
Which ACLs apply to bridge mode clients? Wireless clients connected to a bridge mode SSID are able to associate and authenticate but are unable to pass traffic. What are the possible issues?

Jul 14, 2014 12:33 PM

Environment: Any Aruba Controller, any Aruba Access Point, any Aruba OS

 

Clients connected to bridge SSIDs can associate to wireless and get an IP address but are unable to pass traffic.

Check the "ap-uplink-acl" and the "validuser" ACL.

For clients that are able to associate to bridge mode SSIDs but are unable to pass traffic, ensure that the "ap-uplink-acl" allows the desired user traffic and that the "validuser" ACL allows the user subnet, so that the client is allowed in the user-table. The symptoms of each are as follows:

1) If the "ap-uplink-acl" denies traffic, the client associates and gets a valid IP address, but a deny (D) flag in the datapath session table for the client IP address indicates that traffic is being blocked either in the user-role or in the "ap-uplink-acl".
2) If the user-role and the "ap-uplink-acl" both allow user traffic, double-check that the "validuser" ACL allows the specific user subnet. The symptom is that the user entry is missing from the user-table on the Controller.
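
The two symptoms above can be turned into a small triage helper. This is an added example, not Aruba code: the rule list, addresses and function names are constructed, and the ACL is modelled as simplified ordered (source, action) pairs with first-match evaluation and an assumed implicit deny.

```python
import ipaddress

# Constructed, simplified "validuser" ACL: ordered (source, action) pairs.
# The real ACL on a controller has its own rule syntax; this only models
# first-match evaluation on the client's source address.
VALIDUSER_RULES = [
    ("169.254.0.0/16", "deny"),
    ("10.20.0.0/16", "permit"),
]

def first_match(rules, client_ip):
    """Return (action, rule_number) of the first rule matching client_ip."""
    ip = ipaddress.ip_address(client_ip)
    for number, (source, action) in enumerate(rules, start=1):
        if source == "any" or ip in ipaddress.ip_network(source):
            return action, number
    return "deny", None  # assumed implicit deny when nothing matches

def triage(client_ip, session_flags, in_user_table, validuser_rules):
    """Map the observed symptoms to the ACL the article says to check."""
    # Symptom 1: deny (D) flag on the client's datapath session entries.
    if "D" in session_flags:
        return "check user-role and ap-uplink-acl"
    # Symptom 2: no user-table entry, so test the validuser ACL.
    if not in_user_table:
        action, number = first_match(validuser_rules, client_ip)
        if action == "deny":
            where = f"rule {number}" if number else "implicit deny"
            return f"validuser denies {client_ip} ({where})"
        return "validuser permits this address; look elsewhere"
    return "no ACL symptom from the article"

if __name__ == "__main__":
    # Constructed observations: (client IP, session flags, in user-table?)
    for ip, flags, present in [
        ("10.20.5.17", "D", True),
        ("192.168.50.9", "", False),
        ("169.254.3.4", "", False),
        ("10.20.5.18", "", True),
    ]:
        print(ip, "->", triage(ip, flags, present, VALIDUSER_RULES))
```

A client subnet that no rule permits, such as 192.168.50.9 here, falls through to the implicit deny, which matches the missing user-table entry described in item 2.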

 

 
