Wireless Access

 View Only
last person joined: 2 days ago 

Access network design for branch, remote, outdoor and campus locations with Aruba access points, and mobility controllers.
Expand all | Collapse all

issues testing WPA3-Enterprise - client gets IP address but sees no traffic even though controller firewall shows traffic to/from device

This thread has been viewed 7 times
  • 1.  issues testing WPA3-Enterprise - client gets IP address but sees no traffic even though controller firewall shows traffic to/from device

    MVP EXPERT
    Posted 10 days ago
    Hi
    I'm testing use of WPA3-enterprise using the following equipment and although everything seems to work, my WPA3 clients can't ping each other, other devices on the same lan or have internet access. Strangely enough they can ping the default gateway. Devices on a WPA2-enterprise equivalent have no problem even though they are both using the same configs and client vlan
    Clients

    iPhone running 16.1.1
    macOS running 12.6.1

    Setup

    Arubaos 8.10.0.5 MM (VM) and 7210 MC running in FIPS mode
    Sufficient licenses installed on controller.
    L2 blocking disabled (deny inter-user-traffic ) drop broadcast and multicast is enabled and convert broadcast ARP request to unicast is enabled on all SSIDs
    ClearPass 6.10.7 onboarding certificates for edge clients to authenticate using eap-tls ( also performed. by ClearPass)


    The setup supports

    1) open guest wifi SSID using ClearPass captive portal
    2) WPA2-enterprise network with clients using EAP-TLS
    3) WPA2-PSK network with ClearPass authenticating / authorising clients and using device fingerprinting to allow connectivity
    4) WPA2-psk network just using a shared key (legacy)

    The WPAx networks (2) (3)  also use Downloadable User Roles to grant an "Allow All" ACL and specify the numeric destination VLAN and hence the address space to place devices in.

    DHCP performed by ISC DHCP server on a different subnet. UDP helpers forward DHCP requests to both the DHCP server and ClearPass

    AP/AP Groups

    AP group of 303H APs supporting all the above SSIDS
    AP group with 1 503H AP - Used to test wired auth connectivity but also for WPA3 testing
    AP group with 2 335 APs just to test WPA3 connectivity


    Two additional SSIDs created with same names/ authentication as (2) & (3) but with WPA3 text appended to SSID names

    5) WPA3-enterprise network ( CSNA suite enabled)
    6).ClearPass captive portal with enhanced open

    (5) uses the same client VLAN as (2), (6) the same VLAN as (3)

    So for example an iPhone connected to (2) obtains an IP address in the address space 192.168.230.x. Same iPhone connected to (5) with random mac address generation obtains a different IP address in the same 192.168.230.x address range
    A Macbook Air cannot do mac address randomisation so it has the same IP address when connected to either (2) or (5)

    With DHCP requests, WPA2 seem to see just one request, it responds and client obtains an IP address. With WPA3 I see multiple DHCP Discover /Offer entries in the server dhcp log until eventually the client obtains an ip address

    Anything connected to (1) - (4) just works. Profiles are downloaded, you can see them assigned to the client and each client has the network access its supposed to have.


    When connecting to (5) however although the client obtains an IP address and can ping the default gateway ( 192.168.230.1-  same  as (2) its the same VLAN) it can't ping anything else. Two devices connected to (5) cannot ping each other or devices connected to (2) which are on the same network.

    ClearPass authenticates every device and downloads the role
    The controller can see every device, which role is applied and what its IP address is


    Looking at Traffic analysis / sessions I can see traffic to/from remote IP addresses for  the WPA3 clients along with everything else, just the MacBook thinks that its not connected or seeing any traffic

    Flip the Air over to SSID (2) … everything is ok

    At a loss as to what is going on


  • 2.  RE: issues testing WPA3-Enterprise - client gets IP address but sees no traffic even though controller firewall shows traffic to/from device

    MVP EXPERT
    Posted 10 days ago
    Course I’m assuming here that an iPhone SE 2020 and a MacBook Air 2020 support WPA3-Enterprise




  • 3.  RE: issues testing WPA3-Enterprise - client gets IP address but sees no traffic even though controller firewall shows traffic to/from device

    MVP EXPERT
    Posted 10 days ago
    An as for enhanced open …. iPhone 2020 SE can see and. Connect to guest wifi using enhanced open…… MacBook Air M1 2020 sitting next to phone can’t evens see the SSID


    Perhaps the issues are with the clients …




  • 4.  RE: issues testing WPA3-Enterprise - client gets IP address but sees no traffic even though controller firewall shows traffic to/from device

    MVP EXPERT
    Posted 10 days ago
    Dropping the SSID to using wap-aes-ccs-128 and the MacBook drops to wpa2-enterprise immediately and everything works

    So looks as if its client stuff for both the iPhone and the MacBook Air




  • 5.  RE: issues testing WPA3-Enterprise - client gets IP address but sees no traffic even though controller firewall shows traffic to/from device

    MVP EXPERT
    Posted 10 days ago
    Gah!


    802.11ax APs. Dropped the SSIDS off the 335’s leaving it on the 503H …. And MacBook Air connects using wpa3 cnsa. iPhone SE 2020 still doesn’t work on it though


    So ok with correct AP and a MacBook Air M1 2020 stuff works




  • 6.  RE: issues testing WPA3-Enterprise - client gets IP address but sees no traffic even though controller firewall shows traffic to/from device

    EMPLOYEE
    Posted 9 days ago
    Can you please open a TAC case for this? I've seen some cases in the past where APs not capable of doing WPA3 fallback to WPA2, which may be the reason that clients will not connect. But as far as I can see, the AP-335 should support WPA3.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------