ArubaOS and Controllers

Regular Contributor I

Guest / Captive Portal issue

I am currently doing an Aruba evaluation and have run into the following problem:

Controller connected to the network via a /30 routed link to upstream router on gi 1/0. Using OSPF between router and controller to advertise routes and controller's loopback address. I have 3 ssids in their own vlan on the controller that are working fine.

I have our guest internet (dsl) plugged into gi 1/3. If I set the interface to DHCP it pulls an address just fine, however, when a client connects to the guest ssid they do not pull an address. I have set the initial and authenticated roles for the ssid aaa profile to "allowall" and I still cannot pull an address. Does anyone have any suggestions?
Guru Elite

Re: Guest / Captive Portal issue

Question: what is providing DHCP for that client subnet? Make sure the client is getting into the correct VLAN by typing "show user-table verbose". Next type "show vlan status" to see what VLANs are tied to what ports, etc to make sure the user is getting attached correctly.


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Regular Contributor I

Re: Guest / Captive Portal issue

The DSL is plugged into a small firewall that is providing DHCP. I put another controller port in my guest vlan then plugged a laptop into that port and the machine pulled an address so I know that's working.

When I do "show user-table verbose" I do not see the client. I only see the client if I do "show user-table station"
Guru Elite

Re: Guest / Captive Portal issue

The user will not show up in the user table if it does not get an IP address. Type "show station-table" so that we know what role the user is in. Then, type "show rights " to see what network rights the user gets when he is attached. Paste that in here.


Colin Joseph
Aruba Customer Engineering


Regular Contributor I

Re: Guest / Captive Portal issue

Station Entry
-------------
MAC                Name  Role      Age(d:h:m)  Auth  AP name            Essid         Phy   Remote  Profile
-----------------  ----  --------  ----------  ----  -----------------  ------------  ----  ------  ---------------------
24:ab:81:af:ae:58        AllowAll  00:00:00    No    00:24:6c:c8:6e:16  Centra Guest  g-HT  No      Centra Guest-aaa_prof




(lgh-aruba-3200) #show rights AllowAll

Derived Role = 'AllowAll'
Up BW:No Limit Down BW:No Limit
L2TP Pool = default-l2tp-pool
PPTP Pool = default-pptp-pool
Periodic reauthentication: Disabled
ACL Number = 52/0
Max Sessions = 65535


access-list List
----------------
Position Name Location
-------- ---- --------
1 allowall

allowall
--------
Priority  Source  Destination  Service  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
--------  ------  -----------  -------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
1         any     any          any      permit                           Low                                                           4
2         any     any          any      permit                           Low                                                           6

Expired Policies (due to time constraints) = 0
Guru Elite

Re: Guest / Captive Portal issue

Ok, now type "show wlan virtual-ap". It will show you a list of virtual APs or wireless networks on your system. Next type "show wlan virtual-ap " for the wireless network you are trying to connect to. The output of that will show the VLAN the clients are to be assigned. Next, type "show vlan status", which will show you what VLANs are attached to what ports, to see if the VLAN is connected to the correct physical port.


Colin Joseph
Aruba Customer Engineering


Regular Contributor I

Re: Guest / Captive Portal issue

(lgh-aruba-3200) #show wlan virtual-ap "Centra Guest-vap_prof"

Virtual AP profile "Centra Guest-vap_prof"
------------------------------------------
Parameter Value
--------- -----
Virtual AP enable Enabled
Allowed band all
AAA Profile Centra Guest-aaa_prof
802.11K Profile default
SSID Profile Centra Guest-ssid_prof
VLAN 999
Forward mode tunnel
Deny time range N/A
Mobile IP Enabled
HA Discovery on-association Disabled
DoS Prevention Disabled
Station Blacklisting Enabled
Blacklist Time 3600 sec
Dynamic Multicast Optimization (DMO) Disabled
Dynamic Multicast Optimization (DMO) Threshold 6
Authentication Failure Blacklist Time 3600 sec
Multi Association Disabled
Strict Compliance Disabled
VLAN Mobility Disabled
Preserve Client VLAN Disabled
Remote-AP Operation standard
Drop Broadcast and Multicast Disabled
Convert Broadcast ARP requests to unicast Disabled
Deny inter user traffic Disabled
Band Steering Disabled
Steering Mode prefer-5ghz
WMM Traffic Management Profile N/A




(lgh-aruba-3200) # show vlan status

Vlan Status
-----------
VlanId  IPAddress                 Adminstate  Operstate  PortCount  Nat Inside  Mode     Ports    AAA Profile
------  ------------------------  ----------  ---------  ---------  ----------  -------  -------  -----------
999     10.10.10.4/255.255.255.0  Enabled     Up         2          Disabled    Regular  GE1/2-3  N/A
Regular Contributor I

Re: Guest / Captive Portal issue

My client is being put in the correct vlan:

(lgh-aruba-3200) #show datapath station

Datapath Station Table Statistics
---------------------------------
Current Entries 3
Pending Deletes 0
High Water Mark 15
Maximum Entries 4095
Total Entries 438
Allocation Failures 0
Max link length 1

Datapath Station Table Entries
------------------------------

Flags: W - WEP, T - TKIP, A - AESCCM, M - WMM N - .11n client
S - AMSDU, G - AESGCM

MAC BSSID VLAN Bad Decrypts Bad Encrypts Cpu Qsz RSN cap Flags
----------------- ----------------- ---- ------------ ------------ --- ---------- ------- -----
00:27:10:00:B9:EC 00:24:6C:06:E1:60 76 0 0 6 0 0 0 0 0000 W
00:1B:77:C2:6D:3E 00:24:6C:06:E1:60 76 0 0 6 0 0 0 0 0000 W
24:AB:81:AF:AE:58 00:24:6C:06:E1:63 999 0 0 7 0 0 0 0 0000 MN
Guru Elite

Re: Guest / Captive Portal issue

Okay,

Let's enable debugging for that client, disconnect him and then reconnect him to see what he is doing:

config t
logging level debugging user


After enabling the debugging, shut off the client radio, then clear all users:



Now enable the client radio and connect the client

After you attempt to connect the client, display the client log:



Colin Joseph
Aruba Customer Engineering


Regular Contributor I

Re: Guest / Captive Portal issue

(lgh-aruba-3200) # show log user 50 | include ae:58
May 8 21:28:28 :522027: |authmgr| MAC=00:1f:3c:ce:f9:d3 IP=172.18.77.103 IP Spoof from MAC=24:ab:81:af:ae:58 role=authenticated/(null)
May 8 21:29:03 :522027: |authmgr| MAC=00:1f:3c:ce:f9:d3 IP=172.18.77.103 IP Spoof from MAC=24:ab:81:af:ae:58 role=authenticated/(null)
May 8 21:30:07 :522027: |authmgr| MAC=00:1f:3c:ce:f9:d3 IP=172.18.77.103 IP Spoof from MAC=24:ab:81:af:ae:58 role=authenticated/(null)
May 10 20:11:32 :501109: |AP 00:24:6c:c8:6e:16@192.168.16.106 stm| Auth request: 24:ab:81:af:ae:58: AP 192.168.16.106-00:24:6c:06:e1:63-00:24:6c:c8:6e:16 auth_alg 0
May 10 20:11:32 :501093: |AP 00:24:6c:c8:6e:16@192.168.16.106 stm| Auth success: 24:ab:81:af:ae:58: AP 192.168.16.106-00:24:6c:06:e1:63-00:24:6c:c8:6e:16
May 10 20:11:32 :501095: |stm| Assoc request @ 20:11:32.732198: 24:ab:81:af:ae:58 (SN 347): AP 192.168.16.106-00:24:6c:06:e1:63-00:24:6c:c8:6e:16
May 10 20:11:32 :501095: |AP 00:24:6c:c8:6e:16@192.168.16.106 stm| Assoc request @ 20:11:31.941096: 24:ab:81:af:ae:58 (SN 347): AP 192.168.16.106-00:24:6c:06:e1:63-00:24:6c:c8:6e:16
May 10 20:11:32 :501100: |AP 00:24:6c:c8:6e:16@192.168.16.106 stm| Assoc success @ 20:11:31.941941: 24:ab:81:af:ae:58: AP 192.168.16.106-00:24:6c:06:e1:63-00:24:6c:c8:6e:16
May 10 20:11:32 :501100: |stm| Assoc success @ 20:11:32.735977: 24:ab:81:af:ae:58: AP 192.168.16.106-00:24:6c:06:e1:63-00:24:6c:c8:6e:16
May 10 20:11:32 :501065: |stm| Sending STA 24:ab:81:af:ae:58 message to Auth and Mobility Unicast Encr Open Multicast Encr Open VLAN 0x3e7, wmm:1, rsn_cap:0
May 10 20:11:32 :500511: |mobileip| Station 24:ab:81:af:ae:58, 0.0.0.0: Received association on ESSID: Centra Guest Mobility service ON, HA Discovery on Association Off, Fastroaming Disabled, AP: Name 00:24:6c:c8:6e:16 Group CSP-ap-group BSSID 00:24:6c:06:e1:63, phy g, VLAN 999
May 10 20:11:32 :500010: |mobileip| Station 24:ab:81:af:ae:58, 0.0.0.0: Mobility trail, on switch 172.18.254.77, VLAN 999, AP 00:24:6c:c8:6e:16, Centra Guest/00:24:6c:06:e1:63/g
May 10 20:11:32 :522035: |authmgr| MAC=24:ab:81:af:ae:58 Station UP: BSSID=00:24:6c:06:e1:63 ESSID=Centra Guest VLAN=999 AP-name=00:24:6c:c8:6e:16
May 10 20:13:04 :501102: |AP 00:24:6c:c8:6e:16@192.168.16.106 stm| Disassoc from sta: 24:ab:81:af:ae:58: AP 192.168.16.106-00:24:6c:06:e1:63-00:24:6c:c8:6e:16 Reason STA has left and is disassocisted
May 10 20:13:04 :501102: |stm| Disassoc from sta: 24:ab:81:af:ae:58: AP 192.168.16.106-00:24:6c:06:e1:63-00:24:6c:c8:6e:16 Reason STA has left and is disassocisted
May 10 20:13:04 :501000: |AP 00:24:6c:c8:6e:16@192.168.16.106 stm| Station 24:ab:81:af:ae:58: Clearing state
May 10 20:13:04 :501065: |stm| Sending STA 24:ab:81:af:ae:58 message to Auth and Mobility Unicast Encr Open Multicast Encr Open VLAN 0x3e7, wmm:1, rsn_cap:0
May 10 20:13:04 :522036: |authmgr| MAC=24:ab:81:af:ae:58 Station DN: BSSID=00:24:6c:06:e1:63 ESSID=Centra Guest VLAN=999 AP-name=00:24:6c:c8:6e:16
May 10 20:13:04 :500511: |mobileip| Station 24:ab:81:af:ae:58, 0.0.0.0: Received disassociation on ESSID: Centra Guest Mobility service ON, HA Discovery on Association Off, Fastroaming Disabled, AP: Name 00:24:6c:c8:6e:16 Group CSP-ap-group BSSID 00:24:6c:06:e1:63, phy g, VLAN 999
May 10 20:13:04 :500010: |mobileip| Station 24:ab:81:af:ae:58, 255.255.255.255: Mobility trail, on switch 172.18.254.77, VLAN 999, AP 00:24:6c:c8:6e:16, Centra Guest/00:24:6c:06:e1:63/g
May 10 20:13:04 :501000: |stm| Station 24:ab:81:af:ae:58: Clearing state
May 10 20:13:07 :501109: |AP 00:24:6c:c8:6e:16@192.168.16.106 stm| Auth request: 24:ab:81:af:ae:58: AP 192.168.16.106-00:24:6c:06:e1:63-00:24:6c:c8:6e:16 auth_alg 0
May 10 20:13:07 :501093: |AP 00:24:6c:c8:6e:16@192.168.16.106 stm| Auth success: 24:ab:81:af:ae:58: AP 192.168.16.106-00:24:6c:06:e1:63-00:24:6c:c8:6e:16
May 10 20:13:07 :501095: |stm| Assoc request @ 20:13:07.878352: 24:ab:81:af:ae:58 (SN 559): AP 192.168.16.106-00:24:6c:06:e1:63-00:24:6c:c8:6e:16
May 10 20:13:07 :501095: |AP 00:24:6c:c8:6e:16@192.168.16.106 stm| Assoc request @ 20:13:06.600247: 24:ab:81:af:ae:58 (SN 559): AP 192.168.16.106-00:24:6c:06:e1:63-00:24:6c:c8:6e:16
May 10 20:13:07 :501100: |AP 00:24:6c:c8:6e:16@192.168.16.106 stm| Assoc success @ 20:13:06.601080: 24:ab:81:af:ae:58: AP 192.168.16.106-00:24:6c:06:e1:63-00:24:6c:c8:6e:16
May 10 20:13:07 :501100: |stm| Assoc success @ 20:13:07.882052: 24:ab:81:af:ae:58: AP 192.168.16.106-00:24:6c:06:e1:63-00:24:6c:c8:6e:16
May 10 20:13:07 :501065: |stm| Sending STA 24:ab:81:af:ae:58 message to Auth and Mobility Unicast Encr Open Multicast Encr Open VLAN 0x3e7, wmm:1, rsn_cap:0
May 10 20:13:07 :522035: |authmgr| MAC=24:ab:81:af:ae:58 Station UP: BSSID=00:24:6c:06:e1:63 ESSID=Centra Guest VLAN=999 AP-name=00:24:6c:c8:6e:16
May 10 20:13:07 :500511: |mobileip| Station 24:ab:81:af:ae:58, 0.0.0.0: Received association on ESSID: Centra Guest Mobility service ON, HA Discovery on Association Off, Fastroaming Disabled, AP: Name 00:24:6c:c8:6e:16 Group CSP-ap-group BSSID 00:24:6c:06:e1:63, phy g, VLAN 999
May 10 20:13:07 :500010: |mobileip| Station 24:ab:81:af:ae:58, 0.0.0.0: Mobility trail, on switch 172.18.254.77, VLAN 999, AP 00:24:6c:c8:6e:16, Centra Guest/00:24:6c:06:e1:63/g

Thanks for all your help by the way.
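
An added example, not part of any post above and not Aruba tooling: a small Python parser for the "show log user" lines in this thread. It counts Station UP/DN events per MAC, converts the hex VLAN in the stm lines (0x3e7) to compare with the decimal VLAN, records IP Spoof events, and lists stations that came up but never appear with a usable IP. Treating 0.0.0.0 and 255.255.255.255 in the mobileip lines as "no IP learned" is an assumption; the sample lines are copied from the log above.

```python
import re
from collections import defaultdict

# Sample lines copied from the "show log user" output posted in this thread.
SAMPLE = """\
May 8 21:28:28 :522027: |authmgr| MAC=00:1f:3c:ce:f9:d3 IP=172.18.77.103 IP Spoof from MAC=24:ab:81:af:ae:58 role=authenticated/(null)
May 10 20:11:32 :501065: |stm| Sending STA 24:ab:81:af:ae:58 message to Auth and Mobility Unicast Encr Open Multicast Encr Open VLAN 0x3e7, wmm:1, rsn_cap:0
May 10 20:11:32 :500010: |mobileip| Station 24:ab:81:af:ae:58, 0.0.0.0: Mobility trail, on switch 172.18.254.77, VLAN 999, AP 00:24:6c:c8:6e:16, Centra Guest/00:24:6c:06:e1:63/g
May 10 20:11:32 :522035: |authmgr| MAC=24:ab:81:af:ae:58 Station UP: BSSID=00:24:6c:06:e1:63 ESSID=Centra Guest VLAN=999 AP-name=00:24:6c:c8:6e:16
May 10 20:13:04 :522036: |authmgr| MAC=24:ab:81:af:ae:58 Station DN: BSSID=00:24:6c:06:e1:63 ESSID=Centra Guest VLAN=999 AP-name=00:24:6c:c8:6e:16
May 10 20:13:07 :522035: |authmgr| MAC=24:ab:81:af:ae:58 Station UP: BSSID=00:24:6c:06:e1:63 ESSID=Centra Guest VLAN=999 AP-name=00:24:6c:c8:6e:16
"""

# Line layout as seen in the thread: "<date> :<msg id>: |<process>| <text>"; MACs are lowercase.
LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]+) :(\d+):\s+\|([^|]*)\|\s+(.*)$")
MAC = r"((?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
UPDOWN = re.compile(r"MAC=" + MAC + r" Station (UP|DN): .*?VLAN=(\d+)")
SPOOF = re.compile(r"MAC=" + MAC + r" IP=(\S+) IP Spoof from MAC=" + MAC)
TRAIL = re.compile(r"Station " + MAC + r", (\d+\.\d+\.\d+\.\d+): ")
STM_VLAN = re.compile(r"Sending STA " + MAC + r" .*VLAN (0x[0-9a-f]+)")

def summarize(text):
    """Return per-MAC counters built from 'show log user' lines."""
    st = defaultdict(lambda: {"up": 0, "down": 0, "vlans": set(), "ips": set(), "spoof_of": []})
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts, _msgid, _proc, body = m.groups()
        if (u := UPDOWN.search(body)):
            mac, kind, vlan = u.groups()
            st[mac]["up" if kind == "UP" else "down"] += 1
            st[mac]["vlans"].add(int(vlan))
        elif (s := SPOOF.search(body)):
            owner, ip, src = s.groups()
            st[src]["spoof_of"].append((ts, ip, owner))  # src used an IP recorded for owner
        elif (t := TRAIL.search(body)):
            mac, ip = t.groups()
            if ip not in ("0.0.0.0", "255.255.255.255"):  # assumption: placeholders, no IP learned
                st[mac]["ips"].add(ip)
        elif (v := STM_VLAN.search(body)):
            st[v.group(1)]["vlans"].add(int(v.group(2), 16))  # 0x3e7 -> 999
    return st

def no_ip_stations(st):
    """MACs that reached Station UP at least once but never showed a usable IP."""
    return sorted(mac for mac, s in st.items() if s["up"] and not s["ips"])
```
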