Question : Why are wireless clients connected to a captive portal SSID not getting an IP if they disconnect and re-connect in quick succession?
Environment Information : Any Aruba OS
Any Aruba AP
Any Aruba Controller
Symptoms : Previously working wireless clients are unable to get an IP address after they disconnect and reconnect to the wireless network. If the user entry is cleared with "aaa user delete mac <user-mac>", the user can connect and obtain an IP address normally.
Cause :
We keep the L3 entry (user-table) of the user until the "User Idle-Timeout" timer expires. This is 5 minutes by default. Hence, if an authenticated captive-portal user disconnects from wireless and reconnects within that window (say, within 5 minutes), the user is placed directly into the post-auth role on the Controller. If the post-auth role is restrictive enough, it can block DHCP and so prevent the user from getting an IP address.
Resolution :
If a captive portal authenticated user disconnects from the wireless and reconnects within the "user idle-timeout" period (default 5 minutes), the user will be pushed directly to the post-authentication role on the Controller. However, the user will still need to either renew its IP address or obtain a new one from DHCP. This attempt to acquire or renew an IP address will fail if DHCP is blocked in the post-authenticated role. Hence we can resolve this issue by allowing DHCP in the post-authenticated role.
Answer :
For the duration of the user idle-timeout (default is 5 minutes), we remember the user IP (L3) entry for authenticated users on the Controller. This is especially useful for captive portal authenticated users that reconnect to the wireless within a short time, so that they do not need to re-authenticate at the captive portal page again. If an authenticated user disconnects from wireless and reconnects within the configured "user idle-timeout", we push the user directly to the post-authentication role.
Now, since the user disconnected from wireless and reconnected, it will try to do a "DHCP DISCOVER". We therefore need to allow "DHCP" in the post-authenticated role so that the user can obtain an IP address this time.
For Example:
Consider a user in post-authenticated role "webaccess".
Configuration before change:
(Aruba) #show rights webaccess
Derived Role = 'webaccess'
Up BW:No Limit Down BW:No Limit
L2TP Pool = default-l2tp-pool
PPTP Pool = default-pptp-pool
Periodic reauthentication: Disabled
ACL Number = 78/0
Max Sessions = 65535
access-list List
----------------
Position Name Type Location
-------- ---- ---- --------
1 WebAcc session
WebAcc
------
Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6
-------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------
1 user any udp 68 deny Low 4 <<<<<<<<<<<<<<<<<<<<<<<<<<<<<< NO ACL ALLOWING DHCP
2 user any svc-dns permit Low 4
3 any any tcp 26000 permit Low 4
4 any any svc-ssh permit Low 4
5 user any svc-https permit Low 4
6 user any svc-http permit Low 4
7 user any tcp 8080 permit Low 4
8 user 127.108.0.0 255.255.0.0 tcp 9100 permit Low 4
9 user any tcp 7777 permit Low 4
10 user any svc-ftp permit Low 4
11 user 127.108.2.46 any permit Low 4
Expired Policies (due to time constraints) = 0
Configuration Change:
(Aruba)# config term
(Aruba) (config)# ip access-list session WebAcc
(Aruba) (config-sess-WebAcc)# any any svc-dhcp permit position 2
(Aruba) (config-sess-WebAcc)# write mem
Configuration After Change:
(Aruba) (config-role) #show rights webaccess
Derived Role = 'webaccess'
Up BW:No Limit Down BW:No Limit
L2TP Pool = default-l2tp-pool
PPTP Pool = default-pptp-pool
Periodic reauthentication: Disabled
ACL Number = 77/0
Max Sessions = 65535
access-list List
----------------
Position Name Type Location
-------- ---- ---- --------
1 WebAcc session
WebAcc
------
Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6
-------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------
1 user any udp 68 deny Low 4
2 any any svc-dhcp permit Low 4 <<<<<<<<<<<<<<<<<<<<<<<<<< ACL PERMITS DHCP
3 user any svc-dns permit Low 4
4 any any tcp 26000 permit Low 4
5 any any svc-ssh permit Low 4
6 user any svc-https permit Low 4
7 user any svc-http permit Low 4
8 user any tcp 8080 permit Low 4
9 user 127.108.0.0 255.255.0.0 tcp 9100 permit Low 4
10 user any tcp 7777 permit Low 4
11 user any svc-ftp permit Low 4
Note: The issue of users not getting an IP address after reconnecting to wireless may be exacerbated where the user idle-timeout is configured higher than the default value, since the user stays in the post-authenticated role for longer.
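To audit a post-authenticated role for this problem without reading the ACL by eye, the following added example (not part of the original article or of ArubaOS) parses the rule rows of "show rights <role>" output and evaluates a DHCP client request (user to broadcast, UDP destination port 67, i.e. svc-dhcp) against the session ACL in first-match order with the implicit deny at the end. The sample rows are constructed from the before/after tables above; note that the "udp 68 deny" rule matches DHCP server replies, not client requests, so it is correctly skipped.

```python
import re

# Constructed samples: the relevant WebAcc rows before and after the change.
BEFORE = """\
1 user any udp 68 deny Low 4
2 user any svc-dns permit Low 4
3 any any tcp 26000 permit Low 4
8 user 127.108.0.0 255.255.0.0 tcp 9100 permit Low 4
"""
AFTER = """\
1 user any udp 68 deny Low 4
2 any any svc-dhcp permit Low 4
3 user any svc-dns permit Low 4
"""

# priority, source, <destination + service>, action; trailing columns ignored
ROW = re.compile(r"^(\d+)\s+(\S+)\s+(.*?)\s+(permit|deny)\b")
DOTTED = re.compile(r"[\d.]+")

def parse_rules(text):
    """Return (priority, source, destination, service, action) tuples in ACL order."""
    rules = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # header, separator or blank line
        prio, src, middle, action = m.groups()
        toks = middle.split()
        # Destination is 'any', a single host, or 'network mask' (two dotted tokens).
        two = len(toks) > 1 and DOTTED.fullmatch(toks[0]) and DOTTED.fullmatch(toks[1])
        n = 2 if two else 1
        rules.append((int(prio), src, " ".join(toks[:n]), " ".join(toks[n:]), action))
    return rules

# Services that match a DHCP DISCOVER/REQUEST (UDP dport 67). 'udp 68' does not.
DHCP_CLIENT_SERVICES = {"svc-dhcp", "udp 67", "any"}

def dhcp_client_verdict(text):
    """First-match verdict for a broadcast DHCP client request.

    Returns (action, priority); priority is None when only the implicit
    deny at the end of the session ACL applies.
    """
    for prio, src, dst, svc, action in parse_rules(text):
        if src not in ("user", "any") or dst != "any":
            continue  # broadcast DISCOVER only matches a destination of 'any'
        if svc in DHCP_CLIENT_SERVICES:
            return action, prio
    return "deny", None
```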