Wireless Access

Hi,

The company I work for recently upgraded the Aruba controller from 7010 to 7030, everything seems working but users are complaining they get no internet access on the enterprise SSID, devices authenticate via clear pass but just doesn't get an IP, however when they  run troubleshoot and fix on the computer it tends to get an IP and works,  

If the computer is idle for a while and comes backup up the user gets the no internet access message again, which means they can't access the internet on enterprise SSID but it works on other SSID.

I had 802.11k enabled but I have since disabled it thinking that would fix it but no joy, am running out of options.

Hello Willson,

As the internet acces comes back as soon as the user runs a diagnostic on his device, It seems to me that the authentication is working fine and the user is redirected to the correct vlan but is not getting an ip address.
I would start looking at the access tracker on clearpass to see if it is returning the correct profile to the controller.
Then I would check if the users are able to get an ip on the vlan for the corporate SSID.
And lastly I would check the dhcp server to make sure the ip pool used has enough ip address available to users.

Regards.

Hi,

Yes, users getting the right profile clear pass,

Yes users are getting the right IP on corporate SSID

It seems we still loads of IP left as its a /20 subnet.

Make sure that the ACLs in the user role either have just allowall allowing all traffic or a rule permitting dhcp from any to any:

any any service dhcp permit

You would have the problem you described if you had this acl:

user any service dhcp permit

If you do, delete that acl and instead use the"any any service dhcp permit" rule instead.

I have a word document with the existing settings.

The authenticates role described on the word file will give access to any host/service with IPv4.

Have you had the opportunity to analyse what changes on user's device when they run a diagnostic?

Do they have access to the internal network before running a diag?

Do they change IP address after running a diag?

What role does the user session is in before and after running a diag?

I there is a firewall that requires authentication before internet access, what is the user's authenticated status before and after running a diag?

Regards

Do they have access to the internal network before running a diag? No, as the device is assigned AIPA address (windows IP).

What role does the user session is in before and after running a diag? The role doesn't change in clear pass.

Is there is a firewall that requires authentication before internet access, NO,

what is the user's authenticated status before and after running a diag? Access allows.