Wireless Access


Access network design for branch, remote, outdoor and campus locations with Aruba access points, and mobility controllers.

Clients get IP from incorrect DHCP range. Aruba 3400 v6.1.3.7

  • 1.  Clients get IP from incorrect DHCP range. Aruba 3400 v6.1.3.7

    Posted Jan 30, 2015 10:26 AM

    I have vlans established on all switches in the path from Layer 3 building entry point to the WiFi controller.

    I can ping & traceroute from the controller to the DHCP at the central office.

    Clients get IP in vlan 1 instead of the range assigned to the virtual AP via the appropriate vlan.

     

    Relevant config excerpts attached.

     

    Has to be something simple I am missing and would appreciate another set of eyes to point me in the right direction. 

     




  • 2.  RE: Clients get IP from incorrect DHCP range. Aruba 3400 v6.1.3.7

    Posted Jan 30, 2015 10:44 AM

    use the command below to find out:

     

    show aaa debug vlan user mac <mac address of user>

     



  • 3.  RE: Clients get IP from incorrect DHCP range. Aruba 3400 v6.1.3.7

    Posted Feb 02, 2015 07:25 AM

    (DM-Controller) #show aaa debug
    ^
    % Invalid input detected at '^' marker.

     

    -----------------------

    (DM-Controller) #show aaa ?
    accounting Show accounting configuration
    authentication Authentication methods
    authentication-server Authentication Servers
    bandwidth-contracts Show bandwidth contracts
    derivation-rules Show role/vlan derivation rules
    device-id-cache Device ID Cache
    dns-query-interval DNS query interval
    fqdn-server-names Auth Server FQDN names
    main-profile Show summary of all AAA profiles
    password-policy Password policy for locally configured management
    users
    profile Show an AAA Profile
    pubcookie-authenticat.. Show Pubcookie authentication Configuration
    radius-attributes Show RADIUS attributes
    rfc-3576-server RFC 3576 server
    server-group Show a Server Group
    state Show internal state of authentication module
    tacacs-accounting Show TACACS accounting configuration
    timers Show timers
    web Show web server configuration
    xml-api External XML API server

     

     



  • 4.  RE: Clients get IP from incorrect DHCP range. Aruba 3400 v6.1.3.7

    Posted Feb 03, 2015 09:50 AM

    As far as I understand, you are getting an IP address from the incorrect VLAN.

    I know it's silly, but who knows... I have already seen it happen before.

    Can you run ipconfig /all on the computer that is getting the wrong IP address and see which DHCP server is giving you the IP? Is it the correct DHCP server?

    I saw it happen at a client, where someone connected something that was giving out DHCP IP addresses in the same VLAN as the WiFi. Of course it was the other device, and that was the problem. He was confused and thought he was getting IPs from the other VLAN because, by coincidence, the device, a small WiFi router, was giving him IP addresses in the same network as the other VLAN...

    Anyway, it never hurts to check :)

     

    Cheers

    Carlos



  • 5.  RE: Clients get IP from incorrect DHCP range. Aruba 3400 v6.1.3.7

    Posted Feb 03, 2015 10:02 AM

    9 of 10 3400's took the changes fine, add the vlans, assign them in Virtual AP, watch the DHCP system populate the clients. This one kept getting them from vlan1 and didn't change. Not a client issue because NO clients changed. Knew it had to be the controller, just couldn't figure out why. Authentication precedence and a role set that I didn't know was.

    While I have to wait until after school to test, pretty confident that is the issue.

    Thank you.

     



  • 6.  RE: Clients get IP from incorrect DHCP range. Aruba 3400 v6.1.3.7

    Posted Feb 04, 2015 12:23 AM

     

     

    To confirm your suspicions, run the following on a working client and a non-working client.   Review the VLAN ID and VLAN Derivation results.

     

    show user ip x.x.x.x

     

    Name: chris, IP: 192.168.13.156, MAC: 40:0e:85:01:b5:69, Role: 1X-AUTH, ACL: 76/0, Age: 00:09:42
    Authentication: Yes, status: successful, method: 802.1x, protocol: EAP-PEAP, server: CPPM-BETA.LAB.NET
    Authentication Servers: dot1x authserver: CPPM-BETA.LAB.NET, mac authserver:
    Bandwidth = No Limit
    Bandwidth = No Limit
    Role Derivation: Aruba VSA
    VLAN Derivation: Default VLAN
    Idle timeout (global): 300 seconds, Age: 00:00:00
    ......

    Vlan default: 192, Assigned: 192, Current: 192 vlan-how: 1 DP assigned

     

    ---------------------

            vs

    ---------------------

     

    Name: chris, IP: 10.10.0.2, MAC: 40:0e:85:01:b5:69, Role: 1X-AUTH, ACL: 76/0, Age: 00:00:00
    Authentication: Yes, status: started, method: 802.1x, protocol: EAP-PEAP, server: CPPM-BETA.LAB.NET
    Authentication Servers: dot1x authserver: CPPM-BETA.LAB.NET, mac authserver:
    Bandwidth = No Limit
    Bandwidth = No Limit
    Role Derivation: Aruba VSA
    VLAN Derivation: Dot1x Aruba VSA Role Contained
    Idle timeout (global): 300 seconds, Age: 00:00:00
    ......

    Vlan default: 192, Assigned: 999, Current: 999 vlan-how: 16 DP assigned



  • 7.  RE: Clients get IP from incorrect DHCP range. Aruba 3400 v6.1.3.7

    Posted Feb 05, 2015 07:59 AM

    Now that's a darn handy command I didn't know!

    Ton of information there. And yes, that wasn't the whole problem so thank you for suggesting this.

    Now to figure out how to use this information to solve the problem. Obviously there is still a vlan problem.

     

    Non-working:

     

    Name: , IP: 10.44.90.15, MAC: 28:6a:ba:e7:35:3d, Role:guest, ACL:3/0, Age: 00:14:32
    Authentication: No, status: not started, method: , protocol: , server:
    Role Derivation: AAA profile default role
    VLAN Derivation: unknown
    Idle timeouts: 161, ICMP requests sent: 163, replies received: 161, Valid ARP: 0
    Mobility state: Wireless, HA: Yes, Proxy ARP: No, Roaming: No Tunnel ID: 0 L3 Mob: 0
    Flags: internal=0, trusted_ap=0, l3auth=0, mba=0
    Flags: innerip=0, outerip=0, guest=0, download=1, nodatapath=0, wispr=0
    Auth fails: 0, phy_type: a, reauth: 0, BW Contract: up:0 down:0, user-how: 1
    Vlan default: 1, Assigned: 0, Current: 1 vlan-how: 0 DP assigned vlan:0
    Mobility Messages: L2=0, Move=0, Inter=0, Intra=0, ProxyArp=0, Flags=0x0
    Tunnel=0, SlotPort=0x1040, Port=0x10de (tunnel 94)
    Role assigment - L3 assigned role: n/a, VPN role: n/a, Dot1x cached role : n/a
    Current Role name: guest, role-how: 10, L2-role: guest, L3-role: guest
    Essid: MSDPT, Bssid: d8:c7:c8:f7:5f:d9 AP name/group: AP-DM-Office-Hall/default Phy-type: a
    RadAcct sessionID:n/a
    RadAcct Traffic In 10323/1297358 Out 10836/11636078 (0:10323/0:0:19:52174,0:10836/0:0:177:36206)
    Timers: ping_reply 0, spoof reply 0, reauth 0
    Profiles AAA:MSDPT-aaa_prof, dot1x:, mac: CP: def-role:'guest' sip-role:'' via-auth-profile:''
    ncfg flags udr 0, mac 0, dot1x 0, RADIUS interim accounting 0
    IP Born: 1423088666 (Wed Feb 4 17:24:26 2015)
    Core User Born: 1423088665 (Wed Feb 4 17:24:25 2015)
    Upstream AP ID: 0, Downstream AP ID: 0
    DHCP assigned IP address 10.44.90.15, from DHCP server 0.0.0.0
    Device Type: Mozilla/5.0 (iPad; CPU OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Mobile/11D257

     

    Working: (different 3400)

     

    (MB-Controller) #show user-table ip 10.236.64.165


    Name: , IP: 10.236.64.165, MAC: 04:e5:36:be:74:d9, Role:guest, ACL:3/0, Age: 00:00:00
    Authentication: No, status: not started, method: , protocol: , server:
    Role Derivation: AAA profile default role
    VLAN Derivation: unknown
    Idle timeouts: 415, ICMP requests sent: 0, replies received: 0, Valid ARP: 0
    Mobility state: Wireless, HA: Yes, Proxy ARP: No, Roaming: No Tunnel ID: 0 L3 Mob: 0
    Flags: internal=0, trusted_ap=0, l3auth=0, mba=0
    Flags: innerip=0, outerip=0, guest=0, download=1, nodatapath=0, wispr=0
    Auth fails: 0, phy_type: a, reauth: 0, BW Contract: up:0 down:0, user-how: 1
    Vlan default: 303, Assigned: 0, Current: 303 vlan-how: 0 DP assigned vlan:0
    Mobility Messages: L2=0, Move=0, Inter=0, Intra=0, ProxyArp=0, Flags=0x0
    Tunnel=0, SlotPort=0x1040, Port=0x1105 (tunnel 133)
    Role assigment - L3 assigned role: n/a, VPN role: n/a, Dot1x cached role : n/a
    Current Role name: guest, role-how: 10, L2-role: guest, L3-role: guest
    Essid: MSDPT, Bssid: d8:c7:c8:f2:f1:a9 AP name/group: AP-MB-27 - p18/default Phy-type: a
    RadAcct sessionID:n/a
    RadAcct Traffic In 26398/2223129 Out 13870/10473226 (0:26398/0:0:33:60441,0:13870/0:0:159:53002)
    Timers: ping_reply 0, spoof reply 0, reauth 0
    Profiles AAA:MSDPT-aaa_prof, dot1x:, mac: CP: def-role:'guest' sip-role:'' via-auth-profile:''
    ncfg flags udr 0, mac 0, dot1x 0, RADIUS interim accounting 0
    IP Born: 1423141463 (Thu Feb 5 08:04:23 2015)
    Core User Born: 1422450793 (Wed Jan 28 08:13:13 2015)
    Upstream AP ID: 0, Downstream AP ID: 0
    DHCP assigned IP address 10.236.64.165, from DHCP server 0.0.0.0
    Device Type: server-bag [iPhone OS,7.1.2,11D257,iPad2,4]

     

     



  • 8.  RE: Clients get IP from incorrect DHCP range. Aruba 3400 v6.1.3.7

    Posted Feb 03, 2015 07:36 AM

    Not an option:

     

    (DM-Controller) #show aaa ?
    accounting Show accounting configuration
    authentication Authentication methods
    authentication-server Authentication Servers
    bandwidth-contracts Show bandwidth contracts
    derivation-rules Show role/vlan derivation rules
    device-id-cache Device ID Cache
    dns-query-interval DNS query interval
    fqdn-server-names Auth Server FQDN names
    main-profile Show summary of all AAA profiles
    password-policy Password policy for locally configured management
    users
    profile Show an AAA Profile
    pubcookie-authenticat.. Show Pubcookie authentication Configuration
    radius-attributes Show RADIUS attributes
    rfc-3576-server RFC 3576 server
    server-group Show a Server Group
    state Show internal state of authentication module
    tacacs-accounting Show TACACS accounting configuration
    timers Show timers
    web Show web server configuration
    xml-api External XML API server

     

     



  • 9.  RE: Clients get IP from incorrect DHCP range. Aruba 3400 v6.1.3.7

    Posted Feb 03, 2015 09:16 AM

    Hi!

     

    Your issue is probably that you are defining the VLAN in the user role, which will override the VLAN configured in the virtual AP profile.

     

    If you are putting your users in the role "authenticated" please navigate to that user role and either make the "Role VLAN ID" unassigned or correct. Keep in mind that this change will affect all users ending up in this role.

     

    Good luck,
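
The override described in this answer can be checked offline against a saved configuration. The following is an added example, not part of the original thread and not Aruba tooling: the sample stanzas are constructed from the excerpts posted in this thread, and the AAA-profile-to-role mapping is an assumption the operator supplies (the `def-role` field of the `show user` output gives it).

```python
import re

# Constructed sample: stanzas assembled from the excerpts posted in this thread
# (the virtual-AP profiles and the non-working controller's user roles).
SAMPLE_CONFIG = '''\
user-role guest
 vlan 1
 access-list session http-acl
!
user-role authenticated
 vlan 1
 access-list session allowall
!
wlan virtual-ap "MSDPT-vap_prof"
 aaa-profile "MSDPT-aaa_prof"
 vlan 303
!
wlan virtual-ap "MSDPT_Fast-vap_prof"
 aaa-profile "MSDPT_Fast-aaa_prof"
 vlan 1
!
'''

def parse_stanzas(config):
    """Return {(kind, name): {keyword: value}} for user-role and virtual-ap stanzas."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        header = re.match(r'(user-role|wlan virtual-ap)\s+"?([^"]+)"?$', line)
        if header:
            current = stanzas.setdefault((header.group(1), header.group(2)), {})
        elif line == "!" or not line:
            current = None                      # "!" closes the stanza
        elif current is not None:
            key, _, value = line.partition(" ")
            current.setdefault(key, value.strip('"'))
    return stanzas

def role_vlan_overrides(config, default_roles):
    """List virtual APs whose VLAN differs from the VLAN set in the client's role.

    default_roles maps AAA profile name -> role (hypothetical helper input,
    supplied by the operator).
    """
    stanzas = parse_stanzas(config)
    findings = []
    for (kind, name), body in sorted(stanzas.items()):
        if kind != "wlan virtual-ap" or "vlan" not in body:
            continue
        role = default_roles.get(body.get("aaa-profile"))
        role_vlan = stanzas.get(("user-role", role), {}).get("vlan")
        if role_vlan and role_vlan != body["vlan"]:
            findings.append((name, body["vlan"], role, role_vlan))
    return findings

if __name__ == "__main__":
    # "guest" comes from def-role in the thread; "authenticated" is assumed.
    roles = {"MSDPT-aaa_prof": "guest", "MSDPT_Fast-aaa_prof": "authenticated"}
    for vap, vap_vlan, role, role_vlan in role_vlan_overrides(SAMPLE_CONFIG, roles):
        print(f"{vap}: VLAN {vap_vlan} configured, role '{role}' forces VLAN {role_vlan}")
```

A finding means clients on that SSID land in the role's VLAN rather than the one the virtual AP names, so the segmentation the SSID was meant to provide is not in effect.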



  • 10.  RE: Clients get IP from incorrect DHCP range. Aruba 3400 v6.1.3.7

    Posted Feb 03, 2015 09:57 AM

    No idea how that got set, but YEAH!!! and THANK YOU!!!

    Thanks to all for the leads, but this was, at least to this point, the stumbling block. May be more issues, but this allows me to advance to the next step(s).

     



  • 11.  RE: Clients get IP from incorrect DHCP range. Aruba 3400 v6.1.3.7

    Posted Jan 30, 2015 10:46 AM

    Hi friend,

     

    Let me understand a couple of points here:

    1. Is your AP connected over a trunk link?

    2. Is your SSID in Tunnel mode or Bridge mode?

    3. If it is in tunnel mode, what is the gateway for your clients: the controller or something else? Also check whether an IP helper address is configured or not.

     

    Please clarify above points and feel free for any further help on this.



  • 12.  RE: Clients get IP from incorrect DHCP range. Aruba 3400 v6.1.3.7

    Posted Jan 30, 2015 01:21 PM

    APs are not trunked, just the controller port to switch.

    SSID are all tunneled

    Gateway set on each vlan (see attached 'doc' file).

    ip helper is on layer 3 switch

    Clients do get an IP in the same range as the APs, but trying to segment them by SSID to different vlans so they are easier to manage in DHCP.

    BYOD & 1:1 greatly increased devices.

     

    To get a client MAC I believe I'll need to go to that school. I don't see it in the controller. Am I overlooking where to find it?

     

     



  • 13.  RE: Clients get IP from incorrect DHCP range. Aruba 3400 v6.1.3.7

    Posted Jan 30, 2015 01:26 PM

    To find out what is going wrong with your client(s), you need a MAC address so that you can start debugging to see what happens to that client. Yes, you will need a MAC address from a test device.

     

    You probably need someone to go over your configuration to make sure you have everything in place.  If this is critical, I would open up a case with support so that they can get you straightened out.

     

     



  • 14.  RE: Clients get IP from incorrect DHCP range. Aruba 3400 v6.1.3.7

    Posted Jan 30, 2015 03:36 PM

    Would if I could. Alas, a poor school district with a one person network staff and no funds for training or support contracts. Forum has been a blessing in the past for that reason. I really appreciate the effort you all put into it.

     

    I have compared two 3400's side by side. (same code version) I find nothing different so why one works and the other doesn't remains a mystery at this. There has to be something...

     

    I'll dig into it more next week.

     

    Have a wonderful weekend!

     



  • 15.  RE: Clients get IP from incorrect DHCP range. Aruba 3400 v6.1.3.7

    Posted Jan 31, 2015 03:48 AM

    With something like a show user-table you already get a whole list of client MAC addresses. Or did you mean, by going to the school, that you don't have remote access to the controller?

    The reason can be several things. Do you actually put your clients in the different VLAN? If you don't, it will use the default controller VLAN, which might be 1.

    Can you post config snippets? The virtual AP config would be the first useful one, together with the IP and VLAN config.



  • 16.  RE: Clients get IP from incorrect DHCP range. Aruba 3400 v6.1.3.7

    Posted Feb 02, 2015 07:20 AM

    301 = "Fast"

    302 = "S2"

    303 = "MSDPT" (open)

     

    Excerpts:

    ----------------------------

    controller-ip vlan 1
    interface mgmt
    shutdown
    !

    --------------------------

    vlan 301
    vlan 302
    vlan 303

    -------------------------------------

    interface gigabitethernet 1/0
    description "GE1/0"
    trusted
    trusted vlan 1-4094
    switchport mode trunk
    spanning-tree portfast
    !

    ---------------------------------

    interface vlan 1
    ip address 10.44.1.60 255.255.0.0
    !

    ip default-gateway 10.44.1.1
    uplink disable

    ----------------------------------

    wlan virtual-ap "default"
    no vap-enable
    !
    wlan virtual-ap "MSDPT-vap_prof"
    aaa-profile "MSDPT-aaa_prof"
    ssid-profile "MSDPT-ssid_prof"
    vlan 303
    ha-disc-onassoc
    vlan-mobility
    broadcast-filter all
    band-steering
    !
    wlan virtual-ap "MSDPT_Fast-vap_prof"
    aaa-profile "MSDPT_Fast-aaa_prof"
    ssid-profile "MSDPT_Fast-ssid_prof"
    vlan 1
    ha-disc-onassoc
    broadcast-filter all
    band-steering
    !
    wlan virtual-ap "MSDPT_S2-vap_prof"
    allowed-band g
    aaa-profile "MSDPT_S2-aaa_prof"
    ssid-profile "MSDPT_S2-ssid_prof"
    vlan 1
    broadcast-filter all
    !
    ap provisioning-profile "default"
    !
    ap spectrum local-override
    !
    ap-group "default"
    virtual-ap "MSDPT_S2-vap_prof"
    virtual-ap "MSDPT_Fast-vap_prof"
    virtual-ap "MSDPT-vap_prof"
    !



  • 17.  RE: Clients get IP from incorrect DHCP range. Aruba 3400 v6.1.3.7

    Posted Feb 02, 2015 07:23 AM

    rmiddleton,

     

    Please open a case with TAC.  There are quite a few other things, like server derivation rules and radius attributes that are not included in your output, but can affect the VLAN that users are placed into.



  • 18.  RE: Clients get IP from incorrect DHCP range. Aruba 3400 v6.1.3.7

    Posted Feb 02, 2015 07:48 AM

    Thank you. Not an option, but thank you for trying.

    Doing a side by side comparison of one that works against this one that isn't. Same code version. Does order matter? Finding several segments that are the same, but in a different order.

     

    3400 working properly with vlans:

    ip access-list session v6-icmp-acl
    ipv6 any any svc-v6-icmp permit
    !
    ip access-list session control
    user any udp 68 deny
    any any svc-icmp permit
    any any svc-dns permit
    any any svc-papi permit
    any any svc-sec-papi permit
    any any svc-cfgm-tcp permit
    any any svc-adp permit
    any any svc-tftp permit
    any any svc-dhcp permit
    any any svc-natt permit
    !
    ip access-list session allow-diskservices
    any any svc-netbios-dgm permit
    any any svc-netbios-ssn permit
    any any svc-microsoft-ds permit
    any any svc-netbios-ns permit
    !

     

    3400 not getting desired IPs on vlans:

    ip access-list session allow-diskservices
    any any svc-netbios-dgm permit
    any any svc-netbios-ssn permit
    any any svc-microsoft-ds permit
    any any svc-netbios-ns permit
    !
    ip access-list session control
    user any udp 68 deny
    any any svc-icmp permit
    any any svc-dns permit
    any any svc-papi permit
    any any svc-sec-papi permit
    any any svc-cfgm-tcp permit
    any any svc-adp permit
    any any svc-tftp permit
    any any svc-dhcp permit
    any any svc-natt permit
    !
    ip access-list session v6-icmp-acl
    ipv6 any any svc-v6-icmp permit
    !

     

     



  • 19.  RE: Clients get IP from incorrect DHCP range. Aruba 3400 v6.1.3.7

    Posted Feb 02, 2015 08:23 AM

    rmiddleton,

     

    Without a live client to debug, it will be difficult to understand where your problem is.

     



  • 20.  RE: Clients get IP from incorrect DHCP range. Aruba 3400 v6.1.3.7

    Posted Feb 02, 2015 08:33 AM

    Pretty sure it is user Role authentication. Seeing some differences in code, but not used the CLI enough to be sure what I am seeing. Checking back & forth to GUI. 

    Example:
    Not Working:
    user-role guest
     vlan 1
     access-list session http-acl
    ...
    user-role authenticated
     vlan 1
     access-list session allowall
     access-list session v6-allowall
    ....
     
    Working:
    user-role guest
     access-list session http-acl
    ...
    user-role authenticated
     access-list session allowall
     access-list session v6-allowall
    ...

     



  • 21.  RE: Clients get IP from incorrect DHCP range. Aruba 3400 v6.1.3.7

    Posted Feb 03, 2015 04:19 AM

    You keep ignoring certain questions.

    This document explains how IPs are assigned:

    http://www.arubanetworks.com/techdocs/ArubaOS_63_Web_Help/Content/ArubaFrameStyles/Network_Parameters/About_VLAN_Assignments.htm

    Go through it and go through the clients that fail; somewhere you should understand the cause. Like cjospeh said, look at actual clients. Just some basic config comparison might help, but isn't certain.



  • 22.  RE: Clients get IP from incorrect DHCP range. Aruba 3400 v6.1.3.7

    Posted Feb 03, 2015 10:02 AM

    Not meaning to ignore anything, maybe I missed reading something...

    What am I missing on the debug statement / syntax? 

    I can get the MAC now, but not debug the client detail.

     

    (DM-Controller) #show user-table essid MSDPT

    Users
    -----
    IP MAC Name Role Age(d:h:m) Auth VPN link AP name Roaming Essid/Bssid/Phy Profile Forward mode Type
    ---------- ------------ ------ ---- ---------- ---- -------- ------- ------- --------------- ------- ------------ ----
    10.44.92.91 30:3a:64:6c:0a:b1 guest 00:00:00 AP-DM-315-p71 Wireless MSDPT/d8:c7:c8:f7:60:29/a MSDPT-aaa_prof tunnel Win 7