation - set vlan not working

    Posted Jul 02, 2013 05:51 AM

    I forced a client to disconnect, then ran:

    show log security 50

    Jul 2 11:49:51 :121031: <DBUG> |authmgr| |aaa| [rc_sequence.c:111] seq_num_timeout_handler: Freed 0 entries
    Jul 2 11:49:57 :124230: <DBUG> |authmgr| Rx message 14001/5221, length 231 from 127.0.0.1:8235
    Jul 2 11:49:57 :124172: <DBUG> |authmgr| Show user rows between 1 and 101.
    Jul 2 11:49:59 :124230: <DBUG> |authmgr| Rx message 14001/5221, length 234 from 127.0.0.1:8235
    Jul 2 11:49:59 :124162: <DBUG> |authmgr| Enforcing L2 check for mac 00:1e:65:73:36:ba.
    Jul 2 11:49:59 :124163: <DBUG> |authmgr| download-L3: ip=192.168.100.121 acl=55/0 role=authenticated, Ubwm=0, Dbwm=0 tunl=0x0x10018, PA=0, HA=1, RO=0, VPN=0, MAC=00:1e:65:73:36:ba.
    Jul 2 11:49:59 :124234: <DBUG> |authmgr| Tx message to Sibyte, blocking with ack, Opcode = 164, msglen = 396 3 user messages bundled, actions = 17, 18, 20
    Jul 2 11:49:59 :124105: <DBUG> |authmgr| MM: mac=00:1e:65:73:36:ba, state=3, name=DATAUNIT\edemeestere, role=authenticated, dev_type=Win 7, ipv4=192.168.100.121, ipv6=0.0.0.0, new_rec=1.
    Jul 2 11:49:59 :124004: <DBUG> |authmgr| AUTH GSM: USER uuid(0x14), mac(00:1e:65:73:36:ba), name(DATAUNIT\edemeestere), role(authenticated), devtype(Win 7), wired(0), auth_type(11), auth_subtype(0), encrypt_type(10), conn_port(4)
    Jul 2 11:49:59 :124004: <DBUG> |authmgr| AUTH GSM: user_ip_address(192.168.100.121), uuid(0x14)
    Jul 2 11:49:59 :124105: <DBUG> |authmgr| MM: mac=00:1e:65:73:36:ba, state=3, name=DATAUNIT\edemeestere, role=authenticated, dev_type=Win 7, ipv4=192.168.100.121, ipv6=0.0.0.0, new_rec=0.
    Jul 2 11:49:59 :124004: <DBUG> |authmgr| AUTH GSM: USER uuid(0x14), mac(00:1e:65:73:36:ba), name(DATAUNIT\edemeestere), role(authenticated), devtype(Win 7), wired(0), auth_type(11), auth_subtype(0), encrypt_type(10), conn_port(4)
    Jul 2 11:49:59 :124004: <DBUG> |authmgr| AUTH GSM: user_ip_address(192.168.100.121), uuid(0x14)
    Jul 2 11:49:59 :124234: <DBUG> |authmgr| Tx message to Sibyte, blocking with ack, Opcode = 17, msglen = 204 action = 5
    Jul 2 11:49:59 :124004: <DBUG> |authmgr| AUTH GSM: chan sta : DEL 00:1e:65:73:36:ba ageout 0
    Jul 2 11:49:59 :124004: <DBUG> |authmgr| vlan_alloc_update (vlan_alloc.c:140): Vlan Alloc usage ; usage=10 vlan 1
    Jul 2 11:49:59 :124004: <DBUG> |authmgr| AUTH GSM: DELETE MAC user 00:1e:65:73:36:ba
    Jul 2 11:49:59 :124230: <DBUG> |authmgr| Rx message 14001/5221, length 231 from 127.0.0.1:8235
    Jul 2 11:49:59 :124172: <DBUG> |authmgr| Show user rows between 1 and 101.
    Jul 2 11:50:01 :121031: <DBUG> |authmgr| |aaa| [rc_sequence.c:111] seq_num_timeout_handler: Freed 0 entries
    Jul 2 11:50:02 :124004: <DBUG> |authmgr| AUTH GSM: ADD STA channel event:0 for mac:00:1e:65:73:36:ba
    Jul 2 11:50:02 :124103: <DBUG> |authmgr| Setting user 00:1e:65:73:36:ba aaa profile to DU_Wireless8021x-aaa_prof, reason: ncfg_get_wireless_aaa_prof.
    Jul 2 11:50:02 :124103: <DBUG> |authmgr| Setting user 00:1e:65:73:36:ba aaa profile to DU_Wireless8021x-aaa_prof, reason: ncfg_set_aaa_profile_defaults.
    Jul 2 11:50:02 :124209: <DBUG> |authmgr| handle_sta_up_dn:2623 Updating vlan usage for MAC=00:1e:65:73:36:ba with vlan 1 apname DU-AP_Sales
    Jul 2 11:50:02 :124004: <DBUG> |authmgr| vlan_alloc_update (vlan_alloc.c:136): Vlan Alloc usage ; usage=9 vlan 1
    Jul 2 11:50:02 :124004: <DBUG> |authmgr| AUTH GSM PUBLISH MAC user: BSS:24:de:c6:ca:57:49 MAC:00:1e:65:73:36:ba VLAN:1 wired_or_wifi:1 data-ready:0
    Jul 2 11:50:02 :124234: <DBUG> |authmgr| Tx message to Sibyte, blocking with ack, Opcode = 164, msglen = 204 1 user messages bundled, actions = 17
    Jul 2 11:50:02 :124105: <DBUG> |authmgr| MM: mac=00:1e:65:73:36:ba, state=3, name=DATAUNIT\edemeestere, role=authenticated, dev_type=Win 7, ipv4=0.0.0.0, ipv6=0.0.0.0, new_rec=1.
    Jul 2 11:50:02 :124004: <DBUG> |authmgr| AUTH GSM: USER uuid(0x14), mac(00:1e:65:73:36:ba), name(DATAUNIT\edemeestere), role(authenticated), devtype(Win 7), wired(0), auth_type(11), auth_subtype(0), encrypt_type(10), conn_port(4)
    Jul 2 11:50:02 :124105: <DBUG> |authmgr| MM: mac=00:1e:65:73:36:ba, state=3, name=DATAUNIT\edemeestere, role=authenticated, dev_type=Win 7, ipv4=0.0.0.0, ipv6=0.0.0.0, new_rec=0.
    Jul 2 11:50:02 :124004: <DBUG> |authmgr| AUTH GSM: USER uuid(0x14), mac(00:1e:65:73:36:ba), name(DATAUNIT\edemeestere), role(authenticated), devtype(Win 7), wired(0), auth_type(11), auth_subtype(0), encrypt_type(10), conn_port(4)
    Jul 2 11:50:02 :133019: <ERRS> |localdb| User 00:1e:65:73:36:ba was not found in the database
    Jul 2 11:50:02 :133006: <ERRS> |localdb| User 00:1e:65:73:36:ba Failed Authentication
    Jul 2 11:50:02 :124105: <DBUG> |authmgr| MM: mac=00:1e:65:73:36:ba, state=3, name=DATAUNIT\edemeestere, role=authenticated, dev_type=Win 7, ipv4=0.0.0.0, ipv6=0.0.0.0, new_rec=0.
    Jul 2 11:50:02 :124004: <DBUG> |authmgr| AUTH GSM: USER uuid(0x14), mac(00:1e:65:73:36:ba), name(DATAUNIT\edemeestere), role(authenticated), devtype(Win 7), wired(0), auth_type(11), auth_subtype(0), encrypt_type(10), conn_port(4)
    Jul 2 11:50:02 :124105: <DBUG> |authmgr| MM: mac=00:1e:65:73:36:ba, state=6, name=DATAUNIT\edemeestere, role=authenticated, dev_type=Win 7, ipv4=0.0.0.0, ipv6=0.0.0.0, new_rec=1.
    Jul 2 11:50:02 :124004: <DBUG> |authmgr| AUTH GSM: USER uuid(0x14), mac(00:1e:65:73:36:ba), name(DATAUNIT\edemeestere), role(authenticated), devtype(Win 7), wired(0), auth_type(11), auth_subtype(0), encrypt_type(10), conn_port(4)
    Jul 2 11:50:02 :124230: <DBUG> |authmgr| Rx message 21/23, length 351 from 127.0.0.1:8344
    Jul 2 11:50:02 :124004: <DBUG> |authmgr| Local DB auth failed for user 00:1e:65:73:36:ba, error (User not found in UserDB)
    Jul 2 11:50:02 :132219: <INFO> |authmgr| MAC=00:1e:65:73:36:ba Local User DB lookup result for Machine auth=FAILURE Role=
    Jul 2 11:50:02 :132020: <INFO> |authmgr| Station DATAUNIT\edemeestere 00:1e:65:73:36:ba failed Machine authentication update role authenticated
    Jul 2 11:50:02 :124234: <DBUG> |authmgr| Tx message to Sibyte, blocking with ack, Opcode = 164, msglen = 204 1 user messages bundled, actions = 17
    Jul 2 11:50:02 :124105: <DBUG> |authmgr| MM: mac=00:1e:65:73:36:ba, state=3, name=DATAUNIT\edemeestere, role=authenticated, dev_type=Win 7, ipv4=0.0.0.0, ipv6=0.0.0.0, new_rec=1.
    Jul 2 11:50:02 :124004: <DBUG> |authmgr| AUTH GSM: USER uuid(0x14), mac(00:1e:65:73:36:ba), name(DATAUNIT\edemeestere), role(authenticated), devtype(Win 7), wired(0), auth_type(11), auth_subtype(0), encrypt_type(10), conn_port(4)
    Jul 2 11:50:02 :124105: <DBUG> |authmgr| MM: mac=00:1e:65:73:36:ba, state=3, name=DATAUNIT\edemeestere, role=authenticated, dev_type=Win 7, ipv4=0.0.0.0, ipv6=0.0.0.0, new_rec=0.
    Jul 2 11:50:02 :124004: <DBUG> |authmgr| AUTH GSM: USER uuid(0x14), mac(00:1e:65:73:36:ba), name(DATAUNIT\edemeestere), role(authenticated), devtype(Win 7), wired(0), auth_type(11), auth_subtype(0), encrypt_type(10), conn_port(4)
    Jul 2 11:50:03 :124230: <DBUG> |authmgr| Rx message 14001/5221, length 230 from 127.0.0.1:8235
    Jul 2 11:50:03 :124172: <DBUG> |authmgr| Show user rows between 1 and 11.
    Jul 2 11:50:06 :124230: <DBUG> |authmgr| Rx message 14001/5221, length 231 from 127.0.0.1:8235
    Jul 2 11:50:06 :124172: <DBUG> |authmgr| Show user rows between 1 and 101.



  • 4.  RE: Server rule derivation - set vlan not working
    Best Answer

    EMPLOYEE
    Posted Jul 02, 2013 05:54 AM

    In the 802.1x profile, you have "Enforce Machine Authentication".  That means no server derivation rules take place until machine authentication is successful.  Turn off Enforce Machine Authentication and server derivation will take place:

     

    Jul 2 11:50:02 :132219: <INFO> |authmgr| MAC=00:1e:65:73:36:ba Local User DB lookup result for Machine auth=FAILURE Role=
    Jul 2 11:50:02 :132020: <INFO> |authmgr| Station DATAUNIT\edemeestere 00:1e:65:73:36:ba failed Machine authentication update role authenticated
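
    The diagnosis above, turned into a small triage script. This is an added example, not code from the thread or from HPE Aruba: it parses `show log security` output of the kind posted above, collects per station MAC the machine-authentication result, the role and the VLAN that was actually published, and states whether server derivation could have run at all. The log lines embedded in it are constructed to mirror the posted ones; the second station (00:1e:65:aa:bb:cc) and its `Machine auth=SUCCESS` line are an assumed variant of the posted FAILURE line, not captured controller output. It also carries the case-sensitive string comparison from the earlier reply, so you can see that a Filter-Id of `sales` matches a rule operand of `Sales` with neither `equals` nor `contains`.

    ```python
    """Triage ArubaOS ``show log security`` output for 802.1X VLAN-derivation problems.

    Added example, not code from the thread or from HPE Aruba. SAMPLE_LOG below is
    constructed: the first station's lines mirror the ones posted in the thread; the
    second station (00:1e:65:aa:bb:cc) and its ``Machine auth=SUCCESS`` line are an
    assumed variant of the posted FAILURE line, not captured controller output.
    """
    import re
    from dataclasses import dataclass
    from typing import Dict, List, Optional

    MAC = r"([0-9a-f]{2}(?::[0-9a-f]{2}){5})"

    # authmgr messages that carry the facts the thread's diagnosis rests on
    RE_MACHINE_AUTH = re.compile(
        r"MAC=" + MAC + r" Local User DB lookup result for Machine auth=(\w+)")
    RE_PUBLISH = re.compile(r"AUTH GSM PUBLISH MAC user: .*MAC:" + MAC + r" VLAN:(\d+)")
    RE_MACHINE_FAIL_ROLE = re.compile(
        r"Station \S+ " + MAC + r" failed Machine authentication update role (\S+)")
    RE_AAA_PROF = re.compile(r"Setting user " + MAC + r" aaa profile to (\S+),")


    @dataclass
    class Station:
        mac: str
        vlan: Optional[int] = None
        role: Optional[str] = None
        machine_auth: Optional[str] = None   # "SUCCESS" / "FAILURE" / None (never logged)
        aaa_profile: Optional[str] = None


    def parse_security_log(text: str) -> Dict[str, Station]:
        """Fold the log into one Station record per MAC; later lines overwrite earlier ones."""
        stations: Dict[str, Station] = {}

        def station(mac: str) -> Station:
            return stations.setdefault(mac, Station(mac))

        for line in text.splitlines():
            m = RE_MACHINE_AUTH.search(line)
            if m:
                station(m.group(1)).machine_auth = m.group(2)
                continue
            m = RE_PUBLISH.search(line)
            if m:
                station(m.group(1)).vlan = int(m.group(2))
                continue
            m = RE_MACHINE_FAIL_ROLE.search(line)
            if m:
                station(m.group(1)).role = m.group(2)
                continue
            m = RE_AAA_PROF.search(line)
            if m:
                station(m.group(1)).aaa_profile = m.group(2)
        return stations


    def diagnose(s: Station, vap_vlan: int) -> str:
        """Explain, in the terms of the thread's answer, why a station sits where it does."""
        if s.machine_auth == "FAILURE":
            return (f"{s.mac}: machine auth FAILED (user-only 802.1X); with Enforce "
                    f"Machine Authentication on, server derivation rules are skipped, "
                    f"station stays in VAP VLAN {s.vlan} with role {s.role}")
        if s.vlan is not None and s.vlan != vap_vlan:
            return f"{s.mac}: server derivation applied, VLAN {s.vlan}"
        return (f"{s.mac}: still in VAP VLAN {s.vlan}; compare the Filter-Id string NPS "
                f"sends against the rule operand byte for byte (matching is case-sensitive)")


    def triage(text: str, vap_vlan: int) -> List[str]:
        return [diagnose(s, vap_vlan) for s in parse_security_log(text).values()]


    # Case-sensitive comparison, as the reply above describes for server-derivation rules.
    _OPS = {
        "equals": lambda v, o: v == o,
        "not-equals": lambda v, o: v != o,
        "contains": lambda v, o: o in v,
        "starts-with": lambda v, o: v.startswith(o),
        "ends-with": lambda v, o: v.endswith(o),
    }


    def rule_matches(attr_value: str, op: str, operand: str) -> bool:
        """True when a RADIUS attribute value satisfies ``<attribute> <op> <operand>``;
        no case folding is applied."""
        return _OPS[op](attr_value, operand)


    SAMPLE_LOG = r"""
    Jul 2 11:50:02 :124103: <DBUG> |authmgr| Setting user 00:1e:65:73:36:ba aaa profile to DU_Wireless8021x-aaa_prof, reason: ncfg_get_wireless_aaa_prof.
    Jul 2 11:50:02 :124004: <DBUG> |authmgr| AUTH GSM PUBLISH MAC user: BSS:24:de:c6:ca:57:49 MAC:00:1e:65:73:36:ba VLAN:1 wired_or_wifi:1 data-ready:0
    Jul 2 11:50:02 :132219: <INFO> |authmgr| MAC=00:1e:65:73:36:ba Local User DB lookup result for Machine auth=FAILURE Role=
    Jul 2 11:50:02 :132020: <INFO> |authmgr| Station DATAUNIT\edemeestere 00:1e:65:73:36:ba failed Machine authentication update role authenticated
    Jul 2 11:52:10 :132219: <INFO> |authmgr| MAC=00:1e:65:aa:bb:cc Local User DB lookup result for Machine auth=SUCCESS Role=authenticated
    Jul 2 11:52:10 :124004: <DBUG> |authmgr| AUTH GSM PUBLISH MAC user: BSS:24:de:c6:ca:57:49 MAC:00:1e:65:aa:bb:cc VLAN:105 wired_or_wifi:1 data-ready:0
    """

    if __name__ == "__main__":
        for verdict in triage(SAMPLE_LOG, vap_vlan=1):
            print(verdict)
        print("'sales' equals 'Sales'   ->", rule_matches("sales", "equals", "Sales"))
        print("'sales' contains 'Sales' ->", rule_matches("sales", "contains", "Sales"))
    ```

    Paste the real `show log security` output into `SAMPLE_LOG` (or read it from a file) and pass the VAP's VLAN as `vap_vlan`; a FAILURE verdict tells you derivation never ran, while a station still in the VAP VLAN after a SUCCESS points at the rule string itself.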

     

     

     

     



  • 5.  RE: Server rule derivation - set vlan not working

    Posted Jul 02, 2013 05:59 AM

    I was expecting something like that.

    Is there a way to use derivation and place the computer in the correct vlan when doing only machine level authentication?

     

    I do not want sales to get into VLAN 1. Their computers are in a separate AD group, and there are policies in place that return filter-ids when doing the machine authentication.



  • 6.  RE: Server rule derivation - set vlan not working

    EMPLOYEE
    Posted Jul 02, 2013 06:06 AM

    A machine only does machine authentication when it is at the ctrl-alt-delete screen.  It does NOT do machine authentication when a user is logging in, so you cannot change vlans when a user is logging in based on the AD group that a machine is a member of.

     

    A machine would have had to pass both user and machine authentication for server derivation rules to even be listened to.

     

    What are you trying to do, so that we can make suggestions..?



  • 7.  RE: Server rule derivation - set vlan not working

    Posted Jul 02, 2013 06:12 AM

    Right now all my clients are in one single vlan. However we are migrating to different ip ranges.

     

    I wanted to place the sales clients in a different vlan without having to change their wireless settings.

     

    At this moment clients can also use their smartphones to connect to the network. With AD credentials.


    But I also want domain computers to be able to use machine authentication, so that they can access the network before logging in.

     

    Edit

    ------
    I have an NPS policy in place that returns filter-id "Sales" for domain computers in the sales group, and an NPS policy that returns filter-id "Sales" for users in the sales group.



  • 8.  RE: Server rule derivation - set vlan not working

    EMPLOYEE
    Posted Jul 02, 2013 06:21 AM

    Okay.  Let's take this step by step:

     

    - Change the Machine Authentication Enforcement Cache from 24 hours to something like 100 hours in the 802.1x profile.  When you perform a successful machine authentication, that status will be cached for 100 hours.

    - Log off of the machine so that it is at the ctrl-alt-delete screen.  This will perform a successful machine authentication, and cache that status for 100 hours.  You should be able to see the machine's mac address in the local user database (show local-userdb)

     

    - Log into the machine after one minute and it will perform a successful user authentication.  Your server derivation rules should work now.

     

     



  • 9.  RE: Server rule derivation - set vlan not working

    Posted Jul 02, 2013 07:36 AM

    So in short, server derivation only works if the user is in the 802.1x auth state and not in the 802.1x-machine or 802.1x-user state?

     

    When the clients connect with their smartphones, they will only do 802.1x-user authentication, causing the server derivation to stop working.

     

    Your solution would probably work for domain computers but not for the smartphones.

     

    I think I'll just create an extra VAP for the sales guys. Using NAS-IDs I can make sure that the sales guys can only authenticate with the sales policy and that specific VAP.



  • 10.  RE: Server rule derivation - set vlan not working

    EMPLOYEE
    Posted Jul 02, 2013 08:58 AM

    Here is what you need to do:

     

    Create a VLAN for smartphones/guests.

    Create a role for smartphones/guests and tie it to that VLAN.  Make sure you put enough firewall policies to allow traffic.

     

    Make the Enforce Machine Authentication User Role the role that you created above.

     

    What will happen is that devices that have only passed user authentication, like smartphones, will be placed into the VLAN/role above and get internet/guest access.

    Users who have passed both machine and user authentication will end up in a production VLAN and your derivation rules will work.

     

    So, non-domain devices that pass user authentication will end up in the guest authenticated role/vlan and domain devices will end up in the Virtual AP VLAN, but can be switched to whatever VLAN you want with server derivation rules after.
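
    The design from the two employee replies above (the longer machine-authentication cache plus the logoff/logon procedure, and the separate role and VLAN for stations that pass only user authentication) written out as ArubaOS configuration. This is an added illustration, not the poster's configuration and not anything from HPE Aruba: VLAN 200, the role, ACL, server and profile names are assumed, and the syntax is ArubaOS 6.x CLI as the editor recalls it, so confirm each line against the controller's `?` help before using it.

    ```text
    ! Added example, not the poster's running config. VLAN 200, the role,
    ! ACL, server and profile names are assumed; verify the syntax on your
    ! own controller (ArubaOS 6.x) before pasting.

    ! 1. Server derivation rules live on the server group. The string
    !    comparison is case-sensitive, so "Sales" here must match the
    !    Filter-Id NPS sends byte for byte.
    aaa server-group "DU_Wireless8021x-srvgrp"
       auth-server "NPS1"
       set vlan condition Filter-Id equals "Sales" set-value 105
       set vlan condition Filter-Id equals "Operations" set-value 1

    ! 2. A VLAN and role for stations that pass only user authentication
    !    (smartphones with AD credentials). Give the role only what those
    !    devices need; everything else is denied.
    vlan 200
    ip access-list session "smartphone-internet"
       user any svc-dns permit
       user any svc-http permit
       user any svc-https permit
       user any any deny
    user-role "smartphone-guest"
       access-list session "smartphone-internet"
       vlan 200

    ! 3. Keep Enforce Machine Authentication on, stretch the cache so a
    !    domain PC's machine auth at the ctrl-alt-delete screen outlives a
    !    working day, and send user-only stations to the role above.
    !    Domain PCs that pass both stages land in the VAP VLAN and are then
    !    moved by the server derivation rules in step 1.
    aaa authentication dot1x "DU_Wireless8021x-dot1x_prof"
       machine-authentication enable
       machine-authentication cache-timeout 100
       machine-authentication user-default-role "smartphone-guest"

    ! Verify after a domain PC has logged off (machine auth) and back on:
    !   show local-userdb                 cached machine-auth entry for the PC's MAC
    !   show user mac 00:1e:65:73:36:ba   role and VLAN actually applied
    ```

    The deny-all at the end of the ACL is the point of the exercise: a device that only proves who its user is, not that it is a domain machine, should not reach the production VLANs at all, whatever Filter-Id NPS returns for that user.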

     

     



  • 11.  RE: Server rule derivation - set vlan not working

    Posted Jul 02, 2013 05:37 AM

    You mention sales and Sales; might it be an upper/lower case issue?

     

    There is a graph somewhere that shows the priority in assigning things like VLANs; it might be that it gets overwritten later on. Try a user debug and see what the logs are saying.

     

    [edit] and of course cjoseph beats me :)