Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

ArubaOS 6.3 DHCP issue

  • 1.  ArubaOS 6.3 DHCP issue

    Posted Oct 03, 2013 11:05 AM

    Hi,

     

    We have a big problem with an Aruba650 controller running ArubaOS 6.3. The clients that try to access the SSIDs (Guest and WPA2-PSK-AES) aren't able to obtain an IP address, either from the internal DHCP server of the Aruba650 or from an external DHCP server.

    Only if we change the "initial role" of the aaa-profile to "authenticated" does DHCP work fine. But if we leave the default initial roles ("guest-logon", "logon", ...), DHCP doesn't work, clients don't obtain an IP address, and they can't access the WiFi!

     

    If we downgrade the controller to ArubaOS 6.2, everything works fine!!! Clients obtain their own IP address from DHCP, internal or external!

     

    Does anyone know the reason for this behavior?

    Can anyone help us? We want to test the ClientMatch function.

     

    Thanks,

     

    Massimo 



  • 2.  RE: ArubaOS 6.3 DHCP issue

    Posted Oct 03, 2013 11:24 AM

     

    Make sure that the DHCP service is allowed on one of the guest-logon ACL sessions: any any svc-dhcp permit



  • 3.  RE: ArubaOS 6.3 DHCP issue

    Posted Oct 03, 2013 11:45 AM

    Hi Victor,

    Thanks for your quick answer. But yes, the DHCP service is allowed on the guest-logon ACL session. I also checked the firewall hits on the controller and this rule is never hit.

     



  • 4.  RE: ArubaOS 6.3 DHCP issue

    Posted Oct 03, 2013 12:08 PM

     

    Can you please share show rights <role>?



  • 5.  RE: ArubaOS 6.3 DHCP issue

    Posted Oct 04, 2013 02:42 AM

    Now the controller has firmware 6.2, so I'm not able to show you this command output for ArubaOS 6.3.

    I attach here the command output for ArubaOS 6.2, but I haven't changed anything in the role "guest-logon".

     

    (Aruba650_TLG) #show rights guest-logon

    Derived Role = 'guest-logon'
     Up BW:No Limit   Down BW:No Limit
     L2TP Pool = default-l2tp-pool
     PPTP Pool = default-pptp-pool
     Periodic reauthentication: Disabled
     ACL Number = 6/0
     Max Sessions = 65535

     Captive Portal profile = default

    access-list List
    ----------------
    Position  Name              Type     Location
    --------  ----              ----     --------
    1         ra-guard          session
    2         v6-logon-control  session
    3         captiveportal6    session
    4         logon-control     session
    5         captiveportal     session

    ra-guard
    --------
    Priority  Source  Destination  Service           Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
    --------  ------  -----------  -------           ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
    1         user    any          icmpv6 rtr-adv    deny                             Low                                                           6
    v6-logon-control
    ----------------
    Priority  Source  Destination          Service      Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
    --------  ------  -----------          -------      ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
    1         any     fc00::/7             any          permit                           Low                                                           6
    2         any     fe80::/64            any          permit                           Low                                                           6
    3         any     ipv6-reserved-range  any          deny                             Low                                                           6
    4         user    any                  udp 68       deny                             Low                                                           6
    5         any     any                  svc-v6-icmp  permit                           Low                                                           6
    6         any     any                  svc-v6-dhcp  permit                           Low                                                           6
    7         any     any                  svc-dns      permit                           Low                                                           6
    captiveportal6
    --------------
    Priority  Source  Destination  Service          Action   TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
    --------  ------  -----------  -------          ------   ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
    1         user    controller6  svc-https        captive                           Low                                                           6
    2         user    any          svc-http         captive                           Low                                                           6
    3         user    any          svc-https        captive                           Low                                                           6
    4         user    any          svc-http-proxy1  captive                           Low                                                           6
    5         user    any          svc-http-proxy2  captive                           Low                                                           6
    6         user    any          svc-http-proxy3  captive                           Low                                                           6
    logon-control
    -------------
    Priority  Source  Destination              Service   Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
    --------  ------  -----------              -------   ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
    1         any     169.254.0.0 255.255.0.0  any       deny                             Low                                                           4
    2         user    any                      udp 68    deny                             Low                                                           4
    3         any     any                      svc-icmp  permit                           Low                                                           4
    4         any     any                      svc-dns   permit                           Low                                                           4
    5         any     any                      svc-dhcp  permit                           Low                                                           4
    6         any     any                      svc-natt  permit                           Low                                                           4
    captiveportal
    -------------
    Priority  Source  Destination  Service          Action        TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
    --------  ------  -----------  -------          ------        ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
    1         user    controller   svc-https        dst-nat 8081                           Low                                                           4
    2         user    any          svc-http         dst-nat 8080                           Low                                                           4
    3         user    any          svc-https        dst-nat 8081                           Low                                                           4
    4         user    any          svc-http-proxy1  dst-nat 8088                           Low                                                           4
    5         user    any          svc-http-proxy2  dst-nat 8088                           Low                                                           4
    6         user    any          svc-http-proxy3  dst-nat 8088                           Low                                                           4

    Expired Policies (due to time constraints) = 0

     

     

    A question: if I invert the position of the policies logon-control and captiveportal, can it change something (for the worse)?



  • 6.  RE: ArubaOS 6.3 DHCP issue

    EMPLOYEE
    Posted Oct 04, 2013 04:59 AM

    Please try removing the IPv6 reference ACLs, unless you have a specific need for them, to troubleshoot this.



  • 7.  RE: ArubaOS 6.3 DHCP issue

    Posted Oct 04, 2013 05:20 AM

    I did it, but this didn't solve the issue. But the command output of the role that I attached before works fine with ArubaOS 6.2.

    In ArubaOS 6.3 it seems like there is a problem with IPv6 (ArubaOS 6.3 introduced functionality for DHCP IPv6...), but I'm not sure of this. This is my supposition, because with clients that support IPv6 I also saw, in the "show user" output of the Aruba650 with ArubaOS 6.3, IPv6 address requests from clients.



  • 8.  RE: ArubaOS 6.3 DHCP issue

    EMPLOYEE
    Posted Oct 04, 2013 05:26 AM

    When you type "show acl hits" what ACL is being hit in that list?  You should really remove all of the IPv6 references and make sure that IPv6 firewall is NOT on.



  • 9.  RE: ArubaOS 6.3 DHCP issue

    Posted Oct 04, 2013 10:34 AM

     

    Have you tried moving the logon-control session all the way to the top?



  • 10.  RE: ArubaOS 6.3 DHCP issue

    Posted Oct 04, 2013 12:02 PM

    I re-upgraded the controller to ArubaOS 6.3 and... now it works fine! I don't really understand what happened. I'm trying to investigate the thing.

    Thanks for your help and for your time!
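
An added example, not part of any post in this thread and not Aruba code: it parses the IPv4 session ACLs from the "show rights guest-logon" output posted above and walks them in order to find which rule decides a client's DHCP packet. It assumes first-match evaluation in ACL position order with an implicit deny, that svc-dhcp covers UDP 67-68 and that "udp 68" means destination port 68; the function names are hypothetical.

```python
import ipaddress
import re

# Abridged from the posted "show rights guest-logon" output (IPv4 ACLs, padding condensed).
SHOW_RIGHTS = """\
logon-control
-------------
1  any  169.254.0.0 255.255.0.0  any  deny  Low  4
2  user  any  udp 68  deny  Low  4
3  any  any  svc-icmp  permit  Low  4
4  any  any  svc-dns  permit  Low  4
5  any  any  svc-dhcp  permit  Low  4
6  any  any  svc-natt  permit  Low  4
captiveportal
-------------
1  user  controller  svc-https  dst-nat 8081  Low  4
2  user  any  svc-http  dst-nat 8080  Low  4
"""

def parse_acls(text):
    # Returns [(acl_name, [rule, ...])] in the order the role lists the ACLs.
    lines = [line.strip() for line in text.splitlines()] + [""]
    acls = []
    for cur, nxt in zip(lines, lines[1:]):
        if cur and nxt and set(nxt) == {"-"}:   # ACL name underlined by dashes
            acls.append((cur, []))
        elif acls and re.match(r"\d+\s", cur):
            f = re.split(r"\s{2,}", cur)        # columns are 2+ spaces apart
            if len(f) >= 6 and f[-1] == "4":     # keep IPv4 rule rows only
                acls[-1][1].append(dict(zip(("prio", "src", "dst", "svc", "action"), f)))
    return acls

def rule_matches(rule, dport, dst_ip):
    # Assumptions: source "any"/"user" both match a client-sent packet; other named
    # services here do not cover UDP 67/68; aliases such as "controller" are unicast.
    svc, dst = rule["svc"], rule["dst"].split()
    udp = re.fullmatch(r"udp (\d+)", svc)
    svc_ok = (svc == "any" or (svc == "svc-dhcp" and dport in (67, 68))
              or bool(udp and int(udp.group(1)) == dport))
    dst_ok = dst == ["any"] or (len(dst) == 2 and ipaddress.ip_address(dst_ip)
                                in ipaddress.ip_network("/".join(dst)))
    return svc_ok and dst_ok

def verdict(acls, dport, dst_ip="255.255.255.255"):
    """First matching rule decides a client-sent UDP packet (assumed semantics)."""
    for name, rules in acls:
        for rule in rules:
            if rule_matches(rule, dport, dst_ip):
                return name, int(rule["prio"]), rule["action"]
    return None, None, "deny"  # assumed implicit deny when nothing matches
```

Under these assumptions a client's DHCP request (destination port 67) is permitted by logon-control rule 5, while a client answering as a DHCP server (destination port 68) is stopped by rule 2; swapping logon-control and captiveportal gives the same DHCP verdict because captiveportal has no rule covering UDP 67.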