Contributor I
Posts: 25
Registered: ‎06-30-2009

Issues with open network

Hi,

 

I have problems connecting to an open network. This network has a captive portal profile assigned.

The aaa profile assigned to the vap has a role with dhcp and dns allowed.

There is a dhcp pool in the vlan assigned to the user, but I've never been able to connect with some devices.

 

The show auth-tracebuf command shows me:

 

Nov 21 13:39:57  station-data-ready     *  f0:e7:7e:a1:03:6b  00:00:00:00:00:00  400  405  
Nov 21 13:39:57  station-up             *  f0:e7:7e:a1:03:6b  00:1a:1e:c3:96:a1  -    -    open system
Nov 21 13:39:57  station-data-ready     *  f0:e7:7e:a1:03:6b  00:00:00:00:00:00  400  405  
Nov 21 13:39:58  station-data-ready     *  f0:e7:7e:a1:03:6b  00:00:00:00:00:00  400  405  
Nov 21 13:39:58  station-up             *  f0:e7:7e:a1:03:6b  00:1a:1e:c3:96:a1  -    -    open system
Nov 21 13:39:58  station-data-ready     *  f0:e7:7e:a1:03:6b  00:00:00:00:00:00  400  405  
Nov 21 13:39:58  station-down           *  f0:e7:7e:a1:03:6b  00:1a:1e:c3:96:a1  -    -   

 

Any ideas?

 

Thanks

Guru Elite
Posts: 21,281
Registered: ‎03-29-2007

Re: Issues with open network

Which devices are you having problems with?

Do the devices get an ip address?

Can you resolve DNS names with those devices?

Can you bring up the Captive Portal?

 

What does not work, from the questions above?

 

 



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Contributor I
Posts: 25
Registered: ‎06-30-2009

Re: Issues with open network

Thanks for your answer,

 

The client does not get an ip address.

I have a user role with vlan 405 and a firewall policy that permits the dhcp traffic.

I have a dhcp server defined for the interface vlan 405, but all devices are not able to connect to the network.

 

The firewall rule "any any svc-dhcp permit" is shown when I do "show acl hits", but it seems not to work.

In test mode I put this rule to blacklist devices that match it, but it does not work.

 

This is what I can see:

 

#show auth-tracebuf mac  00:1b:77:cf:5c:76

 

Nov 21 15:27:40  station-up             *  00:1b:77:cf:5c:76  00:1a:1e:c3:96:a1  -    -    open system
Nov 21 15:27:40  station-data-ready     *  00:1b:77:cf:5c:76  00:00:00:00:00:00  400  405  
Nov 21 15:27:40  station-down           *  00:1b:77:cf:5c:76  00:1a:1e:c3:96:a1  -    -    
Nov 21 15:27:41  station-data-ready     *  00:1b:77:cf:5c:76  00:00:00:00:00:00  400  405  
Nov 21 15:27:41  station-up             *  00:1b:77:cf:5c:76  00:1a:1e:c3:96:a1  -    -    open system
Nov 21 15:27:41  station-data-ready     *  00:1b:77:cf:5c:76  00:00:00:00:00:00  400  405  
Nov 21 15:27:41  station-down           *  00:1b:77:cf:5c:76  00:1a:1e:c3:96:a1  -    -   

 

#show acl hits | i congresos

 

congresos     logon-control-congresos-II  any   any              svc-dhcp       permit                        3         5           906

 

 

Guru Elite
Posts: 21,281
Registered: ‎03-29-2007

Re: Issues with open network

What is the DHCP server?

 



Colin Joseph
Aruba Customer Engineering


Contributor I
Posts: 25
Registered: ‎06-30-2009

Re: Issues with open network

The dhcp server is the controller.

Guru Elite
Posts: 21,281
Registered: ‎03-29-2007

Re: Issues with open network

Okay.

 

Is it enabled?

Does the "Network" portion of the DHCP server pool match an ip interface on the controller?

 



Colin Joseph
Aruba Customer Engineering


Contributor I
Posts: 25
Registered: ‎06-30-2009

Re: Issues with open network

Yes, it is enabled and there is an ip address for interface vlan 405.

 

# sh ip inter brief

vlan 405                  192.168.75.1 / 255.255.255.0     up      up

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

 


It's pretty strange, because in a live capture I am seeing some DHCP NAKs and some DHCP offers.

The pc is getting an ip address that is not defined in the controller as dhcp server.

It was defined in the past for another network.

I see that I can restart the dhcp service, but I am thinking of doing a reload.

 

Thanks

Guru Elite
Posts: 21,281
Registered: ‎03-29-2007

Re: Issues with open network

I would turn on network dhcp debugging and watch:

 

config t
logging level debugging network subcat dhcp
logging level debugging network process dhcpd

(host) (config) #show log network 20

Nov 17 16:50:47 :209801: <WARN> |fpapps| Physical link down: port 1/3
Nov 17 16:51:33 :209801: <WARN> |fpapps| Physical link down: port 1/3
Nov 21 10:10:42 :202086: <INFO> |dhcpdwrap| netlink_arp_changed(): ker_mac 00:23:6c:90:05:11 pkt_mac 00:23:6c:90:05:11 cip 1.1.1.250
Nov 21 10:11:11 :202085: <DBUG> |dhcpdwrap| No arp entry for ip address 192.168.1.72 eth1.1
Nov 21 10:11:17 :202086: <INFO> |dhcpdwrap| netlink_arp_changed(): ker_mac 00:23:6c:90:05:11 pkt_mac 00:23:6c:90:05:11 cip 1.1.1.250
Nov 21 10:11:38 :202541: <DBUG> |dhcpdwrap| |dhcp| Received DHCP packet from Datpath, sos msg hdr flags 0x40 opcode 0x5a ingress 0x108c vlan 1000 egress 0x0 src mac 00:23:6c:90:05:11
Nov 21 10:11:38 :202536: <DBUG> |dhcpdwrap| |dhcp| Datapath vlan1000: REQUEST 00:23:6c:90:05:11 reqIP=1.1.1.250 Options 37:0103060f775ffc2c2e2f 39:05dc 3d:0100236c900511 33:0076a700
Nov 21 10:11:38 :202541: <DBUG> |dhcpdwrap| |dhcp| Received DHCP packet from Datpath, sos msg hdr flags 0x440 opcode 0x5a ingress 0x108c vlan 1000 egress 0x0 src mac 00:23:6c:90:05:11
Nov 21 10:11:38 :202536: <DBUG> |dhcpdwrap| |dhcp| Datapath vlan1000: REQUEST 00:23:6c:90:05:11 reqIP=1.1.1.250 Options 37:0103060f775ffc2c2e2f 39:05dc 3d:0100236c900511 33:0076a700
Nov 21 10:11:38 :202523: <DBUG> |dhcpdwrap| |dhcp| dhcprelay: dev=eth1, length=300, from_port=68, op=1, giaddr=0.0.0.0
Nov 21 10:11:38 :202513: <DBUG> |dhcpdwrap| |dhcp| Could not find interface and/or vlan for ip=1.1.1.250, could be reply to mobility message.
Nov 21 10:11:38 :202532: <DBUG> |dhcpdwrap| |dhcp| got 2 relay servers
Nov 21 10:11:38 :202533: <DBUG> |dhcpdwrap| |dhcp| Relayed: DISCOVER server=192.168.1.32 giaddr=1.1.1.1 MAC=00:23:6c:90:05:11
Nov 21 10:11:38 :202533: <DBUG> |dhcpdwrap| |dhcp| Relayed: DISCOVER server=192.168.1.31 giaddr=1.1.1.1 MAC=00:23:6c:90:05:11
Nov 21 10:11:38 :202541: <DBUG> |dhcpdwrap| |dhcp| Received DHCP packet from Datpath, sos msg hdr flags 0x42 opcode 0x5a ingress 0x0 vlan 1000 egress 0x108c src mac 00:0b:86:6d:20:30
Nov 21 10:11:38 :202086: <INFO> |dhcpdwrap| netlink_arp_changed(): ker_mac 00:23:6c:90:05:11 pkt_mac 00:23:6c:90:05:11 cip 1.1.1.250
Nov 21 10:11:38 :202544: <DBUG> |dhcpdwrap| |dhcp| Datapath vlan1000: ACK 00:23:6c:90:05:11 clientIP=1.1.1.250
Nov 21 10:11:38 :202523: <DBUG> |dhcpdwrap| |dhcp| dhcprelay: dev=eth1, length=300, from_port=67, op=1, giaddr=1.1.1.1
Nov 21 10:11:38 :202541: <DBUG> |dhcpdwrap| |dhcp| Received DHCP packet from Datpath, sos msg hdr flags 0x42 opcode 0x5a ingress 0x0 vlan 1 egress 0x1043 src mac 00:0b:86:6d:20:30
Nov 21 10:11:38 :202536: <DBUG> |dhcpdwrap| |dhcp| Datapath vlan1: REQUEST 00:23:6c:90:05:11 reqIP=1.1.1.250 Options 37:0103060f775ffc2c2e2f 39:05dc 3d:0100236c900511 33:0076a700

 



Colin Joseph
Aruba Customer Engineering


Contributor I
Posts: 25
Registered: ‎06-30-2009

Re: Issues with open network

Suddenly I can connect with my laptop, but I can't see the dhcp offer for other devices:

 

Nov 21 17:27:28 :202546:  <DBUG> |dhcpd| |dhcp| Datapath vlan405: OFFER 00:1b:77:cf:5c:76 clientIP=192.168.75.254
Nov 21 17:27:29 :202546:  <DBUG> |dhcpd| |dhcp| Datapath vlan405: OFFER 00:1b:77:cf:5c:76 clientIP=192.168.75.254
Nov 21 17:27:29 :202536:  <DBUG> |dhcpd| |dhcp| Datapath vlan405: REQUEST 00:1b:77:cf:5c:76 reqIP=192.168.75.254
Nov 21 17:27:29 :202544:  <DBUG> |dhcpd| |dhcp| Datapath vlan405: ACK 00:1b:77:cf:5c:76 clientIP=192.168.75.254
Nov 21 17:27:30 :202546:  <DBUG> |dhcpd| |dhcp| Datapath vlan405: OFFER 00:21:5c:08:3f:0b clientIP=192.168.75.251
Nov 21 17:27:30 :202536:  <DBUG> |dhcpd| |dhcp| Datapath vlan405: REQUEST 00:21:5c:08:3f:0b reqIP=192.168.75.251
Nov 21 17:27:30 :202544:  <DBUG> |dhcpd| |dhcp| Datapath vlan405: ACK 00:21:5c:08:3f:0b clientIP=192.168.75.251
Nov 21 17:27:30 :202546:  <DBUG> |dhcpd| |dhcp| Datapath vlan405: OFFER 00:1b:77:cf:5c:76 clientIP=192.168.75.254
Nov 21 17:27:35 :202546:  <DBUG> |dhcpd| |dhcp| Datapath vlan405: OFFER 00:21:5c:08:3f:0b clientIP=192.168.75.251
Nov 21 17:27:39 :202546:  <DBUG> |dhcpd| |dhcp| Datapath vlan405: OFFER 00:21:5c:08:3f:0b clientIP=192.168.75.251
Nov 21 17:27:39 :202536:  <DBUG> |dhcpd| |dhcp| Datapath vlan405: REQUEST 00:21:5c:08:3f:0b reqIP=192.168.75.251
Nov 21 17:27:39 :202544:  <DBUG> |dhcpd| |dhcp| Datapath vlan405: ACK 00:21:5c:08:3f:0b clientIP=192.168.75.251
Nov 21 17:27:40 :202546:  <DBUG> |dhcpd| |dhcp| Datapath vlan405: OFFER 00:21:5c:08:3f:0b clientIP=192.168.75.251
Nov 21 17:27:46 :202546:  <DBUG> |dhcpd| |dhcp| Datapath vlan405: OFFER 00:21:5c:08:3f:0b clientIP=192.168.75.251
Nov 21 17:27:46 :202536:  <DBUG> |dhcpd| |dhcp| Datapath vlan405: REQUEST 00:21:5c:08:3f:0b reqIP=192.168.75.251
Nov 21 17:27:46 :202544:  <DBUG> |dhcpd| |dhcp| Datapath vlan405: ACK 00:21:5c:08:3f:0b clientIP=192.168.75.251
Nov 21 17:27:46 :202546:  <DBUG> |dhcpd| |dhcp| Datapath vlan405: OFFER 00:21:5c:08:3f:0b clientIP=192.168.75.251
Nov 21 17:27:49 :202546:  <DBUG> |dhcpd| |dhcp| Datapath vlan405: OFFER 00:21:5c:08:3f:0b clientIP=192.168.75.251
Nov 21 17:27:49 :202546:  <DBUG> |dhcpd| |dhcp| Datapath vlan405: OFFER 00:21:5c:08:3f:0b clientIP=192.168.75.251
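
Added example, not part of the original post and not Aruba code: a small Python summarizer for DHCP debug lines in the format shown above. It reports clients whose OFFERs keep repeating without a closing ACK and addresses that fall outside the pool expected for the VLAN. The pool for vlan 405 is taken from the interface line quoted in the thread; the sample log and the 02:00:00:00:00:01 client are constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Assumption: expected pool per VLAN, from "vlan 405  192.168.75.1 / 255.255.255.0" in the thread.
EXPECTED_POOLS = {405: ipaddress.ip_network("192.168.75.0/24")}

# Constructed sample in the thread's log format; the 02:00:00:00:00:01 client is invented.
SAMPLE = """\
Nov 21 17:27:29 :202546:  <DBUG> |dhcpd| |dhcp| Datapath vlan405: OFFER 00:1b:77:cf:5c:76 clientIP=192.168.75.254
Nov 21 17:27:29 :202536:  <DBUG> |dhcpd| |dhcp| Datapath vlan405: REQUEST 00:1b:77:cf:5c:76 reqIP=192.168.75.254
Nov 21 17:27:29 :202544:  <DBUG> |dhcpd| |dhcp| Datapath vlan405: ACK 00:1b:77:cf:5c:76 clientIP=192.168.75.254
Nov 21 17:27:30 :202546:  <DBUG> |dhcpd| |dhcp| Datapath vlan405: OFFER 00:21:5c:08:3f:0b clientIP=192.168.75.251
Nov 21 17:27:30 :202544:  <DBUG> |dhcpd| |dhcp| Datapath vlan405: ACK 00:21:5c:08:3f:0b clientIP=192.168.75.251
Nov 21 17:27:46 :202546:  <DBUG> |dhcpd| |dhcp| Datapath vlan405: OFFER 00:21:5c:08:3f:0b clientIP=192.168.75.251
Nov 21 17:27:49 :202546:  <DBUG> |dhcpd| |dhcp| Datapath vlan405: OFFER 00:21:5c:08:3f:0b clientIP=192.168.75.251
Nov 21 17:27:50 :202546:  <DBUG> |dhcpd| |dhcp| Datapath vlan405: OFFER 02:00:00:00:00:01 clientIP=10.0.0.5
"""

LINE = re.compile(
    r"\|dhcp\|\s+Datapath vlan(?P<vlan>\d+):\s+(?P<msg>DISCOVER|OFFER|REQUEST|ACK|NAK)\s+"
    r"(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})(?:\s+\w+=(?P<ip>[\d.]+))?")

def summarize(text):
    """Per (vlan, mac): message counts, addresses seen, and OFFERs since the last ACK."""
    stats = defaultdict(lambda: {"counts": defaultdict(int), "ips": set(), "pending": 0})
    for raw in text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue  # not a DHCP datapath message (relay, ARP, link events, ...)
        s = stats[(int(m["vlan"]), m["mac"].lower())]
        s["counts"][m["msg"]] += 1
        if m["ip"]:
            s["ips"].add(m["ip"])
        # An ACK closes the exchange; every OFFER after it counts as a retry.
        s["pending"] = 0 if m["msg"] == "ACK" else s["pending"] + (m["msg"] == "OFFER")
    return stats

def findings(stats, pools=EXPECTED_POOLS, retry_threshold=2):
    """Return (mac, vlan, reason) tuples for clients worth a closer look."""
    out = []
    for (vlan, mac), s in sorted(stats.items()):
        net = pools.get(vlan)
        bad = sorted(ip for ip in s["ips"] if net is not None and ipaddress.ip_address(ip) not in net)
        if bad:
            out.append((mac, vlan, "address outside expected pool: " + ",".join(bad)))
        if s["counts"]["OFFER"] and not s["counts"]["ACK"]:
            out.append((mac, vlan, "OFFER never completed with ACK"))
        elif s["pending"] >= retry_threshold:
            out.append((mac, vlan, "repeated OFFERs after last ACK"))
    return out
```

Call `findings(summarize(log_text))` on saved `show log network` output; an address outside the expected pool points at a second DHCP server or a stale scope answering on that VLAN.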

Guru Elite
Posts: 21,281
Registered: ‎03-29-2007

Re: Issues with open network

Disconnect them and try to reconnect them one by one...

 

If need be, turn on user debugging:

config t
logging level debug user

show log user 50

 



Colin Joseph
Aruba Customer Engineering
