Wireless Access

Hi everyone,

I'm working in a municipality with the wireless network. For some weeks ago we have started having some issues with computers not being able to retreive an IP-address from our DHCP-server at the CTRL+ALT+DELETE screen.

We are using machine authentication with Clearpass and the client is accepted but the user is not able to login since the computer does not have an IP-address. If we login with a local user on the computer we can see that the wifi is connected but it has the yellow triangle above the wifi icon.

I have searched but not found any solution to this. Only thing I can find is that some logs differ in the clearpass logs, see attachments. Can't find any other issues with the keywords I'm searching on. It affects both our new environment and our old.

From logs:

2017-01-11 11:56:59,007	[RequestHandler-1-0x7f7acfbdd700 h=92935534 c=R004e36d8-01-58760f7a] WARN Core.SessionInfoOperations - Skip SessionInfoOperations::persistSessionInfo because of NULL NAD or NAD IP matching localhost
2017-01-11 11:56:59,007	[RequestHandler-1-0x7f7acfbdd700 h=92935534 c=R004e36d8-01-58760f7a] ERROR Common.NadClientTable - getNadClient: Unknown NadClient X.X.X.X

2017-01-11 11:56:59,008	[RequestHandler-1-0x7f7acfbdd700 r=R004e36d8-01-58760f7a h=92935535 c=R004e36d8-01-58760f7a] INFO Core.PETaskRadiusCoAEnfProfileBuilder - getApplicableProfiles: No radius_coa enforcement profiles applicable for this device

2017-01-11 11:56:59,012	[RequestHandler-1-0x7f7acfbdd700 h=92935541 c=R004e36d8-01-58760f7a] INFO Core.XpipPolicyResHandler - populateResponseTlv: PETaskPostureOutput does not exist. Skip sending posture VAFs
2017-01-11 11:56:59,012	[RequestHandler-1-0x7f7acfbdd700 h=92935541 c=R004e36d8-01-58760f7a] INFO Core.PolicyResCollector - getSohr: Failed to generate Sohr
2017-01-11 11:56:59,012	[RequestHandler-1-0x7f7acfbdd700 h=92935540 c=R004e36d8-01-58760f7a] INFO Core.PolicyResCollector - getSohr: Failed to generate Sohr

New environment

Controller: 7210

ArubaOS: 6.5.0.2

AP: Every model

Old environment

Controller: 3200

ArubaOS: 6.3.1.9

AP: Every model

Computers are HP and running Win7 and Win10. Random computers with random models are affected and doesn't mather if it is Win7 or Win10. Can't find anything interesting in the event viewer.

DHCP server is Windows 2012 R2. No logs of the computers exists when this problem occurs.

Only solution is to restart the computer a couple of times and then it works but as you can understand it is not a very good solution. Not sure this is an Aruba problem or if it is HP or Windows but hopefully you can help me.

Attachment(s)

not_working.txt   19 KB 1 version

working.txt   18 KB 1 version

What role does the client have on the controller after Machine Authentication?

It gets the role AD-Personal-Dator, [Machine Authenticated]

This is the name it forwards to the controller and based on this it gets a network. Is it possible that the controller does not receive this?

As I said in the first post, it is not all computers that are having problems.

I have checked with a computer now and everything looks ok in Clearpass but the computer is not visible in the controller.

Hmm, why is the controller not receiving the information?

The computer is visible and connected to the AP when issuing "show user mac". 

It is not visible if I check "show user ap-name".

Attachment is of debug log of the controller when the computer connects. Seems that it understands correct role but still no IP-address.

