Wireless Access


Access network design for branch, remote, outdoor and campus locations with Aruba access points, and mobility controllers.

client not able to connect and obtain an IP address

  • 1.  client not able to connect and obtain an IP address

    Posted Jun 12, 2019 03:08 AM

Hello experts,

Please help me with troubleshooting the wireless client which is not able to connect to the SSID "SCCorp". I am attaching the client debug and the configuration of the SSID as well; the SSID has MAC filtering + bandwidth contracts of 2 Mbps.

I am also seeing this error message: ":bd:ad:7f:e1 (vlan:702) Detecting Wireless-user AAA-Profile mismatch"

     

    (UAM-COCL1-MB00MDF-WC01) #show local-userdb


    User Summary
    ------------
    Name Password Role E-Mail Enabled Expiry Status Sponsor-Name Remote-IP Grantor-Name
    ---- -------- ---- ------ ------- ------ ------ ------------ --------- ------------

    28:B2:BD:AD:7F:E1 ******** SCCorp-user-role Yes Active 0.0.0.0 admin


    The MAC address of the client is 28:B2:BD:AD:7F:E1.

     

    Attachment(s): aruba-debug.txt (63 KB), SCCorp-config.txt (2 KB)


  • 2.  RE: client not able to connect and obtain an IP address

    Posted Jun 12, 2019 03:09 AM

    My topology looks like below:

    AP <<<<<< controller <<<<< core switch (which has the SVI for the SSID VLAN and where the IP helpers are defined) <<<<<< WAN <<<<< MPLS <<<<< remote DHCP server.



  • 3.  RE: client not able to connect and obtain an IP address

    Posted Jun 12, 2019 03:28 AM
    Hi,

    What is your initial role in the AAA profile, and what policy and rules are used by that role?


  • 4.  RE: client not able to connect and obtain an IP address

    Posted Jun 12, 2019 03:37 AM

    There you go, some outputs that you might be interested in.

    The client is only seen in "show station-table", and only in the logon role; it is not seen in the "show user-table" output.


    (UAM-COCL1-MB00MDF-WC01) #show aaa profile aaa-pf-SCCorp

    AAA Profile "aaa-pf-SCCorp"
    ---------------------------
    Parameter Value
    --------- -----
    Initial role SCCorp-logon-role
    MAC Authentication Profile mac-auth-pf-SCCorp
    MAC Authentication Default Role SCCorp-user-role
    MAC Authentication Server Group sg-SCCorp
    802.1X Authentication Profile dot1x-auth-pf-SCCorp
    802.1X Authentication Default Role guest
    802.1X Authentication Server Group N/A
    Download Role from CPPM Disabled
    Set username from dhcp option 12 Disabled
    L2 Authentication Fail Through Disabled
    Multiple Server Accounting Disabled
    User idle timeout N/A
    Max IPv4 for wireless user 2
    RADIUS Accounting Server Group N/A
    RADIUS Roaming Accounting Disabled
    RADIUS Interim Accounting Disabled
    XML API server N/A
    RFC 3576 server N/A
    User derivation rules N/A
    Wired to Wireless Roaming Enabled
    SIP authentication role N/A
    Device Type Classification Enabled
    Enforce DHCP Enabled
    PAN Firewall Integration Disabled
    Open SSID radius accounting Disabled

     

     

    (UAM-COCL1-MB00MDF-WC01) #show rights SCCorp-logon-role

    Valid = 'Yes'
    CleanedUp = 'No'
    Derived Role = 'SCCorp-logon-role'
    Up BW:No Limit Down BW:No Limit
    L2TP Pool = default-l2tp-pool
    PPTP Pool = default-pptp-pool
    Number of users referencing it = 0
    Periodic reauthentication: Disabled
    DPI Classification: Enabled
    Youtube education: Disabled
    Web Content Classification: Enabled
    IP-Classification Enforcement: Enabled
    ACL Number = 102/0
    Openflow: Disabled
    Max Sessions = 65535

    Check CP Profile for Accounting = TRUE

    Application Exception List
    --------------------------
    Name Type
    ---- ----

    Application BW-Contract List
    ----------------------------
    Name Type BW Contract Id Direction
    ---- ---- ----------- -- ---------

    access-list List
    ----------------
    Position Name Type Location
    -------- ---- ---- --------
    1 global-sacl session
    2 apprf-SCCorp-logon-role-sacl session
    3 denyall session

    global-sacl
    -----------
    Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6 Contract
    -------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------ --------
    apprf-SCCorp-logon-role-sacl
    ----------------------------
    Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6 Contract
    -------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------ --------
    denyall
    -------
    Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6 Contract
    -------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------ --------
    1 any any any deny Low 4
    2 any any any-v6 deny Low 6

    Expired Policies (due to time constraints) = 0

    (UAM-COCL1-MB00MDF-WC01) #

     

     

    (UAM-COCL1-MB00MDF-WC01) #show rights SCCorp-user-role

    Valid = 'Yes'
    CleanedUp = 'No'
    Derived Role = 'SCCorp-user-role'
    Up BW contract = SCCorp-bw-ctr (2000000 bits/sec) Down BW contract = SCCorp-bw-ctr (2000000 bits/sec)
    L2TP Pool = default-l2tp-pool
    PPTP Pool = default-pptp-pool
    Number of users referencing it = 0
    Periodic reauthentication: Disabled
    DPI Classification: Enabled
    Youtube education: Disabled
    Web Content Classification: Enabled
    IP-Classification Enforcement: Enabled
    ACL Number = 104/0
    Openflow: Disabled
    Max Sessions = 65535

    Check CP Profile for Accounting = TRUE

    Application Exception List
    --------------------------
    Name Type
    ---- ----

    Application BW-Contract List
    ----------------------------
    Name Type BW Contract Id Direction
    ---- ---- ----------- -- ---------

    access-list List
    ----------------
    Position Name Type Location
    -------- ---- ---- --------
    1 global-sacl session
    2 apprf-SCCorp-user-role-sacl session
    3 logon-control session
    4 allowall session

    global-sacl
    -----------
    Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6 Contract
    -------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------ --------
    apprf-SCCorp-user-role-sacl
    ---------------------------
    Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6 Contract
    -------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------ --------
    logon-control
    -------------
    Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6 Contract
    -------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------ --------
    1 user any udp 68 deny Low 4
    2 any any svc-icmp permit Low 4
    3 any any svc-dns permit Low 4
    4 any any svc-dhcp permit Low 4
    5 any any svc-natt permit Low 4
    6 any 169.254.0.0 255.255.0.0 any deny Low 4
    7 any 240.0.0.0 240.0.0.0 any deny Low 4
    allowall
    --------
    Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6 Contract
    -------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------ --------
    1 any any any permit Low 4
    2 any any any-v6 permit Low 6

    Expired Policies (due to time constraints) = 0

    (UAM-COCL1-MB00MDF-WC01) #



  • 5.  RE: client not able to connect and obtain an IP address

    Posted Jun 12, 2019 03:58 AM
    Your initial role SCCorp-logon-role has a deny policy in it that blocks any traffic at position 3.

    access-list List
    ----------------
    Position Name Type Location
    -------- ---- ---- --------
    1 global-sacl session
    2 apprf-SCCorp-logon-role-sacl session
    3 denyall session


  • 6.  RE: client not able to connect and obtain an IP address

    Posted Jun 12, 2019 04:56 AM

    Thanks for enlightening me on this one, I edited the logon rule now.

    I hope it will work now, correct?


    (UAM-COCL1-MB00MDF-WC01) (config) #show rights SCCorp-logon-role

    Valid = 'Yes'
    CleanedUp = 'No'
    Derived Role = 'SCCorp-logon-role'
    Up BW:No Limit Down BW:No Limit
    L2TP Pool = default-l2tp-pool
    PPTP Pool = default-pptp-pool
    Number of users referencing it = 0
    Periodic reauthentication: Disabled
    DPI Classification: Enabled
    Youtube education: Disabled
    Web Content Classification: Enabled
    IP-Classification Enforcement: Enabled
    ACL Number = 102/0
    Openflow: Disabled
    Max Sessions = 65535

    Check CP Profile for Accounting = TRUE

    Application Exception List
    --------------------------
    Name Type
    ---- ----

    Application BW-Contract List
    ----------------------------
    Name Type BW Contract Id Direction
    ---- ---- ----------- -- ---------

    access-list List
    ----------------
    Position Name Type Location
    -------- ---- ---- --------
    1 global-sacl session
    2 apprf-SCCorp-logon-role-sacl session
    3 allowall session

    global-sacl
    -----------
    Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6 Contract
    -------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------ --------
    apprf-SCCorp-logon-role-sacl
    ----------------------------
    Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6 Contract
    -------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------ --------
    allowall
    --------
    Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6 Contract
    -------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------ --------
    1 any any any permit Low 4
    2 any any any-v6 permit Low 6

    Expired Policies (due to time constraints) = 0



  • 7.  RE: client not able to connect and obtain an IP address

    Posted Jun 12, 2019 07:38 AM
    Seems fine, good for testing. But a reminder: you want to bring in some extra ACLs, for example to block controller access for guests, or to not allow guests to run a DHCP server on their client. By default, use the "logon" role if no enhancements are needed.
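The two points made in replies 5 and 7 (the initial role's policy list ended in denyall before anything permitted DHCP, and replacing it with a bare allowall drops the guard rules the stock logon role carries) can be checked mechanically. The script below is an added example, not code from the thread or from Aruba: it walks a role's session ACLs in order and reports the first matching rule, using three role samples constructed in the layout of `show rights <role>` (policy name, underline, numbered rule lines); it assumes the policy sections are pasted in that form and treats the `user` keyword as the client itself.

```python
# Added example, not from the thread: first-match evaluation of the ordered session
# ACLs listed by ArubaOS "show rights <role>". Samples are constructed in that layout.
ROLE_BEFORE = "denyall\n-------\n1 any any any deny Low 4\n2 any any any-v6 deny Low 6\n"
ROLE_POSTER_FIX = "allowall\n--------\n1 any any any permit Low 4\n2 any any any-v6 permit Low 6\n"
ROLE_HARDENED = """\
logon-control
-------------
1 user any udp 68 deny Low 4
2 any any svc-dhcp permit Low 4
3 any 169.254.0.0 255.255.0.0 any deny Low 4
allowall
--------
1 any any any permit Low 4
"""

def parse_policies(text):
    """[(policy, [(src, dst, service, action), ...]), ...] in apply order."""
    policies = []
    for line in text.splitlines():
        tok = line.split()
        if not tok or set(tok[0]) == {"-"} or tok[0] == "Priority":
            continue                       # blank line, underline or column header row
        if not tok[0].isdigit():
            policies.append((tok[0], []))  # policy header, e.g. "denyall"
            continue
        f, ends = tok[1:], []
        for _ in range(2):                 # source, destination: any | user | addr mask
            ends.append(f.pop(0) if f[0] in ("any", "user") else f.pop(0) + "/" + f.pop(0))
        svc = f.pop(0)
        if svc in ("udp", "tcp"):          # protocol and port are two tokens
            svc += " " + f.pop(0)
        policies[-1][1].append((ends[0], ends[1], svc, f.pop(0)))
    return policies

def first_match(policies, src, dst, service):
    """(policy, action) of the first matching rule; implicit deny otherwise."""
    for name, rules in policies:
        for s, d, svc, action in rules:
            if s in ("any", src) and d in ("any", dst) and svc in ("any", service):
                return name, action
    return None, "deny"

def audit_initial_role(text):
    """Two checks for an initial role: can the client complete DHCP (svc-dhcp), and
    is it stopped from answering as a DHCP server (client traffic to udp 68)?"""
    pol = parse_policies(text)
    dhcp = first_match(pol, "user", "any", "svc-dhcp")
    rogue = first_match(pol, "user", "any", "udp 68")
    return {"dhcp": dhcp, "rogue_dhcp_blocked": rogue[1] == "deny"}
```

Run against the three samples, the original role denies DHCP in denyall, the poster's allowall fix permits DHCP but also lets the client answer as a DHCP server, and the logon-control plus allowall combination permits DHCP while keeping that guard.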


  • 8.  RE: client not able to connect and obtain an IP address

    Posted Jun 12, 2019 08:15 AM

    Well, this SSID is just for connecting handheld scanners, which will use a simple pre-shared key to connect to this SSID.

    We are MAC filtering for this, so that no other machines can connect.

    I will test the SSID and will let you know how it goes.