Wireless Access

last person joined: yesterday 

Access network design for branch, remote, outdoor and campus locations with Aruba access points, and mobility controllers.
Expand all | Collapse all

Option IP address Unsuccessful on 1 of 2 SSIDs

Jump to Best Answer
  • 1.  Option IP address Unsuccessful on 1 of 2 SSIDs

    Posted May 14, 2013 10:24 AM

    I have two WLANs setup. Identical in everyway except one is secured and one is open. The secured one gets an IP on every device tried (with the proper key) and is fine. Trying t connect to the "open" one tries to obtain an IP 3 times then switches to the secured one.

    Obviously I am missing something simple.

    DHCP server Windows Server 2008 R2.

    Thoughts?

     



  • 2.  RE: Option IP address Unsuccessful on 1 of 2 SSIDs

    Posted May 14, 2013 10:26 AM

    Do you have an "ip helper-address" on the VLAN interface of the VLAN that is not working?  That would direct broadcast (DHCP) traffic to your DHCP server.

     



  • 3.  RE: Option IP address Unsuccessful on 1 of 2 SSIDs

    Posted May 14, 2013 10:43 AM

     

    You mention that both wlan profiles are setup the same way , Are you using the same VLAN for both setups ?

     

     

     

     

     

     

     



  • 4.  RE: Option IP address Unsuccessful on 1 of 2 SSIDs

    Posted May 14, 2013 10:48 AM

    Yes. Both on VLAN1. Both set to Tunnel.

     



  • 5.  RE: Option IP address Unsuccessful on 1 of 2 SSIDs

    Posted May 14, 2013 10:49 AM

    What is the role that a user on the new SSID end up in?  Is it allowing DHCP?

     



  • 6.  RE: Option IP address Unsuccessful on 1 of 2 SSIDs

    Posted May 14, 2013 10:55 AM

    AP-800 5.0.4.4.

    Guest. Changed to Authenticated but didn't seem to matter.

    DHCP does not seem to be individually controlled in this version. Or I am missing it. Set both up using the Wizard.

     

     

     



  • 7.  RE: Option IP address Unsuccessful on 1 of 2 SSIDs

    Posted May 14, 2013 10:56 AM

    Not sure what this is?

    QinQ Outer VLAN

     

     



  • 8.  RE: Option IP address Unsuccessful on 1 of 2 SSIDs

    Posted May 14, 2013 11:06 AM

     

     

    can you please share the following : show wlan virtual-ap <virtual-ap name> for the open and secure setup

     

     



  • 9.  RE: Option IP address Unsuccessful on 1 of 2 SSIDs

    Posted May 14, 2013 11:15 AM

    Cool! New command to learn! (for me, relative newbie)

     

    Virtual AP profile "MSDPT_Fast"
    -------------------------------
    Parameter                                       Value
    ---------                                       -----
    QinQ Outer VLAN                                 0
    Virtual AP enable                               Enabled
    Allowed band                                    all
    AAA Profile                                     MSDPT_Fast
    802.11K Profile                                 default
    SSID Profile                                    MSDPT_Fast
    VLAN                                            1
    Forward mode                                    tunnel
    Deny time range                                 N/A
    Mobile IP                                       Enabled
    HA Discovery on-association                     Enabled
    DoS Prevention                                  Disabled
    Station Blacklisting                            Enabled
    Blacklist Time                                  3600 sec
    Dynamic Multicast Optimization (DMO)            Disabled
    Dynamic Multicast Optimization (DMO) Threshold  6
    Authentication Failure Blacklist Time           3600 sec
    Multi Association                               Disabled
    Strict Compliance                               Disabled
    VLAN Mobility                                   Disabled
    Preserve Client VLAN                            Disabled
    Remote-AP Operation                             standard
    Drop Broadcast and Multicast                    Enabled
    Convert Broadcast ARP requests to unicast       Enabled
    Band Steering                                   Enabled
    Steering Mode                                   prefer-5ghz
    VLAN POOL SIZE                                  0
    WMM Traffic Management Profile                  N/A

     

    Virtual AP profile "MSDPT_Guest-vap_prof"
    -----------------------------------------
    Parameter                                       Value
    ---------                                       -----
    QinQ Outer VLAN                                 0
    Virtual AP enable                               Enabled
    Allowed band                                    all
    AAA Profile                                     MSDPT_Guest-aaa_prof
    802.11K Profile                                 default
    SSID Profile                                    MSDPT_Guest-ssid_prof
    VLAN                                            1
    Forward mode                                    tunnel
    Deny time range                                 N/A
    Mobile IP                                       Enabled
    HA Discovery on-association                     Enabled
    DoS Prevention                                  Disabled
    Station Blacklisting                            Enabled
    Blacklist Time                                  3600 sec
    Dynamic Multicast Optimization (DMO)            Disabled
    Dynamic Multicast Optimization (DMO) Threshold  6
    Authentication Failure Blacklist Time           3600 sec
    Multi Association                               Disabled
    Strict Compliance                               Disabled
    VLAN Mobility                                   Disabled
    Preserve Client VLAN                            Disabled
    Remote-AP Operation                             standard
    Drop Broadcast and Multicast                    Disabled
    Convert Broadcast ARP requests to unicast       Enabled
    Band Steering                                   Enabled
    Steering Mode                                   prefer-5ghz
    VLAN POOL SIZE                                  0
    WMM Traffic Management Profile                  N/A



