12-07-2015 07:53 PM
I'm struggling with an issue with our Acer Chromebooks. I have a TAC case opened but I thought it couldn't hurt to through it out here as well.
Basically, if you put them in sleep mode and bring them out of sleep mode, they will not connect to the wireless properly. If I delete them from the user table, the client will connect. Dropping into sleep mode and trying to reconnect shows the same issue. This problem only seems to happen on one of the VAPs. If I put the client on a second VAP, it works fine each time. The problem VAP(named "chromebook") has some ACLs set up to wall the clients off from the internal network besides some explicitely allowed servers. It also has allow ACLs for DHCP and DNS.
What I'm thinking is happening is that when the user doesn't have a table entry, it will use the default role of "logon" until it's authenticated. That's why I seem to be able to connect at first. Subsequent connections already have a user table entry and use the authenticated role(chromebook) and is therefore then using the ACLs for that role. That role seems to be missing the SVC-ICMP.
So my question is, do I need ICMP to properly broadcast or otherwise connect to a DHCP server or is allowing SVC-DHCP sufficient? The default logon role seems to allow SVC-DHCP, SVC-DNS, SVC-ICMP, and SVC-NATT. The chromebook role only allows the first two in that list and not ICMP or NATT.
12-08-2015 10:25 AM
Without your whole config, it's difficult to say for sure.
My first guess is that the DHCP permit rule in your affected user role starts "user" rather than "any". If that's the case, change it to "any" and try again? I suspect TAC would have picked that up though.
You normally don't need ICMP at all in terms of what you're describing.
12-08-2015 01:13 PM
Thank you for the reply. I ended up explicitely adding a DHCP permit to the affected role and suddenly it started working. I can't believe we all missed it.
Sometimes you go looking for the complicated answer to a simple solution.