New Contributor
jpickering
Posts: 4
Registered: ‎09-29-2011

DHCP fingerprinting for VLAN not working at all

Hiya,

Long time listener first time caller here.

I have an issue where a customer would like to do DHCP fingerprinting to put iPads in a separate VLAN.  Based on http://community.arubanetworks.com/t5/ArubaOS-and-Mobility-Controllers/COTD-DHCP-Fingerprinting-how-to-ArubaOS-6-0-1-0-and-above/m-p/11164/highlight/true#M188 we've set up the fingerprinting and the VLAN on three different controllers.

On the customer's live controller it accepts the iPads but doesn't put them in the iPad vlan (2). It just dumps them into the usual vlan (1).  

On another 3600 with the same config, except that his two vlans get DHCP from the controller and the 802.1x database is on the controller, the test iPads are seen and pretty much ignored.  The iPad can't join the network.

On our office 620 with the rules from the above link set up, the controller sees the iPad and appears to put it in the right vlan but then it doesn't actually let it join.

On the two test controllers, the iPad never makes it onto the "show user" table and in the network settings they just hang or say "Unable to join the network xxx".


Here is the "show log user-debug all" from the test 3600 with the customer's config:


Dec 7 08:21:04 :501095: <NOTI> |stm| Assoc request @ 08:21:04.794432: e8:06:88:94:92:36 (SN 118): AP 10.19.24.254-d8:c7:c8:28:4b:f8-d8:c7:c8:ca:84:bf
Dec 7 08:21:04 :501100: <NOTI> |stm| Assoc success @ 08:21:04.798125: e8:06:88:94:92:36: AP 10.19.24.254-d8:c7:c8:28:4b:f8-d8:c7:c8:ca:84:bf
Dec 7 08:21:04 :501065: <DBUG> |stm| Sending STA e8:06:88:94:92:36 message to Auth and Mobility Unicast Encr WPA2 8021X AES Multicast Encr Dynamic WPA,WPA2 8021X TKIP VLAN 0xa, wmm:1, rsn_cap:c
Dec 7 08:21:04 :500511: <DBUG> |mobileip| Station e8:06:88:94:92:36, 0.0.0.0: Received association on ESSID: W-NET Mobility service ON, HA Discovery on Association Off, Fastroaming Disabled, AP: Name d8:c7:c8:ca:84:bf Group default BSSID d8:c7:c8:28:4b:f8, phy a, VLAN 10
Dec 7 08:21:04 :522035: <INFO> |authmgr| MAC=e8:06:88:94:92:36 Station UP: BSSID=d8:c7:c8:28:4b:f8 ESSID=W-NET VLAN=10 AP-name=d8:c7:c8:ca:84:bf
Dec 7 08:21:04 :500010: <NOTI> |mobileip| Station e8:06:88:94:92:36, 0.0.0.0: Mobility trail, on switch 10.19.24.238, VLAN 10, AP d8:c7:c8:ca:84:bf, W-NET/d8:c7:c8:28:4b:f8/a
Dec 7 08:21:04 :522050: <INFO> |authmgr| MAC=e8:06:88:94:92:36,IP=0.0.0.0 User data downloaded to datapath, new Role=logon/1, bw Contract=0/0,reason=UDR driven download
Dec 7 08:25:24 :501106: <NOTI> |stm| Deauth to sta: e8:06:88:94:92:36: Ageout AP 10.19.24.254-d8:c7:c8:28:4b:f8-d8:c7:c8:ca:84:bf wifi_deauth_sta
Dec 7 08:25:24 :501065: <DBUG> |stm| Sending STA e8:06:88:94:92:36 message to Auth and Mobility Unicast Encr WPA2 8021X AES Multicast Encr Dynamic WPA,WPA2 8021X TKIP VLAN 0xa, wmm:1, rsn_cap:c
Dec 7 08:25:24 :500511: <DBUG> |mobileip| Station e8:06:88:94:92:36, 0.0.0.0: Received disassociation on ESSID: W-NET Mobility service ON, HA Discovery on Association Off, Fastroaming Disabled, AP: Name d8:c7:c8:ca:84:bf Group default BSSID d8:c7:c8:28:4b:f8, phy a, VLAN 10
Dec 7 08:25:24 :522036: <INFO> |authmgr| MAC=e8:06:88:94:92:36 Station DN: BSSID=d8:c7:c8:28:4b:f8 ESSID=W-NET VLAN=10 AP-name=d8:c7:c8:ca:84:bf
Dec 7 08:25:24 :500010: <NOTI> |mobileip| Station e8:06:88:94:92:36, 255.255.255.255: Mobility trail, on switch 10.19.24.238, VLAN 10, AP d8:c7:c8:ca:84:bf, W-NET/d8:c7:c8:28:4b:f8/a
Dec 7 08:25:24 :501080: <NOTI> |stm| Deauth to sta: e8:06:88:94:92:36: Ageout AP 10.19.24.254-d8:c7:c8:28:4b:f8-d8:c7:c8:ca:84:bf Denied; Ageout
Dec 7 08:25:24 :501000: <DBUG> |stm| Station e8:06:88:94:92:36: Clearing state


Here's the debug from our office controller:


Dec 7 00:17:12 :501109: <NOTI> |AP MainArea:cb:f3@192.168.10.118 stm| Auth request: e8:06:88:94:92:36: AP 192.168.10.118-d8:c7:c8:9c:bf:38-MainArea:cb:f3 auth_alg 0
Dec 7 00:17:12 :501093: <NOTI> |AP MainArea:cb:f3@192.168.10.118 stm| Auth success: e8:06:88:94:92:36: AP 192.168.10.118-d8:c7:c8:9c:bf:38-MainArea:cb:f3
Dec 7 00:17:12 :501095: <NOTI> |AP MainArea:cb:f3@192.168.10.118 stm| Assoc request @ 00:17:12.194185: e8:06:88:94:92:36 (SN 3651): AP 192.168.10.118-d8:c7:c8:9c:bf:38-MainArea:cb:f3
Dec 7 00:17:12 :501095: <NOTI> |stm| Assoc request @ 00:17:12.192837: e8:06:88:94:92:36 (SN 3651): AP 192.168.10.118-d8:c7:c8:9c:bf:38-MainArea:cb:f3
Dec 7 00:17:12 :501100: <NOTI> |AP MainArea:cb:f3@192.168.10.118 stm| Assoc success @ 00:17:12.195086: e8:06:88:94:92:36: AP 192.168.10.118-d8:c7:c8:9c:bf:38-MainArea:cb:f3
Dec 7 00:17:12 :501100: <NOTI> |stm| Assoc success @ 00:17:12.199372: e8:06:88:94:92:36: AP 192.168.10.118-d8:c7:c8:9c:bf:38-MainArea:cb:f3
Dec 7 00:17:12 :501065: <DBUG> |stm| Sending STA e8:06:88:94:92:36 message to Auth and Mobility Unicast Encr WPA2 8021X AES Multicast Encr Dynamic WPA,WPA2 8021X TKIP VLAN 0x1, wmm:1, rsn_cap:c
Dec 7 00:17:12 :500511: <DBUG> |mobileip| Station e8:06:88:94:92:36, 0.0.0.0: Received association on ESSID: ouraruba Mobility service ON, HA Discovery on Association Off, Fastroaming Disabled, AP: Name MainArea:cb:f3 Group default BSSID d8:c7:c8:9c:bf:38, phy a, VLAN 1
Dec 7 00:17:12 :522035: <INFO> |authmgr| MAC=e8:06:88:94:92:36 Station UP: BSSID=d8:c7:c8:9c:bf:38 ESSID=ouraruba VLAN=1 AP-name=MainArea:cb:f3
Dec 7 00:17:12 :500010: <NOTI> |mobileip| Station e8:06:88:94:92:36, 0.0.0.0: Mobility trail, on switch 192.168.10.15, VLAN 1, AP MainArea:cb:f3, ouraruba/d8:c7:c8:9c:bf:38/a
Dec 7 00:17:12 :522004: <DBUG> |authmgr| MAC=e8:06:88:94:92:36 ingress 0x10ca (tunnel 10), u_encr 64, m_encr 4112, slotport 0x1028 , type: local, FW mode: 0, AP IP: 0.0.0.0
Dec 7 00:17:12 :522004: <DBUG> |authmgr| MAC=e8:06:88:94:92:36, wired: 0, vlan:1 ingress:0x10ca (tunnel 10), new_aaa_prof: ouraruba-aaa_prof, stored profile: ouraruba-aaa_prof stored wired: 0 stored essid: ouraruba
Dec 7 00:17:12 :522004: <DBUG> |authmgr| Deriving role from user attributes
Dec 7 00:17:12 :522038: <INFO> |authmgr| username=jpickering MAC=e8:06:88:94:92:36 IP=0.0.0.0 Authentication result=Authentication Successful method=802.1x server=Vizfs1
Dec 7 00:17:12 :522044: <INFO> |authmgr| MAC=e8:06:88:94:92:36 Station authenticate(start): method=802.1x, role=authenticated/authenticated/, VLAN=1/1/10/0/0, Derivation=1/0, Value Pair=1
Dec 7 00:17:12 :522004: <DBUG> |authmgr| {L2} authenticated from profile "ouraruba-aaa_prof"
Dec 7 00:17:12 :522004: <DBUG> |authmgr| {L2} Update role from authenticated to authenticated for IP=0.0.0.0
Dec 7 00:17:12 :522049: <INFO> |authmgr| MAC=e8:06:88:94:92:36,IP=0.0.0.0 User role updated, existing Role=authenticated/authenticated, new Role=authenticated/authenticated, reason=Station Authenticated with auth type: 4
Dec 7 00:17:12 :522004: <DBUG> |authmgr| download: acl=51/0 role=authenticated, tunl=0x10ca, PA=0, HA=1, RO=0, VPN=0
Dec 7 00:17:12 :522050: <INFO> |authmgr| MAC=e8:06:88:94:92:36,IP=0.0.0.0 User data downloaded to datapath, new Role=authenticated/51, bw Contract=0/0,reason=Download driven by user role setting
Dec 7 00:17:12 :522004: <DBUG> |authmgr| Station authenticate has l2 role :authenticated default role authenticated logon role logon
Dec 7 00:17:12 :522004: <DBUG> |authmgr| Valid Dot1xct, remote:0, assigned:1, default:1,current:1,termstate:8, wired:0,dot1x enabled:1, psk:0 static:0 bssid=d8:c7:c8:9c:bf:38
Dec 7 00:17:12 :522004: <DBUG> |authmgr| Vlan assignment is not needed during station authentication
Dec 7 00:17:12 :522004: <DBUG> |authmgr| MAC=e8:06:88:94:92:36 def_vlan 1 derive vlan: 0 auth_type 4 auth_subtype 4
Dec 7 00:17:12 :522029: <INFO> |authmgr| MAC=e8:06:88:94:92:36 Station authenticate: method=802.1x, role=authenticated/authenticated/, VLAN=1/1/10/0/0, Derivation=1/0, Value Pair=1
Dec 7 00:17:13 :522026: <INFO> |authmgr| MAC=e8:06:88:94:92:36 IP=0.0.0.0 User miss: ingress=0x10ca, VLAN=1
Dec 7 00:17:13 :522004: <DBUG> |authmgr| MAC e8:06:88:94:92:36, dhcp option 55, signature 370103060F77FC
Dec 7 00:17:13 :522024: <INFO> |authmgr| MAC=e8:06:88:94:92:36 IP=?? Derived VLAN 10 from user rules
Dec 7 00:17:13 :522004: <DBUG> |authmgr| Deriving role from user attributes
Dec 7 00:17:13 :522004: <DBUG> |authmgr| e8:06:88:94:92:36: Sending STM new vlan info: vlan 10, AP d8:c7:c8:9c:bf:38
Dec 7 00:17:13 :522004: <DBUG> |authmgr| MAC=e8:06:88:94:92:36 def_vlan 1 derive vlan: 10 auth_type 4 auth_subtype 4
Dec 7 00:17:15 :522026: <INFO> |authmgr| MAC=e8:06:88:94:92:36 IP=0.0.0.0 User miss: ingress=0x10ca, VLAN=10
Dec 7 00:17:15 :522004: <DBUG> |authmgr| MAC e8:06:88:94:92:36, dhcp option 55, signature 370103060F77FC
Dec 7 00:17:15 :522024: <INFO> |authmgr| MAC=e8:06:88:94:92:36 IP=?? Derived VLAN 10 from user rules
Dec 7 00:17:15 :522004: <DBUG> |authmgr| Deriving role from user attributes
Dec 7 00:17:16 :501106: <NOTI> |stm| Deauth to sta: e8:06:88:94:92:36: Ageout AP 192.168.10.118-d8:c7:c8:9c:bf:38-MainArea:cb:f3 wifi_deauth_sta
Dec 7 00:17:16 :501065: <DBUG> |stm| Sending STA e8:06:88:94:92:36 message to Auth and Mobility Unicast Encr WPA2 8021X AES Multicast Encr Dynamic WPA,WPA2 8021X TKIP VLAN 0xa, wmm:1, rsn_cap:c
Dec 7 00:17:16 :500511: <DBUG> |mobileip| Station e8:06:88:94:92:36, 0.0.0.0: Received disassociation on ESSID: ouraruba Mobility service ON, HA Discovery on Association Off, Fastroaming Disabled, AP: Name MainArea:cb:f3 Group default BSSID d8:c7:c8:9c:bf:38, phy a, VLAN 10
Dec 7 00:17:16 :522036: <INFO> |authmgr| MAC=e8:06:88:94:92:36 Station DN: BSSID=d8:c7:c8:9c:bf:38 ESSID=ouraruba VLAN=10 AP-name=MainArea:cb:f3
Dec 7 00:17:16 :500010: <NOTI> |mobileip| Station e8:06:88:94:92:36, 255.255.255.255: Mobility trail, on switch 192.168.10.15, VLAN 10, AP MainArea:cb:f3, ouraruba/d8:c7:c8:9c:bf:38/a
Dec 7 00:17:16 :522004: <DBUG> |authmgr| MAC=e8:06:88:94:92:36 ingress 0x10ca (tunnel 10), u_encr 64, m_encr 4112, slotport 0x1028 , type: local, FW mode: 0, AP IP: 0.0.0.0
Dec 7 00:17:16 :522004: <DBUG> |authmgr| station free: bssid=d8:c7:c8:9c:bf:38, @=0x108a8e34
Dec 7 00:17:16 :501080: <NOTI> |stm| Deauth to sta: e8:06:88:94:92:36: Ageout AP 192.168.10.118-d8:c7:c8:9c:bf:38-MainArea:cb:f3 Denied; Ageout
Dec 7 00:17:16 :501000: <DBUG> |stm| Station e8:06:88:94:92:36: Clearing state


Thanks.


MVP
jrwhitehead
Posts: 403
Registered: ‎04-13-2009

Re: DHCP fingerprinting for VLAN not working at all

I'm looking at a very similar issue in this post.

New Contributor
jpickering
Posts: 4
Registered: ‎09-29-2011

Re: DHCP fingerprinting for VLAN not working at all

Ah yep.  That looks like it.

Here's the official word from Aruba regarding this. I sent them the same thing I wrote here:


=====

The user rule DHCP-Option will override the 802.1x server derivative rule. 

Changing the VLAN through a DHCP-based derivation rule is not supported.  DHCP happens after the client is already assigned to a VLAN – changing it after the fact would lead to a race condition (if the DHCP response comes back before the VLAN is changed, the client will get an IP address assignment on the old VLAN.)


The workaround is to create a dummy in the VAP profile. And for the 802.1x clients map the vlan in the user-role defined in the server rule.

=====


There we go.  Unsupported.
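An added worked example, written for this thread and not taken from either post or from Aruba: a small script that walks the "show log user-debug all" excerpt from the office controller, decodes the "dhcp option 55, signature 370103060F77FC" fingerprint into the client's parameter request list, and flags the exact sequence Aruba's reply calls unsupported, namely a station that comes UP on one VLAN and then has a different VLAN derived from a DHCP-based user rule. The regular expressions are matched against the log lines quoted above, the embedded sample is an excerpt of those lines, and the signature layout (first byte is option code 0x37, remaining bytes are the requested option codes, no length byte) is an assumption taken from the value seen in the log rather than from Aruba documentation.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Excerpt of the "show log user-debug all" output quoted in the thread (office 620
# controller), reduced to the lines that matter for the VLAN question.
SAMPLE_LOG = """\
Dec 7 00:17:12 :522035: <INFO> |authmgr| MAC=e8:06:88:94:92:36 Station UP: BSSID=d8:c7:c8:9c:bf:38 ESSID=ouraruba VLAN=1 AP-name=MainArea:cb:f3
Dec 7 00:17:12 :522029: <INFO> |authmgr| MAC=e8:06:88:94:92:36 Station authenticate: method=802.1x, role=authenticated/authenticated/, VLAN=1/1/10/0/0, Derivation=1/0, Value Pair=1
Dec 7 00:17:13 :522026: <INFO> |authmgr| MAC=e8:06:88:94:92:36 IP=0.0.0.0 User miss: ingress=0x10ca, VLAN=1
Dec 7 00:17:13 :522004: <DBUG> |authmgr| MAC e8:06:88:94:92:36, dhcp option 55, signature 370103060F77FC
Dec 7 00:17:13 :522024: <INFO> |authmgr| MAC=e8:06:88:94:92:36 IP=?? Derived VLAN 10 from user rules
Dec 7 00:17:15 :522026: <INFO> |authmgr| MAC=e8:06:88:94:92:36 IP=0.0.0.0 User miss: ingress=0x10ca, VLAN=10
Dec 7 00:17:16 :501106: <NOTI> |stm| Deauth to sta: e8:06:88:94:92:36: Ageout AP 192.168.10.118-d8:c7:c8:9c:bf:38-MainArea:cb:f3 wifi_deauth_sta
"""

# Standard DHCP option codes (RFC 2132, RFC 3397; 252 is the de facto WPAD option),
# used only to make the decoded parameter request list readable.
OPTION_NAMES = {1: "Subnet Mask", 3: "Router", 6: "DNS Server", 15: "Domain Name",
                119: "Domain Search", 252: "Proxy Autodiscovery (WPAD)"}


def decode_option55_signature(sig_hex: str) -> List[Tuple[int, str]]:
    """Decode an ArubaOS 'dhcp option 55' signature hex string.

    Assumption (from the value seen in the thread's log): the first byte is the option
    code 0x37 (55) and the remaining bytes are the client's parameter request list,
    with no length byte in between."""
    raw = bytes.fromhex(sig_hex)
    if not raw or raw[0] != 55:
        raise ValueError("signature does not start with DHCP option 55 (0x37)")
    return [(code, OPTION_NAMES.get(code, "unknown")) for code in raw[1:]]


@dataclass
class StationTrace:
    mac: str
    up_vlan: Optional[int] = None        # VLAN at "Station UP", i.e. before any DHCP traffic
    signature: Optional[str] = None      # raw option 55 signature the controller logged
    derived_vlan: Optional[int] = None   # VLAN derived from user rules after the fingerprint
    deauth_reason: Optional[str] = None  # why stm finally removed the station

# Patterns built from the authmgr/stm line formats quoted in the thread.
RE_UP = re.compile(r"MAC=(?P<mac>[0-9a-f:]{17}) Station UP: .* VLAN=(?P<vlan>\d+)")
RE_SIG = re.compile(r"MAC (?P<mac>[0-9a-f:]{17}), dhcp option 55, signature (?P<sig>[0-9A-Fa-f]+)")
RE_DERIVED = re.compile(r"MAC=(?P<mac>[0-9a-f:]{17}) .*Derived VLAN (?P<vlan>\d+) from user rules")
RE_DEAUTH = re.compile(r"Deauth to sta: (?P<mac>[0-9a-f:]{17}): (?P<reason>\w+)")


def trace_stations(log_text: str) -> Dict[str, StationTrace]:
    """Collect, per client MAC, the VLAN events that matter for DHCP-based derivation."""
    stations: Dict[str, StationTrace] = {}
    for line in log_text.splitlines():
        for pattern in (RE_UP, RE_SIG, RE_DERIVED, RE_DEAUTH):
            m = pattern.search(line)
            if not m:
                continue
            st = stations.setdefault(m.group("mac"), StationTrace(mac=m.group("mac")))
            if pattern is RE_UP:
                st.up_vlan = int(m.group("vlan"))
            elif pattern is RE_SIG:
                st.signature = m.group("sig")
            elif pattern is RE_DERIVED:
                st.derived_vlan = int(m.group("vlan"))
            else:
                st.deauth_reason = m.group("reason")
            break
    return stations


def post_association_vlan_changes(stations: Dict[str, StationTrace]) -> List[StationTrace]:
    """Stations whose VLAN was re-derived from DHCP after they were already up on a
    different VLAN: the race Aruba's reply describes, where the DHCP lease can land
    on the old VLAN before the move takes effect."""
    return [s for s in stations.values()
            if s.up_vlan is not None and s.derived_vlan is not None
            and s.derived_vlan != s.up_vlan]


if __name__ == "__main__":
    traces = trace_stations(SAMPLE_LOG)
    for st in post_association_vlan_changes(traces):
        opts = ", ".join(f"{c} ({n})" for c, n in decode_option55_signature(st.signature))
        print(f"{st.mac}: up on VLAN {st.up_vlan}, DHCP fingerprint [{opts}], "
              f"re-derived VLAN {st.derived_vlan}, station ended with {st.deauth_reason}")
```

Run against the quoted excerpt it reports the one iPad: up on VLAN 1, fingerprint requesting options 1, 3, 6, 15, 119 and 252, re-derived to VLAN 10, then aged out. Seeing that pattern in the user-debug log is the quickest way to confirm a deployment is relying on the post-association VLAN change rather than on a VLAN carried by the 802.1x server-derived role.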