(arubamaster) #show user mac f0:d5:bf:b7:c5:55

The phy column shows client's operational capabilities for current association

Flags: A: Active, B: Band Steerable, H: Hotspot(802.11u) client, K: 802.11K client, M: Mu beam formee, R: 802.11R client, W: WMM client, w: 802.11w client V: 802.11v BSS trans capable

PHY Details: HT   : High throughput;      20: 20MHz;  40: 40MHz; t: turbo-rates (256-QAM)
             VHT  : Very High throughput; 80: 80MHz; 160: 160MHz; 80p80: 80MHz + 80MHz
             <n>ss: <n> spatial streams

Association Table
-----------------
Name            bssid              mac                auth  assoc  aid  l-int  essid           vlan-id  tunnel-id  phy              assoc. time  num assoc  Flags  Band steer moves (T/S)
----            -----              ---                ----  -----  ---  -----  -----           -------  ---------  ---              -----------  ---------  -----  ----------------------
AP1  18:64:72:f0:5d:51  f0:d5:bf:b7:c5:55  y     y      2    250    Municipality-SSID  85       0x1019e    a-VHT-80sgi-2ss  3m:11s       1          WAB    4/4

f0:d5:bf:b7:c5:55-18:64:72:f0:5d:51 Stats
------------------------------------------
Parameter                            Value
---------                            -----
Channel                              116
Channel Frame Retry Rate(%)          8
Channel Frame Low Speed Rate(%)      0
Channel Frame Non Unicast Rate(%)    0
Channel Frame Fragmentation Rate(%)  0
Channel Frame Error Rate(%)          0
Channel Bandwidth Rate(kbps)         2116
Channel Noise                        97
Client Frame Retry Rate(%)           0
Client Frame Low Speed Rate(%)       0
Client Frame Non Unicast Rate(%)     0
Client Frame Fragmentation Rate(%)   0
Client Frame Receive Error Rate(%)   0
Client Bandwidth Rate(kbps)          0
Client Tx Packets                    1697
Client Rx Packets                    54
Client Tx Bytes                      130039
Client Rx Bytes                      16247
Client SNR                           37
A2c_SM SeqNum, Old SeqNums           18759 0

(arubamaster) #show user ap-name AP1

Users
-----
    IP              MAC            Name                                 Role                 Age(d:h:m)  Auth    VPN link  AP name         Roaming   Essid/Bssid/Phy                         Profile           Forward mode  Type     Host Name
----------     ------------       ------                                ----                 ----------  ----    --------  -------         -------   ---------------                         -------           ------------  ----     ---------
172.21.28.139  ac:7b:a1:a2:b3:09  host/COMPUTER321.municipality.intra  AD-Personal-Dator    02:06:44    802.1x            Municipality-SSID  Wireless  Municipality-Kommun/18:64:72:f0:5d:51/a-HT   Municipality-Personal  tunnel        Win 7    ALM-ADM-KLF0004
172.21.31.146  6c:fa:a7:13:44:2b                                        Municipality-PSK          24:00:41                      Municipality-SSID  Wireless  ah-adm/18:64:72:f0:5d:40/g-HT           Municipality-PSK       tunnel        Android
172.21.27.146  34:12:98:cf:81:9d                                        Municipality-PSK          00:00:20                      Municipality-SSID  Wireless  ah-adm/18:64:72:f0:5d:50/a-VHT          Municipality-PSK       tunnel
172.21.29.34   c4:b3:01:59:dc:d2                                        Municipality-PSK          00:00:24                      Municipality-SSID  Wireless  ah-adm/18:64:72:f0:5d:50/a-HT           Municipality-PSK       tunnel        iPhone
172.21.27.51   d0:25:98:6e:95:d5  almpersipad                           ALM-PERS-IPAD        00:02:42    802.1x            Municipality-SSID  Wireless  Municipality-Kommun/18:64:72:f0:5d:51/a-VHT  Municipality-Personal  tunnel        iPhone
172.22.21.7    f4:f9:51:be:72:73  f4f951be7273                          Guest-Device-ADMMOB  24:00:57    MAC               Municipality-SSID  Wireless  Municipality-Guest/18:64:72:f0:5d:52/a-HT    Municipality-Guest     tunnel        AppleTV  festlund-4
172.23.0.18    b8:8a:60:87:6d:15  host/COMPUTER322.municipality.intra  AD-IT-Enheten        00:03:31    802.1x            Municipality-SSID  Wireless  Municipality-Kommun/18:64:72:f0:5d:51/a-VHT  Municipality-Personal  tunnel        Win 10
172.22.17.7    44:2c:05:01:70:5e  442c0501705e                          Guest-Device-ADMMOB  08:06:23    MAC               Municipality-SSID  Wireless  Municipality-Guest/18:64:72:f0:5d:52/a-HT    Municipality-Guest     tunnel        Linux
172.21.26.17   c8:1e:e7:ba:89:7c                                        Municipality-PSK          00:08:04                      Municipality-SSID  Wireless  ah-adm/18:64:72:f0:5d:50/a-VHT          Municipality-PSK       tunnel        iPhone

