Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Using the RAP-2WG Ethernet port

  • 1.  Using the RAP-2WG Ethernet port

    Posted Apr 24, 2013 01:52 PM

    We are using an Aruba 620, using 6.1.3.6 if I recall correctly. Will have to verify tomorrow when I'm at work again. I have whitelisted the RAP and it is able to connect to the controller from a home connection. The wifi is working and is connected to VLAN3. Now I'm trying to connect the E1 port to VLAN3 as well (layer 2 mode).

     

    I tried enabling the AP mode in the AP-SYSTEM-PROFILE and I set the profile so that Ethernet1 is no longer shutdown, is in tunnel mode and connected to VLAN3.

     

    For some reason, it doesn't seem to work. The Ethernet port keeps connecting to VLAN1 instead. Sometimes it connects to VLAN3 for a minute or so, right after I have set the profile settings. But it almost seems that as soon as I click anywhere else in the web interface, it goes back to VLAN1 again. Is the web interface buggy? Do I need to press the 'save configuration' button for it to work properly?

     

    What else could be going on? Is it even able to do BOTH wifi and an ethernet port? Also, does it matter how I configure Ethernet0? Since that's the port that's actually connecting the RAP to the internet. Or are provisioning settings for that port ignored?



  • 2.  RE: Using the RAP-2WG Ethernet port

    EMPLOYEE
    Posted Apr 24, 2013 02:33 PM

    In the wired AP profile, you need to enable it, make it trusted, put the VLAN (3 in your case) in, and click on Apply.

     

    You do not need to configure ethernet0, just enet1.



  • 3.  RE: Using the RAP-2WG Ethernet port

    Posted Apr 24, 2013 02:35 PM

    Aha, the trusted-part might be the thing that I have skipped. Will try tomorrow. Thanks. I still don't understand why an untrusted port would force it to VLAN1 instead of VLAN3 though. But it's certainly worth a try!



  • 4.  RE: Using the RAP-2WG Ethernet port

    Posted Apr 25, 2013 03:51 AM

    Awesome. Setting it to trusted makes it work. So that means that if you disable trusted, VLAN1 gets assigned to the port and if you enable trusted, the VLAN that you selected (in my case VLAN3) gets assigned to the port. Pretty strange behaviour, but it works.

     

    Another thing I found: if I set the mode to split-tunnel, it works as well, without setting trusted (actually, setting split-tunnel forces Trusted to disabled).

     

    Another thing I found: if I go to Monitoring and then click Clients, the wired client does not appear to show in the list if the port is Trusted. If I disable Trusted (and thus the port connects to VLAN1), then the wired client DOES show under clients. If I set the mode to 'split-tunnel' and the port connects to VLAN3, the client also DOES show in the list. So setting trusted makes it so that clients DO NOT show in the client list. Strange.

     

    Is there any good documentation on all this behaviour? I can get it to work now, but I would like to understand why it does what it does.

     

    PS: thanks for the help.



  • 5.  RE: Using the RAP-2WG Ethernet port

    EMPLOYEE
    Posted Apr 25, 2013 06:09 AM

    "Untrusted" will force clients to authenticate in some way.  It will put them in a role that typically triggers a captive portal.  The default role for making a client untrusted is the "logon" role.  If that role is assigned to VLAN 3, that is why your clients are probably ending up there.

     

    Split tunneling would allow you to designate some traffic to tunnel back to corporate and some traffic to stay local to the site. You would have to write rules to permit (tunnel back to corporate) and route (send local to the site) traffic to make this work how you would want it. There are resources on how to set up split tunneling if you search the knowledgebase here: http://support.arubanetworks.com/KNOWLEDGEBASE/tabid/133/Default.aspx

     

    Making a port just simply puts users on a VLAN without any restrictions and it is the easiest way to establish connectivity on a port.

     



  • 6.  RE: Using the RAP-2WG Ethernet port

    Posted Apr 29, 2013 05:48 AM

    I'm sorry, but I do not fully understand (yet).

     

    [quote] If that role is assigned to VLAN 3, that is why your clients are probably ending up there.[/quote]

    Did you mean to say VLAN1 instead of VLAN3? And where can I see what roles are assigned to a VLAN? VLAN1 is our default vlan, might that be the reason it's choosing that?

     

    [quote]Making a port just simply puts users on a VLAN without any restrictions and it is the easiest way to establish connectivity on a port.[/quote]

    Do you mean to say 'Making a port trusted' ?

     

    What I'm trying to achieve is putting a user at home in VLAN3 without any restrictions. So making the port trusted should be the way to go? We would like to whitelist a certain list of MAC addresses though and block the rest, for security. Is this possible? I know it can be done for WiFi, but this is Ethernet.

     

    Thanks again for your help.



  • 7.  RE: Using the RAP-2WG Ethernet port
    Best Answer

    EMPLOYEE
    Posted Apr 29, 2013 08:09 AM
    Just make the port trusted, yes.


  • 8.  RE: Using the RAP-2WG Ethernet port

    Posted Apr 29, 2013 08:13 AM

    Thank you.

     

    Now I'll go to the next step and try to google and read manuals to find out how to do the MAC filter, so that only certain devices can successfully connect to the wired RAP port.



  • 9.  RE: Using the RAP-2WG Ethernet port

    EMPLOYEE
    Posted Apr 29, 2013 08:18 AM

    You probably just want to search the knowledgebase here http://support.arubanetworks.com/KNOWLEDGEBASE/tabid/133/Default.aspx for wired MAC authentication.



  • 10.  RE: Using the RAP-2WG Ethernet port

    Posted May 06, 2013 08:41 AM

    (had to change username because I had to re-signup to get customer access)

     

    Thank you, I used https://arubanetworkskb.secure.force.com/pkb/articles/HowTo/R-1126 , which was very helpful.

     

    It does not mention that I need to change the "initial role" in the AAA profile from 'authenticated' to something less, like 'denyall', but it seems that you have to if you want MAC filtering.

     

    Question1: what is the point of "MAC Authentication Default Role" if it gets overwritten by the role of the user in the internal-db?

     

    Question2: if I create a user in the database with the mac-address as a username and password, would that allow VIA-clients to connect with that username/password combination as well? What if I don't want users to login with mac-address users? I only want that user to be used for mac-authentication.

     

    Thanks again.



  • 11.  RE: Using the RAP-2WG Ethernet port

    EMPLOYEE
    Posted May 06, 2013 08:48 AM


    1.  MAC authentication default role is if the user in the internal db does not have a role

    2.  You would authenticate VIA clients pointing to a radius database,  not the internal database to avoid that.



  • 12.  RE: Using the RAP-2WG Ethernet port

    Posted May 06, 2013 08:52 AM

    1: okay. It's not possible to create a user without a role (through the GUI), that's why I suspected maybe something else was going on.

    2: so if I wanted to use the internal DB for VIA, that's not possible to combine with mac-authentication without creating the possibility for people to authenticate with a mac-address, right?



  • 13.  RE: Using the RAP-2WG Ethernet port

    EMPLOYEE
    Posted May 06, 2013 08:57 AM

    1.  The server group for the internal database has a "role value-of" derivation rule.  If that is removed, the user will get the MAC authentication default role.

    2.  The MAC authentication profile can submit the MAC address in a number of formats, with or without delimiter, capitals, so you can determine a format that people would not guess if you were forced to use the internal database for both.
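The configuration the thread converges on (enet1 tunnelled to VLAN 3, MAC authentication against the internal database, deny-all initial role, role value-of derivation, fixed MAC username format), written out as an added example that is not from the thread or from HPE Aruba documentation. The profile names, the VLAN, the sample MAC address and the exact ArubaOS 6.x CLI keywords are assumptions; check them against the controller's own `?` help before use. Lines starting with `!` are explanatory only.

```text
! Added example, not from the thread or from HPE Aruba documentation.
! Assumptions: ArubaOS 6.x CLI keywords, profile names, VLAN 3 and the
! sample MAC 00:11:22:33:44:55 are all constructed for illustration.
!
! 1. Wired AP profile for enet1: enabled, tunnelled to the controller, VLAN 3.
!    "trusted" would bypass AAA on the port entirely (the plain VLAN-3 setup
!    from post 7); for MAC filtering the port must stay untrusted.
ap wired-ap-profile "rap-enet1-wired"
   wired-ap-enable
   forward-mode tunnel
   switchport mode access
   switchport access vlan 3
   no trusted
!
! 2. MAC auth profile: fixes the format in which the client MAC is submitted
!    as username/password (post 13); here no delimiter, upper case.
aaa authentication mac "rap-enet1-mac"
   delimiter none
   case upper
!
! 3. Internal DB server group. The "Role value-of" rule is what lets the
!    per-user role in the internal DB override mac-default-role (posts 11, 13).
aaa server-group "rap-internal"
   auth-server Internal
   set role condition Role value-of
!
! 4. AAA profile: initial role denyall so a device that fails MAC auth gets
!    nothing (post 10); mac-default-role only applies to DB users with no role.
aaa profile "rap-enet1-aaa"
   initial-role "denyall"
   authentication-mac "rap-enet1-mac"
   mac-default-role "authenticated"
   mac-server-group "rap-internal"
!
! 5. Bind both profiles to the enet1 port of the RAP's AP group.
ap wired-port-profile "rap-enet1-port"
   wired-ap-profile "rap-enet1-wired"
   aaa-profile "rap-enet1-aaa"
   no shutdown
!
ap ap-group "home-raps"
   enet1-port-profile "rap-enet1-port"
!
! 6. Whitelist entry (exec mode, not config): username = password = the MAC
!    in the format chosen in step 2.
local-userdb add username 001122334455 password 001122334455 role authenticated
```

Because the internal database is shared, a user entry like this is also a valid username/password for any other method pointed at the Internal server, which is why post 11 suggests a RADIUS server for VIA instead.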