Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

captive portal with split-tunneling involving RAP AP's

  • 1.  captive portal with split-tunneling involving RAP AP's

    Posted Sep 12, 2013 12:26 PM

    I've got a problem with Captive Portal.  High-level config:  a captive portal with split-tunneling involving RAP AP's.  It drops the user in a VLAN that has src-nat enabled. Inter-vlan routing enabled too.  It's using the out-of-the-box logon-control rule set for the guest-logon user role.  Here's the problem:    I can't seem to get an IP address which is being served out by the controller. 

     

    Another observation is the parameter, ip cp-redirect address has a value different from the vlan where captive portal users are assigned.  Could this be the problem?



  • 2.  RE: captive portal with split-tunneling involving RAP AP's

    Posted Sep 12, 2013 12:56 PM

    Couple of things to confirm.

     

    1. The VLAN the user is dropped into is defined on the controller
    2. The controller has an IP on that VLAN
    3. DHCP is enabled
    4. The user is put into a role where traffic is "permitted"; the default logon-control and captiveportal should suffice.

    To confirm policies for that role, run the following for the "Initial Role" of that AAA profile:

     

    show rights <name of role>



  • 3.  RE: captive portal with split-tunneling involving RAP AP's

    Posted Sep 12, 2013 02:24 PM

    Hello,

     

    1.  VLAN is configured on controller  (VID 11)

    2.  IP is assigned to this VLAN,  192.168.20.1/24

    3. DHCP is enabled

    4. 

     

    (USPHXNRFW101) #show rights CUST_guest-logon_init_role

    Derived Role = 'CUST_guest-logon_init_role'
     Up BW:No Limit   Down BW:No Limit  
     L2TP Pool = default-l2tp-pool
     PPTP Pool = default-pptp-pool
     Periodic reauthentication: Disabled
     ACL Number = 65/0
     Max Sessions = 65535

     Captive Portal profile = Cust_GuestAccess_RAP

    access-list List
    ----------------
    Position  Name           Type     Location
    --------  ----           ----     --------
    1         logon-control  session  
    2         captiveportal  session  

    logon-control
    -------------
    Priority  Source  Destination  Service   Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
    --------  ------  -----------  -------   ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
    1         user    any          udp 68    deny                             Low                                                           4
    2         any     any          svc-icmp  permit                           Low                                                           4
    3         any     any          svc-dns   permit                           Low                                                           4
    4         any     any          svc-dhcp  permit                           Low                                                           4
    5         any     any          svc-natt  permit                           Low                                                           4
    captiveportal
    -------------
    Priority  Source  Destination  Service          Action        TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
    --------  ------  -----------  -------          ------        ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
    1         user    controller   svc-https        dst-nat 8081                           Low                                                           4
    2         user    any          svc-http         dst-nat 8080                           Low                                                           4
    3         user    any          svc-https        dst-nat 8081                           Low                                                           4
    4         user    any          svc-http-proxy1  dst-nat 8088                           Low                                                           4
    5         user    any          svc-http-proxy2  dst-nat 8088                           Low                                                           4
    6         user    any          svc-http-proxy3  dst-nat 8088                           Low                                                           4

    other observations that may help...

    I changed to tunnel mode instead of split-tunneling.  I got an IP address in the range specified for the vlan assigned for this captive portal.  I successfully got redirected to the cp splash page, authenticated.  Although I could not browse the Internet, probably need to open more rules, and/or create rules at the upstream firewall, CP is working. I just can't get this DHCP to work.
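
Post 2 lists four things to confirm and post 3 answers the fourth with the full `show rights` output, read by eye. The script below is an added example, not code from this thread or from HPE Aruba Networking: it parses that quoted output into the role's ACL order and each ACL's rules, then walks them first-match-wins (as ArubaOS session ACLs are evaluated) to report which rule decides a client's DHCP request. The trimmed sample text, the `DHCP_SERVICES` set and the function names are assumptions built from the output shown above.

```python
import re

# Constructed sample: the 'show rights' output quoted in this thread, with the
# leading indentation and the unused trailing columns trimmed. The parser only
# needs the Service and Action columns to be separated by two or more spaces.
SHOW_RIGHTS = """\
access-list List
----------------
Position  Name           Type     Location
--------  ----           ----     --------
1         logon-control  session
2         captiveportal  session

logon-control
-------------
Priority  Source  Destination  Service   Action  TimeRange  Log  Queue
--------  ------  -----------  -------   ------  ---------  ---  -----
1         user    any          udp 68    deny                    Low
2         any     any          svc-icmp  permit                  Low
3         any     any          svc-dns   permit                  Low
4         any     any          svc-dhcp  permit                  Low
5         any     any          svc-natt  permit                  Low
captiveportal
-------------
Priority  Source  Destination  Service          Action        TimeRange  Log  Queue
--------  ------  -----------  -------          ------        ---------  ---  -----
1         user    controller   svc-https        dst-nat 8081                  Low
2         user    any          svc-http         dst-nat 8080                  Low
3         user    any          svc-https        dst-nat 8081                  Low
"""

# One row of a session ACL table: priority, source, destination, a service that
# may contain one space ("udp 68"), two or more spaces, then an action that may
# carry a port ("dst-nat 8080"). The remaining columns are ignored.
RULE_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\S+(?: \S+)?)\s{2,}(\S+(?: \d+)?)")
# One row of the 'access-list List' table, which gives the role's ACL order.
ACL_ORDER_RE = re.compile(r"^\s*\d+\s+([\w-]+)\s+session\b")

# Services that match a client's own DHCP DISCOVER/REQUEST (UDP to server port
# 67). The default 'udp 68 deny' rule targets the client port, i.e. it stops a
# client from answering other clients as a DHCP server; it does not block the
# client's own requests. (Assumption stated here, not a claim from the thread.)
DHCP_SERVICES = {"svc-dhcp", "udp 67"}


def parse_show_rights(text):
    """Return (acl_order, acls): the role's ACL names in evaluation order and,
    per ACL name, its rules as dicts in priority order."""
    acl_order, acls, current = [], {}, None
    lines = text.splitlines()
    for i, line in enumerate(lines):
        name = line.strip()
        nxt = lines[i + 1].strip() if i + 1 < len(lines) else ""
        # A bare ACL name underlined by a row of dashes starts a new table.
        if re.fullmatch(r"[A-Za-z][\w-]*", name) and nxt and set(nxt) == {"-"}:
            current = name
            acls[current] = []
            continue
        m = ACL_ORDER_RE.match(line)
        if m and current is None:          # still inside 'access-list List'
            acl_order.append(m.group(1))
            continue
        m = RULE_RE.match(line)
        if m and current is not None:
            prio, src, dst, svc, action = m.groups()
            acls[current].append({"priority": int(prio), "source": src,
                                  "destination": dst, "service": svc,
                                  "action": action})
    return acl_order, acls


def dhcp_decision(acl_order, acls, source="user"):
    """First rule, walking the ACLs in role order, that matches a DHCP client
    packet from `source`; returns (acl_name, priority, action) or None."""
    for name in acl_order:
        for rule in acls.get(name, []):
            if rule["service"] in DHCP_SERVICES and rule["source"] in (source, "any"):
                return name, rule["priority"], rule["action"]
    return None


if __name__ == "__main__":
    order, tables = parse_show_rights(SHOW_RIGHTS)
    print("ACL order:", order)
    print("DHCP decision for user traffic:", dhcp_decision(order, tables))
```

Run against the thread's output this reports `('logon-control', 4, 'permit')`, which is the same conclusion post 2 reaches by inspection: the role is not what blocks DHCP, so the problem lies before the firewall (consistent with the zero hit counts in post 5). Pasting the real `show rights` output into `SHOW_RIGHTS` is enough to rerun the check after any role change.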



  • 4.  RE: captive portal with split-tunneling involving RAP AP's

    Posted Sep 12, 2013 02:57 PM

    What does the firewall show?  <show acl hits>

     

    Is the VLAN 111 assigned to a port w/ link? Or is "operstate up" enabled on this VLAN? (admin state and protocol state up?)

     

    Just trying to check everything.


  • 5.  RE: captive portal with split-tunneling involving RAP AP's

    Posted Sep 12, 2013 03:09 PM

    Historically I had hits...see below.  I cleared the counters and initiated a connection and got no hits.

     

    The original configuration is having this VLAN 11 unbounded to any interface and just have "operstate up." For troubleshooting, I assigned this vlan to a physically connected interface, removed the operstate up statement and tested again.  Same results. 

    CUST_guest-logon_init_role            logon-control                     any   any                      svc-dns           permit                      2244      2244        8686
    CUST_guest-logon_init_role            logon-control                     any   any                      svc-dhcp          permit                      9         9           8687
    CUST_guest-logon_init_role            captiveportal                     user  any                      svc-http          dst-nat        8080         28        28          8690
    CUST_guest-logon_init_role            captiveportal                     user  any                      svc-https         dst-nat        8081         260       260  


  • 6.  RE: captive portal with split-tunneling involving RAP AP's

    Posted Sep 12, 2013 04:32 PM

    A couple more:

     

    show interface vlan 11

    show vlan 11

    show ip interface brief



  • 7.  RE: captive portal with split-tunneling involving RAP AP's

    Posted Sep 12, 2013 04:48 PM

    (USPHXNRFW101) #show  interface vlan 11

    VLAN11 is up line protocol is up
    Hardware is CPU Interface, Interface address is 00:0B:86:6E:93:14 (bia 00:0B:86:6E:93:14)
    Description: 802.1Q VLAN
    Internet address is 192.168.20.1  255.255.255.0
    IPv6 Router Advertisements are disabled
    Routing interface is enable, Forwarding mode is enable
    Directed broadcast is disabled, BCMC Optimization disabled ProxyARP disabled Suppress ARP enable
    Encapsulation 802, loopback not set
    MTU 1500 bytes
    IP NAT Inside is enabled on this interface
    Last clearing of "show interface" counters 6 day 17 hr 44 min 1 sec
    link status last changed 6 day 17 hr 41 min 1 sec
    Proxy Arp is disabled for the Interface
    Auto Operstate up is enabled for this Interface
    Tunnels Configured on this Interface:
    Tunnel 0,Tunnel 0,Tunnel 0

    (USPHXNRFW101) #show vlan 11

    VLAN CONFIGURATION
    ------------------
    VLAN  Description  Ports  AAA Profile
    ----  -----------  -----  -----------
    11    VLAN0011            N/A

    (USPHXNRFW101) #show ip interface br

    Interface                   IP Address / IP Netmask        Admin   Protocol
    vlan 372                   10.20.72.10 / 255.255.255.0     up      up  
    vlan 1                      unassigned / unassigned        up      down
    vlan 303                   10.20.32.10 / 255.255.255.0     up      up  
    vlan 364                   10.20.64.10 / 255.255.252.0     up      up  
    vlan 368                   10.20.68.10 / 255.255.252.0     up      up  
    vlan 11                   192.168.20.1 / 255.255.255.0     up      up  
    vlan 20                    10.20.20.31 / 255.255.255.0     up      up  
    loopback                    unassigned / unassigned        up      up  
    mgmt                        unassigned / unassigned        down    down



  • 8.  RE: captive portal with split-tunneling involving RAP AP's

    Posted Sep 12, 2013 05:16 PM

    That all looks good too.

     

    How about the output of these commands:

     

    show ip dhcp statistics

    show ip dhcp database

    show ip dhcp bindings


  • 9.  RE: captive portal with split-tunneling involving RAP AP's

    Posted Sep 12, 2013 05:25 PM

    The binding 192.168.20.26 was when I had the VAP in tunneled mode.

     


    (USPHXNRFW101) #show ip dhcp statistics

    Network Name           192.168.20.0/24
        Free leases        228
        Active leases      1
        Expired leases     0
        Abandoned leases   0
                              
    Network Name           10.20.68.0/22
        Free leases        998
        Active leases      0
        Expired leases     0
        Abandoned leases   0
                              

    (USPHXNRFW101) #show ip dhcp database

    DHCP enabled

    # Global scope option declarations

    # V368-RAP-Clients
    subnet 10.20.68.0 netmask 255.255.252.0 {
        default-lease-time 86415;
        max-lease-time 86415;
        option domain-name "lostarrow.com";
        option vendor-class-identifier  "ArubaAP";
        option vendor-encapsulated-options  "10.20.72.10";
        option domain-name-servers 10.20.11.60, 10.20.11.70;
        option routers 10.20.68.10;
        range 10.20.68.25 10.20.71.254;
        authoritative;
    }
    # GuestPool
    subnet 192.168.20.0 netmask 255.255.255.0 {
        default-lease-time 43200;
        max-lease-time 43200;
        option vendor-class-identifier  "ArubaAP";
        option vendor-encapsulated-options  "10.20.72.10";
        option domain-name-servers 8.8.8.8, 8.8.4.4;
        option routers 192.168.20.1;
        range 192.168.20.26 192.168.20.254;
        authoritative;
    }

    (USPHXNRFW101) #show ip dhcp binding


    lease 10.20.68.25 {
      starts epoch 1379004607; # Thu Sep 12 09:50:07 2013
      ends epoch 1379091022; # Fri Sep 13 09:50:22 2013
      tstp epoch 1379091022; # Fri Sep 13 09:50:22 2013
      cltt epoch 1379004607; # Thu Sep 12 09:50:07 2013
      binding state active;
      next binding state free;
      hardware ethernet 08:11:96:1c:24:a8;
    }
     
    lease 10.20.68.25 {
      starts epoch 1379004607; # Thu Sep 12 09:50:07 2013
      ends epoch 1379005551; # Thu Sep 12 10:05:51 2013
      tstp epoch 1379005551; # Thu Sep 12 10:05:51 2013
      cltt epoch 1379004607; # Thu Sep 12 09:50:07 2013
      binding state free;
      hardware ethernet 08:11:96:1c:24:a8;
    }
    lease 192.168.20.26 {
      starts epoch 1379005552; # Thu Sep 12 10:05:52 2013
      ends epoch 1379048752; # Thu Sep 12 22:05:52 2013
      cltt epoch 1379005552; # Thu Sep 12 10:05:52 2013
      binding state active;
      next binding state free;
      hardware ethernet 08:11:96:1c:24:a8;
    }
    lease 192.168.20.26 {
      starts epoch 1379006484; # Thu Sep 12 10:21:24 2013
      ends epoch 1379049684; # Thu Sep 12 22:21:24 2013
      cltt epoch 1379006484; # Thu Sep 12 10:21:24 2013
      binding state active;
      next binding state free;
      hardware ethernet 08:11:96:1c:24:a8;
    }
    lease 192.168.20.26 {
      starts epoch 1379007661; # Thu Sep 12 10:41:01 2013
      ends epoch 1379050861; # Thu Sep 12 22:41:01 2013
      cltt epoch 1379007661; # Thu Sep 12 10:41:01 2013
      binding state active;
      next binding state free;
      hardware ethernet 08:11:96:1c:24:a8;
    }
    lease 192.168.20.26 {
      starts epoch 1379007890; # Thu Sep 12 10:44:50 2013
      ends epoch 1379051090; # Thu Sep 12 22:44:50 2013
      cltt epoch 1379007890; # Thu Sep 12 10:44:50 2013
      binding state active;
      next binding state free;                        
      hardware ethernet 08:11:96:1c:24:a8;
    }
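
Post 9 reads the raw lease blocks by eye to conclude that the only 192.168.20.26 binding dates from the tunnel-mode test. The script below is an added example, not code from this thread or from the controller: it parses the quoted `show ip dhcp database` and `show ip dhcp binding` output, keeps only the most recent block per address (ISC-style lease files append a block on every change), and reports the latest lease a client MAC holds, the pool it came from and whether it is still valid at a given time. The abridged sample text, the field names and the function names are assumptions constructed from the output above.

```python
import ipaddress
import re

# Constructed sample: abridged from the 'show ip dhcp database' output quoted
# in this thread (only the lines the parser uses are kept).
DHCP_DATABASE = """\
# V368-RAP-Clients
subnet 10.20.68.0 netmask 255.255.252.0 {
    option routers 10.20.68.10;
    range 10.20.68.25 10.20.71.254;
}
# GuestPool
subnet 192.168.20.0 netmask 255.255.255.0 {
    option routers 192.168.20.1;
    range 192.168.20.26 192.168.20.254;
}
"""

# Constructed sample: abridged 'show ip dhcp binding' output. One address
# appears several times; the last block for an address is the current one.
DHCP_BINDINGS = """\
lease 10.20.68.25 {
  starts epoch 1379004607; # Thu Sep 12 09:50:07 2013
  ends epoch 1379091022; # Fri Sep 13 09:50:22 2013
  binding state active;
  next binding state free;
  hardware ethernet 08:11:96:1c:24:a8;
}
lease 10.20.68.25 {
  starts epoch 1379004607; # Thu Sep 12 09:50:07 2013
  ends epoch 1379005551; # Thu Sep 12 10:05:51 2013
  binding state free;
  hardware ethernet 08:11:96:1c:24:a8;
}
lease 192.168.20.26 {
  starts epoch 1379005552; # Thu Sep 12 10:05:52 2013
  ends epoch 1379048752; # Thu Sep 12 22:05:52 2013
  binding state active;
  next binding state free;
  hardware ethernet 08:11:96:1c:24:a8;
}
lease 192.168.20.26 {
  starts epoch 1379007890; # Thu Sep 12 10:44:50 2013
  ends epoch 1379051090; # Thu Sep 12 22:44:50 2013
  binding state active;
  next binding state free;
  hardware ethernet 08:11:96:1c:24:a8;
}
"""

# '# PoolName' comment directly above a 'subnet X netmask Y {' declaration.
SUBNET_RE = re.compile(r"^# (\S+)\nsubnet (\S+) netmask (\S+) \{", re.M)
# One 'lease IP { ... }' block; the body is parsed field by field below.
LEASE_RE = re.compile(r"lease (\S+) \{(.*?)\n\}", re.S)
# Only the fields we need; 'next binding state' deliberately does not match.
FIELD_RE = re.compile(r"^\s*(starts|ends|binding state|hardware ethernet) (?:epoch )?([^;]+);", re.M)


def parse_pools(database_text):
    """Map each declared subnet to the pool name in the comment above it."""
    return {ipaddress.ip_network(f"{net}/{mask}"): name
            for name, net, mask in SUBNET_RE.findall(database_text)}


def parse_bindings(binding_text):
    """Return {ip: lease dict}, keeping the last block seen for each address."""
    leases = {}
    for ip, body in LEASE_RE.findall(binding_text):
        fields = dict(FIELD_RE.findall(body))
        leases[ip] = {"ip": ip, "starts": int(fields["starts"]), "ends": int(fields["ends"]),
                      "state": fields["binding state"], "mac": fields["hardware ethernet"].lower()}
    return leases


def lease_report(database_text, binding_text, mac, now_epoch):
    """Most recent lease held by `mac`, with its pool and whether it is valid at
    `now_epoch` (state active and inside the start/end window). Returns None
    when the MAC never obtained a lease, which is the split-tunnel symptom here."""
    pools = parse_pools(database_text)
    mine = [l for l in parse_bindings(binding_text).values() if l["mac"] == mac.lower()]
    if not mine:
        return None
    lease = max(mine, key=lambda l: l["starts"])
    addr = ipaddress.ip_address(lease["ip"])
    pool = next((name for net, name in pools.items() if addr in net), None)
    valid = lease["state"] == "active" and lease["starts"] <= now_epoch < lease["ends"]
    return {**lease, "pool": pool, "valid_now": valid}


if __name__ == "__main__":
    print(lease_report(DHCP_DATABASE, DHCP_BINDINGS, "08:11:96:1c:24:a8", 1379008000))
```

For the thread's client (08:11:96:1c:24:a8) this returns the 192.168.20.26 lease from the GuestPool subnet, active from epoch 1379007890, which matches the tunnel-mode test in post 9; the earlier 10.20.68.25 lease is correctly reported as `free` because its later block supersedes the first. A run after a split-tunnel attempt with no new block for the MAC would return the same stale lease, which is the quickest way to confirm that no DISCOVER ever reached the controller's DHCP server.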




  • 10.  RE: captive portal with split-tunneling involving RAP AP's

    Posted Sep 12, 2013 05:24 PM

    Does the issue happen with all VLANs?  If you change the VAP to use one of your other VLANs, does the client get an IP?



  • 11.  RE: captive portal with split-tunneling involving RAP AP's

    Posted Sep 12, 2013 05:49 PM

    I get the same problem.  I placed the cp vap on a vlan used by 802.1x vap; this vlan is also not bound to an interface.  I know this works as I have no problem with 802.1x vap.



  • 12.  RE: captive portal with split-tunneling involving RAP AP's

    Posted Sep 12, 2013 07:30 PM

    Wow, that looks ok too.

     

    I'm down to debug logs for DHCP now.

     

    logging level debugging security process dhcpd

    logging level debugging network subcat dhcp

     

    <test dhcp w/ client> then...

     

    show log security all | include <client mac>

    show log network all | include <client mac>

     

    I'm wondering if the request is getting to the controller at all.


  • 13.  RE: captive portal with split-tunneling involving RAP AP's

    Posted Sep 13, 2013 04:14 AM

    hmmm,

    I only got this....

    Sep 13 00:11:17 :126038: <WARN> |wms| |ids| AP(6c:f3:7f:d1:a5:b0@USLOCXNRAPXXX): Cleared Station Associated to Rogue AP: An AP is no longer detecting a client 08:11:96:1c:24:a8 associated to a rogue access point (BSSID 74:d0:2b:40:bf:2c and SSID newjetty_5g on CHANNEL 149).
    Sep 13 00:12:05 :126037: <WARN> |wms| |ids| AP(6c:f3:7f:d1:a5:b0@USLOCXNRAPXXX): Station Associated to Rogue AP: An AP detected a client 08:11:96:1c:24:a8 associated to a rogue access point (BSSID 74:d0:2b:40:bf:2c and SSID newjetty_5g on CHANNEL 149).
    Sep 13 01:07:21 :126038: <WARN> |wms| |ids| AP(6c:f3:7f:d1:a5:b0@USLOCXNRAPXXX): Cleared Station Associated to Rogue AP: An AP is no longer detecting a client 08:11:96:1c:24:a8 associated to a rogue access point (BSSID 74:d0:2b:40:bf:2c and SSID newjetty_5g on CHANNEL 149).
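
Post 12's procedure is to enable the `dhcpd` and `network subcat dhcp` debug levels, test, and grep both logs for the client MAC; post 13's result holds only `|wms| |ids|` lines, which post 14 reads as the request never reaching the controller. The script below is an added example, not code from this thread: it parses the `show log` line layout visible above, collects every line that mentions a given MAC, and tallies the logging process and subcategory so that the absence of any `dhcpd` or `dhcp` entry is an explicit result rather than an eyeball check. The sample lines are the thread's own; the log-line regex is derived from their layout and is an assumption, as are the function names.

```python
import re
from collections import Counter

# Constructed sample: the three 'show log' lines quoted in this thread.
LOG_LINES = """\
Sep 13 00:11:17 :126038: <WARN> |wms| |ids| AP(6c:f3:7f:d1:a5:b0@USLOCXNRAPXXX): Cleared Station Associated to Rogue AP: An AP is no longer detecting a client 08:11:96:1c:24:a8 associated to a rogue access point (BSSID 74:d0:2b:40:bf:2c and SSID newjetty_5g on CHANNEL 149).
Sep 13 00:12:05 :126037: <WARN> |wms| |ids| AP(6c:f3:7f:d1:a5:b0@USLOCXNRAPXXX): Station Associated to Rogue AP: An AP detected a client 08:11:96:1c:24:a8 associated to a rogue access point (BSSID 74:d0:2b:40:bf:2c and SSID newjetty_5g on CHANNEL 149).
Sep 13 01:07:21 :126038: <WARN> |wms| |ids| AP(6c:f3:7f:d1:a5:b0@USLOCXNRAPXXX): Cleared Station Associated to Rogue AP: An AP is no longer detecting a client 08:11:96:1c:24:a8 associated to a rogue access point (BSSID 74:d0:2b:40:bf:2c and SSID newjetty_5g on CHANNEL 149).
"""

# Assumed layout, derived from the lines above: timestamp, message id, level,
# logging process, optional subcategory, free text.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) :(?P<msgid>\d+): <(?P<level>\w+)> "
    r"\|(?P<process>[\w-]+)\| (?:\|(?P<subcat>[\w-]+)\| )?(?P<msg>.*)$"
)
MAC_RE = re.compile(r"(?i)\b(?:[0-9a-f]{2}:){5}[0-9a-f]{2}\b")


def parse_log(text):
    """Parse lines into dicts; each carries the set of MACs mentioned in it."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["macs"] = {x.lower() for x in MAC_RE.findall(entry["msg"])}
            entries.append(entry)
    return entries


def dhcp_evidence(entries, mac):
    """Which process/subcategory pairs logged `mac`, and whether any line came
    from the DHCP path the two 'logging level debugging' commands enable
    (process dhcpd, or network subcategory dhcp)."""
    hits = [e for e in entries if mac.lower() in e["macs"]]
    by_source = Counter(f"{e['process']}/{e['subcat'] or '-'}" for e in hits)
    dhcp_seen = any(e["process"] == "dhcpd" or e["subcat"] == "dhcp" for e in hits)
    return {"total": len(hits), "by_source": dict(by_source), "dhcp_seen": dhcp_seen}


if __name__ == "__main__":
    print(dhcp_evidence(parse_log(LOG_LINES), "08:11:96:1c:24:a8"))
```

On the thread's three lines this yields `{'total': 3, 'by_source': {'wms/ids': 3}, 'dhcp_seen': False}`: the client MAC appears only in wireless IDS events about an unrelated rogue BSSID, and not once in a DHCP log line even with dhcpd debugging on, which is exactly the inference post 14 draws. Feeding it the full `show log security all` and `show log network all` output (concatenated) keeps the same result shape.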

     

     



  • 14.  RE: captive portal with split-tunneling involving RAP AP's

    Posted Sep 13, 2013 09:17 AM

    Doesn't look like the request is getting to the controller at all based upon those log results.  Can you tell us the version of ArubaOS?  

     

    Also run the following for that RAP:

     

    show ap details ap-name <name-of-AP>

    show ap bss-table ap-name <name-of-AP>