Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Vlans are associated to SSIDs, however, all but Guest VLAN get IP assigned from one VLAN.

  • 1.  Vlans are associated to SSIDs, however, all but Guest VLAN get IP assigned from one VLAN.

    Posted Apr 04, 2016 05:29 PM

    As stated above, all of our Vlans are associated to single SSIDs, however, all but Guest VLAN get IP assigned from one VLAN.
    Corporate Vlan 55  = 192.168.55.0/24    CorpLAN
    Corp Guest Vlan 56 = 192.168.56.0/24    GuestLAN
    IT Vlan 57         = 192.168.57.0/24    ITLAN

    If I connect to CorpLAN or ITLAN I am assigned an IP from 192.168.55.0
    If I connect to GuestLAN I am assigned an IP from 192.168.56.0

    GuestLAN uses PreSharedKey for 802.1x Authentication
    CorpLAN uses WPA2 eap-peap,eap-mschapv2, for 802.1x Authentication (Via Radius Server)
    ITLAN uses WPA2 eap-peap,eap-mschapv2, for 802.1x Authentication (Via Internal DB)

    Any ideas what I am doing wrong?

  • 2.  RE: Vlans are associated to SSIDs, however, all but Guest VLAN get IP assigned from one VLAN.
    Best Answer

    EMPLOYEE
    Posted Apr 04, 2016 05:34 PM

    Make sure that the Role that your user gets when he connects to the IT WLAN does not have a VLAN hardcoded. To find out why a user got the VLAN, use:

    show user-table ip <ip address of user>

    (Aruba7005-US) #   show user-table ip 192.168.1.236
    
    
    Name: employee-mac, IP: 192.168.1.236, MAC: b8:c8:56:38:9d:be, Age: 00:00:37
    Role: authenticated-vsa (how: ROLE_DERIVATION_DOT1X_VSA), ACL: 68/0
    Authentication: Yes, status: successful, method: 802.1x, protocol: EAP-PEAP, server: CPPM
    Authentication Servers: dot1x authserver: CPPM, mac authserver: 
    Bandwidth = No Limit
    Bandwidth = No Limit
    Role Derivation: ROLE_DERIVATION_DOT1X_VSA
    VLAN Derivation: Default VLAN
    Idle timeout (global): 300 seconds, Age: 00:00:00
    Mobility state: Wireless, HA: Yes, Proxy ARP: No, Roaming: No Tunnel ID: 0 L3 Mob: 0
    Flags: internal=0, trusted_ap=0, l3auth=0, mba=0, vpnflags=0, u_stm_ageout=1
    Flags: innerip=0, outerip=0, vpn_outer_ind:0, download=1, wispr=0
    IP User termcause: 0
    phy_type: a-VHT-80, l3 reauth: 0, BW Contract: up:0 down:0, user-how: 14
    Vlan default: 1, Assigned: 1, Current: 1 vlan-how: 1 DP assigned vlan:0 
    Mobility Messages: L2=0, Move=0, Inter=0, Intra=0, Flags=0x0
    SlotPort=0x2100, Port=0x1001d (tunnel 29)
    Essid: ACME-TLS, Bssid: 9c:1c:12:90:5d:92 AP name/group: Office-225/default Phy-type: a-VHT-80 Forward Mode: tunnel
    RadAcct sessionID:n/a
    RadAcct Traffic In 74085/20866998 Out 124929/100439424 (1:8549/0:0:318:26550,1:59393/0:0:1532:38272)
    Timers: L3 reauth 0, mac reauth 0 (Reason: ), dot1x reauth 0 (Reason: )
    Profiles AAA:ACME-TLS-aaa_prof, dot1x:dot1x_prof-skn93, mac: CP:n/a def-role:'logon' sip-role:'' via-auth-profile:''
    ncfg flags udr 0, mac 0, dot1x 1, RADIUS interim accounting 0
    IP Born: 1459803277 (Mon Apr  4 15:54:37 2016)
    Core User Born: 1459803277 (Mon Apr  4 15:54:37 2016)
    Upstream AP ID: 0, Downstream AP ID: 0
    User Agent String: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.87 Safari/537.36
    HTTP based device-id info - Index: 5, Device: OS X
    MAC based device-id info - Index = 197, OUI = B8E856 Group = Apple
    Overall device-id info - Index: 13, Device: OS X
    Max IPv4 users: 2
    L3-Auth Session Timeout from Radius: 0
    Mac-Auth Session Timeout Value from Radius: 0
    Dot1x Session Timeout Value from Radius: 0
    CoA Session Timeout Value from Radius: 0
    Dot1x Session Term-Action Value from Radius: Default
    Reauth-interval from role: 0
    Number of reauthentication attempts: mac reauth 0, dot1x reauth 0
    mac auth server: N/A, dot1x auth server: CPPM
    Address is from DHCP: yes
    Per-user-log pointer 0x122910c (id 539), num logs 56
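
To repeat the check from the reply above across many clients, the following added example (not part of the thread and not Aruba code) parses the Role, VLAN Derivation, Vlan and Essid lines of a `show user-table ip` entry and flags clients whose current VLAN differs from the one intended for their SSID. The SSID-to-VLAN map comes from the question; the function names and the sample entry are constructed for illustration.

```python
import re

# SSID -> intended VLAN, taken from the question in this thread.
EXPECTED_VLAN = {"CorpLAN": 55, "GuestLAN": 56, "ITLAN": 57}

# Patterns follow the field layout of the `show user-table ip` output above.
FIELDS = {
    "role": re.compile(r"^Role: (\S+) \(how: (\S+?)\)"),
    "vlan_derivation": re.compile(r"^VLAN Derivation: (.+?)\s*$"),
    "vlans": re.compile(r"^Vlan default: (\d+), Assigned: (\d+), Current: (\d+)"),
    "essid": re.compile(r"^Essid: (.+?), Bssid:"),
}

def parse_user_entry(text):
    """Extract role, VLAN and ESSID fields (as tuples) from one user-table entry."""
    entry = {}
    for line in text.splitlines():
        for name, pattern in FIELDS.items():
            m = pattern.match(line.strip())
            if m:
                entry[name] = m.groups()
    return entry

def check_vlan(entry, expected=EXPECTED_VLAN):
    """Return findings; an empty list means the client is in the intended VLAN."""
    if "essid" not in entry or "vlans" not in entry:
        return ["incomplete entry: Essid or Vlan line missing"]
    essid = entry["essid"][0]
    default, assigned, current = (int(v) for v in entry["vlans"])
    want = expected.get(essid)
    if want is None:
        return [f"no expected VLAN recorded for ESSID {essid}"]
    if current == want:
        return []
    role, how = entry.get("role", ("?", "?"))
    why = entry.get("vlan_derivation", ("?",))[0]
    return [f"{essid}: current VLAN {current}, expected {want} "
            f"(default {default}, assigned {assigned}, VLAN derivation: {why}); "
            f"check role {role} ({how}) for a hardcoded VLAN"]

# Constructed sample (not real output): an ITLAN client that landed in VLAN 55.
SAMPLE = """\
Role: authenticated-vsa (how: ROLE_DERIVATION_DOT1X_VSA), ACL: 68/0
VLAN Derivation: CONSTRUCTED-PLACEHOLDER
Vlan default: 57, Assigned: 55, Current: 55 vlan-how: 1 DP assigned vlan:0
Essid: ITLAN, Bssid: 00:00:5e:00:53:01 AP name/group: ap-1/default Forward Mode: tunnel
"""

if __name__ == "__main__":
    print("\n".join(check_vlan(parse_user_entry(SAMPLE))))
```
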