I am having issues where clients are able to automatically connect to an EAP-TLS-enabled SSID using 8021x-Machine authentication without issue (usually the first time in the morning), unless they disconnect and then try to reconnect (during the day). SSO is not being used, so the connection is not initiated until the user logs on.
The problem appears to be that the previously allocated DHCP address is not being re-applied to the client, but rather an IP of 0.0.0.0 is somehow assigned. To me it looks like the controller already thinks that the client has the necessary IP. I am also confused by the log entry ("host/LT018450.ent.foxtel.com.au Authenticated 8021x-Machine Employe") missing an e.
To work around the issue, the client simply tries to connect to any other SSID, and then all of a sudden the initial reconnect attempt to the desired SSID gets a valid IP address and all is good. This happens for both XP and Win7 clients. If I do "aaa user delete mac 00:21:6a:6b:53:ba" between attempts, the PC can always reconnect without issue.
ArubaOS (MODEL: Aruba2400), Version 5.0.4.6
Encryption wpa2-aes
NPS used for Radius
Termination not performed on the controller
VLAN shared by multiple SSIDs
DHCP via controller built-in service
The following is from an attempted reconnect.
Oct 2 15:05:20 :522004: <DBUG> |authmgr| download: ip=0.0.0.0 acl=44/0 role=Employee, Ubwm=0, Dbwm=0 tunl=0x114d, PA=0, HA=1, RO=0, VPN=0
Oct 2 15:05:20 :522004: <DBUG> |authmgr| Station authenticate has l2 role :Employee default role logon logon role logon
Oct 2 15:05:20 :522004: <DBUG> |authmgr| Valid Dot1xct, remote:0, assigned:254, default:254,current:254,termstate:0, wired:0,dot1x enabled:1, psk:0 static:0 bssid=00:0b:86:5a:45:2f
Oct 2 15:05:20 :522004: <DBUG> |authmgr| MAC=00:21:6a:6b:53:ba def_vlan 254 derive vlan: 0 auth_type 10 auth_subtype 10
Oct 2 15:05:20 :522004: <DBUG> |authmgr| Vlan assignment is not needed during station authentication
Oct 2 15:05:20 :522029: <INFO> |authmgr| MAC=00:21:6a:6b:53:ba Station authenticate: method=8021x-Machine, role=Employee/Employee/, VLAN=254/254/0/0/0, Derivation=1/0, Value Pair=0
Oct 2 15:05:20 :522008: <NOTI> |authmgr| User authenticated: Name=host/LT018450.ent.foxtel.com.au MAC=00:21:6a:6b:53:ba IP=169.254.90.189 method=8021x-Machine server=gdcdc00.ent.foxtel.com.au role=Employee
Oct 2 15:05:20 :522004: <DBUG> |authmgr| {169.254.90.189} autTable ("host/LT018450.ent.foxtel.com.au Authenticated 8021x-Machine Employe")
Oct 2 15:05:20 :522008: <NOTI> |authmgr| User authenticated: Name=host/LT018450.ent.foxtel.com.au MAC=00:21:6a:6b:53:ba IP=172.22.254.166 method=8021x-Machine server=gdcdc00.ent.foxtel.com.au role=Employee
Oct 2 15:05:20 :522004: <DBUG> |authmgr| {172.22.254.166} autTable ("host/LT018450.ent.foxtel.com.au Authenticated 8021x-Machine Employe")
Oct 2 15:05:20 :522004: <DBUG> |authmgr| {0.0.0.0} autTable ("host/LT018450.ent.foxtel.com.au Authenticated 8021x-Machine Employe")
Upon connecting to any other SSID, whether successful or otherwise, the initial attempt then succeeds and the previously allocated IP address is re-assigned, but I still see the log entry "Authenticated 8021x-Machine Employe" with a missing e.
Oct 2 15:12:26 :522038: <INFO> |authmgr| username=host/LT018450.ent.foxtel.com.au MAC=00:21:6a:6b:53:ba IP=0.0.0.0 Authentication result=Authentication Successful method=802.1x server=gdcdc00.ent.foxtel.com.au
Oct 2 15:12:26 :522004: <DBUG> |authmgr| Auth done called from Authenticated state
Oct 2 15:12:26 :522042: <INFO> |authmgr| MAC=00:21:6a:6b:53:ba Station authenticate(start): method=8021x-Machine, role=logon//, VLAN=254/254/0/0/0, Derivation=0/0, Value Pair=1
Oct 2 15:12:26 :522004: <DBUG> |authmgr| {L2} Employee from profile "Arctic_AAA"
Oct 2 15:12:26 :522004: <DBUG> |authmgr| {L2} Update role from logon to Employee for IP=0.0.0.0
Oct 2 15:12:26 :522004: <DBUG> |authmgr| download: ip=0.0.0.0 acl=44/0 role=Employee, Ubwm=0, Dbwm=0 tunl=0x114d, PA=0, HA=1, RO=0, VPN=0
Oct 2 15:12:26 :522004: <DBUG> |authmgr| Station authenticate has l2 role :Employee default role logon logon role logon
Oct 2 15:12:26 :522022: <INFO> |authmgr| MAC=00:21:6a:6b:53:ba IP=0.0.0.0 Derived VLAN 3 from Tunnel attributes
Oct 2 15:12:26 :522004: <DBUG> |authmgr| Station authenticate has derived a new vlan 254
Oct 2 15:12:26 :522004: <DBUG> |authmgr| Valid Dot1xct, remote:0, assigned:254, default:254,current:254,termstate:0, wired:0,dot1x enabled:1, psk:0 static:0 bssid=00:0b:86:5a:45:2f
Oct 2 15:12:26 :522004: <DBUG> |authmgr| MAC=00:21:6a:6b:53:ba def_vlan 254 derive vlan: 0 auth_type 10 auth_subtype 10
Oct 2 15:12:26 :522004: <DBUG> |authmgr| Vlan assignment is not needed during station authentication
Oct 2 15:12:26 :522029: <INFO> |authmgr| MAC=00:21:6a:6b:53:ba Station authenticate: method=8021x-Machine, role=Employee//, VLAN=254/254/0/254/0, Derivation=1/5, Value Pair=1
Oct 2 15:12:26 :522004: <DBUG> |authmgr| {0.0.0.0} autTable ("host/LT018450.ent.foxtel.com.au Authenticated 8021x-Machine Employe")
Oct 2 15:12:27 :522026: <INFO> |authmgr| MAC=00:21:6a:6b:53:ba IP=172.22.254.166 User miss: ingress=0x114d, VLAN=254
Oct 2 15:12:27 :522006: <INFO> |authmgr| MAC=00:21:6a:6b:53:ba IP=172.22.254.166 User entry added: reason=Sibtye
Oct 2 15:12:27 :522004: <DBUG> |authmgr| Station inherit: IP=172.22.254.166 start bssid:00:00:00:00:00:00 essid: port:0x114d (0x114d)
Oct 2 15:12:27 :522004: <DBUG> |authmgr| {L3} Update role from logon to Employee for IP=172.22.254.166
Oct 2 15:12:27 :522004: <DBUG> |authmgr| Reset BWM contract: IP=172.22.254.166 role=Employee, contract= (0), type=Per role
Oct 2 15:12:27 :522004: <DBUG> |authmgr| download: ip=172.22.254.166 acl=44/0 role=Employee, Ubwm=0, Dbwm=0 tunl=0x114d, PA=0, HA=1, RO=0, VPN=0
Oct 2 15:12:27 :522008: <NOTI> |authmgr| User authenticated: Name=host/LT018450.ent.foxtel.com.au MAC=00:21:6a:6b:53:ba IP=172.22.254.166 method=8021x-Machine server=gdcdc00.ent.foxtel.com.au role=Employee
Oct 2 15:12:27 :522004: <DBUG> |authmgr| station inherit IP=172.22.254.166 bssid:00:0b:86:5a:45:2f essid: Arctic auth:1 type:8021x-Machine role:Employee port:0x114d
Oct 2 15:12:27 :522004: <DBUG> |authmgr| {172.22.254.166} autTable ("host/LT018450.ent.foxtel.com.au Authenticated 8021x-Machine Employe")
Oct 2 15:12:27 :522004: <DBUG> |authmgr| download: ip=172.22.254.166 acl=44/0 role=Employee, Ubwm=0, Dbwm=0 tunl=0x114d, PA=0, HA=1, RO=0, VPN=0
Oct 2 15:12:27 :522038: <INFO> |authmgr| username=host/LT018450.ent.foxtel.com.au MAC=00:21:6a:6b:53:ba IP=172.22.254.166 Authentication result=Authentication Successful method=radius-accounting server=gdcdc00.ent.foxtel.com.au
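As an added example (not part of the original post and not Aruba's own tooling), the script below scans authmgr log lines of the kind quoted above and flags, per station, any user entry bound to 0.0.0.0, to a 169.254/16 link-local address, or to more than one IP at once, then prints the "aaa user delete mac" workaround from the post for each affected MAC. The regexes are written against the exact "User authenticated:" and "autTable" message formats shown in this post; that they hold for other ArubaOS releases is an assumption. The sample lines are copied from the post, and the role text from the autTable message is kept as logged ("Employe") rather than corrected.

```python
"""Scan ArubaOS authmgr log lines for stations carrying placeholder or stale IP entries.

Added example written against the message formats quoted in the forum post;
it is not Aruba's code. Field layouts on other ArubaOS versions are an assumption.
"""
import ipaddress
import re
from collections import defaultdict

APIPA = ipaddress.ip_network("169.254.0.0/16")

# "User authenticated: Name=... MAC=... IP=... method=... server=... role=..."
USER_AUTH_RE = re.compile(
    r"\|authmgr\| User authenticated: Name=(?P<name>\S+) MAC=(?P<mac>[0-9a-f:]{17}) "
    r"IP=(?P<ip>\S+) method=(?P<method>\S+) server=\S+ role=(?P<role>\S+)"
)
# '{<ip>} autTable ("<name> Authenticated <method> <role>")' -- no MAC in this message,
# so it is joined to the station by Name. The role text is kept exactly as logged.
AUT_TABLE_RE = re.compile(
    r'\|authmgr\| \{(?P<ip>[^}]+)\} autTable '
    r'\("(?P<name>\S+) Authenticated (?P<method>\S+) (?P<role>[^"]*)"\)'
)

# Sample input: lines copied from the post's first (failing) reconnect attempt.
SAMPLE_LINES = [
    'Oct 2 15:05:20 :522008: <NOTI> |authmgr| User authenticated: Name=host/LT018450.ent.foxtel.com.au MAC=00:21:6a:6b:53:ba IP=169.254.90.189 method=8021x-Machine server=gdcdc00.ent.foxtel.com.au role=Employee',
    'Oct 2 15:05:20 :522004: <DBUG> |authmgr| {169.254.90.189} autTable ("host/LT018450.ent.foxtel.com.au Authenticated 8021x-Machine Employe")',
    'Oct 2 15:05:20 :522008: <NOTI> |authmgr| User authenticated: Name=host/LT018450.ent.foxtel.com.au MAC=00:21:6a:6b:53:ba IP=172.22.254.166 method=8021x-Machine server=gdcdc00.ent.foxtel.com.au role=Employee',
    'Oct 2 15:05:20 :522004: <DBUG> |authmgr| {172.22.254.166} autTable ("host/LT018450.ent.foxtel.com.au Authenticated 8021x-Machine Employe")',
    'Oct 2 15:05:20 :522004: <DBUG> |authmgr| {0.0.0.0} autTable ("host/LT018450.ent.foxtel.com.au Authenticated 8021x-Machine Employe")',
]


def parse_line(line):
    """Return a dict for the two authmgr messages we care about, or None for anything else."""
    m = USER_AUTH_RE.search(line)
    if m:
        return {"kind": "user_auth", **m.groupdict()}
    m = AUT_TABLE_RE.search(line)
    if m:
        return {"kind": "aut_table", "mac": None, **m.groupdict()}
    return None


def classify_ip(ip):
    """Label an IP string as 'unspecified' (0.0.0.0), 'apipa' (169.254/16), 'routable' or 'invalid'."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "invalid"
    if addr.is_unspecified:
        return "unspecified"
    if addr in APIPA:
        return "apipa"
    return "routable"


def analyze(lines):
    """Group events by station name; return {name: {"macs", "ips", "findings", "fix"}}."""
    stations = defaultdict(lambda: {"macs": set(), "ips": {}})
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        st = stations[ev["name"]]
        if ev["mac"]:
            st["macs"].add(ev["mac"])
        st["ips"][ev["ip"]] = classify_ip(ev["ip"])

    report = {}
    for name, st in stations.items():
        labels = list(st["ips"].values())
        findings = []
        if "unspecified" in labels:
            findings.append("entry bound to 0.0.0.0 (controller has no address for the station)")
        if "apipa" in labels:
            findings.append("entry bound to a 169.254/16 link-local address (client got no DHCP lease)")
        if labels.count("routable") > 1:
            findings.append("more than one routable IP bound to one station")
        if len(st["ips"]) > 1:
            findings.append("%d distinct IP entries for one station" % len(st["ips"]))
        macs = sorted(st["macs"])
        report[name] = {
            "macs": macs,
            "ips": dict(st["ips"]),
            "findings": findings,
            # The workaround the post uses: flush the controller's user entry for that MAC.
            "fix": ["aaa user delete mac %s" % m for m in macs] if findings else [],
        }
    return report


if __name__ == "__main__":
    for name, st in analyze(SAMPLE_LINES).items():
        print(name, st["macs"], st["ips"])
        for f in st["findings"]:
            print("  finding:", f)
        for cmd in st["fix"]:
            print("  run on controller:", cmd)
```

Run it against a larger `show log user` extract by replacing `SAMPLE_LINES` with the file's lines; a station with several distinct IP entries at the same timestamp is the pattern the post describes, and the `fix` list is the command the poster found clears it.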