Wireless Access

MVP
Posts: 1,011
Registered: ‎04-13-2009

Issues Setting VLAN via User Rules or User Roles

Hi All,

 

I'm having issues trying to set the VLAN a device is in via User Rules or User Roles. It hangs when connecting at "Obtaining IP Address".


The reason I'm attempting to do this is because of the following:

  • Limited number of IP addresses on the corporate VLAN.
  • The corporate user will be on an untrusted device, so I want them to be completely separate from the corporate LAN.

Essentially it's a BYOD situation where any non-iOS device that connects to the corporate SSID gets put in the guest role and also a separate VLAN.

 

VLAN 99 is the guest VLAN
VLAN 2 is the corp VLAN

 

The 802.1x auth SSID had DHCP device fingerprinting, which I've used to attempt to set the VLAN that the device goes into. I've also tried setting it to be in the guest role, then setting the Role VLAN ID to be the guest VLAN.

Both of the above result in devices that hit this rule not getting an IP address.

 

Here's what's in the network log:

 

Dec 5 15:38:34 :202546: <DBUG> |dhcpdwrap| |dhcp| Datapath vlan99: OFFER 04:46:65:5c:de:d1 clientIP=192.168.99.254
Dec 5 15:38:37 :202541: <DBUG> |dhcpdwrap| |dhcp| Received DHCP packet from Datpath, sos msg hdr flags 0x40 opcode 0x5a ingress 0x1138 vlan 2 egress 0x2 src mac 04:46:65:5c:de:d1
Dec 5 15:38:37 :202534: <DBUG> |dhcpdwrap| |dhcp| Datapath vlan2: DISCOVER 04:46:65:5c:de:d1 Options 3d:010446655cded1 39:05dc 3c:64686370636420342e302e3135 37:01792103061c333a3b
Dec 5 15:38:37 :202541: <DBUG> |dhcpdwrap| |dhcp| Received DHCP packet from Datpath, sos msg hdr flags 0x440 opcode 0x5a ingress 0x1138 vlan 99 egress 0x63 src mac 04:46:65:5c:de:d1
Dec 5 15:38:37 :202534: <DBUG> |dhcpdwrap| |dhcp| Datapath vlan99: DISCOVER 04:46:65:5c:de:d1 Options 3d:010446655cded1 39:05dc 3c:64686370636420342e302e3135 37:01792103061c333a3b
Dec 5 15:38:37 :202523: <DBUG> |dhcpdwrap| |dhcp| dhcprelay: dev=eth1, length=300, from_port=68, op=1, giaddr=0.0.0.0
Dec 5 15:38:37 :202532: <DBUG> |dhcpdwrap| |dhcp| got 0 relay servers
Dec 5 15:38:37 :202541: <DBUG> |dhcpdwrap| |dhcp| Received DHCP packet from Datpath, sos msg hdr flags 0x42 opcode 0x5a ingress 0x0 vlan 99 egress 0x63 src mac 00:0b:86:6d:74:64
Dec 5 15:38:37 :202546: <DBUG> |dhcpdwrap| |dhcp| Datapath vlan99: OFFER 04:46:65:5c:de:d1 clientIP=192.168.99.254
Dec 5 15:38:41 :202541: <DBUG> |dhcpdwrap| |dhcp| Received DHCP packet from Datpath, sos msg hdr flags 0x40 opcode 0x5a ingress 0x1138 vlan 2 egress 0x2 src mac 04:46:65:5c:de:d1
Dec 5 15:38:41 :202534: <DBUG> |dhcpdwrap| |dhcp| Datapath vlan2: DISCOVER 04:46:65:5c:de:d1 Options 3d:010446655cded1 39:05dc 3c:64686370636420342e302e3135 37:01792103061c333a3b
Dec 5 15:38:41 :202541: <DBUG> |dhcpdwrap| |dhcp| Received DHCP packet from Datpath, sos msg hdr flags 0x440 opcode 0x5a ingress 0x1138 vlan 99 egress 0x63 src mac 04:46:65:5c:de:d1
Dec 5 15:38:41 :202534: <DBUG> |dhcpdwrap| |dhcp| Datapath vlan99: DISCOVER 04:46:65:5c:de:d1 Options 3d:010446655cded1 39:05dc 3c:64686370636420342e302e3135 37:01792103061c333a3b
Dec 5 15:38:41 :202523: <DBUG> |dhcpdwrap| |dhcp| dhcprelay: dev=eth1, length=300, from_port=68, op=1, giaddr=0.0.0.0
Dec 5 15:38:41 :202532: <DBUG> |dhcpdwrap| |dhcp| got 0 relay servers
Dec 5 15:38:41 :202541: <DBUG> |dhcpdwrap| |dhcp| Received DHCP packet from Datpath, sos msg hdr flags 0x42 opcode 0x5a ingress 0x0 vlan 99 egress 0x63 src mac 00:0b:86:6d:74:64
Dec 5 15:38:41 :202546: <DBUG> |dhcpdwrap| |dhcp| Datapath vlan99: OFFER 04:46:65:5c:de:d1 clientIP=192.168.99.254

Can anyone shed some light on this for me?

 

Thanks
james 

Cheers
James

-------------------------------------------------------
-------------------@whereisjrw-------------------
------------------------blog-------------------------
ACCX #540 | ACMX #353 | ACDX #216
-----------Mobility First Expert #11----------
-------------------------------------------------------

If a reply adequately addresses your issue, please click on the "Accept as Solution" and "Give Kudos" button so this information can benefit other users via search.
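The dhcpdwrap debug output above already contains the whole story, but it is hard to read by eye: the same DISCOVER from the client appears first on vlan2 and then again on vlan99, and the OFFER only ever comes back on vlan99. The following script is an added example, not code from the thread or from Aruba; it parses the "Datapath vlanN: DISCOVER/OFFER" lines as they appear in the post (the constructed sample below copies a few of them verbatim), decodes the hex-encoded option list so you can see what the fingerprint rule actually matched on (option 60 vendor class "dhcpcd 4.0.15", option 55 parameter request list), and reports any client whose DISCOVER was handled on more than one VLAN. The log line format is assumed to be exactly as posted; other dhcpdwrap lines are skipped.

```python
import re
from collections import defaultdict

# Constructed sample: dhcpdwrap debug lines copied from the post above, plus two
# lines of other dhcpdwrap chatter to show that they are ignored by the parser.
SAMPLE_LOG = """\
Dec 5 15:38:34 :202546: <DBUG> |dhcpdwrap| |dhcp| Datapath vlan99: OFFER 04:46:65:5c:de:d1 clientIP=192.168.99.254
Dec 5 15:38:37 :202541: <DBUG> |dhcpdwrap| |dhcp| Received DHCP packet from Datpath, sos msg hdr flags 0x40 opcode 0x5a ingress 0x1138 vlan 2 egress 0x2 src mac 04:46:65:5c:de:d1
Dec 5 15:38:37 :202534: <DBUG> |dhcpdwrap| |dhcp| Datapath vlan2: DISCOVER 04:46:65:5c:de:d1 Options 3d:010446655cded1 39:05dc 3c:64686370636420342e302e3135 37:01792103061c333a3b
Dec 5 15:38:37 :202534: <DBUG> |dhcpdwrap| |dhcp| Datapath vlan99: DISCOVER 04:46:65:5c:de:d1 Options 3d:010446655cded1 39:05dc 3c:64686370636420342e302e3135 37:01792103061c333a3b
Dec 5 15:38:37 :202532: <DBUG> |dhcpdwrap| |dhcp| got 0 relay servers
Dec 5 15:38:37 :202546: <DBUG> |dhcpdwrap| |dhcp| Datapath vlan99: OFFER 04:46:65:5c:de:d1 clientIP=192.168.99.254
"""

# Matches only the "Datapath vlanN: <MSG> <mac> ..." lines (assumed format, as posted).
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) :\d+: <\w+> \|dhcpdwrap\| \|dhcp\| "
    r"Datapath vlan(?P<vlan>\d+): (?P<msg>[A-Z]+) (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: Options (?P<opts>.+)| clientIP=(?P<ip>[0-9.]+))?\s*$"
)

# Names for the option numbers seen in this client's parameter request list.
OPTION_NAMES = {1: "subnet-mask", 3: "router", 6: "dns-server", 28: "broadcast",
                33: "static-route", 51: "lease-time", 58: "renewal-time",
                59: "rebinding-time", 121: "classless-static-route"}


def parse_options(field):
    """Decode the 'code:hexvalue code:hexvalue ...' list the controller logs.
    Codes are hex: 3d -> 61 client-id, 39 -> 57 max message size,
    3c -> 60 vendor class, 37 -> 55 parameter request list."""
    opts = {}
    for tok in field.split():
        code, _, hexval = tok.partition(":")
        opts[int(code, 16)] = bytes.fromhex(hexval)
    return opts


def fingerprint(opts):
    """The two fields DHCP fingerprinting keys on: vendor class (option 60)
    as text and the parameter request list (option 55) as option numbers."""
    vendor = opts.get(60, b"").decode("ascii", "replace")
    prl = list(opts.get(55, b""))
    return vendor, prl


def parse_line(line):
    """One Datapath DISCOVER/OFFER line -> dict, or None for any other line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": m["ts"], "vlan": int(m["vlan"]), "msg": m["msg"], "mac": m["mac"],
        "opts": parse_options(m["opts"]) if m["opts"] else None,
        "ip": m["ip"],
    }


def summarize(log):
    """Per client MAC: distinct VLANs (first-seen order) on which the controller
    handled its DISCOVER and its OFFER, plus the decoded fingerprint."""
    clients = defaultdict(lambda: {"discover": [], "offer": [], "vendor": "", "prl": []})
    for line in log.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        c = clients[rec["mac"]]
        key = rec["msg"].lower()
        if key in ("discover", "offer") and rec["vlan"] not in c[key]:
            c[key].append(rec["vlan"])
        if rec["opts"]:
            c["vendor"], c["prl"] = fingerprint(rec["opts"])
    return dict(clients)


def rewritten_clients(summary):
    """Clients whose DISCOVER was handled on more than one VLAN: the datapath
    re-tagged the packet between ingress and the DHCP server, i.e. the
    user-rule VLAN change is firing. Returned as mac -> (discover VLANs, offer VLANs)
    so you can see on which VLAN the OFFER actually came back."""
    return {mac: (c["discover"], c["offer"])
            for mac, c in summary.items() if len(c["discover"]) > 1}


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for mac, c in summary.items():
        print(mac, "DISCOVER on", c["discover"], "OFFER on", c["offer"])
        print("  vendor class:", repr(c["vendor"]))
        print("  request list:", [OPTION_NAMES.get(o, o) for o in c["prl"]])
    print("re-tagged:", rewritten_clients(summary))
```

Run against the full log from the post and the output shows the client's DISCOVER on [2, 99] and its OFFER on [99] only: the controller rewrote the VLAN on the way in, the server answered on the new VLAN, and nothing was ever sent back on vlan 2. The decoded option 55 list (subnet mask, classless route, router, DNS, lease timers) together with vendor class "dhcpcd 4.0.15" is the signature the fingerprint rule matched, which is useful for confirming the rule hit the device you think it did.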
Aruba Employee
Posts: 664
Registered: ‎04-15-2009

Re: Issues Setting VLAN via User Rules or User Roles

Are you passing back a VLAN from the RADIUS server? That would override any previous VLAN setting.

MVP
Posts: 1,011
Registered: ‎04-13-2009

Re: Issues Setting VLAN via User Rules or User Roles

No, I'm not passing a VLAN back from RADIUS server.

 

I just created a guest SSID using the same RADIUS server for auth and I am able to authenticate and get the guest role.

Aruba Employee
Posts: 664
Registered: ‎04-15-2009

Re: Issues Setting VLAN via User Rules or User Roles

Ok, so let's make sure we are working on the right problem (I have a tendency to misunderstand and answer the wrong question!!!).

A corporate user brings in his/her own iPad. They connect to the corp SSID using PEAP credentials.

You want the controller to identify the iOS device, put them in VLAN 99 and assign the guest role, right?

If so, where is it breaking? Is the iPad put in VLAN 99? If so, is it in the guest role? You can double check those questions by issuing "show ap association | inc xx:xx:xx:xx:xx:xx" (xx.... is the MAC address of the iPad in question) and "show user | inc xx:xx:xx:xx:xx:xx". The first will show that the user is in the right VLAN, the second should show the role (assuming the client has already passed authentication).

 

If both are OK, do you allow DHCP in the guest role?

MVP
Posts: 1,011
Registered: ‎04-13-2009

Re: Issues Setting VLAN via User Rules or User Roles

Ok. We're not talking about iOS devices here; it's anything that isn't iOS based that I have a device fingerprint for.

 

I want to put corporate users into the guest VLAN and role when they authenticate against the 802.1x auth SSID when they connect with their own device.

 

Here's show ap association

(cust3200) #show ap association | include 04:46:65:5c:de:d1
A4 d8:c7:c8:ad:a0:b0 04:46:65:5c:de:d1 y y 1 10 CORP-ENT 2 0x113c g-HT-20-1ss 0s 1 WAB

(cust3200) #show ap association | include 04:46:65:5c:de:d1
A4 d8:c7:c8:ad:a0:b0 04:46:65:5c:de:d1 y y 1 10 CORP-ENT 99 0x113c g-HT-20-1ss 1s 1 WAB

(cust3200) #show ap association | include 04:46:65:5c:de:d1
A4 d8:c7:c8:ad:a0:b0 04:46:65:5c:de:d1 y y 1 10 CORP-ENT 99 0x113c g-HT-20-1ss 2s 1 WAB

(cust3200) #show ap association | include 04:46:65:5c:de:d1
A4 d8:c7:c8:ad:a0:b0 04:46:65:5c:de:d1 y y 1 10 CORP-ENT 99 0x113c g-HT-20-1ss 1s 1 WAB

(cust3200) #show ap association | include 04:46:65:5c:de:d1
A4 d8:c7:c8:ad:a0:b0 04:46:65:5c:de:d1 y y 1 10 CORP-ENT 99 0x113c g-HT-20-1ss 2s 1 WAB

(cust3200) #show ap association | include 04:46:65:5c:de:d1

(cust3200) #show ap association | include 04:46:65:5c:de:d1
A4 d8:c7:c8:ad:a0:b0 04:46:65:5c:de:d1 y y 1 10 CORP-ENT 2 0x113c g-HT-20-1ss 0s 1 WAB

(cust3200) #show ap association | include 04:46:65:5c:de:d1
A4 d8:c7:c8:ad:a0:b0 04:46:65:5c:de:d1 y y 1 10 CORP-ENT 99 0x113c g-HT-20-1ss 2s 1 WAB

 

The user is not showing in user-table.

You can see from the above that when the user connects they are in VLAN 2 which is the default VLAN for that SSID then device fingerprinting puts them in the guest role which should move them to VLAN 99 where they should get an IP address.

 

Aruba Employee
Posts: 664
Registered: ‎04-15-2009

Re: Issues Setting VLAN via User Rules or User Roles

Very strange. I see from your first post that the client is offered 192.168.99.254. If the client is offered that IP, it should have already passed authentication.

 

Can you do "logging level debug user-debug <mac address>"?  Then, try it again and check out "show log user-debug all".

 

That SHOULD shed some light on why this is happening.

Guru Elite
Posts: 21,567
Registered: ‎03-29-2007

Re: Issues Setting VLAN via User Rules or User Roles

I want to go ahead and say that you cannot change VLANs via DHCP fingerprinting.

Consider this:

 

The device that connects is on a VLAN and sends a DHCP request.  Once the controller sees the request, he changes the VLAN based on the user-rule, but the device does not see the VLAN change, because the link has not dropped.  The controller has switched his VLAN and he does not get a response from his DHCP server.  End result: no ip address.  DHCP fingerprinting should only be used to change roles and not vlans, because the client is not aware of the DHCP switch.

 

The best way you can accomplish what I think you are trying to accomplish is "Enforce Machine Authentication".  Make the machine authentication user role the guest VLAN so that devices that have NOT machine authenticated are forced into the guest role/VLAN right after authentication.  Devices that are domain computers will fully pass 802.1x and end up in the default 802.1x role.

 



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Aruba Employee
Posts: 664
Registered: ‎04-15-2009

Re: Issues Setting VLAN via User Rules or User Roles

But... if his devices are iOS (the ones he is letting on), machine auth won't work unless he puts all of the MAC addresses in the RADIUS server or in the local DB.

Since the client doesn't know what VLAN he is on, shouldn't the controller changing the VLAN be transparent? The client just sends a DHCP broadcast to the AP. The AP tunnels it to the controller and the controller is responsible for putting it in the right VLAN. The client is not doing any VLAN tagging.

 

Typically, the DHCP fingerprint would place the MAC into a specific role that uses the same VLAN as the VAP.  I haven't seen it work (or tried to make it work) since the updated role has a hard coded VLAN.  This may not be a supported function.

Aruba Employee
Posts: 117
Registered: ‎09-21-2010

Re: Issues Setting VLAN via User Rules or User Roles

Agree that DHCP Fingerprint can also be used to assign a VLAN to a device. This AOS feature instructs the stateful firewall to change the VLAN on the very first DHCP packet from the client before forwarding it to the DHCP server. All subsequent DHCP packets are also tagged with the same VLAN. When a client initially connects to a network it issues a DHCP DISCOVER message. On subsequent connections, it issues a DHCP REQUEST message requesting a specific IP address that it had previously received. Changing the VLAN tag on the DHCP DISCOVER or REQUEST packet ensures that the DHCP server can respond from the appropriate DHCP address scope.

MVP
Posts: 1,011
Registered: ‎04-13-2009

Re: Issues Setting VLAN via User Rules or User Roles

Ok thanks for all the replies.

 

So what's the consensus? Some say yes it can be done and some say no? 

 

Has anyone actually got this feature working on 6.1.2.5?

Gonna speak to TAC next week when I'm onsite again.


James 
