Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Waiting for the network on subsequent reconnection to EAP-TLS 8021x-Machine Authentication SSID

  • 1.  Waiting for the network on subsequent reconnection to EAP-TLS 8021x-Machine Authentication SSID

    Posted Oct 02, 2013 01:36 AM

    I am having issues where clients are able to automatically connect to an EAP-TLS enabled SSID using 8021x-Machine authentication without issue (usually first time in the morning) unless they disconnect then try to reconnect (during the day). SSO is not being used, so the connection is not initiated until the user logs on.

    The problem appears to be that the previously allocated DHCP address is not being re-applied to the client, but rather an IP of 0.0.0.0 is somehow assigned. To me it looks like the controller already thinks that the client has the necessary IP. I am also confused by the log entry ("host/LT018450.ent.foxtel.com.au Authenticated 8021x-Machine Employe") missing an e.

    To work around the issue, the client simply tries to connect to any other SSID and then all of a sudden the initial reconnect attempt to the desired SSID gets a valid IP address and all is good. This happens for both XP and Win7 clients. If I do "aaa user delete mac 00:21:6a:6b:53:ba" between attempts the PC can always reconnect without issue.


    ArubaOS (MODEL: Aruba2400), Version 5.0.4.6

    Encryption wpa2-aes

    NPS used for Radius

    Termination not performed on the controller

    VLAN shared by multiple SSIDs

    DHCP via controller built-in service

    The following is from an attempted reconnect.


    Oct 2 15:05:20 :522004:  <DBUG> |authmgr|  download: ip=0.0.0.0 acl=44/0 role=Employee, Ubwm=0, Dbwm=0 tunl=0x114d, PA=0, HA=1, RO=0, VPN=0
    Oct 2 15:05:20 :522004:  <DBUG> |authmgr|  Station authenticate has l2 role :Employee default role logon logon role logon
    Oct 2 15:05:20 :522004:  <DBUG> |authmgr|   Valid Dot1xct, remote:0, assigned:254, default:254,current:254,termstate:0, wired:0,dot1x enabled:1, psk:0 static:0 bssid=00:0b:86:5a:45:2f
    Oct 2 15:05:20 :522004:  <DBUG> |authmgr|  MAC=00:21:6a:6b:53:ba def_vlan 254 derive vlan: 0 auth_type 10 auth_subtype 10
    Oct 2 15:05:20 :522004:  <DBUG> |authmgr|  Vlan assignment is not needed during station authentication
    Oct 2 15:05:20 :522029:  <INFO> |authmgr|  MAC=00:21:6a:6b:53:ba Station authenticate: method=8021x-Machine, role=Employee/Employee/, VLAN=254/254/0/0/0, Derivation=1/0, Value Pair=0
    Oct 2 15:05:20 :522008:  <NOTI> |authmgr|  User authenticated: Name=host/LT018450.ent.foxtel.com.au MAC=00:21:6a:6b:53:ba IP=169.254.90.189 method=8021x-Machine server=gdcdc00.ent.foxtel.com.au role=Employee
    Oct 2 15:05:20 :522004:  <DBUG> |authmgr|  {169.254.90.189} autTable ("host/LT018450.ent.foxtel.com.au Authenticated 8021x-Machine Employe")
    Oct 2 15:05:20 :522008:  <NOTI> |authmgr|  User authenticated: Name=host/LT018450.ent.foxtel.com.au MAC=00:21:6a:6b:53:ba IP=172.22.254.166 method=8021x-Machine server=gdcdc00.ent.foxtel.com.au role=Employee
    Oct 2 15:05:20 :522004:  <DBUG> |authmgr|  {172.22.254.166} autTable ("host/LT018450.ent.foxtel.com.au Authenticated 8021x-Machine Employe")
    Oct 2 15:05:20 :522004:  <DBUG> |authmgr|  {0.0.0.0} autTable ("host/LT018450.ent.foxtel.com.au Authenticated 8021x-Machine Employe")


    Upon connecting to any other SSID, whether it be successful or otherwise, the initial attempt then succeeds and the previously allocated IP address is re-assigned, but I still see the log entry Authenticated 8021x-Machine Employe with a missing e.


    Oct 2 15:12:26 :522038:  <INFO> |authmgr|  username=host/LT018450.ent.foxtel.com.au MAC=00:21:6a:6b:53:ba IP=0.0.0.0 Authentication result=Authentication Successful method=802.1x server=gdcdc00.ent.foxtel.com.au
    Oct 2 15:12:26 :522004:  <DBUG> |authmgr|  Auth done called from Authenticated state
    Oct 2 15:12:26 :522042:  <INFO> |authmgr|  MAC=00:21:6a:6b:53:ba Station authenticate(start): method=8021x-Machine, role=logon//, VLAN=254/254/0/0/0, Derivation=0/0, Value Pair=1
    Oct 2 15:12:26 :522004:  <DBUG> |authmgr|  {L2} Employee from profile "Arctic_AAA"
    Oct 2 15:12:26 :522004:  <DBUG> |authmgr|  {L2} Update role from logon to Employee for IP=0.0.0.0
    Oct 2 15:12:26 :522004:  <DBUG> |authmgr|  download: ip=0.0.0.0 acl=44/0 role=Employee, Ubwm=0, Dbwm=0 tunl=0x114d, PA=0, HA=1, RO=0, VPN=0
    Oct 2 15:12:26 :522004:  <DBUG> |authmgr|  Station authenticate has l2 role :Employee default role logon logon role logon
    Oct 2 15:12:26 :522022:  <INFO> |authmgr|  MAC=00:21:6a:6b:53:ba IP=0.0.0.0 Derived VLAN 3 from Tunnel attributes
    Oct 2 15:12:26 :522004:  <DBUG> |authmgr|  Station authenticate has derived a new  vlan 254
    Oct 2 15:12:26 :522004:  <DBUG> |authmgr|   Valid Dot1xct, remote:0, assigned:254, default:254,current:254,termstate:0, wired:0,dot1x enabled:1, psk:0 static:0 bssid=00:0b:86:5a:45:2f
    Oct 2 15:12:26 :522004:  <DBUG> |authmgr|  MAC=00:21:6a:6b:53:ba def_vlan 254 derive vlan: 0 auth_type 10 auth_subtype 10
    Oct 2 15:12:26 :522004:  <DBUG> |authmgr|  Vlan assignment is not needed during station authentication
    Oct 2 15:12:26 :522029:  <INFO> |authmgr|  MAC=00:21:6a:6b:53:ba Station authenticate: method=8021x-Machine, role=Employee//, VLAN=254/254/0/254/0, Derivation=1/5, Value Pair=1

    Oct 2 15:12:26 :522004:  <DBUG> |authmgr|  {0.0.0.0} autTable ("host/LT018450.ent.foxtel.com.au Authenticated 8021x-Machine Employe")
    Oct 2 15:12:27 :522026:  <INFO> |authmgr|  MAC=00:21:6a:6b:53:ba IP=172.22.254.166 User miss: ingress=0x114d, VLAN=254
    Oct 2 15:12:27 :522006:  <INFO> |authmgr|  MAC=00:21:6a:6b:53:ba IP=172.22.254.166 User entry added: reason=Sibtye
    Oct 2 15:12:27 :522004:  <DBUG> |authmgr|  Station inherit: IP=172.22.254.166 start bssid:00:00:00:00:00:00 essid:  port:0x114d (0x114d)
    Oct 2 15:12:27 :522004:  <DBUG> |authmgr|  {L3} Update role from logon to Employee for IP=172.22.254.166
    Oct 2 15:12:27 :522004:  <DBUG> |authmgr|  Reset BWM contract: IP=172.22.254.166 role=Employee, contract= (0), type=Per role
    Oct 2 15:12:27 :522004:  <DBUG> |authmgr|  download: ip=172.22.254.166 acl=44/0 role=Employee, Ubwm=0, Dbwm=0 tunl=0x114d, PA=0, HA=1, RO=0, VPN=0
    Oct 2 15:12:27 :522008:  <NOTI> |authmgr|  User authenticated: Name=host/LT018450.ent.foxtel.com.au MAC=00:21:6a:6b:53:ba IP=172.22.254.166 method=8021x-Machine server=gdcdc00.ent.foxtel.com.au role=Employee
    Oct 2 15:12:27 :522004:  <DBUG> |authmgr|  station inherit IP=172.22.254.166 bssid:00:0b:86:5a:45:2f essid: Arctic auth:1 type:8021x-Machine role:Employee port:0x114d
    Oct 2 15:12:27 :522004:  <DBUG> |authmgr|  {172.22.254.166} autTable ("host/LT018450.ent.foxtel.com.au Authenticated 8021x-Machine Employe")
    Oct 2 15:12:27 :522004:  <DBUG> |authmgr|  download: ip=172.22.254.166 acl=44/0 role=Employee, Ubwm=0, Dbwm=0 tunl=0x114d, PA=0, HA=1, RO=0, VPN=0
    Oct 2 15:12:27 :522038:  <INFO> |authmgr|  username=host/LT018450.ent.foxtel.com.au MAC=00:21:6a:6b:53:ba IP=172.22.254.166 Authentication result=Authentication Successful method=radius-accounting server=gdcdc00.ent.foxtel.com.au
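    One way to spot this failure mode in an exported authmgr log, as an added example that is not from the thread or from ArubaOS itself: parse the lines in the format quoted above and flag every 802.1X completion (message 522029, "Station authenticate:") that is not followed by a "User entry added" (522006) carrying a routable IP for the same MAC. The line format, message IDs and sample lines are taken from the posts above; the 10-second grace window is an assumption.

```python
import re
from datetime import datetime

# Shape of the ArubaOS authmgr lines quoted in the thread, e.g.
# "Oct 2 15:05:20 :522029:  <INFO> |authmgr|  MAC=00:21:6a:6b:53:ba Station authenticate: ..."
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) :(?P<msgid>\d+):\s+<\w+>\s+\|authmgr\|\s+(?P<body>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")

def parse_line(line):
    """Return dict(ts, msgid, body, when, fields) or None for non-authmgr lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["when"] = datetime.strptime(rec["ts"], "%b %d %H:%M:%S")  # syslog has no year
    rec["fields"] = dict(KV_RE.findall(rec["body"]))
    return rec

def usable_ip(ip):
    """0.0.0.0 and 169.254/16 (APIPA) mean the station never (re)acquired a lease."""
    return bool(ip) and ip != "0.0.0.0" and not ip.startswith("169.254.")

def stuck_reconnects(lines, grace_seconds=10):
    """List (mac, ts) for each 802.1X completion (msg 522029 'Station authenticate:')
    not followed within grace_seconds by a 'User entry added' (522006) carrying a
    usable IP for the same MAC. grace_seconds is an assumed tuning knob."""
    sessions, latest = [], None        # each session: [mac, ts_text, when, resolved]
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        latest, mac, body = rec["when"], rec["fields"].get("MAC"), rec["body"]
        if "Station authenticate:" in body:
            sessions.append([mac, rec["ts"], rec["when"], False])
        elif "User entry added" in body and usable_ip(rec["fields"].get("IP", "")):
            for s in sessions:
                if s[0] == mac and not s[3] and (rec["when"] - s[2]).total_seconds() <= grace_seconds:
                    s[3] = True
    return [(s[0], s[1]) for s in sessions
            if not s[3] and latest and (latest - s[2]).total_seconds() > grace_seconds]

# Sample input: five lines copied from the failed (15:05) and successful (15:12) attempts above.
SAMPLE = [
    "Oct 2 15:05:20 :522029:  <INFO> |authmgr|  MAC=00:21:6a:6b:53:ba Station authenticate: method=8021x-Machine, role=Employee/Employee/, VLAN=254/254/0/0/0, Derivation=1/0, Value Pair=0",
    "Oct 2 15:05:20 :522008:  <NOTI> |authmgr|  User authenticated: Name=host/LT018450.ent.foxtel.com.au MAC=00:21:6a:6b:53:ba IP=169.254.90.189 method=8021x-Machine server=gdcdc00.ent.foxtel.com.au role=Employee",
    "Oct 2 15:12:26 :522029:  <INFO> |authmgr|  MAC=00:21:6a:6b:53:ba Station authenticate: method=8021x-Machine, role=Employee//, VLAN=254/254/0/254/0, Derivation=1/5, Value Pair=1",
    "Oct 2 15:12:27 :522026:  <INFO> |authmgr|  MAC=00:21:6a:6b:53:ba IP=172.22.254.166 User miss: ingress=0x114d, VLAN=254",
    "Oct 2 15:12:27 :522006:  <INFO> |authmgr|  MAC=00:21:6a:6b:53:ba IP=172.22.254.166 User entry added: reason=Sibtye",
]
```

    Running stuck_reconnects(SAMPLE) reports only the 15:05:20 attempt, which is exactly the reconnect that ended with {0.0.0.0} in the first trace; the 15:12:26 attempt is cleared by the "User entry added" line one second later.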



  • 2.  RE: Waiting for the network on subsequent reconnection to EAP-TLS 8021x-Machine Authentication SSID

    EMPLOYEE
    Posted Oct 02, 2013 08:33 AM

    Why are you using enforce machine authentication?

    Consider unchecking that to simplify things, because turning it on creates a whole set of possibilities that could be exacerbating your issue.



  • 3.  RE: Waiting for the network on subsequent reconnection to EAP-TLS 8021x-Machine Authentication SSID

    Posted Oct 02, 2013 05:55 PM

    Thanks for the reply cjoseph, will do that now.  Btw how did you see from the log snippet I had that option checked?



  • 4.  RE: Waiting for the network on subsequent reconnection to EAP-TLS 8021x-Machine Authentication SSID
    Best Answer

    Posted Oct 08, 2013 12:17 AM

    After disabling "Enforce Machine Authentication" I was still experiencing the issue of subsequent reconnections not being given the previously allocated DHCP address. However, my concern over the log entry with the Employee role missing the last e appears to be directly in relation to "Enforce Machine Authentication", as these log entries did not re-occur.

     |authmgr|  {172.22.254.166} autTable ("host/LT018450.ent.foxtel.com.au Authenticated 8021x-Machine Employe")

    After disabling the following 3 config items, clients can now connect and disconnect at will without issue (fingers crossed). I have since re-enabled "Enforce Machine Authentication" and it appears to be OK still, and I no longer need to delete the aaa user mac entry.

    By disabling the following I don't really know what I have achieved, except that the clients now get a DHCP address on subsequent reconnections.


    Ignore EAPOL-START after authentication

    If enabled, the controller ignores EAPOL-START messages after authentication.

    Handle EAPOL-Logoff

    Shows if handling of EAPOL-LOGOFF messages is enabled or disabled.

    Ignore EAP ID during negotiation

    If enabled, the controller will ignore EAP IDs during negotiation.