Wireless Access

             Well first let me break up the wireless network design for you.  Essentially I am replacing our current Sonicwall setup due to poor performance and no L3 provisioning capabilities.  We are getting rid of our NSA 3500 and the WLC is the last piece.  I have configured an HP MSM 720 WLC with 3 VSC's (Public, Private, Employee).  Everything works great.  Public is Open with an HTML Authentication page, Employee uses WPA2-Personal and Private is setup with EAP-TLS.  

             My issues are as follows:  Due to my boss not wanting any traffic from Public and Employee traversing our network, he wouldn't let me use the DHCP relay option, which apparently is an all or nothing deal on the WLC, not per VSC.  Which seems weird to me, as to why you can't have a guest VSC get an IP from the controller and have your private get one from a DHCP server.  So I set up each VSC with their own DHCP like so: 10.0.0.0/23(Employee) 10.0.2.0/23(Guest) 10.0.4.0/23(Private).  I have no issue with Employee or Guest.  They can't access anything internal due to my ACL which is perfect .  Private though can access everything internal, but nothing internal can access it.  If I have a laptop with an IP of 10.0.4.40 I cannot ping that laptop from any wired machine, but I can ping it from other laptops on the same WiFi.  I can successfully ping the Default Gateway (on the WLC) from a wired PC so I know I am not having routing issues, and the WLC can obviously ping the laptop.  So I assume it is a firewall issue on the WLC, but I turned the firewall off and still couldn't access it.  I have it set to allow traffic between all clients on the VSC.   I have also disabled the firewalls on the clients to ensure that wasn't an issue.

             My 2nd issue is also with the Private VSC.  With Sonicwall, I used it as a DHCP server and even though I assigned the IP to private of 172.16.200.X/24 I could assign a DNS server of 172.16.1.5/1.8 for primary and secondary.  So the wireless clients would register in our DNS.  That doesn't seem to be possible with the HP.  Anytime I try to change the DNS server on the VSC to 172.16.1.5 it says it is not in the subnet, so it can't be used.  Seems crappy that you can't do that so I was hoping someone had a work around.  The WLC has it's DNS set to 1.5 and 1.8 so when someone connects to private they can ping and access stuff from the host-names, but they never register themselves to where I can access them.  Once again I can't use DHCP relay to assign IP's/Scope Options from my Windows server so I am hoping HP has a work around.  Any ideas guys?  Thanks I appreciate any help.  If you need further clarification or screenshots  please let me know as I am new to the HP side of wireless.

The firewall resides between Internet and Access interfaces, so that isn't a likely reason. As it's a new config, I'd suggest picking up the implementation guide from http://tinyurl.com/qz29mhk and choosing a suitable implementation from there. That should get you up'n running.

Thanks Arimo, I actually ended up solving it right after I posted this message.  The issue was within my config/VLANs.  I ended up creating an Interface Vlan on my L3 switch and using IP helper-address to go to my DHCP server.  Then I unchecked Access Control from my Private VSC.  Worked like a charm.

I do have another question though.  If I need to start another post please let me know.  But I am having issues getting DHCP L3 provisioning to work.  The DHCP server is on the same subnet as the AP so there is no DHCP Relay.  I followed the directions of creating the DHCP Scope option MSC/Colubris.  I also tried the whole DNS hostname cnsrv1 mapped to my Access Network IP address but it just isn't working.  The weird thing is I don't even see the AP requesting an IP from my DHCP server.  Nothing shows up in leases and the AP is brand new out of the box.

Thanks for your help.

Nevermind, my issue seems to be with the POE injectors we are using.  I was running a wireshark and noticed I wasn't seeing any DHCP requests or any traffic from that AP at all.  I got to looking at the switch and noticed it showed no link light, but yet the POE injector worked with my test phone just fine.  I took a different AP and tried a POE injector on another switch at our main location and had the exact same issue.  We just aren't going to use AP's at that location since it will be torn down in 3 months and has no POE switches.  I will just roll out to all our other locations that have POE switches.