Super Contributor I

Delaying dhcp request on AP225

Hi,

Got a problem with a combination of an AP225 and an HP 5130 switch stack. The actual problem is to do with the 5130 but I'm wondering if there's anything I can do on the 225 to get round the problem.

Our switch ports are configured to support both 802.1x and mac auth. A successful authentication results in ClearPass passing back a vlan name to the switch and the client device is placed in the appropriate vlan. For a failed authentication, the switch drops the client into an "unauth" vlan with limited network access.

This is something we do all over campus on our HP Procurve switches. The 5130 is a rebadged H3C switch running ComWare Vsn 7.

I'm getting a race condition where the sequence of events seems to be as follows:-

1. Power up AP via PoE+ from switch
2. Switch puts AP in catch all vlan
3. Switch sees (dhcp) traffic from AP and starts processing a mac-auth
4. AP requests an IP address and gets one associated with the "unauth" vlan
5. Switch finishes processing the mac-auth and places AP into the correct vlan
6. AP has IP associated with one vlan but is in another one
7. Eventually AP reboots because it can't "phone home" to the mobility controller and sequence starts again.

Now the problem is that the switch shouldn't process the dhcp request until after either a mac-auth or 802.1x auth request has been processed/timed out. If it did that then things would be just fine and the AP would get an IP address on the right vlan.

While I could put a silly lease time in for the DHCP pool associated with the "unauth" vlan, that would affect everything connected to it which would be a bit silly. Is there any way of configuring the AP to delay the dhcp request for a couple of seconds to give the switch enough time to process the mac-auth?

Rgds

Alex

Guru Elite

Re: Delaying dhcp request on AP225

Do you see the same behavior if you use 802.1X with the AP?

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480

Super Contributor I

Re: Delaying dhcp request on AP225

Didn't know I could. Need to do some reading.

Rgds

Alex

Guru Elite

Re: Delaying dhcp request on AP225

Easiest thing to do is create a local user in ClearPass with a TIPS role of AP. Then in the AP provisioning screen you can specify 1X credentials.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480

Super Contributor I

Re: Delaying dhcp request on AP225

Cool, I'll give it a try.

A
