
DHCP Fingerprinting: Assign VLAN fails on Open SSID

  • 1.  DHCP Fingerprinting: Assign VLAN fails on Open SSID

    Posted Mar 13, 2014 11:25 AM

    Hi,

    I'm trying to do a User Derivation Rule for AppleTVs. The goal is to assign VLAN 220 to these devices, but it fails.

     

    (wlc-master) #show aaa profile bbva.open

    AAA Profile "open"
    -----------------------
    Parameter                           Value
    ---------                           -----
    Initial role                        user
    MAC Authentication Profile          N/A
    MAC Authentication Default Role     guest
    MAC Authentication Server Group     default
    802.1X Authentication Profile       N/A
    802.1X Authentication Default Role  guest
    802.1X Authentication Server Group  N/A
    Download Role from CPPM             Disabled
    L2 Authentication Fail Through      Disabled
    Multiple Server Accounting          Disabled
    User idle timeout                   N/A
    RADIUS Accounting Server Group      N/A
    RADIUS Interim Accounting           Disabled
    XML API server                      N/A
    RFC 3576 server                     N/A
    User derivation rules               test
    Wired to Wireless Roaming           Enabled
    SIP authentication role             N/A
    Device Type Classification          Enabled
    Enforce DHCP                        Disabled
    PAN Firewall Integration            Disabled

    aaa derivation-rules user test
      set vlan condition dhcp-option starts-with "370103060f77fc" set-value "220" description "AppleTVs - 220"
    !

     

    However, I know that DHCP fingerprinting is working fine, because I can assign a role to these devices. If I do:

    aaa derivation-rules user test
      set role condition dhcp-option starts-with "370103060f77fc" set-value authenticated

    I see:

    fe80::f6f9:51ff:febc:a220  f4:f9:51:bc:a2:20            authenticated  00:00:02                    AP225-1  Wireless  #cpd11/18:64:72:f9:9c:20/g-HT   open  tunnel        AppleTV  Apple-TV
    10.210.254.241             f4:f9:51:bc:a2:20            authenticated  00:00:02                    AP225-1  Wireless  #cpd11/18:64:72:f9:9c:20/g-HT   open  tunnel        AppleTV  Apple-TV

     

    It is an Open SSID... maybe it is related? Any ideas?
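
What the `starts-with "370103060f77fc"` condition in the post above is matching, as an added example that is not part of the original post: it walks a DHCP options field, builds one hex signature per option, and applies the prefix test. It assumes the rule value is the option code byte (0x37 = option 55, the parameter request list) followed by the option data with no length byte; the function names and the sample option bytes are constructed for illustration.

```python
# Added example; names and sample bytes are constructed, not from the thread.
# Assumption: the rule value is the option code byte followed by the option
# data in hex, with the TLV length byte left out.

# Labels for the codes requested in this thread's fingerprint (RFC 2132/3397).
OPTION_NAMES = {1: "Subnet Mask", 3: "Router", 6: "Domain Name Server",
                15: "Domain Name", 119: "Domain Search",
                252: "Private use (commonly WPAD)"}

def parse_options(blob):
    """Walk a DHCP options field (after the magic cookie) as code/len/value."""
    out, i = [], 0
    while i < len(blob):
        code = blob[i]
        if code == 0:            # pad option has no length byte
            i += 1
            continue
        if code == 255:          # end option
            break
        if i + 1 >= len(blob):
            raise ValueError("truncated option header")
        length = blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        out.append((code, value))
        i += 2 + length
    return out

def signatures(blob):
    """One hex string per option: code byte, then the option data."""
    return ["%02x%s" % (code, value.hex()) for code, value in parse_options(blob)]

def rule_matches(blob, prefix):
    """starts-with test against every option signature, case-insensitive."""
    prefix = prefix.lower()
    return any(sig.startswith(prefix) for sig in signatures(blob))

def describe_option55(sig_hex):
    """Expand an option 55 signature into the requested option codes."""
    raw = bytes.fromhex(sig_hex)
    if raw[0] != 55:
        raise ValueError("not an option 55 signature")
    return [(c, OPTION_NAMES.get(c, "unknown")) for c in raw[1:]]

# Constructed sample: message type (53), parameter request list (55),
# host name (12), end marker.
SAMPLE_OPTIONS = (bytes([53, 1, 3]) + bytes([55, 6, 1, 3, 6, 15, 119, 252])
                  + bytes([12, 8]) + b"Apple-TV" + bytes([255]))

if __name__ == "__main__":
    print(signatures(SAMPLE_OPTIONS))
    print(describe_option55("370103060f77fc"))
```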

     

     



  • 2.  RE: DHCP Fingerprinting: Assign VLAN fails on Open SSID

    EMPLOYEE
    Posted Mar 13, 2014 02:21 PM

    Hi,

     

    Can you try to change it to be 'condition macaddr equals' and see if that works?

     

    I just did this yesterday with an HP printer to get it into a particular VLAN when they were using vlan-pooling, and it worked.

     

     



  • 3.  RE: DHCP Fingerprinting: Assign VLAN fails on Open SSID

    Posted Mar 13, 2014 02:43 PM

    Thanks for the suggestion... Looks like the VLAN assignment now works:

     

    aaa derivation-rules user "ATV-220"
      set vlan condition macaddr equals "f4:f9:51:bc:a2:20" set-value "220" description "AppleTVs - 220"
    !

    (wlc-master) (config) #aaa profile XXXX.open
    (AAA Profile "bbva.open") #user-derivation-rules "ATV-220"
    (wlc-master) (AAA Profile "bbva.open") #!
    (wlc-master) (config) #write memory

     

    And I can see that the device now connects through VLAN 220, although it doesn't receive an IP address (that can be another network problem).

     

    fe80::f6f9:51ff:febc:a220  f4:f9:51:bc:a2:20            authenticated  00:00:02                    AP225-1  Wireless  #avbb.cpd11/18:64:72:f9:9c:30/a-HT   XXXX.open  tunnel        AppleTV

    (wlc-local1) #show user mac f4:f9:51:bc:a2:20
    IP address not found

    The phy column shows client's operational capabilities for current association

    Flags: A: Active, B: Band Steerable, H: Hotspot(802.11u) client, K: 802.11K client, R: 802.11R client, W: WMM client, w: 802.11w client

    PHY Details: HT   : High throughput;      20: 20MHz;  40: 40MHz
                 VHT  : Very High throughput; 80: 80MHz; 160: 160MHz; 80p80: 80MHz + 80MHz
                 <n>ss: <n> spatial streams

    Association Table
    -----------------
    Name     bssid              mac                auth  assoc  aid  l-int  essid        vlan-id  tunnel-id  phy             assoc. time  num assoc  Flags  Band steer moves (T/S)
    ----     -----              ---                ----  -----  ---  -----  -----        -------  ---------  ---             -----------  ---------  -----  ----------------------
    AP225-1  18:64:72:f9:9c:30  f4:f9:51:bc:a2:20  y     y      3    15     #avbb.cpd11  220      0x100cb    a-HT-40sgi-1ss  7m:29s       1          WAB    0/0

     

    Why doesn't it work when I use the DHCP option?

     

    I'm using AOS 6.4.0.1

     

    ----------------------------------
    Partition       : 0:1 (/dev/usb/flash2) **Default boot**
    Software Version: ArubaOS 6.4.0.1 (Digitally Signed - Production Build)
    Build number    : 42354
    Label           : 42354
    Built on        : Wed Feb 19 17:09:36 PST 2014

     

    Thanks

     



  • 4.  RE: DHCP Fingerprinting: Assign VLAN fails on Open SSID

    Posted Mar 14, 2014 05:39 AM

    Even if it works with a MAC-based rule, I need to get it working using the DHCP option... Any suggestions? I know that the DHCP option works to assign a role, and I know that VLAN assignment works if it's used with a MAC addr condition... What about the original target? It should work.

     

    Thanks