Contributor II
Posts: 43
Registered: ‎12-14-2011

Devices won't connect to guest network

Hi all

I have a really frustrating problem with the guest network I have set up on our lab controller. We have a 3200 running OS 6.2.0.3. This is in our lab but has a public IP. I have an AP95 here at home that is connected correctly and working.

I have created two SSIDs, one for dot1x testing and one for guest. Both SSIDs are set up to take IP addressing from DHCP on the controller, with a separate VLAN for each.

The dot1x network works fine; however, the guest does not. Using my Android phone, I try to connect and the phone attempts connection, then stops. It will keep doing that until I give up. Occasionally, it will say it's obtaining an IP address, but that times out. I set up debugging for the device and here is the latest output from an attempted connection:

Apr 30 21:15:20 :522246: <DBUG> |authmgr| Idle timeout should be driven by STM for MAC 98:0c:82:85:e6:35.
Apr 30 21:15:20 :522083: <DBUG> |authmgr| Skip User-Derivation, mba:0 udr_exist:0,default_role:guest-logon,pDefRole:0x0x109908e4
Apr 30 21:15:20 :522243: <DBUG> |authmgr| MAC=98:0c:82:85:e6:35 Station Updated Update MMS: BSSID=00:24:6c:41:f0:01 ESSID=demo-guest VLAN=18 AP-name=Demo_AP
Apr 30 21:15:24 :501095: <NOTI> |stm| Assoc request @ 21:15:24.959200: 98:0c:82:85:e6:35 (SN 746): AP 192.168.1.14-00:24:6c:41:f0:01-Demo_AP
Apr 30 21:15:24 :501100: <NOTI> |stm| Assoc success @ 21:15:24.960806: 98:0c:82:85:e6:35: AP 192.168.1.14-00:24:6c:41:f0:01-Demo_AP
Apr 30 21:15:24 :522035: <INFO> |authmgr| MAC=98:0c:82:85:e6:35 Station UP: BSSID=00:24:6c:41:f0:01 ESSID=demo-guest VLAN=18 AP-name=Demo_AP
Apr 30 21:15:24 :522077: <DBUG> |authmgr| MAC=98:0c:82:85:e6:35 ingress 0x0x10009 (tunnel 9), u_encr 1, m_encr 1, slotport 0x0x2040 , type: local, FW mode: 0, AP IP: 0.0.0.0 mdie 0 ft_complete 0
Apr 30 21:15:24 :522078: <DBUG> |authmgr| MAC=98:0c:82:85:e6:35, wired: 0, vlan:18 ingress:0x0x10009 (tunnel 9), ingress:0x0x10009 new_aaa_prof: demo-guest-AAA-profile, stored profile: demo-guest-AAA-profile stored wired: 0 stored essid: demo-guest, stored-ingress: 0x0x10009
Apr 30 21:15:24 :522246: <DBUG> |authmgr| Idle timeout should be driven by STM for MAC 98:0c:82:85:e6:35.
Apr 30 21:15:24 :522083: <DBUG> |authmgr| Skip User-Derivation, mba:0 udr_exist:0,default_role:guest-logon,pDefRole:0x0x109908e4
Apr 30 21:15:24 :522243: <DBUG> |authmgr| MAC=98:0c:82:85:e6:35 Station Updated Update MMS: BSSID=00:24:6c:41:f0:01 ESSID=demo-guest VLAN=18 AP-name=Demo_AP
Apr 30 21:15:28 :501095: <NOTI> |stm| Assoc request @ 21:15:28.696280: 98:0c:82:85:e6:35 (SN 787): AP 192.168.1.14-00:24:6c:41:f0:01-Demo_AP
Apr 30 21:15:28 :501100: <NOTI> |stm| Assoc success @ 21:15:28.697868: 98:0c:82:85:e6:35: AP 192.168.1.14-00:24:6c:41:f0:01-Demo_AP
Apr 30 21:15:28 :522035: <INFO> |authmgr| MAC=98:0c:82:85:e6:35 Station UP: BSSID=00:24:6c:41:f0:01 ESSID=demo-guest VLAN=18 AP-name=Demo_AP
Apr 30 21:15:28 :522077: <DBUG> |authmgr| MAC=98:0c:82:85:e6:35 ingress 0x0x10009 (tunnel 9), u_encr 1, m_encr 1, slotport 0x0x2040 , type: local, FW mode: 0, AP IP: 0.0.0.0 mdie 0 ft_complete 0
Apr 30 21:15:28 :522078: <DBUG> |authmgr| MAC=98:0c:82:85:e6:35, wired: 0, vlan:18 ingress:0x0x10009 (tunnel 9), ingress:0x0x10009 new_aaa_prof: demo-guest-AAA-profile, stored profile: demo-guest-AAA-profile stored wired: 0 stored essid: demo-guest, stored-ingress: 0x0x10009
Apr 30 21:15:28 :522246: <DBUG> |authmgr| Idle timeout should be driven by STM for MAC 98:0c:82:85:e6:35.
Apr 30 21:15:28 :522083: <DBUG> |authmgr| Skip User-Derivation, mba:0 udr_exist:0,default_role:guest-logon,pDefRole:0x0x109908e4
Apr 30 21:15:28 :522243: <DBUG> |authmgr| MAC=98:0c:82:85:e6:35 Station Updated Update MMS: BSSID=00:24:6c:41:f0:01 ESSID=demo-guest VLAN=18 AP-name=Demo_AP
Apr 30 21:15:32 :501095: <NOTI> |stm| Assoc request @ 21:15:32.742959: 98:0c:82:85:e6:35 (SN 828): AP 192.168.1.14-00:24:6c:41:f0:01-Demo_AP
Apr 30 21:15:32 :501100: <NOTI> |stm| Assoc success @ 21:15:32.744456: 98:0c:82:85:e6:35: AP 192.168.1.14-00:24:6c:41:f0:01-Demo_AP
Apr 30 21:15:32 :522035: <INFO> |authmgr| MAC=98:0c:82:85:e6:35 Station UP: BSSID=00:24:6c:41:f0:01 ESSID=demo-guest VLAN=18 AP-name=Demo_AP
Apr 30 21:15:32 :522077: <DBUG> |authmgr| MAC=98:0c:82:85:e6:35 ingress 0x0x10009 (tunnel 9), u_encr 1, m_encr 1, slotport 0x0x2040 , type: local, FW mode: 0, AP IP: 0.0.0.0 mdie 0 ft_complete 0
Apr 30 21:15:32 :522078: <DBUG> |authmgr| MAC=98:0c:82:85:e6:35, wired: 0, vlan:18 ingress:0x0x10009 (tunnel 9), ingress:0x0x10009 new_aaa_prof: demo-guest-AAA-profile, stored profile: demo-guest-AAA-profile stored wired: 0 stored essid: demo-guest, stored-ingress: 0x0x10009
Apr 30 21:15:32 :522246: <DBUG> |authmgr| Idle timeout should be driven by STM for MAC 98:0c:82:85:e6:35.
Apr 30 21:15:32 :522083: <DBUG> |authmgr| Skip User-Derivation, mba:0 udr_exist:0,default_role:guest-logon,pDefRole:0x0x109908e4
Apr 30 21:15:32 :522243: <DBUG> |authmgr| MAC=98:0c:82:85:e6:35 Station Updated Update MMS: BSSID=00:24:6c:41:f0:01 ESSID=demo-guest VLAN=18 AP-name=Demo_AP

It seems to be joining the network fine but then going nowhere. Initially I had created my own pre-auth guest role but, as that wasn't working, I reverted to using the default guest-logon role, but still no change.

I have tried connecting using a Windows machine and an iPhone and they fail too. It's not a tricky config and it's one I've used for hundreds of customers, but I just cannot get it to work.

Any ideas?
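
The log above shows the pattern to look for when a client gets past association but never gets further: "Assoc request", "Assoc success" and "Station UP" for the same MAC, then the same three lines again four seconds later, with no "Station DOWN" in between. The client is giving up (no address obtained) and re-associating on its own. As an added example, not part of the original post or of ArubaOS, here is a small Python script that parses stm/authmgr lines in that format and flags any station that re-associates at least three times inside a 15-second window (both numbers are arbitrary thresholds chosen for the example). The sample lines are constructed to match the format above: the first station repeats the thread's loop, the second associates once to the dot1x SSID and stays up.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the stm/authmgr format from the thread. The first station
# repeats the loop seen in the post; the second associates once and stays up.
SAMPLE_LOG = """\
Apr 30 21:15:24 :501095: <NOTI> |stm| Assoc request @ 21:15:24.959200: 98:0c:82:85:e6:35 (SN 746): AP 192.168.1.14-00:24:6c:41:f0:01-Demo_AP
Apr 30 21:15:24 :501100: <NOTI> |stm| Assoc success @ 21:15:24.960806: 98:0c:82:85:e6:35: AP 192.168.1.14-00:24:6c:41:f0:01-Demo_AP
Apr 30 21:15:24 :522035: <INFO> |authmgr| MAC=98:0c:82:85:e6:35 Station UP: BSSID=00:24:6c:41:f0:01 ESSID=demo-guest VLAN=18 AP-name=Demo_AP
Apr 30 21:15:28 :501095: <NOTI> |stm| Assoc request @ 21:15:28.696280: 98:0c:82:85:e6:35 (SN 787): AP 192.168.1.14-00:24:6c:41:f0:01-Demo_AP
Apr 30 21:15:28 :501100: <NOTI> |stm| Assoc success @ 21:15:28.697868: 98:0c:82:85:e6:35: AP 192.168.1.14-00:24:6c:41:f0:01-Demo_AP
Apr 30 21:15:28 :522035: <INFO> |authmgr| MAC=98:0c:82:85:e6:35 Station UP: BSSID=00:24:6c:41:f0:01 ESSID=demo-guest VLAN=18 AP-name=Demo_AP
Apr 30 21:15:32 :501095: <NOTI> |stm| Assoc request @ 21:15:32.742959: 98:0c:82:85:e6:35 (SN 828): AP 192.168.1.14-00:24:6c:41:f0:01-Demo_AP
Apr 30 21:15:32 :501100: <NOTI> |stm| Assoc success @ 21:15:32.744456: 98:0c:82:85:e6:35: AP 192.168.1.14-00:24:6c:41:f0:01-Demo_AP
Apr 30 21:15:32 :522035: <INFO> |authmgr| MAC=98:0c:82:85:e6:35 Station UP: BSSID=00:24:6c:41:f0:01 ESSID=demo-guest VLAN=18 AP-name=Demo_AP
Apr 30 21:15:40 :501095: <NOTI> |stm| Assoc request @ 21:15:40.100000: aa:bb:cc:dd:ee:01 (SN 12): AP 192.168.1.14-00:24:6c:41:f0:00-Demo_AP
Apr 30 21:15:40 :501100: <NOTI> |stm| Assoc success @ 21:15:40.101000: aa:bb:cc:dd:ee:01: AP 192.168.1.14-00:24:6c:41:f0:00-Demo_AP
Apr 30 21:15:40 :522035: <INFO> |authmgr| MAC=aa:bb:cc:dd:ee:01 Station UP: BSSID=00:24:6c:41:f0:00 ESSID=demo-dot1x VLAN=17 AP-name=Demo_AP
"""

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
# stm logs the association request with a microsecond timestamp and the client MAC
ASSOC_RE = re.compile(
    r"\|stm\| Assoc request @ (?P<ts>\d{2}:\d{2}:\d{2}\.\d+): (?P<mac>" + MAC + r")"
)
# authmgr's Station UP line carries the ESSID and VLAN the client landed in
STATION_UP_RE = re.compile(
    r"\|authmgr\| MAC=(?P<mac>" + MAC + r") Station UP: .*ESSID=(?P<essid>\S+) VLAN=(?P<vlan>\d+)"
)


def _parse_time(ts):
    # Only the time of day is parsed; the window must not straddle midnight.
    return datetime.strptime(ts, "%H:%M:%S.%f")


def find_assoc_loops(log_text, threshold=3, window_s=15):
    """Return {mac: {count, essid, vlan}} for stations that re-associate
    at least `threshold` times within any `window_s`-second window."""
    requests = defaultdict(list)
    station = {}
    for line in log_text.splitlines():
        m = ASSOC_RE.search(line)
        if m:
            requests[m["mac"]].append(_parse_time(m["ts"]))
            continue
        m = STATION_UP_RE.search(line)
        if m:
            station[m["mac"]] = {"essid": m["essid"], "vlan": m["vlan"]}

    window = timedelta(seconds=window_s)
    flagged = {}
    for mac, times in requests.items():
        times.sort()
        best, j = 0, 0
        # Sliding window: for each request, count how many follow within the window
        for i, t0 in enumerate(times):
            while j < len(times) and times[j] - t0 <= window:
                j += 1
            best = max(best, j - i)
        if best >= threshold:
            flagged[mac] = {"count": best, **station.get(mac, {"essid": None, "vlan": None})}
    return flagged


if __name__ == "__main__":
    for mac, info in find_assoc_loops(SAMPLE_LOG).items():
        print(f"{mac}: {info['count']} assoc requests in window, "
              f"ESSID={info['essid']} VLAN={info['vlan']}")
```

On the sample it reports only 98:0c:82:85:e6:35 (three requests, ESSID demo-guest, VLAN 18); the dot1x client is not flagged. Grouping by ESSID and VLAN in the output is what makes the split visible at a glance: one SSID loops, the other does not, which is the same observation the thread starts from.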

Aruba
Posts: 1,642
Registered: ‎04-13-2009

Re: Devices won't connect to guest network

Does the controller have an IP on the VLAN that you are trying to give to the guests? Since you know the VLAN works for your 802.1X network, have you configured the guest virtual AP to use that VLAN? Does it work and get an IP?

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX

Contributor II
Posts: 43
Registered: ‎12-14-2011

Re: Devices won't connect to guest network

Hi Clembo

I've just set both VAPs to use the same (working) dot1x VLAN and it hasn't made a difference.

Aruba
Posts: 1,642
Registered: ‎04-13-2009

Re: Devices won't connect to guest network

Please confirm the role the guest gets put into upon connection and run the following command and share the output:

show rights <Name-of-Role>

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX

Contributor II
Posts: 43
Registered: ‎12-14-2011

Re: Devices won't connect to guest network

Currently they are going into the default guest-logon role. Note that no CP is currently applied here, but before I had them going into a guest-preauth-role that had the logon-control and cp policies applied and had a CP profile set, but this had the same issue.

(Aruba3200) # show rights guest-logon

Derived Role = 'guest-logon'
Up BW:No Limit Down BW:No Limit
L2TP Pool = default-l2tp-pool
PPTP Pool = default-pptp-pool
Periodic reauthentication: Disabled
ACL Number = 6/0
Max Sessions = 65535

Captive Portal profile = default

access-list List
----------------
Position Name Type Location
-------- ---- ---- --------
1 logon-control session
2 captiveportal session
3 v6-logon-control session
4 captiveportal6 session

logon-control
-------------
Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6
-------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------
1 user any udp 68 deny Low 4
2 any any svc-icmp permit Low 4
3 any any svc-dns permit Low 4
4 any any svc-dhcp permit Low 4
5 any any svc-natt permit Low 4
captiveportal
-------------
Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6
-------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------
1 user controller svc-https dst-nat 8081 Low 4
2 user any svc-http dst-nat 8080 Low 4
3 user any svc-https dst-nat 8081 Low 4
4 user any svc-http-proxy1 dst-nat 8088 Low 4
5 user any svc-http-proxy2 dst-nat 8088 Low 4
6 user any svc-http-proxy3 dst-nat 8088 Low 4
v6-logon-control
----------------
Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6
-------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------
1 user any udp 68 deny Low 6
2 any any svc-v6-icmp permit Low 6
3 any any svc-v6-dhcp permit Low 6
4 any any svc-dns permit Low 6
captiveportal6
--------------
Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6
-------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------
1 user controller6 svc-https captive Low 6
2 user any svc-http captive Low 6
3 user any svc-https captive Low 6
4 user any svc-http-proxy1 captive Low 6
5 user any svc-http-proxy2 captive Low 6
6 user any svc-http-proxy3 captive Low 6

Expired Policies (due to time constraints) = 0
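
The question behind the request for this output is whether the pre-auth role itself is what stops the phone: an unauthenticated client in guest-logon needs DHCP and DNS permitted before the captive-portal dst-nat rules matter. Reading that off the flattened table by eye is error-prone because the Service column can be more than one word ("udp 68") and dst-nat carries a port argument. As an added example, not from the poster or from ArubaOS, here is a Python parser for the `show rights` rule format above that uses the action keyword as the split point, plus a check of the three rules that matter before authentication. The sample text is an excerpt of the output above (IPv4 policies only); the set of action keywords is an assumption covering the ones that appear in the thread plus src-nat.

```python
import re

# Excerpt of the `show rights guest-logon` output posted in the thread
# (IPv4 policies only, to keep the sample short)
SHOW_RIGHTS = """\
Derived Role = 'guest-logon'
ACL Number = 6/0
Captive Portal profile = default

logon-control
-------------
Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6
-------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------
1 user any udp 68 deny Low 4
2 any any svc-icmp permit Low 4
3 any any svc-dns permit Low 4
4 any any svc-dhcp permit Low 4
5 any any svc-natt permit Low 4
captiveportal
-------------
Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6
-------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------
1 user controller svc-https dst-nat 8081 Low 4
2 user any svc-http dst-nat 8080 Low 4
3 user any svc-https dst-nat 8081 Low 4
"""

# Assumed set of action keywords; the service column is everything between the
# destination and the first token that is an action.
ACTIONS = {"permit", "deny", "dst-nat", "src-nat", "captive"}


def _parse_rule(line):
    tok = line.split()
    k = next(i for i in range(3, len(tok)) if tok[i] in ACTIONS)
    return {
        "priority": int(tok[0]),
        "source": tok[1],
        "destination": tok[2],
        "service": " ".join(tok[3:k]),
        "action": tok[k],
        # e.g. the port after dst-nat; Queue and IPv4/6 are always the last two columns
        "action_arg": " ".join(tok[k + 1:-2]) or None,
        "queue": tok[-2],
        "ip_version": tok[-1],
    }


def parse_show_rights(text):
    """Return {policy_name: [rule, ...]} in the order the role applies them."""
    policies, current = {}, None
    lines = text.splitlines()
    for idx, line in enumerate(lines):
        if line.startswith("Priority Source Destination"):
            # The policy name sits two lines above the column header (dashes between)
            current = lines[idx - 2].strip()
            policies[current] = []
        elif current is not None and re.match(r"^\d+\s", line):
            policies[current].append(_parse_rule(line))
    return policies


def first_match(policies, service, source="user"):
    """First rule, in policy order, that names `service` and applies to `source`."""
    for name, rules in policies.items():
        for rule in rules:
            if rule["service"] == service and rule["source"] in ("any", source):
                return name, rule
    return None, None


def pre_auth_check(policies):
    """Can an unauthenticated client get an address and resolve names, and is it
    stopped from answering other clients' DHCP (sending to UDP/68)?"""
    _, dhcp = first_match(policies, "svc-dhcp")
    _, dns = first_match(policies, "svc-dns")
    _, rogue = first_match(policies, "udp 68")
    return {
        "dhcp_permitted": bool(dhcp and dhcp["action"] == "permit"),
        "dns_permitted": bool(dns and dns["action"] == "permit"),
        "client_dhcp_server_blocked": bool(rogue and rogue["action"] == "deny"),
    }


if __name__ == "__main__":
    parsed = parse_show_rights(SHOW_RIGHTS)
    for name, rules in parsed.items():
        print(f"{name}: {len(rules)} rules")
    print(pre_auth_check(parsed))
```

Against the posted output the check comes back with all three true: DHCP and DNS are permitted for any source, and the deny on UDP/68 (the DHCP client port) stops a client from handing out leases to its neighbours. That is the stock logon-control policy doing its job, so the role ACL is not what is blocking the phone, and the thread correctly moves on to the VLAN, DHCP pool and NAT configuration.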


MVP
Posts: 4,175
Registered: ‎07-20-2011

Re: Devices won't connect to guest network

How do you have the DHCP set up for this?

Are you doing any NATing on the VLAN?

Are you using the internal captive portal or ClearPass/Amigopod?

Please check this doc:

http://www.arubanetworks.com/wp-content/uploads/aos_guestacccess-appnote.pdf

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Aruba
Posts: 1,642
Registered: ‎04-13-2009

Re: Devices won't connect to guest network

Can you confirm what forwarding mode the virtual AP for the guests is in? Tunnel, bridge, split-tunnel?

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX

Contributor II
Posts: 43
Registered: ‎12-14-2011

Re: Devices won't connect to guest network

DHCP setup:

ip dhcp pool demo-guest-dhcp-pool
default-router 192.168.18.1
dns-server 8.8.8.8
lease 1 0 0 0
network 192.168.18.0 255.255.255.0
authoritative
!
service dhcp

Yes, we have ip nat-inside on the VLAN as well as on the dot1x VLAN. Currently the landing page is on the controller. I have read the PDF and think I'm doing everything right!

Contributor II
Posts: 43
Registered: ‎12-14-2011

Re: Devices won't connect to guest network

Both VAPs are configured in tunnel mode.

MVP
Posts: 4,175
Registered: ‎07-20-2011

Re: Devices won't connect to guest network

Do you have an ip nat pool set up, or are you doing the NATing at the border?

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA