Higher Education

So as some of you may have been reading here on the Higher Education boards, I am trying to twerk out my WIFI, get this right, make people happy and set the universe into balance for our environment. That being said I have been testing on a single building and have set the recommendations up as per a PDF that was linked to me in another thread.

 

Things seem to be good for Laptops/notebooks and tablets. Smart phones though (iPhone/Android) now have issues. Those issues being that they get nowhere on the wireless. Like that great kids toy from the '70s, they just Sit'n'Spin and never go anywhere.

 

I have:

- verified DHCP and all address/DNS information is correct on the devices

- tried statically assigning a smart phone, no difference

- verified that the devices are getting on the correct VLAN for their ROLE (this is a dot1x secure environment)

- verified that their authentication via ClearPass is correct and users are authenticating properly

- confirmed that Darth Vader is indeed Luke's father

- verified the quality of the physical wireless connections

      - no ton of retransmits or anything of that nature

      - SNR looks good

- have tested in multiple locations throughout the building and confirmed that its not happening on just a single AP (environment is a mix of AP93s, 105s and 225s)

 

So I could use some help here gang on what/where to troubleshoot next...

#AP225

1. Chill out & take a deep breath

2. Are you allowing access in your role? If Internet access is the issue, is your edge firewall allowing access?

3. What does the datapath session table for the client tell you?

 

Just a few random thoughts...

@ bosborne@liberty.edu

 

1 - breath... breath... breath...

2 - yes, I am allowing access on this role. Its the same role that the other device types get which is why I am so puzzled on this one, but I see where you are coming from.

3 - I have not gone all CLI commando yet as I am not sure specifically I need to be looking at. I'll take a look at that since you suggested it, thanks :-)

Keep it simple and go through the steps of connectivity.

Associated?
802.1X auth successful?
AES key exchange complete?
Does client send DHCPDISCOVER?
Does DHCP server receive discover?
Does dhcp server send offer?
Does client receive offer?
Client have address?
Client have default gateway ip?
ARP entry on client for router?
ARP entry on router for client?
Can client ping default gateway IP?
DNS servers on client?
Can client ping DNS servers?

It probably breaks somewhere above. Pinpoint it and then we can dive deeper.

@ Ryan - and away we go.......

 

Associated? - Yes
802.1X auth successful? - Yes
AES key exchange complete? - Yes
Does client send DHCPDISCOVER? - Yes
Does DHCP server receive discover? - Yes
Does dhcp server send offer? - Yes
Does client receive offer? - Yes
Client have address? - Yes
Client have default gateway ip? - Yes
ARP entry on client for router? - Yes
ARP entry on router for client? - will get with our Palo Alto admin
Can client ping default gateway IP? - Yes
DNS servers on client? - Yes
Can client ping DNS servers? - Yes

 

I found a great little tool pack on the Google Play store called, amazingly enough, PING Tools. It shows all for your Androids WIFI IP info and will also PING and run trace routes, port scans and four or five other utilities. It is also very easy to use.

 

Anyway, I can ping the:

- gateway

- both DNS servers

- the DHCP server

 

and then the weirdness starts:

- cannot ping Google BUT it does resolve its address

- trace route stops at the gateway

- cannot get to any website on the WIFI

 

So yes, its looking like a possible Palo Alto issue BUT laptops and iPads (don't know about Android tabs, don't have one to test with) do not have a problem, they get out to the Universe just fine...

 

Oh, it's also worth mentioning that my laptop, my iPad and my Android all get the same role via ClearPass, laptop & iPad work fine, smart phone has the issues (like many other iPhones and Androids on campus)

I think we may have solved this one.

 

A little while back we migrated the VLANs for our dot1x environment off of our core switch to our Palo Alto 5050. It appears that in that transition we left the address for this particular VLAN on the core as well as putting it on the P.A. box. Once this was corrected, smart phones consistently began to work properly. So in essence it was an IP conflict which would explain its intermittent nature. Now why laptops still worked fine during all of this is still a mystery to me, but I'm not one to look a gift horse in the mouth so to speak.

 

So, so far so good!

 

On the plus side all of my actual wireless configurations have been vindicated!  :-)

 

Thanks to Ryan for all the help, much appreciated!

That's great news. My list should have been preceded with "has anything changed recently" :). I also wasn't aware it was just one of your networks/vlans with the issue. I guess I glossed over that detail.

Thank you for sharing the solution!