Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Clients not retaining vlan association upon reauthentication

  • 1.  Clients not retaining vlan association upon reauthentication

    Posted Aug 29, 2017 01:34 PM

    Hello,
    My clients aren't retaining their vlan association after re-authentication on a WPA2-PSK SSID (our .1x SSID is working perfectly). I have a 3600 controller and a mixture of primarily AP-105s and AP-135s. We have two Windows Server 2012r2 machines that handle DHCP/DNS/Domain Controller roles. The "clients" are HP P1102w laserjet printers that can't do 802.1x so we had to create a WPA2-PSK SSID for them.

     

    Here's our reproducible scenario:
    1. Ensure there are no existing DHCP leases for the printer
    2. Turn on the printer and configure it to connect to the printer SSID
    3. Observe the printer gets a vlan 40 IP
    4. Power off the printer, wait for it to fall asleep, or become deauthenticated from the AP
    5. Power on the printer
    6. Observe the printer "gets stuck" in an Initializing state
    7. Log in to a DHCP server and observe the printer has been assigned an IP from vlan 1
    8. Additionally, observe the Aruba Controller has 0.0.0.0 listed as the client IP for the MAC

     

    Here's the SSID, virtual-ap, and user role config for the printer SSID:

    wlan ssid-profile "printer"
        essid "Printer"
        opmode wpa2-psk-aes
        hide-ssid
        ! wpa-passphrase <removed>
    !
    wlan virtual-ap "printer"
        aaa-profile "printer"
        ssid-profile "printer"
        vlan 40
        steering-mode balance-bands
        no mobile-ip
        preserve-vlan
    !
    user-role printer
        vlan 40
        dpi disable
        web-cc disable
        access-list session global-sacl
        access-list session apprf-printer-sacl
        access-list session allowall
    !
    (master01) #show interface gigabitethernet 1/0 switchport
    Name: GE1/0
    Switchport: Enabled
    Administrative mode: trunk 
    Operational mode: trunk 
    Administrative Trunking Encapsulation: dot1q
    Operational Trunking Encapsulation: dot1q
    Access Mode VLAN: 0 ((Inactive))
    Trunking Native Mode VLAN: 1 (Default)
    Trunking Vlans Enabled: ALL 
    Trunking Vlans Active: 1,10,20,30,40,60

     

     

    And, on the switch side (Aruba MAS S3500 stack)-

    interface-profile switching-profile "trunk"
        switchport-mode trunk
    !
    interface gigabitethernet "1/0/25"
        description "GE 1/0/25 - Aruba-Master"
        switching-profile "trunk"
    !


    I've swapped the AP forward mode from tunnel to bridge mode and still get the same symptoms.

    Any help or troubleshooting tips to possibly find the root cause of this would be fantastic.



  • 2.  RE: Clients not retaining vlan association upon reauthentication

    EMPLOYEE
    Posted Aug 30, 2017 02:56 AM

    That does not look good; especially because VLAN 18 where the printer goes to seems nowhere in your configuration.

    Please make sure that the initial role for the SSID does not have a VLAN assigned (role based VLANs are deprecated), and check with the 'show ap association' command from the controller in which VLAN the client actually resides.

     

    As you have a reproducible situation, please contact Aruba support (TAC) to get this investigated.



  • 3.  RE: Clients not retaining vlan association upon reauthentication

    Posted Aug 30, 2017 11:34 AM

    Hey Herman, thanks for taking time to reply.  The clients being assigned to vlan 40 don't show up at all in the output of "show ap association"; even the ones that are currently connected and responding to ICMP.

     

    I thought I had a 100% reproducible solution but I upgraded the firmware on my test P1102w and now it always reconnects and gets a proper IP.  I upgraded the firmware on several other known problem devices and they still exhibit the issue.

     

    What's extremely odd is that I have two other smaller sites, both with a mixture of AP-105 and AP-135s, one with a 3600 controller and the other with a 3400 with an identical "printer vlan" setup in their configs and those sites are not having any issues and their vlan40 clients show up in "show ap assoc".  We're running the same release code on all controllers but I just noticed we're about three versions behind the latest general release.

     

    EDIT:

    Oops, turns out I spoke too soon.  I switched the SSID back to tunnel mode instead of Bridge and now APs are starting to show up broadcasting the printer SSID with the correct vlan 40 tag.  I will try and do more debugging today.