Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Issue with multiple IP for users after enabling vlan pooling

  • 1.  Issue with multiple IP for users after enabling vlan pooling

    Posted Apr 03, 2014 05:50 AM

    We have 3 controllers 4704. Master and two local controllers are purely layer-2 connected to a layer 3 switch. We see multiple IPs for users after enabling VLAN pooling with even assignment.

     

    (controller) #show user-table verbose | include 2e:dc

    10.37.46.9     60:67:20:01:2e:dc  xxxxx               authenticated         00:01:22    802.1x                  xxx-AP-01  Wireless  xxx/24:de:c6:52:6e:99/a-HT     xxx   tunnel        Win XP   xxx  605 (605)  

    10.37.21.222  60:67:20:01:2e:dc  xxx              authenticated         00:01:38    802.1x                   xxx-AP-01  Wireless  xxx/24:de:c6:52:6e:99/a-HT    xxx    tunnel        Win XP   xxx  605 (605)

     

    From the above log we isolated that the issue is due to the wired and wireless NICs on the client, connected to the same network, both being displayed in the user-table. We are sure that with a valid-user ACL we will come out of the situation, because the wired NIC subnet is not part of the WLAN.

     

    But we do see the valid IP addresses for the same client in the user-table. So my doubt was: when a client roams from controller-1 to controller-2, if the client is on VLAN 1 (example) on controller-1 and goes to controller-2 on VLAN 2 (VLAN pooling is even assignment), he carries the IP address of VLAN-1, which is displayed in the user-table of controller-2; he then acquires a VLAN-2 IP address from the DHCP server (external), which is also displayed in the user-table. Not all the clients are seeing the issue.

     

    So we are trying to implement Valid user ACL, Enforce DHCP and ARP spoofing to come out of the issue. Please let me know if my approach is correct; otherwise, advise me of a better solution.



  • 2.  RE: Issue with multiple IP for users after enabling vlan pooling

    EMPLOYEE
    Posted Apr 03, 2014 07:02 AM

    Only use "Enforce DHCP" in the AAA profile.  The ValidUser ACL is too time consuming to maintain.

     



  • 3.  RE: Issue with multiple IP for users after enabling vlan pooling

    Posted Apr 03, 2014 09:22 PM

    Hi CJ, thank you. So by enabling only "enforce dhcp" we will come out of the problem, or do you want me to have enforce dhcp and ARP Spoofing?



  • 4.  RE: Issue with multiple IP for users after enabling vlan pooling

    EMPLOYEE
    Posted Apr 03, 2014 09:25 PM

    Only Enforce DHCP



  • 5.  RE: Issue with multiple IP for users after enabling vlan pooling

    Posted Apr 03, 2014 09:28 PM

    Thank you. Let me implement this.



  • 6.  RE: Issue with multiple IP for users after enabling vlan pooling

    Posted Apr 04, 2014 12:52 AM

    Hi CJ,

    I tried in my lab with the DHCP server on the controller. I see the issue without VLAN pooling.

     

    (OAW-4306G) (config) #show user-table

    Users
    -----
        IP              MAC            Name     Role           Age(d:h:m)  Auth  VPN link  AP name            Roaming   Essid/Bssid/Phy                    Profile  Forward mode  Type  Host Name
    ----------     ------------       ------    ----           ----------  ----  --------  -------            -------   ---------------                    -------  ------------  ----  ---------
    192.168.20.7   38:59:f9:e0:ca:2f            authenticated  00:00:07                    00:1a:1e:cd:7a:6e  Wireless  alcatel-ap/00:1a:1e:57:a6:e0/g-HT  default  tunnel  
    192.168.20.10  38:59:f9:e0:ca:2f            authenticated  00:00:28                    00:1a:1e:cd:7a:6e  Wireless  alcatel-ap/00:1a:1e:57:a6:e0/g-HT  default  tunnel  

    User Entries: 2/2
     Curr/Cum Alloc:1/22 Free:2/21 Dyn:3 AllocErr:0 FreeErr:0

     

    The issue is seen very randomly. Attached is the log. May I know your view on this? Can this issue be addressed by enforce-dhcp?

    Attachment(s)

    txt
    airheads.txt   9 KB 1 version


  • 7.  RE: Issue with multiple IP for users after enabling vlan pooling
    Best Answer

    EMPLOYEE
    Posted Apr 04, 2014 03:34 AM
    Yes


  • 8.  RE: Issue with multiple IP for users after enabling vlan pooling
    Best Answer

    EMPLOYEE
    Posted Apr 06, 2014 12:20 AM

    To be clear, what you are seeing is a side effect where, if two interfaces are connected at the same time (wired and wireless), traffic from one interface leaks through the wireless network and appears in the user table as the other interface with the same MAC address. The same thing happens with mobile phones that connect to wifi: their mobile IP address also appears in the user table. Enforce-DHCP resolves this, because it will only put a device in the user table that it has observed negotiating DHCP through the controller.
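
Added example, not part of the thread or of any Aruba tooling: a Python audit that parses `show user-table` output, finds MAC addresses holding more than one IP entry, and lists the IPs that have no matching DHCP lease. The sample rows, the lease dictionary format and all function names are constructed for illustration; comparing against server leases only approximates what the final reply describes the controller doing when it observes DHCP itself.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample shaped like the `show user-table` rows quoted in the thread.
SAMPLE_USER_TABLE = """\
    IP              MAC            Name     Role           Age(d:h:m)
192.168.20.7   38:59:f9:e0:ca:2f            authenticated  00:00:07
192.168.20.10  38:59:f9:e0:ca:2f            authenticated  00:00:28
192.168.20.15  00:11:22:33:44:55            authenticated  00:01:02
User Entries: 3/3
"""

# Constructed lease data (assumed format): MAC -> IPs the DHCP server handed out.
SAMPLE_LEASES = {
    "38:59:f9:e0:ca:2f": {"192.168.20.10"},
    "00:11:22:33:44:55": {"192.168.20.15"},
}

ROW = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+((?:[0-9a-f]{2}:){5}[0-9a-f]{2})\b", re.I)

def parse_user_table(text):
    """Return {mac: [ip, ...]}; header and summary lines are skipped."""
    table = defaultdict(list)
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        try:
            ip = str(ipaddress.ip_address(m.group(1)))  # rejects 999.1.1.1 etc.
        except ValueError:
            continue
        mac = m.group(2).lower()
        if ip not in table[mac]:
            table[mac].append(ip)
    return dict(table)

def multi_ip_macs(table):
    """MACs that hold more than one user-table entry."""
    return {mac: ips for mac, ips in table.items() if len(ips) > 1}

def entries_without_lease(table, leases):
    """For multi-IP MACs, the user-table IPs with no DHCP lease for that MAC."""
    return {
        mac: [ip for ip in ips if ip not in leases.get(mac, set())]
        for mac, ips in multi_ip_macs(table).items()
    }
```

Run `entries_without_lease(parse_user_table(output), leases)` before and after enabling Enforce DHCP to confirm the extra entries disappear.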