Wireless Access

 View Only
  • 1.  RAP Setup - Clients do not get an IP

    Posted Nov 08, 2024 03:58 AM
    Edited by MPieper Nov 08, 2024 04:52 AM

    I saw the other post about RAPs, but my issue is different. At least i think so.

    We have a Conductor Cluster, and added a dedicated new virtual Controller (single Controller for now) to terminate RAPs.

    The new Controller has two interfaces: One as access in the DMZ, that is reachable from external via NAT and firewall, and another that is a Trunk interface, using a selection of internal VLANs that Clients connected to the RAP should get assigned to.

    The RAP itself connects to the controller. I see it online, i can configure it, it takes any configuration changes. So i think the RAP tunnel is working.

    Wireless Networks are enabled and work, Clients can connect, ClearPass authentication and VLAN assignment work. I got the same working for wired clients conencted to the RAP as well.

    But clients do not get an IP.

    In addition, there is one thing that is very confusing to me: All the internal devices that are in one of the VLANs assigned to the Trunk port appear as wired clients on the Controller. These are clients that should be totally unrelated to the controller. Wired devices on our switches distributed across our campus.

    This is very odd to me, since we have trunk ports with a bunch of VLANs on all of our other internal controllers. The only difference i can think of is that here we have the management VLAN on a separate interface from the client VLANs, whereas on all other controller they use the same trunk interface.

    Can someone help or give any pointers?

    EDIT:
    One additional datapoint: The MAC Address of a client connected to the RAP (either wired or wireless) does appear in the MAC Cache of our core switch. But there is nothing in the logs of the DHCP server.



  • 2.  RE: RAP Setup - Clients do not get an IP

    Posted Nov 08, 2024 05:15 AM

    If you see entries in the controller, that means that the client is seen on an untrusted port or untrusted VLAN on a port. That applies either to the wired ports on the controller, as well to wired ports on a Remote AP (assuming the wired profile assigned is tunneled).

    What role do these clients show up with on the controller?

    It's unclear to me if you want the users to be authenticated or not; if you don't want them authenticated make sure port and VLAN are marked as trusted.

    This trusted/untrusted is basic operations on how the controller works, and part of standard training.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 3.  RE: RAP Setup - Clients do not get an IP

    Posted Nov 08, 2024 07:29 AM

    Amazing, you pointed me in the right direction yet again :)

    I had indeed not enabled trust on the separated interface. That was until now never an issue for us, since we always only ever used one interface/port channel, and that had the Trust enabled by default.

    I have to admit i was not aware of the implication of that setting.

    I enabled Trust, and for good measure also rebooted the controler: The clients get IP addresses, and the spurious wired clients are gone.