802.11 Client Device Interoperability

Contributor II
Posts: 58
Registered: ‎05-12-2009

Devices Camping on Guest logon Role

Has anyone had an issue with devices sitting at the logon role for guest and consuming IPs? I have a class C network carved out for guest, and we never have more than 50 authenticated guests at a given time. The issue is that a lot of iPhones, BlackBerrys, and laptops connect to the SSID and never attempt to log in via the captive portal. They sit there and consume IPs to the point that I am running short. Rather than expand the DHCP scope and subnet, I would rather keep these devices from "camping" on the SSID. Has anyone had similar concerns?

Thanks
Aruba Employee
Posts: 42
Registered: ‎07-30-2010

Re: Devices Camping on Guest logon Role

If the devices seem to be camping for too long on the initial role and not doing any authentication, it is likely that they are idle.

You can check the output of 'show aaa timers' to see if the user idle timeout value is set to something too high, which could cause the entries not to age out of the user table.

(Aruba) #show aaa timers

User idle timeout = 300 seconds
Auth Server dead time = 10 minutes
Logon user lifetime = 5 minutes
Barath Srinivasan
Customer Engineering Architect
Customer Advocacy | Aruba Networks Inc.
Occasional Contributor II
Posts: 44
Registered: ‎04-02-2007

Re: Devices Camping on Guest logon Role

We see this a lot. We've now got a /22 carved out for our guest network, so it's not as much of a concern, but it has been in the past.

I can't see a perfect fix: short DHCP lease times (ours is 30 minutes) and a big network seem to be the least painful solution. I suppose you could write some scriptage to identify these idlers and blacklist them for a time, but that brings all new troubles.

Are you using routable IP space for your guest network? If not, the easiest solution may simply be to expand...
Regular Contributor I
Posts: 190
Registered: ‎04-27-2009

Re: Devices Camping on Guest logon Role

Nice that other people are facing the same issues as me. I have had this for a long time, but not for internal IPs; rather for external IPs. I'll try to post it here:

source IP of my guest user: 192.168.xxx.xxx
destination IP: e.g. some SSH, RDP or SSL VPN server: 213.xxx.xxx.xxx
dstIP: 217.xxx.xxx.xxx = external IP of the controller, which has an external ISP directly attached to some port and uses NAT for the guest network.

The main annoying thing is that every time guest voucher users connect to eBay or whatever, a lot of external IPs fall into the logon role, including the external DNS servers of the controller's external WAN interface. You browse a website and approx. 10-20 external IPs are camping in the logon role. The Aruba engineer wasn't able to tell me "why" this happens; he advised using some setting called "only allow local subnet in table". Also, if you connect to an external SSL VPN server or some SSH or RDP server, every destination IP falls into the logon role.
I see that those logon entries get auto-deleted after approx. 7-8 minutes, and exactly during the delete the session disconnects. SSH/SSL VPN just disconnects/freezes/hangs, and with an RDP session you just move your mouse and it gets reconnected, but with the popup "session disconnected, please wait".

As you can see, after the logon-role user is deleted, the destination IP tries to connect back and gets denied because of some RemoteAP rule which only allows IPsec 500/4500 incoming to this external interface.


Jun 9 13:18:51 authmgr: <124006> |authmgr| {423060} TCP srcip=192.168.xxx.xxx srcport=49856 dstip=213.xxx.xxx.xxx dstport=33890, action=permit, role=guest, policy=allow-any-guest
Jun 9 13:18:51 authmgr: <124006> |authmgr| {423061} TCP srcip=192.168.xxx.xxx srcport=49856 dstip=213.xxx.xxx.xxx dstport=33890, action=permit, role=guest, policy=allow-any-guest
Jun 9 13:18:51 authmgr: <522004> |authmgr| Station inherit: IP=213.xxx.xxx.xxx start bssid:00:00:00:00:00:00 essid: port:0x1024 (0x1024)
Jun 9 13:18:51 authmgr: <522004> |authmgr| download: ip=213.xxx.xxx.xxx acl=1/0 role=logon, Ubwm=0, Dbwm=0 tunl=0x1024, PA=0, HA=1, RO=0, VPN=0
Jun 9 13:18:51 authmgr: <522004> |authmgr| {213.xxx.xxx.xxx} autTable (" Unauthenticated logon ")
Jun 9 13:18:51 authmgr: <522006> |authmgr| MAC=xx:xx:xx:89:fd:77 IP=213.xxx.xxx.xxx User entry added: reason=Sibtye
Jun 9 13:18:51 authmgr: <522026> |authmgr| MAC=xx:xx:xx:89:fd:77 IP=213.xxx.xxx.xxx User miss: ingress=0x1024, VLAN=2104
Jun 9 13:24:08 authmgr: <124006> |authmgr| {423236} TCP srcip=213.xxx.xxx.xxx srcport=33890 dstip=217.xxx.xxx.xxx dstport=49856, action=deny, policy=RemoteAP-Access
Jun 9 13:24:08 authmgr: <124006> |authmgr| {423237} TCP srcip=192.168.xxx.xxx srcport=49856 dstip=213.xxx.xxx.xxx dstport=33890, action=permit, role=guest, policy=allow-any-guest
Jun 9 13:24:08 authmgr: <124006> |authmgr| {423238} TCP srcip=192.168.xxx.xxx srcport=49856 dstip=213.xxx.xxx.xxx dstport=33890, action=permit, role=guest, policy=allow-any-guest
Jun 9 13:24:08 authmgr: <522004> |authmgr| MAC=xx:xx:xx:89:fd:77 IP=213.xxx.xxx.xxx Send mobility delete message, flags=0x0
Jun 9 13:24:08 authmgr: <522004> |authmgr| {213.xxx.xxx.xxx} datapath entry deleted
Jun 9 13:24:08 authmgr: <522005> |authmgr| MAC=xx:xx:xx:89:fd:77 IP=213.xxx.xxx.xxx User entry deleted: reason=logon role lifetime reached
Jun 9 13:24:08 authmgr: <522015> |authmgr| MAC=xx:xx:xx:89:fd:77 IP=213.xxx.xxx.xxx Remove Bridge Entry
Jun 9 13:24:18 authmgr: <124006> |authmgr| {423239} TCP srcip=213.xxx.xxx.xxx srcport=33890 dstip=217.xxx.xxx.xxx dstport=49856, action=deny, policy=RemoteAP-Access

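To make the pattern in the log excerpt above visible without reading it by hand, here is an added example (not from the poster or from Aruba) that parses authmgr lines of the quoted shape and reports two things: local guest IPs that were placed in the logon role and never deleted (the "campers" from the original question), and non-guest IPs that were inherited into the logon role and later removed with reason "logon role lifetime reached", counting how many deny events hit them after the deletion. The sample log is constructed to mirror the posted lines, with the masked addresses replaced by RFC 5737 documentation ranges; the guest subnet 192.168.0.0/16 is an assumption.

```python
import re
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample, modelled on the authmgr lines quoted in the post.
# 192.168.10.x = guest client, 203.0.113.5 = external RDP server,
# 198.51.100.1 = controller WAN interface (all documentation addresses).
SAMPLE_LOG = """\
Jun 9 13:18:51 authmgr: <124006> |authmgr| {423060} TCP srcip=192.168.10.20 srcport=49856 dstip=203.0.113.5 dstport=33890, action=permit, role=guest, policy=allow-any-guest
Jun 9 13:18:51 authmgr: <522004> |authmgr| Station inherit: IP=203.0.113.5 start bssid:00:00:00:00:00:00 essid: port:0x1024 (0x1024)
Jun 9 13:18:51 authmgr: <522004> |authmgr| download: ip=203.0.113.5 acl=1/0 role=logon, Ubwm=0, Dbwm=0 tunl=0x1024, PA=0, HA=1, RO=0, VPN=0
Jun 9 13:18:51 authmgr: <522006> |authmgr| MAC=00:11:22:89:fd:77 IP=203.0.113.5 User entry added: reason=Sibtye
Jun 9 13:20:02 authmgr: <522004> |authmgr| download: ip=192.168.10.31 acl=1/0 role=logon, Ubwm=0, Dbwm=0 tunl=0x1024, PA=0, HA=1, RO=0, VPN=0
Jun 9 13:24:08 authmgr: <124006> |authmgr| {423236} TCP srcip=203.0.113.5 srcport=33890 dstip=198.51.100.1 dstport=49856, action=deny, policy=RemoteAP-Access
Jun 9 13:24:08 authmgr: <522005> |authmgr| MAC=00:11:22:89:fd:77 IP=203.0.113.5 User entry deleted: reason=logon role lifetime reached
Jun 9 13:24:18 authmgr: <124006> |authmgr| {423239} TCP srcip=203.0.113.5 srcport=33890 dstip=198.51.100.1 dstport=49856, action=deny, policy=RemoteAP-Access
"""

GUEST_NETS = [ip_network("192.168.0.0/16")]  # assumption: the guest VLAN's range

TS_FMT = "%b %d %H:%M:%S"  # syslog timestamp, no year (fine for differences)
RE_TS = re.compile(r"^(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) ")
RE_ROLE = re.compile(r"download: ip=(\S+) acl=\S+ role=(\w+)")
RE_ADDED = re.compile(r"IP=(\S+) User entry added: reason=(\S+)")
RE_DELETED = re.compile(r"IP=(\S+) User entry deleted: reason=(.+)$")
RE_DENY = re.compile(r"srcip=(\S+) srcport=\d+ dstip=\S+ dstport=\d+, action=deny, policy=(\S+)")


def _new_entry(ip):
    return {"ip": ip, "role": None, "added": None, "deleted": None,
            "delete_reason": None, "denied_after_delete": 0}


def parse_user_entries(log_text):
    """Build one record per IP that authmgr downloaded a role for."""
    entries = {}
    for line in log_text.splitlines():
        m_ts = RE_TS.match(line)
        if not m_ts:
            continue
        ts = datetime.strptime(m_ts.group(1), TS_FMT)
        m = RE_ROLE.search(line)
        if m:
            entries.setdefault(m.group(1), _new_entry(m.group(1)))["role"] = m.group(2)
            continue
        m = RE_ADDED.search(line)
        if m:
            entries.setdefault(m.group(1), _new_entry(m.group(1)))["added"] = ts
            continue
        m = RE_DELETED.search(line)
        if m:
            e = entries.setdefault(m.group(1), _new_entry(m.group(1)))
            e["deleted"], e["delete_reason"] = ts, m.group(2).strip()
            continue
        m = RE_DENY.search(line)
        # A deny whose source is an IP we already removed from the user table
        # is the "tries to connect back and gets denied" symptom from the post.
        if m and m.group(1) in entries:
            e = entries[m.group(1)]
            if e["deleted"] is not None and ts >= e["deleted"]:
                e["denied_after_delete"] += 1
    return entries


def classify(entries, guest_nets):
    """Split logon-role entries into local campers and inherited foreign IPs."""
    campers, foreign = [], []
    for e in entries.values():
        if e["role"] != "logon":
            continue
        lifetime = None
        if e["added"] is not None and e["deleted"] is not None:
            lifetime = (e["deleted"] - e["added"]).total_seconds()
        rec = dict(e, lifetime_s=lifetime)
        addr = ip_address(e["ip"])
        (campers if any(addr in n for n in guest_nets) else foreign).append(rec)
    return campers, foreign


if __name__ == "__main__":
    campers, foreign = classify(parse_user_entries(SAMPLE_LOG), GUEST_NETS)
    for c in campers:
        print(f"camper  {c['ip']:16} still in logon role, deleted={c['deleted']}")
    for f in foreign:
        print(f"foreign {f['ip']:16} logon for {f['lifetime_s']:.0f}s, "
              f"removed: {f['delete_reason']}, denies after removal: {f['denied_after_delete']}")
```

Run against a real authmgr log (with `logging level debugging user` enabled, as in the excerpt) the foreign list is the set of destination IPs that the "only allow local subnet in table" setting is meant to keep out of the user table, and the lifetime column should line up with the logon user lifetime from `show aaa timers`.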
Frequent Contributor I
Posts: 93
Registered: ‎04-09-2007

Re: Devices Camping on Guest logon Role

The Aruba tech was likely referencing the validuser session ACL. You can modify this to only permit IPs you own being placed into the user table.
There's also a command to limit allowed user IPs to those belonging to subnets configured on the controller, but the controller has to have an IP on every VLAN a wireless client might come in on, which gets harder as the number of controllers grows. Also, using Ethernet port bridging becomes a problem, since allowing local bridging on an AP requires an entry in the user table. So we've ultimately stopped using the validuser ACL.

You might want to check your interfaces for what is trusted vs. untrusted. I think this plays a part, i.e. on untrusted ports any IP needs to be in a role for communication to be allowed.

Also, if pre-5.0 and using v6, this can present issues: https://airheads.arubanetworks.com/vBulletin/archive/index.php/t-1935.html

OK, back to the original topic re: idle users on your guest SSID eating up all the IPs:

I think Aruba has a solution for these guest users pending. We've always thought it would be good if we could use private IPs for the guest wireless VLAN, but once a user actually logs in, they get src-NATed to a specific IP from a pool of public IPs. That way you avoid all users publicly looking like their traffic is sourced from one IP (thereby keeping accountability), and you keep devices that just bind to any open SSID they see from eating up your public IPs.