Client Classification Failing for one User Group, Succeeding for Another

  • Question
  • Updated 5 years ago
  • Answered
I'm scratching my head over this one.

Our clients authenticate via 802.1X (against an Open Directory Master) and are members of either a Faculty group or Student group. Once Faculty users authenticate, they are mapped to vlan 20 and receive an ip of 10.0.2.x. Once Student users authenticate, they are mapped to vlan 30 and receive an ip of 10.0.3.x. This simple setup works without fail.

I've been using Client Classification to try to increase the number of devices we can have access our network. I have created and tested vlans 40 (chromebooks), 50 (ios devices), and 60 (guest users). The vlans themselves check out fine.

The default user profile has one client classification that detects chromebooks and routes them to vlan 40 (10.0.4.x) and this has been working as expected.

The problem I'm having now, though, is that none of the classifications on the student user profile work. Theoretically, if a student logs into an ipad or an iphone they bring from home, it should get mapped to vlan 50 with an address of 10.0.5.x. Instead, it is receiving an ip of 10.0.3.x which is designated for school-owned devices used by students. The same thing is happening with Kindles, Windows phones, etc...no matter what students log into, they are getting mapped to vlan 30 with an ip of 10.0.3.x

As a troubleshooting measure, I used the exact same classification rules and applied them to the Faculty user group. Bizarrely, these are working as I expect them to: teachers authenticating an iphone or an ipad to our wifi get mapped to vlan 50 and receive an ip of 10.0.5.x. I am completely baffled as to why the setup is working as expected for one user profile but not the other.

Anyone have any ideas? I can share screenshots and other config data if you think it is relevant.

Christopher
Christopher Tawes

Posted 5 years ago

Chris B, Official Rep

Hi Christopher

Please share a few screenshots so I can check it out.

Chris

Christopher Tawes

Chris,

Here you go...let me know whatever else you might need:









Chris B, Official Rep

Hi Christopher

Is the enable user profile reassignment based on client classification rules checked in the user profile selection box?



Chris

Christopher Tawes

Chris,

Enable User Profile Reassignment Based on Client Classification Rules is checked. Like I said, it works when redirecting faculty logins...teacher iphones get mapped to the iOSDeviceUsers Profile and end up on vlan50 where I expect them to. The same rule, however, does not work for student logins. Every time a student logs in, they are assigned to the Students User Profile and mapped to vlan 30, no matter what device they are logging into.

Chris B, Official Rep

I just wanted to check as this needs to be checked in 2 places, and I didn't see a screenshot of the User profile selection page in your last note....is this a HMOL account so I can check over the configuration?

Chris

Christopher Tawes

Chris,

It is a HMOL account...you have an email where I can send you the info you need?

Chris B, Official Rep

Let me know the VHM-ID and I will take a look

Chris

Christopher Tawes

VHM ID: VHM-MU2ZBZ

Cheers!

Chris B, Official Rep

It seems like it is working for some devices..see these on VLAN 50, they have the correct attribute assigned (50)



But we see a lot of other ios devices in VLAN 30 with default attribute assigned (1), so are not being reclassified properly.

Christopher Tawes

All of the devices that have been reassigned were faculty devices (faculty group in RADIUS, directed to Faculty-Test user profile, and then reassigned/reclassified). None of the devices on VLAN 50 are student devices, those are all still sitting in VLAN 30. That's the problem. Reclassification is working for devices using Teacher logins, but not for student logins and that's where it is most needed because pretty soon I'm going to have 300 student-owned devices taking up all my ips and no ability to get school-issued computers online.

Chris B, Official Rep

Can you share a user's details from both profiles so I can run the radius test to see what attributes are being returned?

Christopher Tawes

crt0627 is me in the facultystaff OD group, which should map to the Faculty-Test user profile and then onto vlan 20 (default)



clr0607 is a student in the students OD group, which should map to the Students user profile and then onto vlan 30 (default)

Chris B, Official Rep

So you are assigning profiles based on either VLAN ID for Students and User attribute for Faculty.....Can you try changing the Student profile to use User attribute also?

Christopher Tawes

I just saw that in the results...Sam @ Aerohive helped me get our RADIUS config up and working on Mac OS X Server 10.8.4. Let me shoot him an email and see if he can talk me through the change. I can't think of why we would have used a different attribute for both of those groups. Thanks for getting me this far, Chris!

Chris B, Official Rep

I'm pretty sure if you fix that it will get the classification rules working, but let me know if not!

Chris

Christopher Tawes

I think you're right...I just fired off an email to Sam about scheduling some time to look at our RADIUS setup. I've said it before and I'll say it again: Aerohive has the best customer support I've come across in Ed IT.

Sam

Working with Chris - waiting to see output of /etc/raddb/users

Christopher Tawes

bravo:~ root# tail –n 50 /etc/raddb/users
tail: –n: No such file or directory
tail: 50: No such file or directory
==> /etc/raddb/users
bravo:~ root#

Sam

When setting the RADIUS server up w/ Chris, I typed the wrong values in /etc/raddb/users for the student group...

Corrected it to GRE and IP.
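
An added example, not part of the original thread or of Sam's configuration: a small Python audit of a FreeRADIUS-style users file that reports, per group entry, whether the reply selects a user profile by user attribute (Tunnel-Type GRE with Tunnel-Medium-Type IP, the corrected values named above) or by VLAN ID. The sample file is constructed; the `Group ==` check items, the attribute numbers 20 and 30, and the student entry's original VLAN / IEEE-802 values are assumptions, since the thread does not show the file's contents.

```python
import re

# Constructed sample in FreeRADIUS "users" file syntax. Group names come from
# the thread; check items, attribute numbers and the VLAN values are assumed.
SAMPLE_USERS = '''\
DEFAULT Group == "facultystaff"
        Tunnel-Type = GRE,
        Tunnel-Medium-Type = IP,
        Tunnel-Private-Group-Id = 20

DEFAULT Group == "students"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = 30
'''

def parse_users(text):
    """Return [(check_line, {reply_attr: value})] for each entry."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():            # unindented line starts an entry
            entries.append((line.strip(), {}))
        elif entries:                        # indented lines are reply items
            m = re.match(r"\s*([\w-]+)\s*:?=\s*\"?([^\",]+)\"?,?\s*$", line)
            if m:
                entries[-1][1][m.group(1)] = m.group(2).strip()
    return entries

def assignment_mode(reply):
    """Classify how the returned tunnel attributes select a user profile."""
    ttype = reply.get("Tunnel-Type", "").upper()
    medium = reply.get("Tunnel-Medium-Type", "").upper()
    if ttype == "GRE" and medium in ("IP", "IPV4"):
        return "user-attribute"
    if ttype == "VLAN" and medium == "IEEE-802":
        return "vlan-id"
    return "unknown"

def audit(text):
    """Map each entry to its mode and list entries not using user attribute."""
    modes = {check: assignment_mode(reply) for check, reply in parse_users(text)}
    odd = [c for c, m in modes.items() if m != "user-attribute"]
    return modes, odd

if __name__ == "__main__":
    print(audit(SAMPLE_USERS))
```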

Christopher Tawes

Thanks Chris and Sam for helping me resolve this!

Chris B, Official Rep

NP, don't forget to mark the topic as resolved ! :-)

Chris

Christopher Tawes

Bizarrely enough, I can't find an option anywhere to indicate that this question is answered/resolved...

Amanda

Taken care of - thanks Christopher.