Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

What happens if I do not set VLAN ID at a Virtual AP?

  • 1.  What happens if I do not set VLAN ID at a Virtual AP?

    Posted Feb 06, 2015 07:45 AM

    We have a VAP without a VLAN ID configured.

    And we have this condition:

    aaa server-group "server_grp_auth_radius_vap_guest"
       auth-server radius_vap_guest_sbcdf046
       auth-server radius_vap_guest_sbcdf047
       set vlan condition Class equals "1112" set-value 1112

    They work in tunnel mode and have worked well until now, but at the core switch a client MAC address appears twice in the MAC table, in VLAN 1112 and in VLAN 2160 (the controllers' VLAN).

    Is it a bad design?



  • 2.  RE: What happens if I do not set VLAN ID at a Virtual AP?

    Posted Feb 06, 2015 09:20 AM

    It is not a bad design; I have done similar setups to yours.

    Do you have any other SSIDs using that VLAN that the client might have connected to before, and that's why it is showing up in the ARP table?

    What type of authentication are you using?

    What's the default role that the user gets?

    If you enable the following:

    logging level debugging security process authmgr
    logging level debugging security subcat aaa

    then do a show log security all | include <device mac>

    and this will allow you to see what VLANs the device is getting during the authentication process.



  • 3.  RE: What happens if I do not set VLAN ID at a Virtual AP?

    Posted Feb 06, 2015 10:41 AM


    We don't have any other SSID using VLAN 1112.

    We use 802.1X PEAP.

    Our config:

    user-role BCB_User_Vap_Guest
       access-list session validuser
    !
    aaa authentication dot1x "l2_dot1x_bcb_vap_guest"
       max-authentication-failures 5
       machine-authentication machine-default-role "denyall"
       machine-authentication user-default-role "denyall"
    !
    aaa server-group "server_grp_auth_radius_vap_guest"
       auth-server radius_vap_guest_sbcdf046
       auth-server radius_vap_guest_sbcdf047
       set vlan condition Class equals "1112" set-value 1112
    !
    aaa profile "aaa_dot1x_bcb_vap_guest"
       initial-role "denyall"
       mac-default-role "denyall"
       authentication-dot1x "l2_dot1x_bcb_vap_guest"
       dot1x-default-role "BCB_User_Vap_Guest"
       dot1x-server-group "server_grp_auth_radius_vap_guest"
       radius-accounting "server_grp_auth_radius_vap_guest"

     My log

    (WCTDF004) #show log security all | include 4c:b1:99:dc:a5:52
    Feb 6 13:34:13 :124004:  <DBUG> |authmgr|  Setting user 4c:b1:99:dc:a5:52 aaa profile to aaa_dot1x_bcb_vap_guest, reason: ncfg_get_wireless_aaa_prof
    Feb 6 13:34:13 :124004:  <DBUG> |authmgr|  Setting user 4c:b1:99:dc:a5:52 aaa profile to aaa_dot1x_bcb_vap_guest, reason: ncfg_set_aaa_profile_defaults
    Feb 6 13:34:13 :124004:  <DBUG> |authmgr|  MM: mac=4c:b1:99:dc:a5:52, state=4, name=zemarcio, role=BCB_User_Vap_Guest, dev_type=iPhone, ip=172.16.113.24
    Feb 6 13:34:14 :124004:  <DBUG> |authmgr|  Save Class in station for MAC 4c:b1:99:dc:a5:52
    Feb 6 13:34:14 :124003:  <INFO> |authmgr|  Authentication result=Authentication Successful(0), method=802.1x, server=radius_vap_guest_sbcdf046, user=4c:b1:99:dc:a5:52
    Feb 6 13:34:14 :124004:  <DBUG> |authmgr|  Adding user: 2c33a60c (4c:b1:99:dc:a5:52:N/A:zemarcio) to ap group:WCTDF004_Acesso ap group id: 763 role:BCB_User_Vap_Guest
    Feb 6 13:34:14 :124004:  <DBUG> |authmgr|  MM: mac=4c:b1:99:dc:a5:52, state=3, name=zemarcio, role=BCB_User_Vap_Guest, dev_type=iPhone, ip=172.16.113.24
    Feb 6 13:34:14 :124004:  <DBUG> |authmgr|  MM: mac=4c:b1:99:dc:a5:52, state=3, name=zemarcio, role=BCB_User_Vap_Guest, dev_type=iPhone, ip=172.16.113.24
    Feb 6 13:34:14 :132066:  <INFO> |authmgr|  Station4c:b1:99:dc:a5:52 00:1a:1e:63:df:c1 -2.Dired 1112 33552 VLAN has been updated




  • 4.  RE: What happens if I do not set VLAN ID at a Virtual AP?

    Posted Feb 06, 2015 11:03 AM

    Based on the logs, your device is getting the right VLAN.

    My question was in regards to the management VLAN 2160: do you have this VLAN assigned on another VAP or user-role?



  • 5.  RE: What happens if I do not set VLAN ID at a Virtual AP?

    Posted Feb 06, 2015 11:06 AM

    We don't have vlan 2160 assigned to VAP or user-role.



  • 6.  RE: What happens if I do not set VLAN ID at a Virtual AP?

    Posted Feb 06, 2015 09:36 AM

    Hi,

    If we do not map any VLAN to the VAP, the client will get an IP address from the subnet where the AP is connected if it is an open SSID (without authentication).

    The VLAN mapped by the role and the VLAN mapped by the SDR/VSA will always take precedence over the VLAN mapped to the VAP, hence we need not worry much about the VLAN mapped to the VAP.

    If you can share the output of "show user mac <Client_MAC>" and "show auth tracebuff", I can understand your issue and help you to fix it.

    Please feel free to ask any further query on this.



  • 7.  RE: What happens if I do not set VLAN ID at a Virtual AP?

    Posted Feb 06, 2015 11:18 AM


    Hi,

    Our RADIUS (Microsoft NPS) returns the VLAN based on the authentication.

    (WCTDF004) #show user mac 4c:b1:99:dc:a5:52
    
    Datapath Session Table Entries
    ------------------------------
    
    Flags: F - fast age, S - src NAT, N - dest NAT
           D - deny, R - redirect, Y - no syn
           H - high prio, P - set prio, T - set ToS
           C - client, M - mirror, V - VOIP
           Q - Real-Time Quality analysis
           I - Deep inspect, U - Locally destined
           E - Media Deep Inspect, G - media signal
           u - User Index
    
      Source IP     Destination IP  Prot SPort DPort  Cntr Prio ToS Age Destination TAge UsrIdx UsrVer Flags
    --------------  --------------  ---- ----- -----  ---- ---- --- --- ----------- ---- ------ ------ -----
    
    
    
    Name: zemarcio, IP: 172.16.113.24, MAC: 4c:b1:99:dc:a5:52, Role:BCB_User_Vap_Guest, ACL:52/0, Age: 00:00:23
    Authentication: Yes, status: successful, method: 802.1x, protocol: EAP-PEAP, server: radius_vap_guest_sbcdf046
    Bandwidth = No Limit
    Bandwidth = No Limit
    Role Derivation: default for authentication type 802.1x
    VLAN Derivation: Aruba VSA
    Idle timeouts: 0, ICMP requests sent: 0, replies received: 0, Valid ARP: 0
    Mobility state: Wireless, HA: Yes, Proxy ARP: No, Roaming: No Tunnel ID: 0 L3 Mob: 0
    Flags: internal=0, trusted_ap=0, l3auth=0, mba=0
    Flags: innerip=0, outerip=0, guest=0, download=1, nodatapath=0, wispr=0
    Auth fails: 0, phy_type: g-HT, reauth: 0, BW Contract: up:0 down:0, user-how: 14
    Vlan default: 1120, Assigned: 1112, Current: 1112 vlan-how: 4 DP assigned vlan:0
    Mobility Messages: L2=0, Move=0, Inter=0, Intra=0, ProxyArp=0, Flags=0x0
    Tunnel=0, SlotPort=0x1041, Port=0x1126 (tunnel 166)
    Role assigment - L3 assigned role: n/a, VPN role: n/a, Dot1x cached role : n/a
        Current Role name: BCB_User_Vap_Guest, role-how: 1, L2-role: BCB_User_Vap_Guest, L3-role: BCB_User_Vap_Guest
    Essid: BCB-Visitante, Bssid: 00:1a:1e:63:df:c1 AP name/group: -2.Dired/default Phy-type: g-HT
    RadAcct sessionID:zem4CB199DCA552-13F1AF
    RadAcct Traffic In 728/60670 Out 153/64037 (0:728/0:0:0:60670,0:153/0:0:0:64037)
    Timers: ping_reply 0, spoof reply 0, reauth 0
    Profiles AAA:aaa_dot1x_bcb_vap_guest, dot1x:l2_dot1x_bcb_vap_guest, mac: CP: def-role:'denyall' sip-role:'' via-auth-profile:''
    ncfg flags udr 0, mac 0, dot1x 1, RADIUS interim accounting 0
    IP Born: 1423237687 (Fri Feb  6 13:48:07 2015)
    Core User Born: 1423237686 (Fri Feb  6 13:48:06 2015)
    Upstream AP ID: 0, Downstream AP ID: 0
    DHCP assigned IP address 172.16.113.24, from DHCP server 0.0.0.0
    Device Type: iPhone4,1/7.1.2 (11D257)
    
    
    Flags: W: WMM client, A: Active, K: 802.11K client, B: Band Steerable
    
    PHY Details: HT: High throughput; 20: 20MHz; 40: 40MHz
                 <n>ss: <n> spatial streams
    
    Association Table
    -----------------
    Name  bssid  mac  auth  assoc  aid  l-int  essid  vlan-id  tunnel-id  phy  assoc. time  num assoc  Flags
    ----  -----  ---  ----  -----  ---  -----  -----  -------  ---------  ---  -----------  ---------  -----

     show auth

    Feb  6 14:15:04  station-up             *  4c:b1:99:dc:a5:52  00:1a:1e:63:df:c1                            -      -     wpa2 aes
    Feb  6 14:15:04  eap-id-req            <-  4c:b1:99:dc:a5:52  00:1a:1e:63:df:c1                            1      5
    Feb  6 14:15:04  eap-id-resp           ->  4c:b1:99:dc:a5:52  00:1a:1e:63:df:c1                            1      18    zemarcio
    Feb  6 14:15:04  rad-req               ->  4c:b1:99:dc:a5:52  00:1a:1e:63:df:c1                            65420  206
    Feb  6 14:15:04  rad-resp              <-  4c:b1:99:dc:a5:52  00:1a:1e:63:df:c1/radius_vap_guest_sbcdf046  65420  90
    Feb  6 14:15:04  eap-req               <-  4c:b1:99:dc:a5:52  00:1a:1e:63:df:c1                            2      6
    Feb  6 14:15:04  eap-resp              ->  4c:b1:99:dc:a5:52  00:1a:1e:63:df:c1                            2      152
    Feb  6 14:15:04  rad-req               ->  4c:b1:99:dc:a5:52  00:1a:1e:63:df:c1/radius_vap_guest_sbcdf046  54     378
    Feb  6 14:15:04  rad-resp              <-  4c:b1:99:dc:a5:52  00:1a:1e:63:df:c1/radius_vap_guest_sbcdf046  54     1188
    Feb  6 14:15:04  eap-req               <-  4c:b1:99:dc:a5:52  00:1a:1e:63:df:c1                            3      1096
    Feb  6 14:15:04  eap-resp              ->  4c:b1:99:dc:a5:52  00:1a:1e:63:df:c1                            3      6
    Feb  6 14:15:04  rad-req               ->  4c:b1:99:dc:a5:52  00:1a:1e:63:df:c1/radius_vap_guest_sbcdf046  49     232
    Feb  6 14:15:04  rad-resp              <-  4c:b1:99:dc:a5:52  00:1a:1e:63:df:c1/radius_vap_guest_sbcdf046  49     589
    Feb  6 14:15:04  eap-req               <-  4c:b1:99:dc:a5:52  00:1a:1e:63:df:c1                            4      503
    Feb  6 14:15:04  eap-resp              ->  4c:b1:99:dc:a5:52  00:1a:1e:63:df:c1                            4      220
    Feb  6 14:15:04  rad-req               ->  4c:b1:99:dc:a5:52  00:1a:1e:63:df:c1/radius_vap_guest_sbcdf046  12     446
    Feb  6 14:15:04  rad-resp              <-  4c:b1:99:dc:a5:52  00:1a:1e:63:df:c1/radius_vap_guest_sbcdf046  12     153
    Feb  6 14:15:04  eap-req               <-  4c:b1:99:dc:a5:52  00:1a:1e:63:df:c1                            5      69
    Feb  6 14:15:04  eap-resp              ->  4c:b1:99:dc:a5:52  00:1a:1e:63:df:c1                            5      6
    Feb  6 14:15:04  rad-req               ->  4c:b1:99:dc:a5:52  00:1a:1e:63:df:c1/radius_vap_guest_sbcdf046  58     232
    Feb  6 14:15:04  rad-resp              <-  4c:b1:99:dc:a5:52  00:1a:1e:63:df:c1/radius_vap_guest_sbcdf046  58     127
    Feb  6 14:15:04  eap-req               <-  4c:b1:99:dc:a5:52  00:1a:1e:63:df:c1                            6      43
    Feb  6 14:15:04  eap-resp              ->  4c:b1:99:dc:a5:52  00:1a:1e:63:df:c1                            6      59
    Feb  6 14:15:04  rad-req               ->  4c:b1:99:dc:a5:52  00:1a:1e:63:df:c1/radius_vap_guest_sbcdf046  65494  285
    Feb  6 14:15:04  rad-resp              <-  4c:b1:99:dc:a5:52  00:1a:1e:63:df:c1/radius_vap_guest_sbcdf046  65494  143
    Feb  6 14:15:04  eap-req               <-  4c:b1:99:dc:a5:52  00:1a:1e:63:df:c1                            7      59
    Feb  6 14:15:04  eap-resp              ->  4c:b1:99:dc:a5:52  00:1a:1e:63:df:c1                            7      59
    Feb  6 14:15:04  rad-req               ->  4c:b1:99:dc:a5:52  00:1a:1e:63:df:c1/radius_vap_guest_sbcdf046  65501  285
    Feb  6 14:15:04  rad-resp              <-  4c:b1:99:dc:a5:52  00:1a:1e:63:df:c1/radius_vap_guest_sbcdf046  65501  159
    Feb  6 14:15:04  eap-req               <-  4c:b1:99:dc:a5:52  00:1a:1e:63:df:c1                            8      75
    Feb  6 14:15:04  eap-resp              ->  4c:b1:99:dc:a5:52  00:1a:1e:63:df:c1                            8      107
    Feb  6 14:15:04  rad-req               ->  4c:b1:99:dc:a5:52  00:1a:1e:63:df:c1/radius_vap_guest_sbcdf046  65432  333
    Feb  6 14:15:04  rad-resp              <-  4c:b1:99:dc:a5:52  00:1a:1e:63:df:c1/radius_vap_guest_sbcdf046  65432  175
    Feb  6 14:15:04  eap-req               <-  4c:b1:99:dc:a5:52  00:1a:1e:63:df:c1                            9      91
    Feb  6 14:15:04  eap-resp              ->  4c:b1:99:dc:a5:52  00:1a:1e:63:df:c1                            9      43
    Feb  6 14:15:04  rad-req               ->  4c:b1:99:dc:a5:52  00:1a:1e:63:df:c1/radius_vap_guest_sbcdf046  65436  269
    Feb  6 14:15:04  rad-resp              <-  4c:b1:99:dc:a5:52  00:1a:1e:63:df:c1/radius_vap_guest_sbcdf046  65436  191
    Feb  6 14:15:04  eap-req               <-  4c:b1:99:dc:a5:52  00:1a:1e:63:df:c1                            11     107
    Feb  6 14:15:04  eap-resp              ->  4c:b1:99:dc:a5:52  00:1a:1e:63:df:c1                            11     43
    Feb  6 14:15:04  rad-req               ->  4c:b1:99:dc:a5:52  00:1a:1e:63:df:c1/radius_vap_guest_sbcdf046  51     269
    Feb  6 14:15:04  rad-accept            <-  4c:b1:99:dc:a5:52  00:1a:1e:63:df:c1/radius_vap_guest_sbcdf046  51     291
    Feb  6 14:15:04  eap-success           <-  4c:b1:99:dc:a5:52  00:1a:1e:63:df:c1                            11     4
    Feb  6 14:15:04  assg-vlan-req          *  4c:b1:99:dc:a5:52  00:1a:1e:63:df:c1                            1120   1112  assignment during station auth
    Feb  6 14:15:04  assg-vlan-resp         *  4c:b1:99:dc:a5:52  00:1a:1e:63:df:c1                            -      1112
    Feb  6 14:15:04  station-data-ready     *  4c:b1:99:dc:a5:52  00:00:00:00:00:00                            1120   1112
    Feb  6 14:15:04  wpa2-key1             <-  4c:b1:99:dc:a5:52  00:1a:1e:63:df:c1                            -      117
    Feb  6 14:15:04  station-data-ready_ack *  4c:b1:99:dc:a5:52  00:00:00:00:00:00                            1120   1112
    Feb  6 14:15:04  wpa2-key2             ->  4c:b1:99:dc:a5:52  00:1a:1e:63:df:c1                            -      117
    Feb  6 14:15:04  wpa2-key3             <-  4c:b1:99:dc:a5:52  00:1a:1e:63:df:c1                            -      151
    Feb  6 14:15:04  wpa2-key4             ->  4c:b1:99:dc:a5:52  00:1a:1e:63:df:c1                            -      95
    Feb  6 14:16:05  station-down           *  4c:b1:99:dc:a5:52  00:1a:1e:63:df:c1                            -      -



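The checks the replies above ask for (enable authmgr/aaa debug logging and grep "show log security", then read "show auth-tracebuf" and "show user mac"), as an added Python example that is not part of the thread and not ArubaOS code: it parses excerpts of those three outputs and reports whether the client ended up in the VLAN the RADIUS server was expected to assign, or fell back to something else. The sample text is constructed from the outputs posted earlier in this thread; the expected VLAN (1112) and derivation source ("Aruba VSA") are inputs you supply, and the column positions matched by the regular expressions are assumptions taken from the posted output.

```python
"""Verify which VLAN an ArubaOS client actually received, and how.

Added example for this thread, not ArubaOS code. Parses excerpts of the three
outputs the replies ask for and reports whether the client landed in the VLAN
the RADIUS server was expected to assign. Column positions matched below are
assumptions taken from the outputs posted in the thread.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input: excerpts of the outputs posted earlier in the thread.
SECURITY_LOG = """\
Feb 6 13:34:14 :124003:  <INFO> |authmgr|  Authentication result=Authentication Successful(0), method=802.1x, server=radius_vap_guest_sbcdf046, user=4c:b1:99:dc:a5:52
"""
AUTH_TRACEBUF = """\
Feb  6 14:15:04  rad-accept            <-  4c:b1:99:dc:a5:52  00:1a:1e:63:df:c1/radius_vap_guest_sbcdf046  51     291
Feb  6 14:15:04  eap-success           <-  4c:b1:99:dc:a5:52  00:1a:1e:63:df:c1                            11     4
Feb  6 14:15:04  assg-vlan-req          *  4c:b1:99:dc:a5:52  00:1a:1e:63:df:c1                            1120   1112  assignment during station auth
Feb  6 14:15:04  assg-vlan-resp         *  4c:b1:99:dc:a5:52  00:1a:1e:63:df:c1                            -      1112
"""
SHOW_USER_MAC = """\
Name: zemarcio, IP: 172.16.113.24, MAC: 4c:b1:99:dc:a5:52, Role:BCB_User_Vap_Guest, ACL:52/0, Age: 00:00:23
Authentication: Yes, status: successful, method: 802.1x, protocol: EAP-PEAP, server: radius_vap_guest_sbcdf046
VLAN Derivation: Aruba VSA
Vlan default: 1120, Assigned: 1112, Current: 1112 vlan-how: 4 DP assigned vlan:0
"""


@dataclass
class VlanReport:
    mac: str
    auth_result: Optional[str] = None        # authmgr verdict from the security log
    radius_accept: bool = False              # rad-accept seen in auth-tracebuf
    tracebuf_default: Optional[int] = None   # first VLAN column of assg-vlan-req
    tracebuf_assigned: Optional[int] = None  # VLAN column of assg-vlan-resp
    derivation: Optional[str] = None         # "VLAN Derivation:" from show user mac
    default_vlan: Optional[int] = None
    assigned_vlan: Optional[int] = None
    current_vlan: Optional[int] = None
    problems: List[str] = field(default_factory=list)


def parse_security_log(text: str, mac: str, rep: VlanReport) -> None:
    """Pull the authmgr authentication verdict for this MAC out of the debug log."""
    pat = re.compile(r"Authentication result=([^(]+)\(\d+\).*user=" + re.escape(mac))
    for line in text.splitlines():
        if (m := pat.search(line)):
            rep.auth_result = m.group(1).strip()


def parse_auth_tracebuf(text: str, mac: str, rep: VlanReport) -> None:
    """Follow the station's trace: RADIUS verdict, then the VLAN assignment step."""
    mac_re = re.escape(mac)
    accept = re.compile(r"rad-accept\s+<-\s+" + mac_re)
    # After the client MAC and BSSID: "<default-vlan> <assigned-vlan>" on the request
    # line, "- <assigned-vlan>" on the response line (assumed from the posted output).
    req = re.compile(r"assg-vlan-req\s+\*\s+" + mac_re + r"\s+\S+\s+(\d+)\s+(\d+)")
    resp = re.compile(r"assg-vlan-resp\s+\*\s+" + mac_re + r"\s+\S+\s+\S+\s+(\d+)")
    for line in text.splitlines():
        if accept.search(line):
            rep.radius_accept = True
        elif (m := req.search(line)):
            rep.tracebuf_default, rep.tracebuf_assigned = int(m.group(1)), int(m.group(2))
        elif (m := resp.search(line)):
            rep.tracebuf_assigned = int(m.group(1))


def parse_show_user_mac(text: str, rep: VlanReport) -> None:
    """Read the VLAN derivation source and the default/assigned/current VLANs."""
    if (m := re.search(r"VLAN Derivation:\s*(.+)", text)):
        rep.derivation = m.group(1).strip()
    if (m := re.search(r"Vlan default:\s*(\d+),\s*Assigned:\s*(\d+),\s*Current:\s*(\d+)", text)):
        rep.default_vlan, rep.assigned_vlan, rep.current_vlan = map(int, m.groups())


def check_client(mac: str, expected_vlan: int, expected_derivation: str,
                 security_log: str, tracebuf: str, user_mac: str) -> VlanReport:
    """Combine the three outputs and list everything that contradicts the expectation."""
    rep = VlanReport(mac=mac)
    parse_security_log(security_log, mac, rep)
    parse_auth_tracebuf(tracebuf, mac, rep)
    parse_show_user_mac(user_mac, rep)
    if rep.auth_result != "Authentication Successful":
        rep.problems.append(f"authmgr verdict is {rep.auth_result!r}, not a success")
    if not rep.radius_accept:
        rep.problems.append("no rad-accept in auth-tracebuf: RADIUS never accepted the client")
    if rep.assigned_vlan != expected_vlan:
        rep.problems.append(f"assigned VLAN {rep.assigned_vlan} != expected {expected_vlan}")
    if rep.current_vlan != rep.assigned_vlan:
        rep.problems.append(f"current VLAN {rep.current_vlan} differs from assigned {rep.assigned_vlan}")
    if rep.derivation != expected_derivation:
        rep.problems.append(f"VLAN came from {rep.derivation!r}, not {expected_derivation!r}: "
                            "the RADIUS reply did not satisfy the server-derivation rule")
    if rep.tracebuf_assigned is not None and rep.tracebuf_assigned != rep.assigned_vlan:
        rep.problems.append("auth-tracebuf and show user mac disagree on the assigned VLAN")
    return rep


if __name__ == "__main__":
    r = check_client("4c:b1:99:dc:a5:52", 1112, "Aruba VSA",
                     SECURITY_LOG, AUTH_TRACEBUF, SHOW_USER_MAC)
    if r.problems:
        print("\n".join(r.problems))
    else:
        print(f"OK: VLAN {r.assigned_vlan} via {r.derivation}")
```

On the posted outputs this reports OK: RADIUS accepted the station, the trace shows the VLAN assignment moving from the default 1120 to 1112, and "show user mac" confirms 1112 was derived from the Aruba VSA. The same script run on a client whose reply lacked the Class attribute would instead show a derivation other than "Aruba VSA" and the default VLAN as the assigned one, which is the fallback the later replies discuss.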

  • 8.  RE: What happens if I do not set VLAN ID at a Virtual AP?

    Posted Feb 06, 2015 11:36 AM

    Hi,

    What is the expected VLAN for this client, is it VLAN 1112 or any other? I'm seeing VLAN 1112 was assigned through the Aruba VSA.

    Please feel free to ask for any further help on this.



  • 9.  RE: What happens if I do not set VLAN ID at a Virtual AP?

    Posted Feb 06, 2015 11:42 AM

    VLAN 1112 is expected and is working fine. My doubt is whether this configuration without a VLAN ID at the VAP could cause security problems, or whether it isn't good practice.



  • 10.  RE: What happens if I do not set VLAN ID at a Virtual AP?
    Best Answer

    Posted Feb 06, 2015 12:02 PM
    It is not bad practice, and it is actually more secure to implement it that way, because users will only get that VLAN if they meet the condition defined in the SDR and the RADIUS server, instead of getting it by default on the VAP.
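To make the accepted answer's point concrete, an added Python example (not part of the thread and not ArubaOS code) that parses the server-derivation rule posted above and evaluates it against a RADIUS reply: only a reply whose Class attribute equals "1112" reaches VLAN 1112; anything else falls through to the role VLAN, then the VAP VLAN, and to nothing at all when the VAP has none. The precedence modelled (SDR over role over VAP), the restriction to the "equals" operator, and the sample replies are assumptions of this example; the thread itself only states that role and SDR/VSA VLANs beat the VAP VLAN.

```python
"""Evaluate an ArubaOS-style server-derivation rule (SDR) against a RADIUS reply.

Added example, not ArubaOS code. Models the rule from the thread:
    set vlan condition Class equals "1112" set-value 1112
Assumptions: only the "equals" operator; precedence SDR > role VLAN > VAP VLAN;
a VAP with no VLAN contributes nothing, so a station whose RADIUS reply does not
match the rule gets no guest VLAN from this model.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class SdrRule:
    attribute: str   # RADIUS attribute the rule looks at, e.g. "Class"
    value: str       # value it must equal
    set_vlan: int    # VLAN assigned when the condition matches


SDR_LINE = re.compile(r'\s*set vlan condition (\S+) (\S+) "([^"]*)" set-value (\d+)\s*')


def parse_sdr(line: str) -> SdrRule:
    """Parse one 'set vlan condition <attr> equals "<value>" set-value <vlan>' line."""
    m = SDR_LINE.fullmatch(line)
    if not m:
        raise ValueError(f"unsupported SDR syntax: {line!r}")
    attr, op, value, vlan = m.groups()
    if op != "equals":
        raise ValueError(f"operator {op!r} is not modelled here")
    return SdrRule(attribute=attr, value=value, set_vlan=int(vlan))


def derive_vlan(rules: List[SdrRule], radius_reply: Dict[str, str],
                role_vlan: Optional[int], vap_vlan: Optional[int]) -> Tuple[Optional[int], str]:
    """Return (vlan, source). First matching SDR wins; then the role VLAN; then the VAP VLAN."""
    for rule in rules:
        if radius_reply.get(rule.attribute) == rule.value:
            return rule.set_vlan, "SDR"
    if role_vlan is not None:
        return role_vlan, "role"
    if vap_vlan is not None:
        return vap_vlan, "VAP"
    return None, "none"   # nothing in this model assigns a VLAN: no guest VLAN for the station


# Constructed sample: the thread's own rule.
GUEST_RULES = [parse_sdr('set vlan condition Class equals "1112" set-value 1112')]


def compare_designs(radius_reply: Dict[str, str]) -> Dict[str, Tuple[Optional[int], str]]:
    """Run one RADIUS reply through the two designs the thread contrasts."""
    return {
        # VLAN 1112 set statically on the VAP: every accepted user lands there
        "vap_vlan_1112": derive_vlan(GUEST_RULES, radius_reply, role_vlan=None, vap_vlan=1112),
        # no VLAN on the VAP: only a reply matching the SDR reaches 1112
        "vap_no_vlan": derive_vlan(GUEST_RULES, radius_reply, role_vlan=None, vap_vlan=None),
    }


if __name__ == "__main__":
    for reply in ({"Class": "1112"}, {"Class": "2160"}, {}):
        print(reply, compare_designs(reply))
```

With the VLAN configured on the VAP, a RADIUS accept that carries the wrong Class value (or none) still drops the user into 1112; with no VLAN on the VAP, that same reply leaves the user without the guest VLAN, which is the "only if they meet the condition" behaviour the accepted answer prefers.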