Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Devices won't connect to guest network

  • 1.  Devices won't connect to guest network

    Posted Apr 30, 2013 04:29 PM

    Hi all

     

    I have a really frustrating problem with the Guest network I have set up on our lab controller. We have a 3200 running OS 6.2.0.3. This is in our lab but has a public IP. I have an AP95 here at home that is connected correctly and working.

     

    I have created two SSIDs, one for dot1x testing and one for guest. Both SSIDs are set up to take IP addressing from DHCP on the controller, with a separate VLAN for each.

     

    The dot1x network works fine; however, the guest one does not. Using my Android phone, I try to connect and the phone attempts connection, then stops. It will keep doing that until I give up. Occasionally, it will say it's obtaining an IP address, but that times out. I set up debugging for the device and here is the latest output from an attempted connection:

     

    Apr 30 21:15:20 :522246: <DBUG> |authmgr| Idle timeout should be driven by STM for MAC 98:0c:82:85:e6:35.
    Apr 30 21:15:20 :522083: <DBUG> |authmgr| Skip User-Derivation, mba:0 udr_exist:0,default_role:guest-logon,pDefRole:0x0x109908e4
    Apr 30 21:15:20 :522243: <DBUG> |authmgr| MAC=98:0c:82:85:e6:35 Station Updated Update MMS: BSSID=00:24:6c:41:f0:01 ESSID=demo-guest VLAN=18 AP-name=Demo_AP
    Apr 30 21:15:24 :501095: <NOTI> |stm| Assoc request @ 21:15:24.959200: 98:0c:82:85:e6:35 (SN 746): AP 192.168.1.14-00:24:6c:41:f0:01-Demo_AP
    Apr 30 21:15:24 :501100: <NOTI> |stm| Assoc success @ 21:15:24.960806: 98:0c:82:85:e6:35: AP 192.168.1.14-00:24:6c:41:f0:01-Demo_AP
    Apr 30 21:15:24 :522035: <INFO> |authmgr| MAC=98:0c:82:85:e6:35 Station UP: BSSID=00:24:6c:41:f0:01 ESSID=demo-guest VLAN=18 AP-name=Demo_AP
    Apr 30 21:15:24 :522077: <DBUG> |authmgr| MAC=98:0c:82:85:e6:35 ingress 0x0x10009 (tunnel 9), u_encr 1, m_encr 1, slotport 0x0x2040 , type: local, FW mode: 0, AP IP: 0.0.0.0 mdie 0 ft_complete 0
    Apr 30 21:15:24 :522078: <DBUG> |authmgr| MAC=98:0c:82:85:e6:35, wired: 0, vlan:18 ingress:0x0x10009 (tunnel 9), ingress:0x0x10009 new_aaa_prof: demo-guest-AAA-profile, stored profile: demo-guest-AAA-profile stored wired: 0 stored essid: demo-guest, stored-ingress: 0x0x10009
    Apr 30 21:15:24 :522246: <DBUG> |authmgr| Idle timeout should be driven by STM for MAC 98:0c:82:85:e6:35.
    Apr 30 21:15:24 :522083: <DBUG> |authmgr| Skip User-Derivation, mba:0 udr_exist:0,default_role:guest-logon,pDefRole:0x0x109908e4
    Apr 30 21:15:24 :522243: <DBUG> |authmgr| MAC=98:0c:82:85:e6:35 Station Updated Update MMS: BSSID=00:24:6c:41:f0:01 ESSID=demo-guest VLAN=18 AP-name=Demo_AP
    Apr 30 21:15:28 :501095: <NOTI> |stm| Assoc request @ 21:15:28.696280: 98:0c:82:85:e6:35 (SN 787): AP 192.168.1.14-00:24:6c:41:f0:01-Demo_AP
    Apr 30 21:15:28 :501100: <NOTI> |stm| Assoc success @ 21:15:28.697868: 98:0c:82:85:e6:35: AP 192.168.1.14-00:24:6c:41:f0:01-Demo_AP
    Apr 30 21:15:28 :522035: <INFO> |authmgr| MAC=98:0c:82:85:e6:35 Station UP: BSSID=00:24:6c:41:f0:01 ESSID=demo-guest VLAN=18 AP-name=Demo_AP
    Apr 30 21:15:28 :522077: <DBUG> |authmgr| MAC=98:0c:82:85:e6:35 ingress 0x0x10009 (tunnel 9), u_encr 1, m_encr 1, slotport 0x0x2040 , type: local, FW mode: 0, AP IP: 0.0.0.0 mdie 0 ft_complete 0
    Apr 30 21:15:28 :522078: <DBUG> |authmgr| MAC=98:0c:82:85:e6:35, wired: 0, vlan:18 ingress:0x0x10009 (tunnel 9), ingress:0x0x10009 new_aaa_prof: demo-guest-AAA-profile, stored profile: demo-guest-AAA-profile stored wired: 0 stored essid: demo-guest, stored-ingress: 0x0x10009
    Apr 30 21:15:28 :522246: <DBUG> |authmgr| Idle timeout should be driven by STM for MAC 98:0c:82:85:e6:35.
    Apr 30 21:15:28 :522083: <DBUG> |authmgr| Skip User-Derivation, mba:0 udr_exist:0,default_role:guest-logon,pDefRole:0x0x109908e4
    Apr 30 21:15:28 :522243: <DBUG> |authmgr| MAC=98:0c:82:85:e6:35 Station Updated Update MMS: BSSID=00:24:6c:41:f0:01 ESSID=demo-guest VLAN=18 AP-name=Demo_AP
    Apr 30 21:15:32 :501095: <NOTI> |stm| Assoc request @ 21:15:32.742959: 98:0c:82:85:e6:35 (SN 828): AP 192.168.1.14-00:24:6c:41:f0:01-Demo_AP
    Apr 30 21:15:32 :501100: <NOTI> |stm| Assoc success @ 21:15:32.744456: 98:0c:82:85:e6:35: AP 192.168.1.14-00:24:6c:41:f0:01-Demo_AP
    Apr 30 21:15:32 :522035: <INFO> |authmgr| MAC=98:0c:82:85:e6:35 Station UP: BSSID=00:24:6c:41:f0:01 ESSID=demo-guest VLAN=18 AP-name=Demo_AP
    Apr 30 21:15:32 :522077: <DBUG> |authmgr| MAC=98:0c:82:85:e6:35 ingress 0x0x10009 (tunnel 9), u_encr 1, m_encr 1, slotport 0x0x2040 , type: local, FW mode: 0, AP IP: 0.0.0.0 mdie 0 ft_complete 0
    Apr 30 21:15:32 :522078: <DBUG> |authmgr| MAC=98:0c:82:85:e6:35, wired: 0, vlan:18 ingress:0x0x10009 (tunnel 9), ingress:0x0x10009 new_aaa_prof: demo-guest-AAA-profile, stored profile: demo-guest-AAA-profile stored wired: 0 stored essid: demo-guest, stored-ingress: 0x0x10009
    Apr 30 21:15:32 :522246: <DBUG> |authmgr| Idle timeout should be driven by STM for MAC 98:0c:82:85:e6:35.
    Apr 30 21:15:32 :522083: <DBUG> |authmgr| Skip User-Derivation, mba:0 udr_exist:0,default_role:guest-logon,pDefRole:0x0x109908e4
    Apr 30 21:15:32 :522243: <DBUG> |authmgr| MAC=98:0c:82:85:e6:35 Station Updated Update MMS: BSSID=00:24:6c:41:f0:01 ESSID=demo-guest VLAN=18 AP-name=Demo_AP

     

    It seems to be joining the network fine but then going nowhere. Initially I had created my own pre-auth guest role but, as that wasn't working, I reverted to using the default guest-logon role, but still no change.

     

    I have tried connecting using a Windows machine and an iPhone and they fail too. It's not a tricky config and it's one I've used for hundreds of customers, but I just cannot get it to work.

     

    Any ideas?


    #3200
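The log above shows the symptom rather than the cause: the same station gets "Assoc success" and "Station UP" every four seconds and never gets further. As an added example (not from the thread or from ArubaOS), here is a small parser over a constructed copy of those stm/authmgr lines, plus one constructed healthy station, that flags MACs re-associating repeatedly within a short window, which is a useful thing to alert on from controller syslog.

```python
import re
from datetime import datetime

# Constructed sample: stm/authmgr lines copied from the post, plus one constructed
# healthy station (02:00:00:00:00:01) that associates only once.
SAMPLE_LOG = """\
Apr 30 21:15:24 :501100: <NOTI> |stm| Assoc success @ 21:15:24.960806: 98:0c:82:85:e6:35: AP 192.168.1.14-00:24:6c:41:f0:01-Demo_AP
Apr 30 21:15:24 :522035: <INFO> |authmgr| MAC=98:0c:82:85:e6:35 Station UP: BSSID=00:24:6c:41:f0:01 ESSID=demo-guest VLAN=18 AP-name=Demo_AP
Apr 30 21:15:26 :501100: <NOTI> |stm| Assoc success @ 21:15:26.100000: 02:00:00:00:00:01: AP 192.168.1.14-00:24:6c:41:f0:01-Demo_AP
Apr 30 21:15:28 :501100: <NOTI> |stm| Assoc success @ 21:15:28.697868: 98:0c:82:85:e6:35: AP 192.168.1.14-00:24:6c:41:f0:01-Demo_AP
Apr 30 21:15:32 :501100: <NOTI> |stm| Assoc success @ 21:15:32.744456: 98:0c:82:85:e6:35: AP 192.168.1.14-00:24:6c:41:f0:01-Demo_AP
"""

ASSOC_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) :\d+: <\w+> \|stm\| Assoc success @ "
    r"[\d:.]+: (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}): AP (?P<ap>\S+)")
UP_RE = re.compile(
    r"\|authmgr\| MAC=(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) Station UP: "
    r"BSSID=\S+ ESSID=(?P<essid>\S+) VLAN=(?P<vlan>\d+)")

def parse_ts(stamp):
    # Syslog-style stamp without a year; only differences are used, so 1900 is fine.
    return datetime.strptime(stamp, "%b %d %H:%M:%S")

def find_assoc_loops(log_text, window_s=30, min_assocs=3):
    """Return {mac: summary} for stations with min_assocs or more successful
    associations inside window_s seconds. A healthy client associates once;
    one that re-associates every few seconds is bouncing after L2 association."""
    assocs, meta = {}, {}
    for line in log_text.splitlines():
        line = line.strip()
        m = ASSOC_RE.match(line)
        if m:
            assocs.setdefault(m["mac"], []).append(parse_ts(m["ts"]))
            continue
        m = UP_RE.search(line)
        if m:
            meta[m["mac"]] = {"essid": m["essid"], "vlan": int(m["vlan"])}

    loops = {}
    for mac, times in assocs.items():
        times.sort()
        for i in range(len(times) - min_assocs + 1):
            if (times[i + min_assocs - 1] - times[i]).total_seconds() <= window_s:
                loops[mac] = {"assocs": len(times),
                              "span_s": (times[-1] - times[0]).total_seconds(),
                              **meta.get(mac, {})}
                break
    return loops
```

Running `find_assoc_loops(SAMPLE_LOG)` flags only 98:0c:82:85:e6:35 (three associations in eight seconds on demo-guest, VLAN 18); the constructed single-association station is not reported.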


  • 2.  RE: Devices won't connect to guest network

    Posted Apr 30, 2013 05:09 PM

    Does the controller have an IP on the VLAN that you are trying to give to the guests? Since you know the VLAN works for your 802.1X network, have you configured the guest virtual AP to use that VLAN? Does it work and get an IP?



  • 3.  RE: Devices won't connect to guest network

    Posted Apr 30, 2013 05:16 PM

    Hi Clembo

     

    I've just set both VAPs to use the same (working) dot1x VLAN and it hasn't made a difference.



  • 4.  RE: Devices won't connect to guest network

    Posted Apr 30, 2013 05:46 PM

    Please confirm the role the guest gets put into upon connection and run the following command and share the output:

     

    show rights <Name-of-Role>



  • 5.  RE: Devices won't connect to guest network

    Posted Apr 30, 2013 05:51 PM

    Currently they are going into the default guest-logon role. Note that no CP is currently applied here, but before I had them going into a guest-preauth-role that had the logon-control and cp policies applied and had a CP profile set, but this had the same issue. 

     

    (Aruba3200) # show rights guest-logon

    Derived Role = 'guest-logon'
    Up BW:No Limit Down BW:No Limit
    L2TP Pool = default-l2tp-pool
    PPTP Pool = default-pptp-pool
    Periodic reauthentication: Disabled
    ACL Number = 6/0
    Max Sessions = 65535

    Captive Portal profile = default

    access-list List
    ----------------
    Position Name Type Location
    -------- ---- ---- --------
    1 logon-control session
    2 captiveportal session
    3 v6-logon-control session
    4 captiveportal6 session

    logon-control
    -------------
    Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6
    -------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------
    1 user any udp 68 deny Low 4
    2 any any svc-icmp permit Low 4
    3 any any svc-dns permit Low 4
    4 any any svc-dhcp permit Low 4
    5 any any svc-natt permit Low 4
    captiveportal
    -------------
    Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6
    -------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------
    1 user controller svc-https dst-nat 8081 Low 4
    2 user any svc-http dst-nat 8080 Low 4
    3 user any svc-https dst-nat 8081 Low 4
    4 user any svc-http-proxy1 dst-nat 8088 Low 4
    5 user any svc-http-proxy2 dst-nat 8088 Low 4
    6 user any svc-http-proxy3 dst-nat 8088 Low 4
    v6-logon-control
    ----------------
    Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6
    -------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------
    1 user any udp 68 deny Low 6
    2 any any svc-v6-icmp permit Low 6
    3 any any svc-v6-dhcp permit Low 6
    4 any any svc-dns permit Low 6
    captiveportal6
    --------------
    Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6
    -------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------
    1 user controller6 svc-https captive Low 6
    2 user any svc-http captive Low 6
    3 user any svc-https captive Low 6
    4 user any svc-http-proxy1 captive Low 6
    5 user any svc-http-proxy2 captive Low 6
    6 user any svc-http-proxy3 captive Low 6

    Expired Policies (due to time constraints) = 0
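The role output above can be checked mechanically. This is an added example, not from the thread or from ArubaOS: a first-match evaluator over the two IPv4 session ACLs of guest-logon as printed (proxy rules omitted), with the service port ranges assumed from ArubaOS's default netservice aliases. It shows the role lets a station's DHCP, DNS and ICMP out, redirects HTTP/HTTPS to the portal, and drops a station that tries to answer DHCP itself, so the role is not what is stopping these clients from getting an address.

```python
from dataclasses import dataclass

# Service aliases: assumed here to follow ArubaOS's built-in netservice definitions
SERVICES = {
    "udp 68": ("udp", 68, 68), "svc-icmp": ("icmp", 0, 0), "svc-dns": ("udp", 53, 53),
    "svc-dhcp": ("udp", 67, 68), "svc-natt": ("udp", 4500, 4500),
    "svc-http": ("tcp", 80, 80), "svc-https": ("tcp", 443, 443),
}

# The guest-logon role's IPv4 session ACLs as printed by `show rights guest-logon`
# (proxy rules omitted): (priority, source, destination, service, action)
LOGON_CONTROL = [
    (1, "user", "any", "udp 68", "deny"),      # station must not act as a DHCP server
    (2, "any", "any", "svc-icmp", "permit"),
    (3, "any", "any", "svc-dns", "permit"),
    (4, "any", "any", "svc-dhcp", "permit"),   # client DHCP to port 67 is allowed
    (5, "any", "any", "svc-natt", "permit"),
]
CAPTIVEPORTAL = [
    (1, "user", "controller", "svc-https", "dst-nat 8081"),
    (2, "user", "any", "svc-http", "dst-nat 8080"),
    (3, "user", "any", "svc-https", "dst-nat 8081"),
]
GUEST_LOGON_ROLE = [("logon-control", LOGON_CONTROL), ("captiveportal", CAPTIVEPORTAL)]

@dataclass
class Packet:
    proto: str                  # "udp", "tcp" or "icmp"
    dst_port: int = 0
    from_user: bool = True      # the station itself is the sender ("user" alias)
    to_controller: bool = False # destination is the controller ("controller" alias)

def rule_matches(rule, pkt):
    _, src, dst, service, _ = rule
    proto, lo, hi = SERVICES[service]
    if src == "user" and not pkt.from_user:
        return False
    if dst == "controller" and not pkt.to_controller:
        return False
    return pkt.proto == proto and (proto == "icmp" or lo <= pkt.dst_port <= hi)

def evaluate(role, pkt):
    """First match across the role's ACLs in listed order; anything unmatched
    falls through to the role's implicit deny."""
    for acl_name, rules in role:
        for rule in rules:
            if rule_matches(rule, pkt):
                return acl_name, rule[0], rule[4]
    return None, None, "deny"
```

`evaluate(GUEST_LOGON_ROLE, Packet("udp", 67))` returns `("logon-control", 4, "permit")` for a client DHCP request, while `Packet("udp", 68)` hits rule 1 and is denied.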

     



  • 6.  RE: Devices won't connect to guest network

    Posted May 01, 2013 09:49 AM

     

     

    How do you have the DHCP setup for this?

     

    Are you doing any natting on the VLAN ?

     

    Are you using the internal captive portal or Clearpass/Amigopod ?

     

    Please check this doc :

     

    http://www.arubanetworks.com/wp-content/uploads/aos_guestacccess-appnote.pdf 



  • 7.  RE: Devices won't connect to guest network

    Posted May 02, 2013 05:20 AM

    DHCP setup:

     

    ip dhcp pool demo-guest-dhcp-pool
    default-router 192.168.18.1
    dns-server 8.8.8.8
    lease 1 0 0 0
    network 192.168.18.0 255.255.255.0
    authoritative
    !
    service dhcp

     

    Yes, we have ip nat-inside on the VLAN as well as on the dot1x VLAN. Currently the landing page is on the controller. I have read the pdf and think I'm doing everything right!



  • 8.  RE: Devices won't connect to guest network

    Posted May 01, 2013 11:40 AM

    Can you confirm what forwarding mode the virtual AP for the guests is in? Tunnel, bridge, split-tunnel?



  • 9.  RE: Devices won't connect to guest network

    Posted May 02, 2013 05:22 AM

    Both VAPs are configured in tunnel mode.



  • 10.  RE: Devices won't connect to guest network

    Posted May 02, 2013 08:06 AM

     

    Do you have an ip nat pool set up? Or are you doing the natting at the border?



  • 11.  RE: Devices won't connect to guest network

    Posted May 02, 2013 08:23 AM

    Just using the default nat pool:

     

    ip NAT pool dynamic-srcnat 0.0.0.0 0.0.0.0



  • 12.  RE: Devices won't connect to guest network

    Posted May 02, 2013 09:12 AM

     

    You need to define the public IP address that the 192.168.x.x will be natted to.



  • 13.  RE: Devices won't connect to guest network

    Posted May 20, 2013 06:51 AM

    I've done that and it hasn't changed anything, but I'm not sure this is the issue. The guest users aren't getting an IP anyway to start the whole captive portal process. In fact, it doesn't look like any communication happens at all. 

     

    The dot1x network NATs as well and that is fine.



  • 14.  RE: Devices won't connect to guest network
    Best Answer

    Posted Jun 24, 2013 04:30 PM

    I finally worked out what was going on here. I had put v6.2 on a non-XM 3200. I noticed something more serious was up when I wasn't getting the full screen render working.

     

    Annoyingly, when I rolled back to 6.1.3.8, I had to recreate all the guest roles and aaa profiles as that had all gone pear shaped as well.