Occasional Contributor I
Posts: 6
Registered: ‎01-11-2017

Problem with getting IP on the CTRL+ALT+DELETE screen

Hi everyone,

I'm working in a municipality with the wireless network. A few weeks ago we started having some issues with computers not being able to retrieve an IP address from our DHCP server at the CTRL+ALT+DELETE screen.

We are using machine authentication with ClearPass and the client is accepted, but the user is not able to log in since the computer does not have an IP address. If we log in with a local user on the computer we can see that the wifi is connected but it has the yellow triangle above the wifi icon.

I have searched but not found any solution to this. The only thing I can find is that some logs differ in the ClearPass logs, see attachments. I can't find any other issues with the keywords I'm searching on. It affects both our new environment and our old.

From logs:

2017-01-11 11:56:59,007	[RequestHandler-1-0x7f7acfbdd700 h=92935534 c=R004e36d8-01-58760f7a] WARN Core.SessionInfoOperations - Skip SessionInfoOperations::persistSessionInfo because of NULL NAD or NAD IP matching localhost
2017-01-11 11:56:59,007	[RequestHandler-1-0x7f7acfbdd700 h=92935534 c=R004e36d8-01-58760f7a] ERROR Common.NadClientTable - getNadClient: Unknown NadClient X.X.X.X
2017-01-11 11:56:59,008	[RequestHandler-1-0x7f7acfbdd700 r=R004e36d8-01-58760f7a h=92935535 c=R004e36d8-01-58760f7a] INFO Core.PETaskRadiusCoAEnfProfileBuilder - getApplicableProfiles: No radius_coa enforcement profiles applicable for this device
2017-01-11 11:56:59,012	[RequestHandler-1-0x7f7acfbdd700 h=92935541 c=R004e36d8-01-58760f7a] INFO Core.XpipPolicyResHandler - populateResponseTlv: PETaskPostureOutput does not exist. Skip sending posture VAFs
2017-01-11 11:56:59,012	[RequestHandler-1-0x7f7acfbdd700 h=92935541 c=R004e36d8-01-58760f7a] INFO Core.PolicyResCollector - getSohr: Failed to generate Sohr
2017-01-11 11:56:59,012	[RequestHandler-1-0x7f7acfbdd700 h=92935540 c=R004e36d8-01-58760f7a] INFO Core.PolicyResCollector - getSohr: Failed to generate Sohr

 

New environment

Controller: 7210

ArubaOS: 6.5.0.2

AP: Every model

Old environment

Controller: 3200

ArubaOS: 6.3.1.9

AP: Every model

Computers are HP and running Win7 and Win10. Random computers of random models are affected, and it doesn't matter if it is Win7 or Win10. I can't find anything interesting in the event viewer.

DHCP server is Windows 2012 R2. No logs for the computers exist when this problem occurs.

The only solution is to restart the computer a couple of times and then it works, but as you can understand it is not a very good solution. I'm not sure if this is an Aruba problem or if it is HP or Windows, but hopefully you can help me.

Guru Elite
Posts: 8,641
Registered: ‎09-08-2010

Re: Problem with getting IP on the CTRL+ALT+DELETE screen

What role does the client have on the controller after Machine Authentication?


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor I
Posts: 6
Registered: ‎01-11-2017

Re: Problem with getting IP on the CTRL+ALT+DELETE screen

It gets the role AD-Personal-Dator, [Machine Authenticated]

This is the name it forwards to the controller and based on this it gets a network. Is it possible that the controller does not receive this?

As I said in the first post, it is not all computers that are having problems.

Guru Elite
Posts: 8,641
Registered: ‎09-08-2010

Re: Problem with getting IP on the CTRL+ALT+DELETE screen

Did you verify the user-table on the controller? TIPS role in ClearPass != role on the controller.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor I
Posts: 6
Registered: ‎01-11-2017

Re: Problem with getting IP on the CTRL+ALT+DELETE screen

I have checked with a computer now and everything looks OK in ClearPass, but the computer is not visible in the controller.

Hmm, why is the controller not receiving the information?

Occasional Contributor I
Posts: 6
Registered: ‎01-11-2017

Re: Problem with getting IP on the CTRL+ALT+DELETE screen


The computer is visible and connected to the AP when issuing "show user mac".

It is not visible if I check "show user ap-name".

Attachment is a debug log from the controller when the computer connects. It seems that it understands the correct role but there is still no IP address.

(arubamaster) #show user mac f0:d5:bf:b7:c5:55

The phy column shows client's operational capabilities for current association

Flags: A: Active, B: Band Steerable, H: Hotspot(802.11u) client, K: 802.11K client, M: Mu beam formee, R: 802.11R client, W: WMM client, w: 802.11w client V: 802.11v BSS trans capable

PHY Details: HT   : High throughput;      20: 20MHz;  40: 40MHz; t: turbo-rates (256-QAM)
             VHT  : Very High throughput; 80: 80MHz; 160: 160MHz; 80p80: 80MHz + 80MHz
             <n>ss: <n> spatial streams

Association Table
-----------------
Name            bssid              mac                auth  assoc  aid  l-int  essid           vlan-id  tunnel-id  phy              assoc. time  num assoc  Flags  Band steer moves (T/S)
----            -----              ---                ----  -----  ---  -----  -----           -------  ---------  ---              -----------  ---------  -----  ----------------------
AP1  18:64:72:f0:5d:51  f0:d5:bf:b7:c5:55  y     y      2    250    Municipality-SSID  85       0x1019e    a-VHT-80sgi-2ss  3m:11s       1          WAB    4/4

f0:d5:bf:b7:c5:55-18:64:72:f0:5d:51 Stats
------------------------------------------
Parameter                            Value
---------                            -----
Channel                              116
Channel Frame Retry Rate(%)          8
Channel Frame Low Speed Rate(%)      0
Channel Frame Non Unicast Rate(%)    0
Channel Frame Fragmentation Rate(%)  0
Channel Frame Error Rate(%)          0
Channel Bandwidth Rate(kbps)         2116
Channel Noise                        97
Client Frame Retry Rate(%)           0
Client Frame Low Speed Rate(%)       0
Client Frame Non Unicast Rate(%)     0
Client Frame Fragmentation Rate(%)   0
Client Frame Receive Error Rate(%)   0
Client Bandwidth Rate(kbps)          0
Client Tx Packets                    1697
Client Rx Packets                    54
Client Tx Bytes                      130039
Client Rx Bytes                      16247
Client SNR                           37
A2c_SM SeqNum, Old SeqNums           18759 0

(arubamaster) #show user ap-name AP1

Users
-----
    IP              MAC            Name                                 Role                 Age(d:h:m)  Auth    VPN link  AP name         Roaming   Essid/Bssid/Phy                         Profile           Forward mode  Type     Host Name
----------     ------------       ------                                ----                 ----------  ----    --------  -------         -------   ---------------                         -------           ------------  ----     ---------
172.21.28.139  ac:7b:a1:a2:b3:09  host/COMPUTER321.municipality.intra  AD-Personal-Dator    02:06:44    802.1x            Municipality-SSID  Wireless  Municipality-Kommun/18:64:72:f0:5d:51/a-HT   Municipality-Personal  tunnel        Win 7    ALM-ADM-KLF0004
172.21.31.146  6c:fa:a7:13:44:2b                                        Municipality-PSK          24:00:41                      Municipality-SSID  Wireless  ah-adm/18:64:72:f0:5d:40/g-HT           Municipality-PSK       tunnel        Android
172.21.27.146  34:12:98:cf:81:9d                                        Municipality-PSK          00:00:20                      Municipality-SSID  Wireless  ah-adm/18:64:72:f0:5d:50/a-VHT          Municipality-PSK       tunnel
172.21.29.34   c4:b3:01:59:dc:d2                                        Municipality-PSK          00:00:24                      Municipality-SSID  Wireless  ah-adm/18:64:72:f0:5d:50/a-HT           Municipality-PSK       tunnel        iPhone
172.21.27.51   d0:25:98:6e:95:d5  almpersipad                           ALM-PERS-IPAD        00:02:42    802.1x            Municipality-SSID  Wireless  Municipality-Kommun/18:64:72:f0:5d:51/a-VHT  Municipality-Personal  tunnel        iPhone
172.22.21.7    f4:f9:51:be:72:73  f4f951be7273                          Guest-Device-ADMMOB  24:00:57    MAC               Municipality-SSID  Wireless  Municipality-Guest/18:64:72:f0:5d:52/a-HT    Municipality-Guest     tunnel        AppleTV  festlund-4
172.23.0.18    b8:8a:60:87:6d:15  host/COMPUTER322.municipality.intra  AD-IT-Enheten        00:03:31    802.1x            Municipality-SSID  Wireless  Municipality-Kommun/18:64:72:f0:5d:51/a-VHT  Municipality-Personal  tunnel        Win 10
172.22.17.7    44:2c:05:01:70:5e  442c0501705e                          Guest-Device-ADMMOB  08:06:23    MAC               Municipality-SSID  Wireless  Municipality-Guest/18:64:72:f0:5d:52/a-HT    Municipality-Guest     tunnel        Linux
172.21.26.17   c8:1e:e7:ba:89:7c                                        Municipality-PSK          00:08:04                      Municipality-SSID  Wireless  ah-adm/18:64:72:f0:5d:50/a-VHT          Municipality-PSK       tunnel        iPhone

User Entries: 9/9
 Curr/Cum Alloc:1423/688197 Free:279/686774 Dyn:1702 AllocErr:0 FreeErr:0
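
Added example, not part of the original thread or any poster's code: the manual comparison described in the post above (client present in the Association Table but missing from the Users table) automated over saved CLI output. The sample tables are constructed and abridged from the layout posted above; the function names are hypothetical.

```python
import re

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
# Association Table row: AP name, BSSID, client MAC, auth flag, assoc flag
ASSOC_ROW = re.compile(rf"^(\S+)\s+({MAC})\s+({MAC})\s+([yn])\s+([yn])\s", re.I)
# Users table row: IPv4 address, then client MAC
USER_ROW = re.compile(rf"^\s*(\d{{1,3}}(?:\.\d{{1,3}}){{3}})\s+({MAC})\s", re.I)

# Constructed, abridged samples in the layout of the output posted above
ASSOC_SAMPLE = """\
Name  bssid              mac                auth  assoc  aid  l-int  essid
----  -----              ---                ----  -----  ---  -----  -----
AP1   18:64:72:f0:5d:51  f0:d5:bf:b7:c5:55  y     y      2    250    Municipality-SSID
AP1   18:64:72:f0:5d:51  ac:7b:a1:a2:b3:09  y     y      3    250    Municipality-SSID
"""
USER_SAMPLE = """\
    IP              MAC            Name                                 Role
----------     ------------       ------                                ----
172.21.28.139  ac:7b:a1:a2:b3:09  host/COMPUTER321.municipality.intra  AD-Personal-Dator
172.21.31.146  6c:fa:a7:13:44:2b                                        Municipality-PSK
"""

def associated_clients(text):
    """Map client MAC -> AP name for rows whose auth and assoc flags are both 'y'."""
    found = {}
    for line in text.splitlines():
        m = ASSOC_ROW.match(line)
        if m and m.group(4).lower() == m.group(5).lower() == "y":
            found[m.group(3).lower()] = m.group(1)
    return found

def user_entries(text):
    """Map client MAC -> IP address for rows of the Users table."""
    found = {}
    for line in text.splitlines():
        m = USER_ROW.match(line)
        if m:
            found[m.group(2).lower()] = m.group(1)
    return found

def stations_without_ip(assoc_text, user_text):
    """Clients that hold an 802.11 association but have no IP entry in the user table."""
    users = user_entries(user_text)
    return sorted(mac for mac in associated_clients(assoc_text) if mac not in users)

if __name__ == "__main__":
    for mac in stations_without_ip(ASSOC_SAMPLE, USER_SAMPLE):
        print(f"{mac}: associated but absent from the user table")
```
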
Frequent Contributor II
Posts: 109
Registered: ‎11-11-2008

Re: Problem with getting IP on the CTRL+ALT+DELETE screen

Hi

Had a similar issue. If you have ticked "Enforce DHCP" in the AAA profile, there was a bug in the system, falsely stopping users from getting an IP address for whatever reason.

This bug is fixed, I'm just not sure what patch on the 6.5 that is.

By looking up the host in the controller Dashboard, you can see that client and its role, even if you can't see it under Monitoring->Clients.

This should at least clear up if it has the correct role or not.

The log you included also states that the role is changed at some point, giving it the one you mentioned.

Roar Fossen

Occasional Contributor I
Posts: 6
Registered: ‎01-11-2017

Re: Problem with getting IP on the CTRL+ALT+DELETE screen

Thanks for your reply. I have checked my AAA configuration but I'm not using "Enforce DHCP".

I have started a Wireshark capture on a computer and it is sending ARP requests to the gateway in the network it is given, but the gateway is not responding. Could the controller block the ARP traffic? Network is a /24.

Broadcast             ARP           Who has 172.21.29.1? Tell 169.254.172.141

I have also noticed that the mDNS process is taking 100% CPU in the controller. Could this be the issue?

 PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
 4712 root      20   0  144m  49m 9920 R  100  1.0  59903:08 mdns

Guru Elite
Posts: 21,280
Registered: ‎03-29-2007

Re: Problem with getting IP on the CTRL+ALT+DELETE screen

What role does the device have in the user table?  Type "show rights (role)"



Colin Joseph
Aruba Customer Engineering
