User obtaining old role when switching SSIDs with separate VLANs and wired AAA profiles
07-23-2017 06:07 PM
Hi, we are currently experiencing a problem wherein we have two SSIDs, namely Free and Auto, which run on an external RADIUS. When a client connects to the Free SSID or Auto SSID for the first time, the client gets redirected to the right portal (the client gets assigned the correct logon role for Free or Auto). Our issue is that when the client switches to the other SSID, either from Free to Auto or from Auto to Free, he will retain the role he obtained on whichever SSID he first connected to. For example, if the client connects to Free and is assigned Free-logon and then connects to Auto, even without finishing the authentication process on Free, the client will retain the Free-logon role even though the client should obtain the Auto-logon role. The same happens when the client connects to Auto and then transfers to Free afterwards.
So the design is like this. We have a central controller, and on a remote site we deployed an HP 8 port switch (N930F) which supports tunneled node. We have two VLAN interfaces on the controller, one for each of the two SSIDs, Free and Auto, both of which have DHCP enabled. Each VLAN has its own wired AAA profile set, and of course they are different networks. Here is where things get a bit tricky: the SSIDs are actually on a Cisco WLC and broadcast by Cisco APs. The VLANs are running through the Cisco network via L2.
Basically the topology is like this:
Aruba 7240>HP 8 Port Switch>Cisco Catalyst Switch>Cisco WLC>Cisco AP
I enabled debugging on my device, and from the logs I can see that I'm obtaining a different (the proper) IP each time I switch SSIDs and get assigned a "new" role, but the controller seems to assign the old role I obtained from whichever SSID I connected to first.
We have no issues when testing on a RAP, where we created two test SSIDs using the two VLANs. The user role gets updated every time and we are presented with the right captive portal. The issue only occurs when we connect to the Cisco APs.
Jul 10 17:11:05 :522050: <4125> <INFO> |authmgr| MAC=ec:1f:72:fa:b7:30,IP=100.92.95.66 User data downloaded to datapath, new Role=douglas-stlukes-free-logon/358, bw Contract=0/0, reason=New user IP processing, idle-timeout=120
Jul 10 17:16:16 :522050: <4125> <INFO> |authmgr| MAC=ec:1f:72:fa:b7:30,IP=100.92.79.239 User data downloaded to datapath, new Role=douglas-stlukes-free-logon/358, bw Contract=0/0, reason=New user IP processing, idle-timeout=120
So the issue seems to be that the controller somehow remembers the role of the client even though the client is switching between the two SSIDs.
Has anyone experienced something like this before?
Sorry if I posted in the wrong section, not quite sure where to put this.
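Added example, not part of the original post and not Aruba code: a Python check over the authmgr 522050 lines quoted above that flags a MAC whose IP moved to a different network while its role stayed the same. The /24 prefix length and the second client's MAC, addresses and example-* role names are constructed assumptions, since the post does not give the VLAN masks.

```python
import re
from ipaddress import ip_interface

# Fields of the authmgr 522050 message as it appears in the post.
LINE_RE = re.compile(
    r"\|authmgr\|\s+MAC=(?P<mac>[0-9a-f:]{17}),IP=(?P<ip>[\d.]+)\s+"
    r"User data downloaded to datapath, new Role=(?P<role>[^/,]+)/\d+,"
    r".*?reason=(?P<reason>[^,]+)", re.IGNORECASE)

SAMPLE = [
    # The two lines quoted in the post.
    "Jul 10 17:11:05 :522050: <4125> <INFO> |authmgr| MAC=ec:1f:72:fa:b7:30,IP=100.92.95.66 User data downloaded to datapath, new Role=douglas-stlukes-free-logon/358, bw Contract=0/0, reason=New user IP processing, idle-timeout=120",
    "Jul 10 17:16:16 :522050: <4125> <INFO> |authmgr| MAC=ec:1f:72:fa:b7:30,IP=100.92.79.239 User data downloaded to datapath, new Role=douglas-stlukes-free-logon/358, bw Contract=0/0, reason=New user IP processing, idle-timeout=120",
    # Constructed lines (not from the post): a client whose role follows the VLAN change.
    "Jul 10 17:20:00 :522050: <4125> <INFO> |authmgr| MAC=02:00:00:00:00:01,IP=100.92.95.10 User data downloaded to datapath, new Role=example-free-logon/1, bw Contract=0/0, reason=New user IP processing, idle-timeout=120",
    "Jul 10 17:25:00 :522050: <4125> <INFO> |authmgr| MAC=02:00:00:00:00:01,IP=100.92.79.10 User data downloaded to datapath, new Role=example-auto-logon/2, bw Contract=0/0, reason=New user IP processing, idle-timeout=120",
    # Constructed unrelated line, skipped by the parser.
    "Jul 10 17:26:00 constructed line that is not a role download",
]

def find_stale_roles(lines, prefix_len=24):
    """Flag MACs that moved to a different network but kept the same role.

    prefix_len is an assumption; set it to the real mask of the VLAN interfaces.
    Returns a list of (mac, old_network, new_network, role).
    """
    last = {}       # mac -> (network, role) from the most recent event
    findings = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m or m["reason"].strip() != "New user IP processing":
            continue
        mac, role = m["mac"].lower(), m["role"]
        net = ip_interface(f"{m['ip']}/{prefix_len}").network
        prev = last.get(mac)
        if prev and prev[0] != net and prev[1] == role:
            findings.append((mac, str(prev[0]), str(net), role))
        last[mac] = (net, role)
    return findings

if __name__ == "__main__":
    for mac, old, new, role in find_stale_roles(SAMPLE):
        print(f"{mac}: moved {old} -> {new} but kept role {role}")
```

If the prefix length is set wider than the real VLAN masks, both addresses fall into one network and nothing is flagged, so use the masks configured on the controller's VLAN interfaces.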
Re: User obtaining old role when switching SSIDs with separate VLANs and wired AAA profiles
07-23-2017 07:10 PM
Please open a TAC case in parallel with this post. There are so many places that this could run into trouble, it would be best to have TAC work on it. I have never configured things as you mention, and others who have might want to help, however...
*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*