Wireless Access

Hey all, 

I have an SSID that is attached to vlan 40 however when a user tries to connect to it, the connection takes a while and says "limited access" and when it finally does get an IP its either from a different vlan range or a self assigned IP.

Any ideas?

Give us some more relevant info:

• What encryption are u using? Are u using any auth (like 802.1x or mac-auth?)
• Check the user-role that your client getting.
• Check that u got connectivity to VLAN40 , and that it's UP
• DHCP from external server or from the controller?
• If u setting another VLAN - is the client getting an IP , and it able to connect?

Are you using tunnel or bridge forward mode?

Can you post any relevant config? (ssid-profile, virtual-ap profile, aaa profile, etc)

What version are you running? 

If you are on ArubaOS 6.3 you can use the packet-capture feature on the controller via the CLI:

packet-capture destination local-filesystem

packet-capture datapath wifi-client <MAC ADDR>

Then pull the PCAP from the logs.tar.

Okay well here is my how I want my SSID to run.

2 layers on authentication.

1) WPA-2 Personal
2) MAC Auth

I am currently testing with a computer that I inputted the MAC address into the Internal DB already. 

AP profile: VLAN 40, Forward Mode: Tunnel, allowed band: all
AAA Profile: I have a Mac Auth profile configured, MAC Auth server group, and those were previously working.

When the user first connects, if they are not in the Internal DB they are to get a "denyall" role but if they do auth then they can get access to certain spots in the network.

The issue is that I cannot even connect to the network and get a valid IP address from the DHCP server. (With or without the "Enforce DHCP" option.)

USE logon as initial role and try connect your client.

(if it's allowed mac it's should get the role u configured ,if it's allowed mac and it's getting web-auth disabled web page - u got something missconfigured in your mac-auth profile/mac-auth list.)

or make a role with only DHCP allowed.

I think the deny all is causing it for u right now.

I am using a guest role as initial however its still not working.

AND

That link you provided was a link I posted, as you can tell it was working but for some reason is no longer giving out DHCP.

This is the output of the Show association command

Association Table
-----------------
Name: AP4F-1

BSSID: xx:xx:xx:xx:xx

MAC: xx:xx:xx:xx:xx:xx

Assoc: y

auth: y

aid: 1

I-int: 10

essid: Dev

vlan-id: 40 (So it is associating with Vlan 40 but not getting an address from dhcp?)

assoc time: 5s (I just tried to connect it) ... 

------------------------------------------
Parameter Value
--------- -----
Channel 161
Channel Frame Retry Rate(%) 13
Channel Frame Low Speed Rate(%) 0
Channel Frame Non Unicast Rate(%) 10
Channel Frame Fragmentation Rate(%) 25
Channel Frame Error Rate(%) 10
Channel Bandwidth Rate(kbps) 315
Channel Noise 91
Client Frame Retry Rate(%) 0
Client Frame Low Speed Rate(%) 0
Client Frame Non Unicast Rate(%) 0
Client Frame Fragmentation Rate(%) 0
Client Frame Receive Error Rate(%) 0
Client Bandwidth Rate(kbps) 0
Client Tx Packets 0
Client Rx Packets 0
Client Tx Bytes 0
Client Rx Bytes 0
Client SNR 0

If you are doing DHCP on the controller:

- Do you have an IP on "interface vlan 40"?

- Do you have the DHCP server enabled?

- Do you have a DHCP scope for this subnet?

Is VLAN 40 Trusted on the trunk back to the uplink ?

Hey guys, 

Thanks to everyone who replied, it seems there was some issue with the firewall policies but I couldn't delete it for some reason one of the rules would not delete. I had to re-write the policies and it works.

Even if I remove MAC authentication and just leave Wpa2-personal it still does the same thing.

JD

Encryption: 802.1x - Connecting takes a long time (Notification comes up saying that its taking longer than usual, and then I have limited connectivity)

User-Role: Aruba Controller isn't even finding the user as they are getting a self assigned IP (169.x.x.x)

VLAN 40 is up and I can ping the IP I set to it.

DHCP from the controller.

UPDATE: I saw it get an address from the correct pool for about 2 mintues then it reverted back to the 169.x.x.x address.

Please share the following :

show ap association client-mac <device mac>

show user mac <device mac>

show rights <role name>

Is your uplink hosting that VLAN ? or your controller ? 

Do you have enforce-dhcp enabled under the aaa profile ?