Wireless Access

last person joined: yesterday 

Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.
Back to discussions
Expand all | Collapse all

aaa user fast-age

This thread has been viewed 5 times

  • 1.  aaa user fast-age

    Posted Aug 31, 2016 12:46 AM

    Hi Guys,

     

    I have a problem at hand. A particular project setup has an Andriod IP clock. This IP clock is configured with a static IP address.

     

    However due to Andriod behavior, upon reboot the mac address of the device will change. This will result in 2 mac address with the same IP on the aaa user profile, causing traffic black hole.

     

    The current solution is to clear previous user aaa profile for it to work.

     

    For this case, do you think setting aaa user fast-age will help ?
    I have seen other topics talking about this from the perspective of same mac but different IP address.



  • 2.  RE: aaa user fast-age

    EMPLOYEE
    Posted Aug 31, 2016 04:54 AM

    Your situation is very unusual and I am not sure if fast age will work.  Fast-Age is to deal with a situation where the mac address is the same but there is a different ip address.  Try it and let us know.



  • 3.  RE: aaa user fast-age

    Posted Jan 31, 2017 05:15 PM

    We are currently running 6.4.4.11 on our 7240's and M6's.  aaa user fast-age doesn't seem to be working for us to clear the issue.  Our scenario is when a user flips from our guest to our byod ssid.  Their mac is now associated with 2 different IP's and roles in our M6 DMZ controller.  This causes the guest captive portal screen to pop up when they are on the .1x byod ssid.  We have to cli in and aaa user delete mac x:x:x:x:x:x and ask them to connect to the byod ssid again.  Is there another way to fix this issue?



  • 4.  RE: aaa user fast-age

    EMPLOYEE
    Posted Jan 31, 2017 07:12 PM

    Is your DMZ controller admitting users through an untrusted wired interface?



  • 5.  RE: aaa user fast-age

    Posted Feb 01, 2017 11:12 AM

    We send our mobile and guest users into a trusted tunnel in the 7240 and they come out untrusted in the DMZ M6.  The AAA wired profiles associated are .1x authenticated for mobile users and captive portal for guests.



  • 6.  RE: aaa user fast-age

    EMPLOYEE
    Posted Feb 01, 2017 11:30 AM

    I am not sure aaa user fast-age was designed to deal with that specific situation.  There is a disconnect between client traffic to a controller via an AP and client traffic tunneled to another controller thereafter.



  • 7.  RE: aaa user fast-age

    Posted Feb 01, 2017 12:42 PM

    Thanks for the update.  I'll look at other options for us then.  I also mixed up saying M6 instead of M3 but you figured that out.



  • 8.  RE: aaa user fast-age

    EMPLOYEE
    Posted Feb 02, 2017 05:00 AM

    Do you have mac-auth enabled on the guest ssid and role?

    There is a known issue with respect to this which I can upon recently.

     

    The workaround I got back from engineering is as follows,

     

    - either disable the mac-authentication on the AAA-profile 'guest'
    OR
- configure the initial-role and the mac-auth derived role (to handle auth success/failure) as 'registration-role' to avoid caching the mac-auth status on the anchor user-entry.

    To be honest I didn't have much luck with it and in the end things were changed slightly so that we would never encounter this issue.