Contributor I

Weirdness with mobile handsets

I've got a guest network that I connect my handset (Droid Bionic) to via MAC authentication. This has happened with other handsets, iPod Touches and iPads. I've even seen it happen with Windows machines (although these authenticate through the captive portal rather than MAC auth). Sometimes clients work great, sometimes not. When not, I'll see e.g. my Droid try to associate with the guest network, get to 'obtaining IP address'; then it fails and tries again. This will continue until I do the following:

I log into the controller (6000) and do a

(6000-2) #show user

Users
-----
IP MAC Name Role Age(d:h:m) Auth VPN link AP name Roaming Essid/Bssid/Phy Profile
---------- ------------ ------ ---- ---------- ---- -------- ------- ------- --------------- -------
10.167.224.208 98:4b:4a:53:d2:3a 98:4b:4a:53:d2:3a natickssc-open-guest-role 00:00:05 MAC 1.1.10 Associated NatickSSC-Guest/00:0b:86:ac:87:90/g natickssc-guest-aaa-profile
172.16.1.31 44:2a:60:a3:62:e7 44:2a:60:a3:62:e7 natickssc-open-guest-role 00:01:06 MAC 1.1.10 Associated NatickSSC-Guest/00:0b:86:ac:87:90/g natickssc-guest-aaa-profile
172.16.1.66 98:4b:4a:53:d2:3a 98:4b:4a:53:d2:3a natickssc-open-guest-role 00:00:06 MAC 1.1.10 Associated NatickSSC-Guest/00:0b:86:ac:87:90/g natickssc-guest-aaa-profile
172.16.1.124 18:e7:f4:19:31:aa 18:e7:f4:19:31:aa natickssc-open-guest-role 00:01:57 MAC 1.1.10 Associated NatickSSC-Guest/00:0b:86:ac:87:90/g natickssc-guest-aaa-profile
172.16.1.182 00:26:ba:43:28:d0 00:26:ba:43:28:d0 natickssc-open-guest-role 00:01:57 MAC 1.1.10 Associated NatickSSC-Guest/00:0b:86:ac:87:90/g natickssc-guest-aaa-profile

User Entries: 5/5

(6000-2) #


You can see there are two entries for 98:4b:4a:53:d2:3a. One has a valid address (172.16), whereas the other, while a valid private IP (10.167), is not in an IP range we use.

If I do a
(6000-2) #aaa user delete mac 98:4b:4a:53:d2:3a
2 users deleted

(6000-2) #


Now my phone will connect correctly again. I'm not sure what's causing the second entry to show up. It may be occurring when my handset swaps from one AP to another.

Is there a way to make the user database allow only ONE entry per MAC?
Guru Elite

Re: Weirdness with mobile handsets

That most likely is the Verizon WAN address of that phone. You can deal with this issue by using the special validuser acl.

ip access-list session validuser any any any permit

"This firewall rule controls which users will be added to the user- table of the controller through untrusted interfaces. Only IP addresses permitted by this ACL will be admitted to the system for further processing. If a client device attempts to use an IP address that is denied by this rule, the client device will be ignored by the controller and given no network access. You can use this rule to restrict foreign IP addresses from being added to the user-table. This policy should not be applied to any user role, it is an internal system policy."

If you only want your users to get IP addresses from 172.16.x.x, you configure the validuser ACL like this:

config t
ip access-list session validuser
any network 172.16.0.0 255.255.0.0 any permit
any any any deny


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Contributor I

Re: Weirdness with mobile handsets

Thanks for the quick reply! I currently have an access-list on this network. Most of them look like this:



So the guest network is NAT'd.

So would this be a new access-list I'd apply to the guest role? Would it come before or after my current access-list? Should the validuser access-list be NAT'd as well?

E.g.
config t
ip access-list session validuser
any network 172.16.0.0 255.255.0.0 any pool nat-guest-pool
any any any deny


Thanks again!
Guru Elite

Re: Weirdness with mobile handsets

The validuser ACL is a special ACL that just needs to be configured to allow only the IP addresses you want clients to be able to obtain. Do not NAT or do anything else or apply it to a role. Just permit only the subnets you want to be assigned to users. If you have guests in a different subnet, you also have to add a line permitting traffic to those subnets, as well. For example, if you have regular users in 172.16.x.x and guests in 192.168.1.x, you would do this:

config t
ip access-list session validuser
any network 172.16.0.0 255.255.0.0 any permit
any network 192.168.1.0 255.255.255.0 any permit
any any any deny


This ONLY exists so that only clients that have IP addresses in 172.16.x.x and in 192.168.1.x will enter the user table. No more, no less.


Colin Joseph
Aruba Customer Engineering

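As an added illustration (not Aruba's code and not from anyone in this thread), the following Python applies the validuser ACL from Colin's two replies to rows shaped like the original "show user" output: rules are evaluated first match wins, and only entries whose IP falls inside a permitted subnet reach the user table, so the stray 10.167.x.x entry for the phone's MAC is rejected while the legacy "any any any permit" default admits both entries. The rows, the extra 169.254 entry and the helper names are constructed for the example.

```python
import ipaddress
import re

# Constructed sample in the shape of the thread's "show user" rows, trimmed
# to the columns the check needs (IP, MAC, role). The 169.254 row is added
# to show an address outside every permitted subnet.
SHOW_USER = """\
10.167.224.208 98:4b:4a:53:d2:3a natickssc-open-guest-role
172.16.1.31    44:2a:60:a3:62:e7 natickssc-open-guest-role
172.16.1.66    98:4b:4a:53:d2:3a natickssc-open-guest-role
169.254.17.9   00:11:22:33:44:55 natickssc-open-guest-role
"""

# Legacy default quoted in the thread ("any any any permit"): admits everything.
PERMIT_ALL_ACL = [("permit", ipaddress.ip_network("0.0.0.0/0"))]

# validuser ACL as configured in the replies: first match wins, trailing deny.
VALIDUSER_ACL = [
    ("permit", ipaddress.ip_network("172.16.0.0/16")),
    ("permit", ipaddress.ip_network("192.168.1.0/24")),
    ("deny", ipaddress.ip_network("0.0.0.0/0")),
]

ROW = re.compile(r"^(\S+)\s+([0-9a-f:]{17})\s+(\S+)")

def parse_show_user(text):
    # Yield (ip, mac, role) for each data row; header/blank lines are skipped.
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            yield m.group(1), m.group(2).lower(), m.group(3)

def validuser_action(ip, acl=VALIDUSER_ACL):
    # First-match evaluation of a client IP against the session ACL.
    addr = ipaddress.ip_address(ip)
    for action, net in acl:
        if addr in net:
            return action
    return "deny"  # implicit deny when no rule matches

def audit_user_table(text, acl=VALIDUSER_ACL):
    # Returns ({mac: [admitted ips]}, [(ip, mac) the ACL would reject]).
    admitted, rejected = {}, []
    for ip, mac, _role in parse_show_user(text):
        if validuser_action(ip, acl) == "permit":
            admitted.setdefault(mac, []).append(ip)
        else:
            rejected.append((ip, mac))
    return admitted, rejected

def duplicate_macs(admitted):
    # MACs that would still hold more than one user-table entry.
    return sorted(mac for mac, ips in admitted.items() if len(ips) > 1)
```

Running `audit_user_table(SHOW_USER)` shows the phone's MAC left with its single 172.16 entry; the same rows under `PERMIT_ALL_ACL` reproduce the two-entry situation from the original post.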

Contributor I

Re: Weirdness with mobile handsets

Sweet! Makes sense! Thanks a ton. I put in my valid networks. I'll keep an eye on it, and see if it fixes the oddness.

MVP

Re: Weirdness with mobile handsets



Any chance you could explain how the controller actually gets a whiff of the phone's '3G' IP address? Surely a phone (or whatever device) doesn't bridge between the two interfaces?
Koen (ACMX #351 | ACDX #547 | ACCP)

Guru Elite

Re: Weirdness with mobile handsets

It surely does bridge. You will see the same thing if you have VMware installed on a laptop.


Colin Joseph
Aruba Customer Engineering


Frequent Contributor I

Re: Weirdness with mobile handsets

More on the topic of the validuser ACL: I notice it is not just a permit-all in 6.x anymore.


1 any any svc-sec-papi permit
2 169.254.0.0 255.255.0.0 any any deny


So now it's blocking 169.254.0.0/16 by default.

Also, I notice this rule has the source IP defined; previous rules in this thread were using the destination to define networks?

The first line is interesting. I guess it's to permit devices that talk like a RAP regardless of their IP.... Could be an interesting use for this ACL, i.e. deny clients that were serving DHCP/DNS etc. Would that work?
Is the validuser ACL constantly being processed for users/devices not assigned a role?
So once they are in a role it no longer applies?

Is there more documentation for the validuser acl outside of the userguide?
Contributor I

Re: Weirdness with mobile handsets

I am running 3.4 here. It doesn't seem to allow me to configure it in the local controller.

Guru Elite

Re: Weirdness with mobile handsets

It is global so you can only configure it on the master.


Colin Joseph
Aruba Customer Engineering
