Aruba Employee

DHCP Fingerprinting: Assign VLAN fails on Open SSID

Hi,

I'm trying to do a User Derivation Rule for AppleTVs. The goal is to assign VLAN 220 to these devices, but it fails.

 

(wlc-master) #show aaa profile bbva.open

AAA Profile "open"
-----------------------
Parameter                           Value
---------                           -----
Initial role                        user
MAC Authentication Profile          N/A
MAC Authentication Default Role     guest
MAC Authentication Server Group     default
802.1X Authentication Profile       N/A
802.1X Authentication Default Role  guest
802.1X Authentication Server Group  N/A
Download Role from CPPM             Disabled
L2 Authentication Fail Through      Disabled
Multiple Server Accounting          Disabled
User idle timeout                   N/A
RADIUS Accounting Server Group      N/A
RADIUS Interim Accounting           Disabled
XML API server                      N/A
RFC 3576 server                     N/A
User derivation rules               test
Wired to Wireless Roaming           Enabled
SIP authentication role             N/A
Device Type Classification          Enabled
Enforce DHCP                        Disabled
PAN Firewall Integration            Disabled

aaa derivation-rules user test
  set vlan condition dhcp-option starts-with "370103060f77fc" set-value "220" description "AppleTVs - 220"
!

 

However, I know that DHCP fingerprinting is working fine, because I can assign a role to these devices. If I do:

aaa derivation-rules user test
  set role condition dhcp-option starts-with "370103060f77fc" set-value authenticated

 

I see:

 

fe80::f6f9:51ff:febc:a220  f4:f9:51:bc:a2:20            authenticated  00:00:02                    AP225-1  Wireless  #cpd11/18:64:72:f9:9c:20/g-HT   open  tunnel        AppleTV  Apple-TV
10.210.254.241             f4:f9:51:bc:a2:20            authenticated  00:00:02                    AP225-1  Wireless  #cpd11/18:64:72:f9:9c:20/g-HT   open  tunnel        AppleTV  Apple-TV

 

It is an Open SSID... maybe it is related? Any idea?
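
Added example, not part of the original posts and not Aruba code: the rule string 370103060f77fc reads as option code 0x37 (DHCP option 55, the parameter request list) followed by the requested option codes 1, 3, 6, 15, 119 and 252. The Python below rebuilds that string from a raw DHCP options field and applies the starts-with comparison; the code-plus-value layout without a length byte is an assumption taken from that string, and the sample option fields and function names are constructed for illustration.

```python
from __future__ import annotations

def parse_options(field: bytes) -> dict[int, bytes]:
    """Walk the code/length/value options that follow the DHCP magic cookie."""
    opts: dict[int, bytes] = {}
    i = 0
    while i < len(field):
        code = field[i]
        if code == 0:            # pad option: single byte, no length
            i += 1
            continue
        if code == 255:          # end option
            break
        if i + 1 >= len(field):
            raise ValueError(f"option {code}: missing length byte")
        length = field[i + 1]
        value = field[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code}: value truncated")
        # An option split across several instances is concatenated (RFC 3396).
        opts[code] = opts.get(code, b"") + value
        i += 2 + length
    return opts

def fingerprint(field: bytes, code: int = 55) -> str | None:
    """Hex of option code + option value (assumed layout, no length byte)."""
    value = parse_options(field).get(code)
    return None if value is None else f"{code:02x}{value.hex()}"

def rule_matches(field: bytes, starts_with: str, code: int = 55) -> bool:
    """Emulate a 'dhcp-option starts-with' condition; lowercase compare is this example's choice."""
    fp = fingerprint(field, code)
    return fp is not None and fp.startswith(starts_with.lower())

# Constructed sample option fields (not captured from the poster's network).
APPLE_TV = bytes.fromhex("350101" "3d0701f4f951bca220" "37060103060f77fc" "390205dc" "ff")
OTHER = bytes.fromhex("350101" "370c010f03062c2e2f1f2179f92b" "ff")
RULE = "370103060f77fc"   # value used in the derivation rule on this page

if __name__ == "__main__":
    for name, pkt in (("APPLE_TV", APPLE_TV), ("OTHER", OTHER)):
        result = "vlan 220" if rule_matches(pkt, RULE) else "no match"
        print(name, fingerprint(pkt), "->", result)
    print("requested options:", list(parse_options(APPLE_TV)[55]))
```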

 

 

Re: DHCP Fingerprinting: Assign VLAN fails on Open SSID

Hi,

 

Can you try to change it to be 'condition macaddr equals' and see if that works?

 

I have just done this yesterday with an HP printer to get it into a particular VLAN when they were using vlan-pooling and it worked.

 

 


If my post is helpful please give kudos, or mark as solved if it answers your post.

ACCP, ACCX #817, ACMP, ACMX #294
Aruba Employee

Re: DHCP Fingerprinting: Assign VLAN fails on Open SSID

Thanks for the suggestion... Looks like the VLAN assignment now works:

 

aaa derivation-rules user "ATV-220"
  set vlan condition macaddr equals "f4:f9:51:bc:a2:20" set-value "220" description "AppleTVs - 220"
!

(wlc-master) (config) #aaa profile XXXX.open
(AAA Profile "bbva.open") #user-derivation-rules "ATV-220"
(wlc-master) (AAA Profile "bbva.open") #!
(wlc-master) (config) #write memory

 

And I can see that the device now connects through VLAN 220, although it doesn't receive an IP address (that can be another network problem).

 

fe80::f6f9:51ff:febc:a220  f4:f9:51:bc:a2:20            authenticated  00:00:02                    AP225-1  Wireless  #avbb.cpd11/18:64:72:f9:9c:30/a-HT   XXXX.open  tunnel        AppleTV  

 

(wlc-local1) #show user mac f4:f9:51:bc:a2:20
IP address not found

The phy column shows client's operational capabilities for current association

Flags: A: Active, B: Band Steerable, H: Hotspot(802.11u) client, K: 802.11K client, R: 802.11R client, W: WMM client, w: 802.11w client

PHY Details: HT   : High throughput;      20: 20MHz;  40: 40MHz
             VHT  : Very High throughput; 80: 80MHz; 160: 160MHz; 80p80: 80MHz + 80MHz
             <n>ss: <n> spatial streams

Association Table
-----------------
Name     bssid              mac                auth  assoc  aid  l-int  essid        vlan-id  tunnel-id  phy             assoc. time  num assoc  Flags  Band steer moves (T/S)
----     -----              ---                ----  -----  ---  -----  -----        -------  ---------  ---             -----------  ---------  -----  ----------------------
AP225-1  18:64:72:f9:9c:30  f4:f9:51:bc:a2:20  y     y      3    15     #avbb.cpd11  220      0x100cb    a-HT-40sgi-1ss  7m:29s       1          WAB    0/0

 

Why doesn't it work when I use the DHCP Option?

 

I'm using AOS 6.4.0.1

 

----------------------------------
Partition       : 0:1 (/dev/usb/flash2) **Default boot**
Software Version: ArubaOS 6.4.0.1 (Digitally Signed - Production Build)
Build number    : 42354
Label           : 42354
Built on        : Wed Feb 19 17:09:36 PST 2014

 

Thanks

 

Aruba Employee

Re: DHCP Fingerprinting: Assign VLAN fails on Open SSID

Even if it works with a MAC based rule, I need to get it working using the DHCP option... Any suggestion? I know that DHCP option works to assign a role, and I know that VLAN assignment works if it's used with MAC addr condition.... What about the original target? It should work

 

Thanks
