Contributor I
Posts: 67
Registered: ‎08-30-2011

DHCP offer can't pass on controller after MAC authentication sometimes.

Hi all

 

We use MAC authentication with wired clients. Sometimes all MAC authentication clients suddenly can't get DHCP. The issue disappears automatically after one or two hours, or a reboot of the controller fixes it quickly. This symptom happens once every three or four days at random, even on holidays. We don't know the trigger. According to a packet capture, we found out that DHCP offers from RADIUS are dropped on the controller and don't reach the client side. When this issue happens, all clients can't get DHCP. So it sounds like something bad is happening inside the controller during the issue. Can anyone tell me how to troubleshoot this and suggest some debug commands related to DHCP?

 

Interestingly, when authenticating with captive portal after this MAC authentication, this issue doesn't happen at all. We don't know why. I hope this fact is a hint.

 

The message below was displayed for several MAC addresses.

<ERRS> |authmgr|  Maximum number of retries was attempted for station 0019xxxxx189 00:19:xx:xx:x1:89 01:80:xx:xx:x0:03, deauthenticating the station

 

5.0.3.3

OAW4700(Aruba3600)

 

Regards

Simon

Moderator
Posts: 243
Registered: ‎09-12-2007

Re: DHCP offer can't pass on controller after MAC authentication sometimes.

Were you able to correlate the "Maximum retries" message with the clients that were having problems?  It seems like the problem is that the station is being deleted from the user table, which is causing DHCP to be dropped because the controller thinks the station doesn't exist anymore.

 

I have no idea why it would happen though.  This seems like a) a bug in AOS, or b) something is happening on your network that triggers the controller to start kicking off stations, or c) both.  Probably best to open a support case on this one - they will have suggestions on what log settings to enable to troubleshoot further.

---
Jon Green, ACMX, CISSP
Security Guy
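
One way to run the correlation asked about in the reply above, as an added example (not part of the thread and not vendor tooling): it matches the "Maximum number of retries" message quoted in the first post against clients whose DHCP DISCOVERs went unanswered. The timestamp prefix on the log lines, the `(time, client MAC, message type)` tuples standing in for packet-capture output, and every MAC and time in the sample are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Message text as quoted in the first post; the timestamp prefix is an assumption.
DEAUTH_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) .*\|authmgr\|\s+Maximum number of retries was "
    r"attempted for station \S+ (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) ", re.IGNORECASE)
TS_FMT = "%Y-%m-%d %H:%M:%S"

def deauth_times(log_lines):
    """Map station MAC -> times of its 'Maximum number of retries' deauth messages."""
    out = {}
    for line in log_lines:
        m = DEAUTH_RE.match(line)
        if m:
            out.setdefault(m["mac"].lower(), []).append(datetime.strptime(m["ts"], TS_FMT))
    return out

def unanswered_discovers(dhcp_events):
    """Return (mac, time) for every DISCOVER that no later OFFER to that client answers."""
    offers = {}
    for ts, mac, kind in dhcp_events:
        if kind == "OFFER":
            offers.setdefault(mac, []).append(ts)
    return [(mac, ts) for ts, mac, kind in dhcp_events
            if kind == "DISCOVER" and not any(o >= ts for o in offers.get(mac, []))]

def correlate(log_lines, dhcp_events, window=timedelta(minutes=5)):
    """Client MAC -> True if a deauth message preceded its first unanswered DISCOVER within window."""
    deauths = deauth_times(log_lines)
    result = {}
    for mac, ts in unanswered_discovers(dhcp_events):
        if mac not in result:
            result[mac] = any(timedelta(0) <= ts - d <= window for d in deauths.get(mac, []))
    return result

# Constructed sample data (MACs, times and the second log line are made up).
def T(s):
    return datetime.strptime("2011-11-01 " + s, TS_FMT)

SAMPLE_LOG = [
    "2011-11-01 10:00:05 <ERRS> |authmgr|  Maximum number of retries was attempted for station "
    "0019aabbc189 00:19:aa:bb:c1:89 01:80:aa:bb:c0:03, deauthenticating the station",
    "2011-11-01 10:00:07 <INFO> |authmgr|  unrelated constructed line",
]
SAMPLE_DHCP = [(T(t), mac, kind) for t, mac, kind in (
    ("10:01:00", "00:19:aa:bb:c1:89", "DISCOVER"),  # deauthed 55 s earlier
    ("10:01:10", "00:19:aa:bb:c2:10", "DISCOVER"),  # no deauth logged
    ("10:01:20", "00:19:aa:bb:c3:33", "DISCOVER"),
    ("10:01:21", "00:19:aa:bb:c3:33", "OFFER"))]    # answered, so not reported
```

A client that maps to `False` lost DHCP without a preceding deauth message, which points away from the retry-limit deauthentication as the cause for that client.
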
Contributor I
Posts: 67
Registered: ‎08-30-2011

Re: DHCP offer can't pass on controller after MAC authentication sometimes.

Jgreen

 

Thanks for your comment.

>>Were you able to correlate the "Maximum retries" message with the clients that were having problems?

 

No, it was due to 802.1x being enabled in the config even though clients are not 802.1x disabled. It may not be related to the issue.

 

I checked the old log. The users were in the user table as well as the station table. So they might now be deleted.

But I need to double-check because the worker might not have taken the log at the correct time.

 

I opened an SR, but they just said to set some user debug for the reoccurrence.  We have not reproduced it since then because they added a session ACL to prevent it. So the case was stuck.

 

I asked to upgrade to 6.x to isolate the issue as one DHCP offer bug was fixed.

 

Regards

Simon

 
