Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Issues with open network

  • 1.  Issues with open network

    Posted Nov 21, 2012 07:49 AM

    Hi,

     

    I have problems connecting to an open network. This network has a captive portal profile assigned.

    The aaa profile assigned to the vap has a role with dhcp and dns allowed.

    There is a dhcp pool in the vlan assigned to the user, but I've never been able to connect with some devices.

     

    The show auth-tracebuf command shows me:

     

    Nov 21 13:39:57  station-data-ready     *  f0:e7:7e:a1:03:6b  00:00:00:00:00:00  400  405  
    Nov 21 13:39:57  station-up             *  f0:e7:7e:a1:03:6b  00:1a:1e:c3:96:a1  -    -    open system
    Nov 21 13:39:57  station-data-ready     *  f0:e7:7e:a1:03:6b  00:00:00:00:00:00  400  405  
    Nov 21 13:39:58  station-data-ready     *  f0:e7:7e:a1:03:6b  00:00:00:00:00:00  400  405  
    Nov 21 13:39:58  station-up             *  f0:e7:7e:a1:03:6b  00:1a:1e:c3:96:a1  -    -    open system
    Nov 21 13:39:58  station-data-ready     *  f0:e7:7e:a1:03:6b  00:00:00:00:00:00  400  405  
    Nov 21 13:39:58  station-down           *  f0:e7:7e:a1:03:6b  00:1a:1e:c3:96:a1  -    -   

     

    Any ideas?

     

    Thanks



  • 2.  RE: Issues with open network

    EMPLOYEE
    Posted Nov 21, 2012 08:05 AM

    Which devices are you having problems with?

    Do the devices get an ip address?

    Can you resolve DNS names with those devices?

    Can you bring up the Captive Portal?

     

    What does not work, from the questions above?

     

     



  • 3.  RE: Issues with open network

    Posted Nov 21, 2012 09:36 AM

    Thanks for your answer,

     

    The client does not get an ip address.

    I have a user role with vlan 405 and a firewall policy that permits dhcp traffic.

    I have a dhcp server defined for the interface vlan 405, but all devices are unable to connect to the network.

     

    The firewall rule "any any svc-dhcp permit" is shown when I do "show acl hits", but it seems not to work.

    In test mode I put this rule to blacklist devices that match it, but it does not work.

     

    This is what I can see:

     

    #show auth-tracebuf mac  00:1b:77:cf:5c:76

     

    Nov 21 15:27:40  station-up             *  00:1b:77:cf:5c:76  00:1a:1e:c3:96:a1  -    -    open system
    Nov 21 15:27:40  station-data-ready     *  00:1b:77:cf:5c:76  00:00:00:00:00:00  400  405  
    Nov 21 15:27:40  station-down           *  00:1b:77:cf:5c:76  00:1a:1e:c3:96:a1  -    -    
    Nov 21 15:27:41  station-data-ready     *  00:1b:77:cf:5c:76  00:00:00:00:00:00  400  405  
    Nov 21 15:27:41  station-up             *  00:1b:77:cf:5c:76  00:1a:1e:c3:96:a1  -    -    open system
    Nov 21 15:27:41  station-data-ready     *  00:1b:77:cf:5c:76  00:00:00:00:00:00  400  405  
    Nov 21 15:27:41  station-down           *  00:1b:77:cf:5c:76  00:1a:1e:c3:96:a1  -    -   

     

    #show acl hits | i congresos

     

    congresos     logon-control-congresos-II  any   any              svc-dhcp       permit                        3         5           906

     

     



  • 4.  RE: Issues with open network

    EMPLOYEE
    Posted Nov 21, 2012 09:39 AM

    What is the DHCP server?

     



  • 5.  RE: Issues with open network

    Posted Nov 21, 2012 10:52 AM

    The dhcp server is the controller..



  • 6.  RE: Issues with open network

    EMPLOYEE
    Posted Nov 21, 2012 10:54 AM

    Okay.

     

    Is it enabled?

    Does the "Network" portion of the DHCP server pool match an ip interface on the controller?

     



  • 7.  RE: Issues with open network

    Posted Nov 21, 2012 11:09 AM

    Yes, it is enabled and there is an ip address for interface vlan 405.

     

    # sh ip inter brief

    vlan 405                  192.168.75.1 / 255.255.255.0     up      up

    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

     


    It's pretty strange, because in a live capture I am seeing some DHCP NAKs and some DHCP offers.

    The pc is getting an ip address that is not defined in the controller as dhcp server.

    It was defined in the past for another network.

    I see that I can restart the dhcp service, but I am thinking of doing a reload.

     

    Thanks



  • 8.  RE: Issues with open network

    EMPLOYEE
    Posted Nov 21, 2012 11:13 AM

    I would turn on network dhcp debugging and watch:

     

    config t
    logging level debugging network subcat dhcp
    logging level debugging network process dhcpd

    (host) (config) #show log network 20
    Nov 17 16:50:47 :209801: <WARN> |fpapps| Physical link down: port 1/3
    Nov 17 16:51:33 :209801: <WARN> |fpapps| Physical link down: port 1/3
    Nov 21 10:10:42 :202086: <INFO> |dhcpdwrap| netlink_arp_changed(): ker_mac 00:23:6c:90:05:11 pkt_mac 00:23:6c:90:05:11 cip 1.1.1.250
    Nov 21 10:11:11 :202085: <DBUG> |dhcpdwrap| No arp entry for ip address 192.168.1.72 eth1.1
    Nov 21 10:11:17 :202086: <INFO> |dhcpdwrap| netlink_arp_changed(): ker_mac 00:23:6c:90:05:11 pkt_mac 00:23:6c:90:05:11 cip 1.1.1.250
    Nov 21 10:11:38 :202541: <DBUG> |dhcpdwrap| |dhcp| Received DHCP packet from Datpath, sos msg hdr flags 0x40 opcode 0x5a ingress 0x108c vlan 1000 egress 0x0 src mac 00:23:6c:90:05:11
    Nov 21 10:11:38 :202536: <DBUG> |dhcpdwrap| |dhcp| Datapath vlan1000: REQUEST 00:23:6c:90:05:11 reqIP=1.1.1.250 Options 37:0103060f775ffc2c2e2f 39:05dc 3d:0100236c900511 33:0076a700
    Nov 21 10:11:38 :202541: <DBUG> |dhcpdwrap| |dhcp| Received DHCP packet from Datpath, sos msg hdr flags 0x440 opcode 0x5a ingress 0x108c vlan 1000 egress 0x0 src mac 00:23:6c:90:05:11
    Nov 21 10:11:38 :202536: <DBUG> |dhcpdwrap| |dhcp| Datapath vlan1000: REQUEST 00:23:6c:90:05:11 reqIP=1.1.1.250 Options 37:0103060f775ffc2c2e2f 39:05dc 3d:0100236c900511 33:0076a700
    Nov 21 10:11:38 :202523: <DBUG> |dhcpdwrap| |dhcp| dhcprelay: dev=eth1, length=300, from_port=68, op=1, giaddr=0.0.0.0
    Nov 21 10:11:38 :202513: <DBUG> |dhcpdwrap| |dhcp| Could not find interface and/or vlan for ip=1.1.1.250, could be reply to mobility message.
    Nov 21 10:11:38 :202532: <DBUG> |dhcpdwrap| |dhcp| got 2 relay servers
    Nov 21 10:11:38 :202533: <DBUG> |dhcpdwrap| |dhcp| Relayed: DISCOVER server=192.168.1.32 giaddr=1.1.1.1 MAC=00:23:6c:90:05:11
    Nov 21 10:11:38 :202533: <DBUG> |dhcpdwrap| |dhcp| Relayed: DISCOVER server=192.168.1.31 giaddr=1.1.1.1 MAC=00:23:6c:90:05:11
    Nov 21 10:11:38 :202541: <DBUG> |dhcpdwrap| |dhcp| Received DHCP packet from Datpath, sos msg hdr flags 0x42 opcode 0x5a ingress 0x0 vlan 1000 egress 0x108c src mac 00:0b:86:6d:20:30
    Nov 21 10:11:38 :202086: <INFO> |dhcpdwrap| netlink_arp_changed(): ker_mac 00:23:6c:90:05:11 pkt_mac 00:23:6c:90:05:11 cip 1.1.1.250
    Nov 21 10:11:38 :202544: <DBUG> |dhcpdwrap| |dhcp| Datapath vlan1000: ACK 00:23:6c:90:05:11 clientIP=1.1.1.250
    Nov 21 10:11:38 :202523: <DBUG> |dhcpdwrap| |dhcp| dhcprelay: dev=eth1, length=300, from_port=67, op=1, giaddr=1.1.1.1
    Nov 21 10:11:38 :202541: <DBUG> |dhcpdwrap| |dhcp| Received DHCP packet from Datpath, sos msg hdr flags 0x42 opcode 0x5a ingress 0x0 vlan 1 egress 0x1043 src mac 00:0b:86:6d:20:30
    Nov 21 10:11:38 :202536: <DBUG> |dhcpdwrap| |dhcp| Datapath vlan1: REQUEST 00:23:6c:90:05:11 reqIP=1.1.1.250 Options 37:0103060f775ffc2c2e2f 39:05dc 3d:0100236c900511 33:0076a700

     



  • 9.  RE: Issues with open network

    Posted Nov 21, 2012 11:36 AM

    Suddenly I can connect with my laptop, but I can't see the dhcp offer for other devices:

     

    Nov 21 17:27:28 :202546:  <DBUG> |dhcpd| |dhcp| Datapath vlan405: OFFER 00:1b:77:cf:5c:76 clientIP=192.168.75.254
    Nov 21 17:27:29 :202546:  <DBUG> |dhcpd| |dhcp| Datapath vlan405: OFFER 00:1b:77:cf:5c:76 clientIP=192.168.75.254
    Nov 21 17:27:29 :202536:  <DBUG> |dhcpd| |dhcp| Datapath vlan405: REQUEST 00:1b:77:cf:5c:76 reqIP=192.168.75.254
    Nov 21 17:27:29 :202544:  <DBUG> |dhcpd| |dhcp| Datapath vlan405: ACK 00:1b:77:cf:5c:76 clientIP=192.168.75.254
    Nov 21 17:27:30 :202546:  <DBUG> |dhcpd| |dhcp| Datapath vlan405: OFFER 00:21:5c:08:3f:0b clientIP=192.168.75.251
    Nov 21 17:27:30 :202536:  <DBUG> |dhcpd| |dhcp| Datapath vlan405: REQUEST 00:21:5c:08:3f:0b reqIP=192.168.75.251
    Nov 21 17:27:30 :202544:  <DBUG> |dhcpd| |dhcp| Datapath vlan405: ACK 00:21:5c:08:3f:0b clientIP=192.168.75.251
    Nov 21 17:27:30 :202546:  <DBUG> |dhcpd| |dhcp| Datapath vlan405: OFFER 00:1b:77:cf:5c:76 clientIP=192.168.75.254
    Nov 21 17:27:35 :202546:  <DBUG> |dhcpd| |dhcp| Datapath vlan405: OFFER 00:21:5c:08:3f:0b clientIP=192.168.75.251
    Nov 21 17:27:39 :202546:  <DBUG> |dhcpd| |dhcp| Datapath vlan405: OFFER 00:21:5c:08:3f:0b clientIP=192.168.75.251
    Nov 21 17:27:39 :202536:  <DBUG> |dhcpd| |dhcp| Datapath vlan405: REQUEST 00:21:5c:08:3f:0b reqIP=192.168.75.251
    Nov 21 17:27:39 :202544:  <DBUG> |dhcpd| |dhcp| Datapath vlan405: ACK 00:21:5c:08:3f:0b clientIP=192.168.75.251
    Nov 21 17:27:40 :202546:  <DBUG> |dhcpd| |dhcp| Datapath vlan405: OFFER 00:21:5c:08:3f:0b clientIP=192.168.75.251
    Nov 21 17:27:46 :202546:  <DBUG> |dhcpd| |dhcp| Datapath vlan405: OFFER 00:21:5c:08:3f:0b clientIP=192.168.75.251
    Nov 21 17:27:46 :202536:  <DBUG> |dhcpd| |dhcp| Datapath vlan405: REQUEST 00:21:5c:08:3f:0b reqIP=192.168.75.251
    Nov 21 17:27:46 :202544:  <DBUG> |dhcpd| |dhcp| Datapath vlan405: ACK 00:21:5c:08:3f:0b clientIP=192.168.75.251
    Nov 21 17:27:46 :202546:  <DBUG> |dhcpd| |dhcp| Datapath vlan405: OFFER 00:21:5c:08:3f:0b clientIP=192.168.75.251
    Nov 21 17:27:49 :202546:  <DBUG> |dhcpd| |dhcp| Datapath vlan405: OFFER 00:21:5c:08:3f:0b clientIP=192.168.75.251
    Nov 21 17:27:49 :202546:  <DBUG> |dhcpd| |dhcp| Datapath vlan405: OFFER 00:21:5c:08:3f:0b clientIP=192.168.75.251
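
Added example, not code from the thread or from Aruba: a small Python triage script that parses "show auth-tracebuf" lines (post 3) and dhcpd debug lines (post 9) in the formats shown there, and flags clients that cycle station-up/station-down within seconds without ever reaching a DHCP ACK, which is the symptom this thread ends up attributing to the controller deauthenticating stations. The sample lines are constructed from those posts; the 5-second flap window is an assumption.

```python
import re
from collections import defaultdict
# Constructed sample input modelled on the thread's "show auth-tracebuf" output
TRACEBUF = """\
Nov 21 15:27:40  station-up             *  00:1b:77:cf:5c:76  00:1a:1e:c3:96:a1  -    -    open system
Nov 21 15:27:40  station-down           *  00:1b:77:cf:5c:76  00:1a:1e:c3:96:a1  -    -
Nov 21 15:27:41  station-up             *  00:1b:77:cf:5c:76  00:1a:1e:c3:96:a1  -    -    open system
Nov 21 15:27:41  station-down           *  00:1b:77:cf:5c:76  00:1a:1e:c3:96:a1  -    -
Nov 21 15:30:02  station-up             *  00:21:5c:08:3f:0b  00:1a:1e:c3:96:a1  -    -    open system
"""
# Constructed sample modelled on the thread's "show log network" dhcpd debug lines
DHCPLOG = """\
Nov 21 17:27:28 :202546:  <DBUG> |dhcpd| |dhcp| Datapath vlan405: OFFER 00:1b:77:cf:5c:76 clientIP=192.168.75.254
Nov 21 17:27:30 :202546:  <DBUG> |dhcpd| |dhcp| Datapath vlan405: OFFER 00:21:5c:08:3f:0b clientIP=192.168.75.251
Nov 21 17:27:30 :202536:  <DBUG> |dhcpd| |dhcp| Datapath vlan405: REQUEST 00:21:5c:08:3f:0b reqIP=192.168.75.251
Nov 21 17:27:30 :202544:  <DBUG> |dhcpd| |dhcp| Datapath vlan405: ACK 00:21:5c:08:3f:0b clientIP=192.168.75.251
"""
TRACE_RE = re.compile(r"^\w{3} +\d+ (\d\d):(\d\d):(\d\d)\s+(station-\S+)\s+\*\s+([0-9a-f:]{17})")
DHCP_RE = re.compile(r"Datapath vlan(\d+): (OFFER|REQUEST|ACK) ([0-9a-f:]{17})")
STAGE = {"OFFER": 1, "REQUEST": 2, "ACK": 3}

def station_flaps(text, window=5):
    """Count, per MAC, station-down events seen within `window` seconds of a station-up."""
    last_up, flaps = {}, defaultdict(int)
    for line in text.splitlines():
        m = TRACE_RE.match(line)
        if not m: continue
        h, mi, s, event, mac = m.groups()
        t = int(h) * 3600 + int(mi) * 60 + int(s)  # seconds since midnight (same day assumed)
        if event == "station-up":
            last_up[mac] = t
        elif event == "station-down" and mac in last_up and t - last_up[mac] <= window:
            flaps[mac] += 1
    return dict(flaps)

def dhcp_stage(text):
    """Highest DHCP stage (OFFER < REQUEST < ACK) the controller logged per client MAC."""
    best = {}
    for m in DHCP_RE.finditer(text):
        _vlan, stage, mac = m.groups()
        if STAGE[stage] > STAGE.get(best.get(mac), 0):
            best[mac] = stage
    return best

def triage(tracebuf, dhcplog):
    """Flag MACs that flap up/down and never reach DHCP ACK: the symptom described in this thread."""
    flaps, stage = station_flaps(tracebuf), dhcp_stage(dhcplog)
    return {mac: ("deauth before DHCP completes" if flaps.get(mac) and stage.get(mac) != "ACK" else "ok")
            for mac in set(flaps) | set(stage)}
```

Run it against the real outputs of "show auth-tracebuf" and "show log network" to see which clients are being torn down before DHCP completes, then check the user role and IDS settings for those clients.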



  • 10.  RE: Issues with open network

    EMPLOYEE
    Posted Nov 21, 2012 11:49 AM

    Disconnect them and try to reconnect them one by one...

     

    If need be, turn on user debugging:

    config t
    logging level debug user
    
    show log user 50
    

     



  • 11.  RE: Issues with open network

    Posted Nov 22, 2012 04:21 AM

    Hi,

     

     I am trying to reconnect some client devices and what I can see is the vlan assignment, but I can't understand the derived vlan...

     Here are some examples:

     

    Nov 22 09:29:31 :522037:  <INFO> |authmgr|  MAC=00:1b:77:cf:5c:76 IP=0.0.0.0 Assign VLAN 405, Default=400 Current=400 BSSID=00:1a:1e:c3:96:a1
    Nov 22 09:29:31 :522004:  <DBUG> |authmgr|  00:1b:77:cf:5c:76: Sending STM new vlan info: vlan 405, AP 00:1a:1e:c3:96:a1
    Nov 22 09:29:31 :522004:  <DBUG> |authmgr|  MAC=00:1b:77:cf:5c:76 def_vlan 400 derive vlan: 405 auth_type 0 auth_subtype 0
    Nov 22 09:29:31 :522037:  <INFO> |authmgr|  MAC=00:1b:77:cf:5c:76 IP=0.0.0.0 Assign VLAN 405, Default=400 Current=400 BSSID=00:1a:1e:c3:96:a1
    Nov 22 09:29:31 :522004:  <DBUG> |authmgr|  00:1b:77:cf:5c:76: Sending STM new vlan info: vlan 405, AP 00:1a:1e:c3:96:a1
    Nov 22 09:29:31 :522004:  <DBUG> |authmgr|  MAC=00:1b:77:cf:5c:76 def_vlan 400 derive vlan: 405 auth_type 0 auth_subtype 0
    Nov 22 09:29:31 :522004:  <DBUG> |authmgr|  MAC=00:1b:77:cf:5c:76 def_vlan 400 derive vlan: 405 auth_type 0 auth_subtype 0
    Nov 22 09:29:32 :522037:  <INFO> |authmgr|  MAC=00:1b:77:cf:5c:76 IP=0.0.0.0 Assign VLAN 405, Default=400 Current=400 BSSID=00:1a:1e:c3:96:a1
    Nov 22 09:29:32 :522004:  <DBUG> |authmgr|  00:1b:77:cf:5c:76: Sending STM new vlan info: vlan 405, AP 00:1a:1e:c3:96:a1
    Nov 22 09:29:32 :522004:  <DBUG> |authmgr|  MAC=00:1b:77:cf:5c:76 def_vlan 400 derive vlan: 405 auth_type 0 auth_subtype 0

    With other device:

     

    Nov 22 09:32:51 :522037:  <INFO> |authmgr|  MAC=f0:e7:7e:a1:03:6b IP=0.0.0.0 Assign VLAN 405, Default=400 Current=400 BSSID=00:1a:1e:c3:96:a1
    Nov 22 09:32:51 :522004:  <DBUG> |authmgr|  f0:e7:7e:a1:03:6b: Sending STM new vlan info: vlan 405, AP 00:1a:1e:c3:96:a1
    Nov 22 09:32:51 :522004:  <DBUG> |authmgr|  MAC=f0:e7:7e:a1:03:6b def_vlan 400 derive vlan: 405 auth_type 0 auth_subtype 0
    Nov 22 09:32:51 :522004:  <DBUG> |authmgr|  MAC=f0:e7:7e:a1:03:6b def_vlan 400 derive vlan: 405 auth_type 0 auth_subtype 0
    Nov 22 09:32:52 :522037:  <INFO> |authmgr|  MAC=f0:e7:7e:a1:03:6b IP=0.0.0.0 Assign VLAN 405, Default=400 Current=400 BSSID=00:1a:1e:c3:96:a1
    Nov 22 09:32:52 :522004:  <DBUG> |authmgr|  f0:e7:7e:a1:03:6b: Sending STM new vlan info: vlan 405, AP 00:1a:1e:c3:96:a1
    Nov 22 09:32:52 :522004:  <DBUG> |authmgr|  MAC=f0:e7:7e:a1:03:6b def_vlan 400 derive vlan: 405 auth_type 0 auth_subtype 0

    Thanks

     



  • 12.  RE: Issues with open network

    EMPLOYEE
    Posted Nov 22, 2012 05:50 AM

    Is your user role being assigned in the Virtual AP or in the role or both?  What type of authentication are you using, if any?

     



  • 13.  RE: Issues with open network

    Posted Nov 22, 2012 09:07 AM

    The user role is assigned in the virtual ap aaa profile.

    Then the user has a vlan (405) and a captive portal profile.

    Once the user is connected, it should authenticate against the internal database through the captive portal web page.

     

    Regards



  • 14.  RE: Issues with open network

    EMPLOYEE
    Posted Nov 22, 2012 10:27 AM

    Create a new WLAN that is open with VLAN 450 on the Virtual AP using the WLAN Wizard and see if users can attach and get an ip address.  We probably want to eliminate the network issue before the other things you mentioned.

     



  • 15.  RE: Issues with open network

    Posted Jan 16, 2013 05:44 AM

    Hi Cjoseph, and many thanks for your help,

    I had to change to an M3 card to upgrade the software to the latest OS version, due to other factors.

    With the new version (6.1.3.2) I had the same problem, but I could see that the controller was deauthenticating the users.

    In the IDS unauthorized profile some protections such as "Require WPA" or "Privacy" were enabled.

    I disabled them and it began to work.

    Really, I don't understand it, because it was working in the past without any ids change.

    In any case, it is working.

     

    Thank you very much