IAP - DHCP and VLAN Errors

  • 1.  IAP - DHCP and VLAN Errors

    Posted Feb 17, 2014 09:00 AM

    Hi everybody,

    I have a customer where I'm replacing old Funkwerk APs with new Aruba 104 IAPs.

    This customer has 3 WLANs running: 1 for devices (WEP), 1 for enterprise access (WPA Enterprise) and 1 for guests.

    I have a problem with the Enterprise one.

    The enterprise network has 2 radius authentication servers, and the dynamic radius proxy is enabled on the IAP.

    I can see that clients can connect to the network and seem to be correctly authenticated, but they cannot get an IP address.

    Watching the alerts window on the IAP console, I can find these errors:

    "Wrong client VLAN"

    "DHCP Request timeout"

     

    I already verified that the VLAN ID on the IAP and also on the switch ports (The switch is an HP Procurve 5412zl) are correct, in fact the old APs worked correctly.

    I also tried to clean the config and reconfigure all the APs from scratch, but nothing changed...

     

     

    Any ideas?

     

    Thanks a lot in advance!

     

    Regards!

     



  • 2.  RE: IAP - DHCP and VLAN Errors

    Posted Feb 17, 2014 09:16 AM
    On the uplink switch, did you trunk the needed?

    What's the native VLAN on your uplink switch?

    Also on the said config are you doing static VLAN assignment (network assigned)?


  • 3.  RE: IAP - DHCP and VLAN Errors

    Posted Feb 17, 2014 09:28 AM

    Hi Victor, thanks for the reply.

    Yes, I did the trunk configuration on the switch ports where the IAPs are connected.

    In HP terminology, I have the VLAN1 as "untagged" and the VLAN3 (the enterprise one) as "tagged".

     

    The native vlan of my switch is the VLAN1 and is also the vlan of the IAP Management uplink.

     

    My VLAN configuration is done as static (network assigned).

     

     



  • 4.  RE: IAP - DHCP and VLAN Errors

    Posted Feb 17, 2014 09:35 AM
    What IAP OS version are you using?


  • 5.  RE: IAP - DHCP and VLAN Errors

    Posted Feb 17, 2014 09:39 AM

    6.3.1.2-4.0.0.2_41506



  • 6.  RE: IAP - DHCP and VLAN Errors

    Posted Feb 17, 2014 10:09 AM
    Try creating a wired port profile as a trunk for port 0

    Also try creating a centralized DHCP scope L2 and define the VLAN with an IP helper address (DHCP server)


  • 7.  RE: IAP - DHCP and VLAN Errors

    Posted Feb 17, 2014 11:32 AM

    Thanks for the suggestion, I created the Centralized pool and configured the HelperAddress, but how can I create the trunk port profile?

    I don't want to risk losing access to the IAP because I'm at a remote site location... :)



  • 8.  RE: IAP - DHCP and VLAN Errors

    Posted Feb 17, 2014 06:40 PM

     

    You actually should be all set, since the default wired port profile is set up that way:

    wired-port-profile default_wired_port_profile
    switchport-mode trunk
    allowed-vlan all
    native-vlan 1
    uplink-enable
    no shutdown
    access-rule-name default_wired_port_profile
    speed auto
    duplex full
    no poe
    type employee
    auth-server InternalServer
    captive-portal disable
    no dot1x

     

     



  • 9.  RE: IAP - DHCP and VLAN Errors

    Posted Feb 18, 2014 05:47 AM

    I can confirm that the wired profiles are in default settings, none changed.

    As soon as I can connect to the IAP I'll dump the config and post here.

     

    Is it possible that this is a problem derived from the LLDP protocol?



  • 10.  RE: IAP - DHCP and VLAN Errors

    Posted Feb 18, 2014 09:30 AM

    This is my actual configuration:

     

     

    version 6.3.1.0-4.0.0
    virtual-controller-country IT
    virtual-controller-key ***
    name VC_***
    virtual-controller-ip 10.1.0.1
    syslog-server 10.1.3.210
    terminal-access
    ntp-server 10.1.1.92
    clock timezone Rome 01 00
    rf-band all
    dynamic-radius-proxy

    allowed-ap d8:c7:c8:c7:05:65
    allowed-ap 24:de:c6:cd:b8:0f
    allowed-ap d8:c7:c8:c7:05:16
    allowed-ap d8:c7:c8:c7:02:31
    allowed-ap d8:c7:c8:c7:04:eb


    snmp-server community 5c460d55a9ec418abe009c213b60feb9

    arm
    wide-bands 5ghz
    80mhz-support
    min-tx-power 18
    max-tx-power 127
    band-steering-mode prefer-5ghz
    air-time-fairness-mode preferred-access
    client-aware
    scanning

    rf dot11g-radio-profile
    spectrum-monitor
    dot11h

    rf dot11a-radio-profile
    spectrum-monitor
    dot11h


    syslog-level warn ap-debug
    syslog-level warn network
    syslog-level warn security
    syslog-level warn system
    syslog-level warn user
    syslog-level warn user-debug
    syslog-level warn wireless

     

     


    mgmt-user admin ***

    wlan access-rule default_wired_port_profile
    index 0
    rule any any match any any any permit

    wlan access-rule wired-instant
    index 1
    rule 10.1.0.33 255.255.255.255 match tcp 80 80 permit
    rule 10.1.0.33 255.255.255.255 match tcp 4343 4343 permit
    rule any any match udp 67 68 permit
    rule any any match udp 53 53 permit

    wlan access-rule AGUFFCOMM
    index 2
    rule any any match any any any permit

    wlan access-rule AGPROD
    index 3
    rule any any match any any any permit

    wlan access-rule AG-Guest
    index 4
    rule any any match any any any permit

    wlan ssid-profile AGUFFCOMM
    enable
    index 0
    type employee
    essid AGUFFCOMM
    opmode wpa2-aes
    max-authentication-failures 0
    vlan 3
    auth-server srvradius01
    auth-server SRVPRI02
    rf-band all
    captive-portal disable
    dtim-period 1
    inactivity-timeout 1000
    broadcast-filter none
    radius-reauth-interval 240
    dmo-channel-utilization-threshold 90
    local-probe-req-thresh 0
    max-clients-threshold 64

    wlan ssid-profile AGPROD
    enable
    index 1
    type employee
    essid AGPROD
    wep-key *** 1
    opmode static-wep
    max-authentication-failures 0
    vlan 4
    auth-server InternalServer
    rf-band all
    captive-portal disable
    dtim-period 1
    inactivity-timeout 1000
    broadcast-filter none
    dmo-channel-utilization-threshold 90
    local-probe-req-thresh 0
    max-clients-threshold 64

    wlan ssid-profile AG-Guest
    enable
    index 2
    type employee
    essid AG-Guest
    wpa-passphrase ***
    opmode wpa2-psk-aes
    max-authentication-failures 0
    vlan 9
    auth-server InternalServer
    rf-band all
    captive-portal disable
    dtim-period 1
    inactivity-timeout 1000
    broadcast-filter none
    dmo-channel-utilization-threshold 90
    local-probe-req-thresh 0
    max-clients-threshold 64

    auth-survivability cache-time-out 24

     

    wlan auth-server SRVPRI02
    ip 10.1.1.71
    port 1812
    acctport 1813
    key ***

    wlan auth-server srvradius01
    ip 10.1.1.117
    port 1812
    acctport 1813
    key ***

    wlan external-captive-portal
    server localhost
    port 80
    url "/"
    auth-text "Authenticated"
    auto-whitelist-disable
    https


    blacklist-time 3600
    auth-failure-blacklist-time 3600

    ids classification

    ids
    wireless-containment none

    ip dhcp AGUFFCOMM
    server-type Centralized,L3
    server-vlan 3
    vlan-ip 10.36.1.241 mask 255.255.255.0
    dhcp-server 10.36.1.99

     

    wired-port-profile wired-instant
    switchport-mode access
    allowed-vlan all
    native-vlan guest
    no shutdown
    access-rule-name wired-instant
    speed auto
    duplex auto
    no poe
    type guest
    captive-portal disable
    no dot1x

    wired-port-profile default_wired_port_profile
    switchport-mode trunk
    allowed-vlan all
    native-vlan 1
    shutdown
    access-rule-name default_wired_port_profile
    speed auto
    duplex full
    no poe
    type employee
    captive-portal disable
    no dot1x


    enet0-port-profile default_wired_port_profile

    uplink
    preemption
    enforce none
    failover-internet-pkt-lost-cnt 10
    failover-internet-pkt-send-freq 30
    failover-vpn-timeout 180


    airgroup
    disable

    airgroupservice airplay
    disable
    description AirPlay

    airgroupservice airprint
    disable
    description AirPrint

     



  • 11.  RE: IAP - DHCP and VLAN Errors

    Posted Feb 19, 2014 02:46 AM

    Today I'm at the client and I will try to sniff some traffic coming out from the AP interface using switch port mirroring...



  • 12.  RE: IAP - DHCP and VLAN Errors
    Best Answer

    Posted Feb 19, 2014 11:17 AM

    Found and solved the problem. :D

     

    This deployment has some old APs configured with the management VLAN in the same VLAN as the Enterprise WiFi (VLAN 3), so the Enterprise WiFi packets exit from the AP uplink as untagged on VLAN 3.

    My new Aruba deployment has the management VLAN pointed to VLAN 1 and the Enterprise WiFi on VLAN 3, so the Enterprise WiFi packets exit from the AP uplink as tagged on VLAN 3.

    Sniffing some traffic showed me that the packets do not seem to get into the right VLAN, so I changed the IAP configuration in order to have the same VLAN tagging as the old APs.

    So now I have the management of the IAP in VLAN 3, the same as the Enterprise WiFi, and so the Enterprise WiFi packets exit from the AP uplink as untagged in VLAN 3.

    Using this solution did the trick, and all 3 SSIDs work fine...

     

    I can't explain how this problem appeared... If I can, I'll recreate this situation in my laboratory.
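
The tagged/untagged mismatch described in the accepted answer can be checked offline before touching a remote AP. The following is an added example, not part of the thread and not Aruba or HP tooling: it parses the tagging-relevant lines of the posted IAP config and compares them with a hand-entered switch port membership. The function names, the tagged membership of VLANs 4 and 9, the "untagged 3" switch port and expressing the fix as `native-vlan 3` are assumptions.

```python
import re

# Constructed excerpt: the lines of the posted IAP config that decide tagging.
IAP_CONFIG = """\
wlan ssid-profile AGUFFCOMM
vlan 3
wlan ssid-profile AGPROD
vlan 4
wlan ssid-profile AG-Guest
vlan 9
wired-port-profile default_wired_port_profile
switchport-mode trunk
native-vlan 1
enet0-port-profile default_wired_port_profile
"""

def parse_iap(text):
    """Return ({ssid: vlan}, native VLAN of the wired profile bound to enet0)."""
    ssids, natives, section, uplink = {}, {}, None, None
    for line in map(str.strip, text.splitlines()):
        if m := re.match(r"(wlan ssid-profile|wired-port-profile) (\S+)$", line):
            section = (m.group(1), m.group(2))
        elif m := re.match(r"enet0-port-profile (\S+)$", line):
            uplink, section = m.group(1), None
        elif section and (m := re.match(r"(native-vlan|vlan) (\d+)$", line)):
            if (section[0], m.group(1)) == ("wlan ssid-profile", "vlan"):
                ssids[section[1]] = int(m.group(2))
            elif (section[0], m.group(1)) == ("wired-port-profile", "native-vlan"):
                natives[section[1]] = int(m.group(2))
    return ssids, natives[uplink]

def check_uplink(text, sw_untagged, sw_tagged):
    """Map each SSID to (vlan, how frames leave the AP, accepted by the switch port)."""
    ssids, native = parse_iap(text)
    report = {}
    for ssid, vlan in ssids.items():
        # Assumption: a client VLAN equal to the uplink native VLAN leaves untagged,
        # any other VLAN leaves with an 802.1Q tag.
        if vlan == native:
            report[ssid] = (vlan, "untagged", sw_untagged == vlan)
        else:
            report[ssid] = (vlan, "tagged", vlan in sw_tagged)
    return report

if __name__ == "__main__":
    # Switch port membership is hand-entered; VLANs 4 and 9 as tagged is an assumption.
    print(check_uplink(IAP_CONFIG, sw_untagged=1, sw_tagged={3, 4, 9}))
    print(check_uplink(IAP_CONFIG, sw_untagged=3, sw_tagged={4, 9}))
    fixed = IAP_CONFIG.replace("native-vlan 1", "native-vlan 3")
    print(check_uplink(fixed, sw_untagged=3, sw_tagged={4, 9}))
```

A `False` in the third field marks an SSID whose frames reach the switch port in a form that port does not carry, which is the condition the port-mirror capture revealed.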