Frequent Contributor II
Posts: 149
Registered: ‎01-31-2013

ArubaOS 6.3 DHCP issue

Hi,

 

We have a big problem with an Aruba650 controller running ArubaOS 6.3. The clients that try to access the SSIDs (Guest and WPA2-PSK-AES) aren't able to obtain an IP address, either from the internal DHCP server of the Aruba650 or from an external DHCP server.

Only if we change the "initial role" of the aaa-profile to "authenticated" does DHCP work fine. But if we leave the default initial roles ("guest-logon", "logon", ...), DHCP doesn't work, clients don't obtain an IP address, and they can't access the WiFi!

 

If we downgrade the controller to arubaOS 6.2 everything works fine!!! Clients obtain their own IP address from DHCP, internal or external!

 

Does anyone know the reason for this behavior?

Can anyone help us? We want to test the function ClientMatch.

 

Thanks,

 

Massimo 

------------------------------------------------------------
Massimo Gallina
Telecommunications engineer - ACMP2013
MVP
Posts: 4,225
Registered: ‎07-20-2011

Re: ArubaOS 6.3 DHCP issue

 

Make sure that the dhcp service is allowed in one of the guest-logon ACL sessions: any any svc-dhcp permit

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Frequent Contributor II
Posts: 149
Registered: ‎01-31-2013

Re: ArubaOS 6.3 DHCP issue

Hi Victor,

Thanks for your quick answer. But yes, the dhcp service is allowed on the guest-logon ACL session. I also checked the firewall hits on the controller and this rule is never hit.

 

------------------------------------------------------------
Massimo Gallina
Telecommunications engineer - ACMP2013
MVP
Posts: 4,225
Registered: ‎07-20-2011

Re: ArubaOS 6.3 DHCP issue

 

Can you please share show rights <role>?

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Frequent Contributor II
Posts: 149
Registered: ‎01-31-2013

Re: ArubaOS 6.3 DHCP issue

The controller now has firmware 6.2, so I'm not able to show you this command output for arubaOS 6.3.

I attach here the command output for arubaOS 6.2, but I haven't changed anything in the role "guest-logon".

 

(Aruba650_TLG) #show rights guest-logon

Derived Role = 'guest-logon'
 Up BW:No Limit   Down BW:No Limit
 L2TP Pool = default-l2tp-pool
 PPTP Pool = default-pptp-pool
 Periodic reauthentication: Disabled
 ACL Number = 6/0
 Max Sessions = 65535

 Captive Portal profile = default

access-list List
----------------
Position  Name              Type     Location
--------  ----              ----     --------
1         ra-guard          session
2         v6-logon-control  session
3         captiveportal6    session
4         logon-control     session
5         captiveportal     session

ra-guard
--------
Priority  Source  Destination  Service           Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
--------  ------  -----------  -------           ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
1         user    any          icmpv6 rtr-adv    deny                             Low                                                           6
v6-logon-control
----------------
Priority  Source  Destination          Service      Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
--------  ------  -----------          -------      ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
1         any     fc00::/7             any          permit                           Low                                                           6
2         any     fe80::/64            any          permit                           Low                                                           6
3         any     ipv6-reserved-range  any          deny                             Low                                                           6
4         user    any                  udp 68       deny                             Low                                                           6
5         any     any                  svc-v6-icmp  permit                           Low                                                           6
6         any     any                  svc-v6-dhcp  permit                           Low                                                           6
7         any     any                  svc-dns      permit                           Low                                                           6
captiveportal6
--------------
Priority  Source  Destination  Service          Action   TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
--------  ------  -----------  -------          ------   ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
1         user    controller6  svc-https        captive                           Low                                                           6
2         user    any          svc-http         captive                           Low                                                           6
3         user    any          svc-https        captive                           Low                                                           6
4         user    any          svc-http-proxy1  captive                           Low                                                           6
5         user    any          svc-http-proxy2  captive                           Low                                                           6
6         user    any          svc-http-proxy3  captive                           Low                                                           6
logon-control
-------------
Priority  Source  Destination              Service   Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
--------  ------  -----------              -------   ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
1         any     169.254.0.0 255.255.0.0  any       deny                             Low                                                           4
2         user    any                      udp 68    deny                             Low                                                           4
3         any     any                      svc-icmp  permit                           Low                                                           4
4         any     any                      svc-dns   permit                           Low                                                           4
5         any     any                      svc-dhcp  permit                           Low                                                           4
6         any     any                      svc-natt  permit                           Low                                                           4
captiveportal
-------------
Priority  Source  Destination  Service          Action        TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
--------  ------  -----------  -------          ------        ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
1         user    controller   svc-https        dst-nat 8081                           Low                                                           4
2         user    any          svc-http         dst-nat 8080                           Low                                                           4
3         user    any          svc-https        dst-nat 8081                           Low                                                           4
4         user    any          svc-http-proxy1  dst-nat 8088                           Low                                                           4
5         user    any          svc-http-proxy2  dst-nat 8088                           Low                                                           4
6         user    any          svc-http-proxy3  dst-nat 8088                           Low                                                           4

Expired Policies (due to time constraints) = 0

 

 

A question: if I invert the position of the policies logon-control and captiveportal, can it change something (for the worse)?

------------------------------------------------------------
Massimo Gallina
Telecommunications engineer - ACMP2013
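
The rule order in the show rights output above can be walked through offline. This is an added example, not part of the original posts and not Aruba code: it assumes the ACLs are evaluated in position order with the first matching rule winning, assumes the default port definitions for the svc-* aliases, and uses a hypothetical controller address.

```python
import ipaddress, re
# Constructed excerpt: IPv4 rules copied from the "show rights guest-logon" output in
# the post above (empty columns trimmed; rules 3 and 6 and the proxy rules left out).
SHOW_RIGHTS = """\
logon-control
1         any     169.254.0.0 255.255.0.0  any       deny    Low  4
2         user    any                      udp 68    deny    Low  4
4         any     any                      svc-dns   permit  Low  4
5         any     any                      svc-dhcp  permit  Low  4
captiveportal
1         user    controller   svc-https        dst-nat 8081  Low  4
2         user    any          svc-http         dst-nat 8080  Low  4
"""
# Assumed default definitions of the svc-* aliases: (protocol, first port, last port).
SERVICES = {"svc-dns": ("udp", 53, 53), "svc-dhcp": ("udp", 67, 68),
            "svc-http": ("tcp", 80, 80), "svc-https": ("tcp", 443, 443)}
CONTROLLER_IP = "192.0.2.1"  # hypothetical controller address

def parse(text):
    acls, name = {}, None
    for line in text.splitlines():
        cols = re.split(r"\s{2,}", line.strip())
        if len(cols) == 1:              # a bare ACL name starts a new section
            name = cols[0]
        else:                           # Priority, Source, Destination, Service, Action
            acls.setdefault(name, []).append((int(cols[0]), *cols[1:5]))
    return acls

def svc_matches(svc, proto, dport):
    if svc == "any":
        return True
    if svc not in SERVICES:             # literal form such as "udp 68"
        p, port = svc.split()
        return p == proto and int(port) == dport
    p, lo, hi = SERVICES[svc]
    return p == proto and lo <= dport <= hi

def dst_matches(dst, ip):
    if dst in ("any", "controller"):
        return dst == "any" or ip == CONTROLLER_IP
    return ipaddress.ip_address(ip) in ipaddress.ip_network("/".join(dst.split()))

def first_match(acls, order, proto, dport, dst_ip):
    # Every packet is modelled as sent by the wireless client, so the Source
    # values "user" and "any" both match and are not checked.
    for name in order:                  # ACLs in role position order
        for prio, _src, dst, svc, action in acls[name]:
            if dst_matches(dst, dst_ip) and svc_matches(svc, proto, dport):
                return name, prio, action
    return None                         # no rule matched
```

Under these assumptions a client DHCPDISCOVER (udp to port 67, broadcast) lands on logon-control priority 5 whichever of the two ACLs comes first, and only a client-sent packet to udp 68 reaches the deny at priority 2.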
Guru Elite
Posts: 20,761
Registered: ‎03-29-2007

Re: ArubaOS 6.3 DHCP issue


Please try removing the IPV6 reference ACLs, unless you have a specific need for them, to troubleshoot this.



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Frequent Contributor II
Posts: 149
Registered: ‎01-31-2013

Re: ArubaOS 6.3 DHCP issue

I did it, but this didn't solve the issue. But the role whose command output I attached before works fine with arubaOS 6.2.

In arubaOS 6.3 it seems like there is a problem with IPv6 (arubaOS 6.3 introduced functionality for DHCP IPv6...), but I'm not sure of this. This is my supposition, because with clients that support IPv6 I also saw, in the "show user" output of the Aruba650 with arubaOS 6.3, requests for IPv6 addresses from clients.

------------------------------------------------------------
Massimo Gallina
Telecommunications engineer - ACMP2013
Guru Elite
Posts: 20,761
Registered: ‎03-29-2007

Re: ArubaOS 6.3 DHCP issue

When you type "show acl hits" what ACL is being hit in that list?  You should really remove all of the IPv6 references and make sure that IPv6 firewall is NOT on.



Colin Joseph
Aruba Customer Engineering


MVP
Posts: 4,225
Registered: ‎07-20-2011

Re: ArubaOS 6.3 DHCP issue

 

Have you tried moving the logon-control session all the way to the top?

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Frequent Contributor II
Posts: 149
Registered: ‎01-31-2013

Re: ArubaOS 6.3 DHCP issue

I re-upgraded the controller to arubaOS 6.3 and... now it works fine! I don't really understand what happened. I'm trying to investigate the thing.

Thanks for your help and for your time!

 

------------------------------------------------------------
Massimo Gallina
Telecommunications engineer - ACMP2013