Wireless Access

Aruba

Re: Tunneled Node Configuration

And yes users in a given closet could have different IP address ranges.

Regular Contributor II

Re: Tunneled Node Configuration

Thx Madani.

 

Really appreciate this.

 

 

Regular Contributor II

Re: Tunneled Node Configuration

Hi Guys,

 

Was just testing out the Tunneled Node Configuration using VLAN Pool assigned to the User Role and it doesn't work.

 

For some reason, under the "user-table" of the Controller, I only see the MAS assigned a "logon" role which is my "initial-role" for the AAA Wired Profile.

 

However, if I don't assign a VLAN to the User Role, it works just fine.

 

Any ideas?

 

 

Aruba

Re: Tunneled Node Configuration

Can you send me the latest relevant AAA sections from the controller? Let me take a look.

Regular Contributor II

Re: Tunneled Node Configuration

user-role Student
    vlan Tunnel-Node
    access-list session allowall

vlan-name Tunnel-Node assignment even
vlan Tunnel-Node 200,300

aaa server-group "Trent-RADIUS"
    allow-fail-through
    auth-server Internal
    auth-server RADIUS
!
aaa profile "Campus-WLAN-aaa_prof"
    authentication-dot1x "Trent-dot1x"
    dot1x-default-role "Student"
    dot1x-server-group "Trent-RADIUS"

 

 

 

Please note that my MAS Switch, to which the PC is connected, is acting as the DHCP Server on both VLANs (200 and 300).

 

 

Aruba

Re: Tunneled Node Configuration

So if you remove "vlan Tunnel-Node" from "user-role Student" then you see devices in your user-table being assigned "Student"? I'm trying to visualize the connection between the two. If you're passing authentication then the role should just be assigned. Alternatively, if you put "vlan 200", does that still work?

 

Being stuck in the initial role would indicate a AAA failure. What does the "show auth-tracebuf" show during the authentication process? We may also want to turn on some user-debugs to see what's going on.

Regular Contributor II

Re: Tunneled Node Configuration

One more thing I need to point out.

 

The Tunneled Node Port was assigned a Switching Profile which assigns it the Management VLAN and also configures it as an "access mode" Port and to be Untrusted.

 

However, my assumption is that the VLAN assigned by the User Role should take precedence. Right?

Regular Contributor II

Re: Tunneled Node Configuration

If I remove the VLAN Pool from the User Role, the Client doesn't get assigned an IP Address and I believe the Student role is still assigned to it.

 

The "logon" role assigned is to the MAS Switch.

 

Can you assist? Even TAC can't seem to figure it out. 

Aruba

Re: Tunneled Node Configuration

I'll have to set this up. I have enough of your config to emulate it I believe.

 

Regarding your other questions, if "tunneled-node-profile" is on the interface, "no trusted port" is ignored. The VLAN in the switching profile, on the other hand, is used as the base VLAN prior to re-assignment at the controller. I haven't seen it be an issue in the past.

 

What's your case number by the way?

Regular Contributor II

Re: Tunneled Node Configuration

Thx for looking into this.

 

Will still be taking a crack at it. So if you need me to test anything at any time, do let me know.

 

Case #1445711 is the Ticket Number

 

 
