Wireless Access

Hi Guys,

I have just started a new role and I come from a Cisco background. The network I have to maintain is an Arena and I have been tasked with putting up a new SSID for the betting terminals. I thought how hard can it be, but I cannot seem to get past the last stage. We have created a new VLAN within or HP switching network and confirm that VLAN 500 was working as it should be by configuring devices and pinging the appropriate web pages etc on the internal server. The problems seem to happen when we try to connect to the wireless network.

We have a 7210 Controller and a clear pass server. I am not sure of the clearpass server but I did not believe it was used but maybe I am wrong

I have created a new VAP and allocated the appropriate SSID to this using WPA2 with PSK as advised. The controller is not allocating IP addresses to the devices this is all being controlled by the betting companies gateway which is in the VLAN with DHCP trust etc enabled.I have tested the switched network by setting up ports as access ports within the VLAN on the network and everything works.On the wireless network I receive an IP address within the IP address range the problem is I cannot route to an internal IP addresses on the VLAN. I have tried changing roles and traced the system to check that I have been allocated the correct role using the

Show log user-debug with the mac

Show User

show dot1x supplicant-info list-all

Everything looks okay but still cannot route to anything within the VLAN.

Any help or pointers greatly appreciated

Thanks,

Gavin

ON the 7210, type "show vlan status" to see what VLANs are assigned to what ports.  If the 7210 connects to a switch on a trunk, type "show trunk" on the Aruba Controller to make sure that the native (untagged) VLAN on one side matches the native VLAN on the other side.

Type "show wlan virtual-ap" to find the SSID you are broadcasting.  Then type "show wlan virtual-ap <name of virtual ap>" to find out if it is pointing at the correct VLAN.

To find out what VLAN clients are getting into, type "show user-table verbose".  The client VLAN will be in parentheses.

I can ping devices within the VLAN 500 without any issues from the controller. The betting companies server is 192.168.99.254 and I can ping it fine from the controller source vlan 500. I can see all the information and it does seem to be all correct with VLAN ID 500 as per the commands you suggested.

I have been running a few more tests and when I static a machine and attempt to connect to the SSID it trys to connect and when I run a

show datapath session table for the static IP I see the attempt to connect and then it dissapears with the FLAGS FYD. I can only guess I must have something setup incorrectly on the 802.1x AAA as I would have thought that static ips would not be an issue if I have not checked the enforce DHCP option

Thanks for the response any other pointers.

Gavin

When I run the command

show user mac I can see in the VLAN-ID beside the ESSID the VLAN 500. I will try the other command also

Thanks

Just an update on this one that has me really confused. We have a Public SSID which uses VLAN 100. If I leave everything the same AAA role etc and set the VLAN to 100 I get the IP address from within that range and the role is applied and I can ping and route etc. But if I leave everything the same and select any other VLAN the issue occurs even on any of the other VLANS. Is this a Clearpass issue?

Thanks for any help

Is the issue that you don't get an ip address?

- Connect a device

- Type "show user-table verbose" to see what VLAN the user ends up in (should be in parenthesis)

- In the user table should be the user's role.  Type "show rights <that role>" to see if there is a VLAN hardcoded into that role.

If you are having problems with VLANs, ClearPass is another level and you might want to get some professional help if you are pressed.