Community Home > Discuss > Technology > Security > Guests connect but disconnect soon after

Security

Reply
s_hughes78
Occasional Contributor I
s_hughes78

Guests connect but disconnect soon after

‎11-19-2013 08:35 AM

Hi,

 

I'm hoping someone can help with this.

I have a Dell Powerconnect W-620 controller running Aruba 6.1.3.7.

I also have two AP's associated to this controller.

 

I have already configured a network for LAN connection using EAP/RADIUS and now i'm trying to create a Guest SSID.

 

I have followed what i thought was correct below but it seems the clients (Win7 Laptop and Android Phone) connect, get an IP from the Guest DHCP pool and then disconnect a few seconds afterward.

Subsequent attempts to connect nearly always fail straight away without getting an IP.

I have ran traces using NetMon on the laptop and not every time there are DHCP requests and you can see the IP given by the Guest VLAN IP to the laptop. If you run a quick 'ipconfig' it gets the IP ok but soon disconnects with no event logs.

 

I have only added the pre-authentication role policies below as it doesn't hold its IP long enough to logon to the captive portal.

 

 

Details:

 

Guest VLAN created -  

ID=200 - IP 20.20.20.1 /24 - Not associated to any port

Enabled src-NAT for this VLAN

Inter-VLAN routing enabled

 

DHCP -

Enabled

Guest_Pool1 - 

Default Router - 20.20.20.1

Network - 20.20.20.0 /24

Range - 20.20.20.6 - 20.20.20.254

 

NAT Pools - 

dymanic-srcnat 0.0.0.0 - 0.0.0.0 - 0.0.0.0 for everything

 

IP Routes - 

default gateway - 10.0.0.6 (IP of Firewall)

No other routes

 

Roles-

 

Role - LM-Guest-guest-logon (pre authentication/captive portal)

 

Policies-

 

 

captiveportal

source user Dest controller Service svc-https Action dst-nat 8081

source user Dest any Service svc-http Action dst-nat 8080

source user Dest any Service svc-https Action dst-nat 8081

source user Dest any Service svc-http-proxy1 Action dst-nat 8088

source user Dest any Service svc-http-proxy2 Action dst-nat 8088

source user Dest any Service svc-http-proxy3 Action dst-nat 8088

 

Guest-Logon-Access

 

source any Dest any Service svc-dhcp Action permit

source any Dest Public-DNS Service svc-dns Action src-nat pool dymanic-srcnat  (Public-DNS contains list of external DNS servers)

 

Block-Internal-Networks

source user Dest Internal-Networks Service any Action deny   ( Internal Networks lists IP ranges for internal networks)

 

Alert a Moderator
Message 1 of 12
2,663 Views
Reply
0 Kudos
Guru Elite Guru Elite
Guru Elite
cjoseph

Re: Guests connect but disconnect soon after

‎11-19-2013 08:39 AM

Can the user resolve DNS?


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Alert a Moderator
Message 2 of 12
2,660 Views
Reply
0 Kudos
s_hughes78
Occasional Contributor I
s_hughes78

Re: Guests connect but disconnect soon after

‎11-19-2013 08:42 AM

Doesn't look like it.

 

From what i can gather (since the connection only lasts a few seconds) it gets the DNS servers that i have assigned but it can't resolve www.google.com when pinging during  its time of having the IP.

 

Alert a Moderator
Message 3 of 12
2,657 Views
Reply
0 Kudos
Guru Elite Guru Elite
Guru Elite
cjoseph

Re: Guests connect but disconnect soon after

‎11-19-2013 08:43 AM

Resolving DNS is key to bring up the portal. Why are you source natting?


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Alert a Moderator
Message 4 of 12
2,654 Views
Reply
0 Kudos
s_hughes78
Occasional Contributor I
s_hughes78

Re: Guests connect but disconnect soon after

‎11-19-2013 08:46 AM

Just going through an Aruba doc, albeit a little old but it gave me the fundamentals to set this up.

I have no doubt there is something just configured incorrectly.

 

Shall i just permit DNS ?

Alert a Moderator
Message 5 of 12
2,649 Views
Reply
0 Kudos
Guru Elite Guru Elite
Guru Elite
cjoseph

Re: Guests connect but disconnect soon after

‎11-19-2013 08:47 AM

Yes.


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Alert a Moderator
Message 6 of 12
2,646 Views
Reply
0 Kudos
s_hughes78
Occasional Contributor I
s_hughes78

Re: Guests connect but disconnect soon after

‎11-19-2013 08:53 AM

Ok.

I permitted DNS and it still dodn't work.

Rule for Guest-Logon-Access

 

any any svc-dhcp permit

any public-dns svc-dns permit

 

 

 

Alert a Moderator
Message 7 of 12
2,643 Views
Reply
0 Kudos
Guru Elite Guru Elite
Guru Elite
cjoseph

Re: Guests connect but disconnect soon after

‎11-19-2013 08:54 AM

Can the IP address the client gets route to the internet? What is the default gateway?


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Alert a Moderator
Message 8 of 12
2,641 Views
Reply
0 Kudos
s_hughes78
Occasional Contributor I
s_hughes78

Re: Guests connect but disconnect soon after

‎11-19-2013 09:01 AM

The client gets an IP 20.20.20.253

This IP is not routable to the internet

 

The VLAN is set directly on the controller.

The controller is connected to a switch stack which doesn't have this VLAN 200 added to the trunk (not that i though this was necessary as i understood it used the address of the controller as its NAT)

This switch then connects to a Firewall and then out to the internet.

 

The default gateway on the controller is that of the Internal IP of the Firewall.

 

I can understand if the client kept its IP but couldn't get to the Captive Portal but the clients are dropping the wireless connection within 10 seconds....slightly annoying me :-)

 

 

Alert a Moderator
Message 9 of 12
2,639 Views
Reply
0 Kudos
MVP
MVP
Victor Fabian

Re: Guests connect but disconnect soon after

‎11-19-2013 09:23 AM

 

You need to allow DHCP on your captive portal role too ?

 

Make sure you have attached the captive portal profile to that role too ?

 

 

Thank you

Victor Fabian
Lead Mobility Architect @WEI
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Alert a Moderator
Message 10 of 12
2,623 Views
Reply
0 Kudos
Search Airheads
cancel
turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

© Copyright 2018 Hewlett Packard Enterprise Development LP
All Rights Reserved.
Powered by Lithium