Wireless Access


DHCP fingerprinting for VLAN not working at all

  • 1.  DHCP fingerprinting for VLAN not working at all

    Posted Dec 06, 2011 03:42 AM

    Hiya,

    Long time listener first time caller here.

    I have an issue where a customer would like to do DHCP fingerprinting to put iPads in a separate VLAN.  Based on http://community.arubanetworks.com/t5/ArubaOS-and-Mobility-Controllers/COTD-DHCP-Fingerprinting-how-to-ArubaOS-6-0-1-0-and-above/m-p/11164/highlight/true#M188 we've set up the fingerprinting and the VLAN on three different controllers.

    On the customer's live controller it accepts the iPads but doesn't put them in the iPad vlan (2). It just dumps them into the usual vlan (1).  

    On another 3600 with the same config, except with his two vlans getting DHCP from the controller and the 802.1x database is on the controller, the test iPads are seen and pretty much ignored.  The iPad can't join the network.

    On our office 620 with the rules from the above link set up, the controller sees the iPad and appears to put it in the right vlan but then it doesn't actually let it join.

    On the two test controllers, the iPad never makes it onto the "show user" table and in the network settings they just hang or say "Unable to join the network xxx".

    Here is the "show log user-debug all" from the test 3600 with the customer's config:

    Dec 7 08:21:04 :501095: <NOTI> |stm| Assoc request @ 08:21:04.794432: e8:06:88:94:92:36 (SN 118): AP 10.19.24.254-d8:c7:c8:28:4b:f8-d8:c7:c8:ca:84:bf
    Dec 7 08:21:04 :501100: <NOTI> |stm| Assoc success @ 08:21:04.798125: e8:06:88:94:92:36: AP 10.19.24.254-d8:c7:c8:28:4b:f8-d8:c7:c8:ca:84:bf
    Dec 7 08:21:04 :501065: <DBUG> |stm| Sending STA e8:06:88:94:92:36 message to Auth and Mobility Unicast Encr WPA2 8021X AES Multicast Encr Dynamic WPA,WPA2 8021X TKIP VLAN 0xa, wmm:1, rsn_cap:c
    Dec 7 08:21:04 :500511: <DBUG> |mobileip| Station e8:06:88:94:92:36, 0.0.0.0: Received association on ESSID: W-NET Mobility service ON, HA Discovery on Association Off, Fastroaming Disabled, AP: Name d8:c7:c8:ca:84:bf Group default BSSID d8:c7:c8:28:4b:f8, phy a, VLAN 10
    Dec 7 08:21:04 :522035: <INFO> |authmgr| MAC=e8:06:88:94:92:36 Station UP: BSSID=d8:c7:c8:28:4b:f8 ESSID=W-NET VLAN=10 AP-name=d8:c7:c8:ca:84:bf
    Dec 7 08:21:04 :500010: <NOTI> |mobileip| Station e8:06:88:94:92:36, 0.0.0.0: Mobility trail, on switch 10.19.24.238, VLAN 10, AP d8:c7:c8:ca:84:bf, W-NET/d8:c7:c8:28:4b:f8/a
    Dec 7 08:21:04 :522050: <INFO> |authmgr| MAC=e8:06:88:94:92:36,IP=0.0.0.0 User data downloaded to datapath, new Role=logon/1, bw Contract=0/0,reason=UDR driven download
    Dec 7 08:25:24 :501106: <NOTI> |stm| Deauth to sta: e8:06:88:94:92:36: Ageout AP 10.19.24.254-d8:c7:c8:28:4b:f8-d8:c7:c8:ca:84:bf wifi_deauth_sta
    Dec 7 08:25:24 :501065: <DBUG> |stm| Sending STA e8:06:88:94:92:36 message to Auth and Mobility Unicast Encr WPA2 8021X AES Multicast Encr Dynamic WPA,WPA2 8021X TKIP VLAN 0xa, wmm:1, rsn_cap:c
    Dec 7 08:25:24 :500511: <DBUG> |mobileip| Station e8:06:88:94:92:36, 0.0.0.0: Received disassociation on ESSID: W-NET Mobility service ON, HA Discovery on Association Off, Fastroaming Disabled, AP: Name d8:c7:c8:ca:84:bf Group default BSSID d8:c7:c8:28:4b:f8, phy a, VLAN 10
    Dec 7 08:25:24 :522036: <INFO> |authmgr| MAC=e8:06:88:94:92:36 Station DN: BSSID=d8:c7:c8:28:4b:f8 ESSID=W-NET VLAN=10 AP-name=d8:c7:c8:ca:84:bf
    Dec 7 08:25:24 :500010: <NOTI> |mobileip| Station e8:06:88:94:92:36, 255.255.255.255: Mobility trail, on switch 10.19.24.238, VLAN 10, AP d8:c7:c8:ca:84:bf, W-NET/d8:c7:c8:28:4b:f8/a
    Dec 7 08:25:24 :501080: <NOTI> |stm| Deauth to sta: e8:06:88:94:92:36: Ageout AP 10.19.24.254-d8:c7:c8:28:4b:f8-d8:c7:c8:ca:84:bf Denied; Ageout
    Dec 7 08:25:24 :501000: <DBUG> |stm| Station e8:06:88:94:92:36: Clearing state

    Here's the debug from our office controller:

    Dec 7 00:17:12 :501109: <NOTI> |AP MainArea:cb:f3@192.168.10.118 stm| Auth request: e8:06:88:94:92:36: AP 192.168.10.118-d8:c7:c8:9c:bf:38-MainArea:cb:f3 auth_alg 0
    Dec 7 00:17:12 :501093: <NOTI> |AP MainArea:cb:f3@192.168.10.118 stm| Auth success: e8:06:88:94:92:36: AP 192.168.10.118-d8:c7:c8:9c:bf:38-MainArea:cb:f3
    Dec 7 00:17:12 :501095: <NOTI> |AP MainArea:cb:f3@192.168.10.118 stm| Assoc request @ 00:17:12.194185: e8:06:88:94:92:36 (SN 3651): AP 192.168.10.118-d8:c7:c8:9c:bf:38-MainArea:cb:f3
    Dec 7 00:17:12 :501095: <NOTI> |stm| Assoc request @ 00:17:12.192837: e8:06:88:94:92:36 (SN 3651): AP 192.168.10.118-d8:c7:c8:9c:bf:38-MainArea:cb:f3
    Dec 7 00:17:12 :501100: <NOTI> |AP MainArea:cb:f3@192.168.10.118 stm| Assoc success @ 00:17:12.195086: e8:06:88:94:92:36: AP 192.168.10.118-d8:c7:c8:9c:bf:38-MainArea:cb:f3
    Dec 7 00:17:12 :501100: <NOTI> |stm| Assoc success @ 00:17:12.199372: e8:06:88:94:92:36: AP 192.168.10.118-d8:c7:c8:9c:bf:38-MainArea:cb:f3
    Dec 7 00:17:12 :501065: <DBUG> |stm| Sending STA e8:06:88:94:92:36 message to Auth and Mobility Unicast Encr WPA2 8021X AES Multicast Encr Dynamic WPA,WPA2 8021X TKIP VLAN 0x1, wmm:1, rsn_cap:c
    Dec 7 00:17:12 :500511: <DBUG> |mobileip| Station e8:06:88:94:92:36, 0.0.0.0: Received association on ESSID: ouraruba Mobility service ON, HA Discovery on Association Off, Fastroaming Disabled, AP: Name MainArea:cb:f3 Group default BSSID d8:c7:c8:9c:bf:38, phy a, VLAN 1
    Dec 7 00:17:12 :522035: <INFO> |authmgr| MAC=e8:06:88:94:92:36 Station UP: BSSID=d8:c7:c8:9c:bf:38 ESSID=ouraruba VLAN=1 AP-name=MainArea:cb:f3
    Dec 7 00:17:12 :500010: <NOTI> |mobileip| Station e8:06:88:94:92:36, 0.0.0.0: Mobility trail, on switch 192.168.10.15, VLAN 1, AP MainArea:cb:f3, ouraruba/d8:c7:c8:9c:bf:38/a
    Dec 7 00:17:12 :522004: <DBUG> |authmgr| MAC=e8:06:88:94:92:36 ingress 0x10ca (tunnel 10), u_encr 64, m_encr 4112, slotport 0x1028 , type: local, FW mode: 0, AP IP: 0.0.0.0
    Dec 7 00:17:12 :522004: <DBUG> |authmgr| MAC=e8:06:88:94:92:36, wired: 0, vlan:1 ingress:0x10ca (tunnel 10), new_aaa_prof: ouraruba-aaa_prof, stored profile: ouraruba-aaa_prof stored wired: 0 stored essid: ouraruba
    Dec 7 00:17:12 :522004: <DBUG> |authmgr| Deriving role from user attributes
    Dec 7 00:17:12 :522038: <INFO> |authmgr| username=jpickering MAC=e8:06:88:94:92:36 IP=0.0.0.0 Authentication result=Authentication Successful method=802.1x server=Vizfs1
    Dec 7 00:17:12 :522044: <INFO> |authmgr| MAC=e8:06:88:94:92:36 Station authenticate(start): method=802.1x, role=authenticated/authenticated/, VLAN=1/1/10/0/0, Derivation=1/0, Value Pair=1
    Dec 7 00:17:12 :522004: <DBUG> |authmgr| {L2} authenticated from profile "ouraruba-aaa_prof"
    Dec 7 00:17:12 :522004: <DBUG> |authmgr| {L2} Update role from authenticated to authenticated for IP=0.0.0.0
    Dec 7 00:17:12 :522049: <INFO> |authmgr| MAC=e8:06:88:94:92:36,IP=0.0.0.0 User role updated, existing Role=authenticated/authenticated, new Role=authenticated/authenticated, reason=Station Authenticated with auth type: 4
    Dec 7 00:17:12 :522004: <DBUG> |authmgr| download: acl=51/0 role=authenticated, tunl=0x10ca, PA=0, HA=1, RO=0, VPN=0
    Dec 7 00:17:12 :522050: <INFO> |authmgr| MAC=e8:06:88:94:92:36,IP=0.0.0.0 User data downloaded to datapath, new Role=authenticated/51, bw Contract=0/0,reason=Download driven by user role setting
    Dec 7 00:17:12 :522004: <DBUG> |authmgr| Station authenticate has l2 role :authenticated default role authenticated logon role logon
    Dec 7 00:17:12 :522004: <DBUG> |authmgr| Valid Dot1xct, remote:0, assigned:1, default:1,current:1,termstate:8, wired:0,dot1x enabled:1, psk:0 static:0 bssid=d8:c7:c8:9c:bf:38
    Dec 7 00:17:12 :522004: <DBUG> |authmgr| Vlan assignment is not needed during station authentication
    Dec 7 00:17:12 :522004: <DBUG> |authmgr| MAC=e8:06:88:94:92:36 def_vlan 1 derive vlan: 0 auth_type 4 auth_subtype 4
    Dec 7 00:17:12 :522029: <INFO> |authmgr| MAC=e8:06:88:94:92:36 Station authenticate: method=802.1x, role=authenticated/authenticated/, VLAN=1/1/10/0/0, Derivation=1/0, Value Pair=1
    Dec 7 00:17:13 :522026: <INFO> |authmgr| MAC=e8:06:88:94:92:36 IP=0.0.0.0 User miss: ingress=0x10ca, VLAN=1
    Dec 7 00:17:13 :522004: <DBUG> |authmgr| MAC e8:06:88:94:92:36, dhcp option 55, signature 370103060F77FC
    Dec 7 00:17:13 :522024: <INFO> |authmgr| MAC=e8:06:88:94:92:36 IP=?? Derived VLAN 10 from user rules
    Dec 7 00:17:13 :522004: <DBUG> |authmgr| Deriving role from user attributes
    Dec 7 00:17:13 :522004: <DBUG> |authmgr| e8:06:88:94:92:36: Sending STM new vlan info: vlan 10, AP d8:c7:c8:9c:bf:38
    Dec 7 00:17:13 :522004: <DBUG> |authmgr| MAC=e8:06:88:94:92:36 def_vlan 1 derive vlan: 10 auth_type 4 auth_subtype 4
    Dec 7 00:17:15 :522026: <INFO> |authmgr| MAC=e8:06:88:94:92:36 IP=0.0.0.0 User miss: ingress=0x10ca, VLAN=10
    Dec 7 00:17:15 :522004: <DBUG> |authmgr| MAC e8:06:88:94:92:36, dhcp option 55, signature 370103060F77FC
    Dec 7 00:17:15 :522024: <INFO> |authmgr| MAC=e8:06:88:94:92:36 IP=?? Derived VLAN 10 from user rules
    Dec 7 00:17:15 :522004: <DBUG> |authmgr| Deriving role from user attributes
    Dec 7 00:17:16 :501106: <NOTI> |stm| Deauth to sta: e8:06:88:94:92:36: Ageout AP 192.168.10.118-d8:c7:c8:9c:bf:38-MainArea:cb:f3 wifi_deauth_sta
    Dec 7 00:17:16 :501065: <DBUG> |stm| Sending STA e8:06:88:94:92:36 message to Auth and Mobility Unicast Encr WPA2 8021X AES Multicast Encr Dynamic WPA,WPA2 8021X TKIP VLAN 0xa, wmm:1, rsn_cap:c
    Dec 7 00:17:16 :500511: <DBUG> |mobileip| Station e8:06:88:94:92:36, 0.0.0.0: Received disassociation on ESSID: ouraruba Mobility service ON, HA Discovery on Association Off, Fastroaming Disabled, AP: Name MainArea:cb:f3 Group default BSSID d8:c7:c8:9c:bf:38, phy a, VLAN 10
    Dec 7 00:17:16 :522036: <INFO> |authmgr| MAC=e8:06:88:94:92:36 Station DN: BSSID=d8:c7:c8:9c:bf:38 ESSID=ouraruba VLAN=10 AP-name=MainArea:cb:f3
    Dec 7 00:17:16 :500010: <NOTI> |mobileip| Station e8:06:88:94:92:36, 255.255.255.255: Mobility trail, on switch 192.168.10.15, VLAN 10, AP MainArea:cb:f3, ouraruba/d8:c7:c8:9c:bf:38/a
    Dec 7 00:17:16 :522004: <DBUG> |authmgr| MAC=e8:06:88:94:92:36 ingress 0x10ca (tunnel 10), u_encr 64, m_encr 4112, slotport 0x1028 , type: local, FW mode: 0, AP IP: 0.0.0.0
    Dec 7 00:17:16 :522004: <DBUG> |authmgr| station free: bssid=d8:c7:c8:9c:bf:38, @=0x108a8e34
    Dec 7 00:17:16 :501080: <NOTI> |stm| Deauth to sta: e8:06:88:94:92:36: Ageout AP 192.168.10.118-d8:c7:c8:9c:bf:38-MainArea:cb:f3 Denied; Ageout
    Dec 7 00:17:16 :501000: <DBUG> |stm| Station e8:06:88:94:92:36: Clearing state

    Thanks.

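The office-controller debug above shows the controller matching the iPad's DHCP option 55 (parameter request list) signature `370103060F77FC` and deriving VLAN 10 from user rules. As an added example, not code from the original post or from Aruba, the Python below parses `show log user-debug` lines of that shape, decodes the signature into the requested option codes, and applies a fingerprint table. The log lines are two copied from the thread plus one constructed line for a hypothetical second client; the fingerprint table, `DEFAULT_VLAN` and the second signature are assumptions for illustration. Note in the decoder that Aruba's signature is the option code byte followed directly by the requested codes (no length byte), which is why `0x37 01 03 06 0F 77 FC` decodes to options 1, 3, 6, 15, 119, 252.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the first two lines are copied from the thread's
# "show log user-debug all" output; the third is a made-up line for a
# hypothetical Windows-style client (its signature is an assumption).
SAMPLE_LOG = """\
Dec 7 00:17:13 :522004: <DBUG> |authmgr| MAC e8:06:88:94:92:36, dhcp option 55, signature 370103060F77FC
Dec 7 00:17:15 :522004: <DBUG> |authmgr| MAC e8:06:88:94:92:36, dhcp option 55, signature 370103060F77FC
Dec 7 00:18:02 :522004: <DBUG> |authmgr| MAC 00:11:22:33:44:55, dhcp option 55, signature 37010F03062C2E2F1F2179F92B
"""

LINE_RE = re.compile(
    r"MAC ([0-9a-fA-F:]{17}), dhcp option 55, signature ([0-9A-Fa-f]+)"
)

# Hypothetical fingerprint table (signature -> VLAN). The iPad entry is the
# signature seen in the thread; VLAN 2 is the "iPad VLAN" the poster wanted.
FINGERPRINT_VLANS: Dict[str, int] = {
    "370103060F77FC": 2,
}
DEFAULT_VLAN = 1  # the "usual vlan (1)" from the post; an assumption here

# A few well-known DHCP option codes, for readable output only.
OPTION_NAMES = {
    1: "subnet-mask", 3: "router", 6: "dns-server", 15: "domain-name",
    31: "router-discovery", 33: "static-route", 43: "vendor-specific",
    44: "netbios-ns", 46: "netbios-node-type", 47: "netbios-scope",
    119: "domain-search", 121: "classless-static-route",
    249: "ms-classless-static-route", 252: "wpad",
}


def decode_option55(sig_hex: str) -> List[int]:
    """Decode an Aruba-style option 55 signature into requested option codes.

    The controller logs the option code (0x37 == 55) followed directly by the
    client's parameter request list; there is no length byte in between.
    """
    raw = bytes.fromhex(sig_hex)
    if len(raw) < 2 or raw[0] != 0x37:
        raise ValueError("not a DHCP option 55 signature")
    return list(raw[1:])


def describe_option55(sig_hex: str) -> List[str]:
    """Human-readable names for the requested options (unknown codes -> opt-N)."""
    return [OPTION_NAMES.get(c, f"opt-{c}") for c in decode_option55(sig_hex)]


def parse_log(text: str) -> List[Tuple[str, str]]:
    """Extract (mac, signature) pairs from user-debug log lines."""
    return [(m.group(1).lower(), m.group(2).upper())
            for line in text.splitlines()
            if (m := LINE_RE.search(line))]


def assign_vlan(sig_hex: str) -> int:
    """Map a signature to a VLAN; unknown signatures fall back to DEFAULT_VLAN."""
    return FINGERPRINT_VLANS.get(sig_hex.upper(), DEFAULT_VLAN)


def derive_vlans(text: str) -> Dict[str, int]:
    """Per-MAC VLAN derivation over a log excerpt (last signature seen wins).

    Security caveat: option 55 is entirely client-controlled. Any station can
    send an iPad-looking request list, so a VLAN picked this way is a
    convenience for device placement, not an access-control boundary; the
    thread's own resolution (VLAN via the 802.1X-derived user role) is the
    one that is tied to an authenticated identity.
    """
    result: Dict[str, int] = {}
    for mac, sig in parse_log(text):
        result[mac] = assign_vlan(sig)
    return result


if __name__ == "__main__":
    for mac, sig in parse_log(SAMPLE_LOG):
        print(mac, sig, describe_option55(sig), "-> VLAN", assign_vlan(sig))
```

Running the block prints one line per log entry; the iPad MAC lands in VLAN 2 and the constructed client in VLAN 1. The decoder rejects signatures that do not start with `0x37`, so a line that the regex happens to match but whose payload is not an option 55 list raises rather than silently mapping to the default.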
  • 2.  RE: DHCP fingerprinting for VLAN not working at all

    Posted Dec 06, 2011 10:39 AM

    I'm looking at a very similar issue in this post.



  • 3.  RE: DHCP fingerprinting for VLAN not working at all

    Posted Dec 06, 2011 08:39 PM

    Ah yep.  That looks like it.

    Here's the official word from Aruba regarding this. I sent them the same thing I wrote here:

    =====

    The user rule DHCP-Option will override the 802.1x server derivative rule. 

    Changing the VLAN through a DHCP-based derivation rule is not supported.  DHCP happens after the client is already assigned to a VLAN – changing it after the fact would lead to a race condition (if the DHCP response comes back before the VLAN is changed, the client will get an IP address assignment on the old VLAN.)

    The workaround is to create dummy in the VAP profile. And for the 802.1x clients map the vlan in the user-role defined in the server rule.

    =====

    There we go.  Unsupported.