User Entries: 9/9
 Curr/**bleep** Alloc:1423/688197 Free:279/686774 Dyn:1702 AllocErr:0 FreeErr:0

Attachment(s)

controller_debug_log.txt   11 KB 1 version

Hi

Had a similar issue, if you have ticked the "Enforce DHCP" in the AAA profile, there was a bug in the system, falsely stopping users from getting an IP address for whatever reason.

This bug is fixed, i'm just not sure what patch on the 6.5 that is.

By looking up the host in the controller Dashboard, you can see that client and it's role, even if you can't see it under Monitoring->Clients.

This should at least clear up if it has the correct role or not.

The log you included also states that the role is changed at some point, giving it the one you mentioned.

Roar Fossen

Thanks for your reply. I have checked my AAA configuration but I'm not using "Enforce DHCP".

I have started a wireshark capture on a computer and it is sending ARP requests to the gateway in the network it is given but the gateway is not responding. Could the controller block the ARP traffic? Network is a /24.

Broadcast             ARP           Who has 172.21.29.1? Tell 169.254.172.141

I have also noticed that the mDNS process is taking 100% CPU in the controller. Could this be the issue?

 PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
 4712 root      20   0  144m  49m 9920 R  100  1.0  59903:08 mdns

What role does the device have in the user table?  Type "show rights (role)"

As I said before, it is not every computer in this role that has this problem.

show rights AD-Personal-Dator

Valid = 'Yes'
CleanedUp = 'No'
Derived Role = 'AD-Personal-Dator'
 Up BW:No Limit   Down BW:No Limit
 L2TP Pool = default-l2tp-pool
 PPTP Pool = default-pptp-pool
 Number of users referencing it = 496
 Periodic reauthentication: Disabled
 DPI Classification: Enabled
 Youtube education: Disabled
 Web Content Classification: Enabled
 IP-Classification Enforcement: Enabled
 ACL Number = 92/0
 Max Sessions = 65535

 Check CP Profile for Accounting = TRUE

Application Exception List
--------------------------
Name  Type
----  ----

Application BW-Contract List
----------------------------
Name  Type  BW Contract  Id  Direction
----  ----  -----------  --  ---------

access-list List
----------------
Position  Name                          Type     Location
--------  ----                          ----     --------
1         global-sacl                   session
2         apprf-AD-Personal-Dator-sacl  session
3         allowall                      session

global-sacl
-----------
Priority  Source  Destination  Service  Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
--------  ------  -----------  -------  -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
apprf-AD-Personal-Dator-sacl
----------------------------
Priority  Source  Destination  Service  Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
--------  ------  -----------  -------  -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
allowall
--------
Priority  Source  Destination  Service  Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
--------  ------  -----------  -------  -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
1         any     any          any                   permit                           Low                                                           4
2         any     any          any-v6                permit                           Low                                                           6

Expired Policies (due to time constraints) = 0

I would type "show audit-trail" on the controller to see if there were any changes made in the timeframe when problems started happening; or you can open a TAC case.  There are simply too many reasons why this would happen and a TAC case would be the best way to obtain your tech-support and narrow down the issue.