  • 10.  RE: Option IP address Unsuccessful on 1 of 2 SSIDs
    Best Answer

    Posted May 14, 2013 11:28 AM

     

    Are you trying to configure as a guest with a captive portal ? if that's not what you are trying to do  and you are not trying to do anything special under that ssid then do the following:

     

    Your issue might be related to the setup under the aaa config 

     

    Do the following :

     

    (controller) (config) #aaa profile MSDPT_Guest-aaa_prof

     

    (controller) (config) #(AAA Profile "(AAA Profile "MSDPT_Guest-aaa_prof #") #initial-role authenticated (unless you already using this role for something else then just create a new one) - Try this as a test first and then customize it to whatever you are trying to accomplish

     

    But if you want to restrict the user behind that ssid then you need to create another user-role and apply all the restrictions under that role :

     

    (controller) (config) #user-role OPEN-AUTH

     

     



  • 11.  RE: Option IP address Unsuccessful on 1 of 2 SSIDs

    Posted May 14, 2013 12:40 PM

    No captive portal. We use Lightspeed as a content filter. After getting an IP, before getting on the internet, it captures the traffic for a login (unless there is a client already installed).

    Nothing special.

    Both now set to Authenticated as the initial role and guest on the MAC authentication.

    No change.

    Tried to compare to other working controllers, but they are all at 6+.

    Any reason they can't use the same "authenticated" role in 5?

     



  • 12.  RE: Option IP address Unsuccessful on 1 of 2 SSIDs

    Posted May 16, 2013 07:33 AM

    Decided to delete the Guest profile and start over. It won't let me. Claims it is used by the secure profile. I don't find anywhere that the secured setup references the guest setup. Database error?



  • 13.  RE: Option IP address Unsuccessful on 1 of 2 SSIDs

    Posted May 16, 2013 08:19 AM

     

     

    You can use the show references command to determine where that particular profile is being use 

     

    (controller) #show  references ?
    aaa                     Show AAA profile references
    ap                      Show AP profile references
    ap-group                Show references to an AP group
    ap-name                 Show references to an AP name
    control-plane-security  Control Plane Security profile
    guest-access-email      Guest-Access Email configuration
    ids                     Show IDS profile references
    interface-profile       Show interface profile references
    lcd-menu                Enable or disable LCD menus
    policer-profile         Show references to a Policer Profile
    qos-profile             Show references to a QoS Profile
    rf                      Show RF profile references
    service                 Configure services
    user-role               Show access rights for user role
    valid-network-oui-pro.. Show references to the Valid Equipment OUI profile
    voice                   Voice configuration
    web-server              Web server configuration
    wlan                    Show WLAN profile references


  • 14.  RE: Option IP address Unsuccessful on 1 of 2 SSIDs

    Posted May 16, 2013 08:38 AM

    References to AAA Profile "MSDPT_Guest-aaa_prof"
    ------------------------------------------------
    Referrer                                            Count
    --------                                            -----
    wlan virtual-ap "MSDPT_Guest-vap_prof" aaa-profile  1
    Total References:1



  • 15.  RE: Option IP address Unsuccessful on 1 of 2 SSIDs

    Posted May 16, 2013 08:51 AM

    Getting conflicting information between the GUI and CLI.

    GUI shows an additional WLAN named Aruba-AP and claims the others reference it and therefore it cannot be delete.

    CLI doesn't show it:

    Virtual AP profile List
    -----------------------
    Name                  References  Profile Status
    ----                  ----------  --------------
    default               1
    MSDPT_Fast            1
    MSDPT_Guest-vap_prof  1
    MSDPT_S2              1

    Can't post a screenshot, right?

    In the WLAN wizard at the profiles are grayed out and there is an "error" message at the bottom, in red, stating a reference to one of the others. Like:

    MSDPT_Guest has been modified such that it is no longer editable from this Wizard. REASON: Dot 1x profile(MSDPT_Guest-aaa_prof) is also referenced by another AAA AP profile(MSDPT_S2)..
    Use the full Configuration user interface to edit it.

     

    This does not appear to be true in either the GUI full config or the CLI show references.

     



  • 16.  RE: Option IP address Unsuccessful on 1 of 2 SSIDs

    Posted May 16, 2013 07:42 AM

    Next I decided to just disable that guest profile and make a new one, with the Wizard. Goes through all the steps, no errors, but does not create the WLAN. No SSID, Profile, AAA... nothing! Tried twice.

    Perplexed.

     



  • 17.  RE: Option IP address Unsuccessful on 1 of 2 SSIDs

    Posted May 14, 2013 10:47 AM

    Yes. Building level layer 3 has ip-helper on vlan. Does it need to be in the Aruba somewhere?