Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Roaming Guests Losing DHCP Lease

  • 1.  Roaming Guests Losing DHCP Lease

    Posted Apr 17, 2014 05:35 AM

    Hi,

     

    I am looking into an issue with Web Auth'd Guests via CP. When the user roams the campus they are unable to reconnect. The scenario follows something like this:

     

    ArubaOS (MODEL: Aruba3600), Version 6.3.1.5

     

    1 - Client machine (iOS, Android, BB) connects to Guest SSID using PSK - Check.

    2 - Client "obtains IP address" - Check.

    3 - Client web authenticates against CP - Check.

    4 - Client has desired access which is web only.

    5 - Client roams to another part of the campus and client machine stuck in "obtaining IP address" and eventually times out.

     

    Checks:

     

    1 - IP Helpers in place.

    2 - Good Wireless Signal.

    3 - Band Steering disabled, using SLB in AP sys profile.

    4 - DHCP lease healthy and can see lease to MAC on MS DHCP server.

    5 - User Idle time matches DHCP lease.

    6 - "Forgetting" and reconnecting does not seem to have any effect, client still loses IP address (obtaining)

     

    What I don't understand is why the client seems to forget this lease. The lease time is 1 hour for Guests. This forgetting of the IP address only seems to happen when the client machine roams. If the machine stays associated to the same AP, the client can connect each time. The Guest traffic is all tunnelled back to the controller.

     

    Has anyone had experience of this? All the clients are using the latest OS's.



  • 2.  RE: Roaming Guests Losing DHCP Lease

    EMPLOYEE
    Posted Apr 17, 2014 05:37 AM

    Is the DHCP ACL "any any svc-dhcp permit"?  Make sure it is not "user any svc-dhcp permit"



  • 3.  RE: Roaming Guests Losing DHCP Lease

    Posted Apr 17, 2014 05:52 AM

    Thanks, was just looking at that:

     

    ip access-list session logon-control
      user   alias CLEARPASS svc-https  permit
      user   alias CLEARPASS svc-http  permit
      user any udp 68  deny
      any any svc-icmp  permit
      any any svc-dns  permit
      any any svc-dhcp  permit
      any any svc-natt  permit
      any network 169.254.0.0 255.255.0.0 any  deny
      any network 240.0.0.0 240.0.0.0 any  deny

     

    user-role guest-logon
     bw-contract GUESTBW  upstream
     bw-contract GUESTBW  downstream
     captive-portal "Guest_CP"
     access-list session ra-guard
     access-list session ocsp
     access-list session logon-control
     access-list session captiveportal
     access-list session v6-logon-control
     access-list session captiveportal6

     

    ip access-list session dhcp-acl
      any any svc-dhcp  permit



  • 4.  RE: Roaming Guests Losing DHCP Lease

    EMPLOYEE
    Posted Apr 17, 2014 06:01 AM

    Something is wrong.  You say that you are doing Captive Portal, but you are showing me an auth-tracebuf from an 802.1x client.  Make sure that all of your roles do NOT contain a specific VLAN.



  • 5.  RE: Roaming Guests Losing DHCP Lease

    Posted Apr 17, 2014 06:13 AM

    No VLAN's are tied to the role:

     

    user-role guest-logon
     bw-contract GUESTBW  upstream
     bw-contract GUESTBW  downstream
     captive-portal "Guest_CP"
     access-list session ra-guard
     access-list session ocsp
     access-list session logon-control
     access-list session captiveportal
     access-list session v6-logon-control
     access-list session captiveportal6
    !
    user-role guest
     bw-contract GUESTBW  upstream
     bw-contract GUESTBW  downstream
     max-sessions 200
     access-list session ra-guard
     access-list session guest

     

    ip access-list session guest
      any any udp 68  deny
      any any svc-dhcp  permit
      any   alias Controller-Guest-ICMP svc-icmp  permit
      user   alias Public_DNS svc-dns  permit
      any any svc-dns  permit
      user   alias LAN_Printers any  permit
      user   alias "Phone Directory" svc-http  permit
      user   alias Websense_Redirect_Servers tcp 15871  permit
      user   alias Internal_Networks any  deny
      user   alias PUBLICLY-HOSTED-IPS any  deny
      user any any  permit

     

    The deny on udp 68 does not look right to me when we have netservice dhcp to:

     

    netservice svc-dhcp udp 67 68 alg dhcp



  • 6.  RE: Roaming Guests Losing DHCP Lease

    EMPLOYEE
    Posted Apr 17, 2014 06:20 AM

    I still don't understand why there is rekeying on a Captive Portal network.  I would turn on user debugging, not DHCP debugging to determine what is happening....

     

    config t

    logging level debugging user

     

    show log user 50 | include <mac address>



  • 7.  RE: Roaming Guests Losing DHCP Lease

    Posted Apr 17, 2014 07:07 AM

    Will do, thanks, I have updated the original post, that had debugging to a dot1x mac. Please ignore it.



  • 8.  RE: Roaming Guests Losing DHCP Lease

    Posted Apr 17, 2014 07:42 AM

    So a good initial authentication, I see:

     

    (UKTHEOALC1) #show user mac 5c:0a:5b:27:c0:5a

    Name: bob123, IP: 10.147.11.11, MAC: 5c:0a:5b:27:c0:5a, Role: guest, ACL: 3/0, Age: 00:01:06
    Authentication: Yes, status: started, method: Web, protocol: PAP, server: Internal
    Bandwidth contract = GUESTBW (100000000 bits/sec)
    Bandwidth contract = GUESTBW (100000000 bits/sec)
    Role Derivation: Matched server rule
    VLAN Derivation: Default VLAN
    Idle timeout (profile guest-aaa-profile'): 3600 seconds, Age: 00:00:00
    Mobility state: Wireless, HA: Yes, Proxy ARP: No, Roaming: No Tunnel ID: 0 L3 Mob: 0
    Flags: internal=0, trusted_ap=0, l3auth=1, mba=0, vpnflags=0, u_stm_ageout=1
    Flags: innerip=0, outerip=0, vpn_outer_ind:0, download=1, wispr=0
    IP User termcause: 0
    phy_type: g-HT-20, l3 reauth: 0, BW Contract: up:1 down:1, user-how: 14
    Vlan default: 1411, Assigned: 1411, Current: 1411 vlan-how: 1 DP assigned vlan:0
    Mobility Messages: L2=0, Move=0, Inter=0, Intra=0, Flags=0x0
    SlotPort=0x2100, Port=0x101ab (tunnel 427)
    Role assigment - L3 assigned role: n/a, VPN role: n/a, Dot1x cached role: n/a
    Current Role name: guest, role-how: 2, L2-role: guest-logon, L3-role: guest
    Essid: Guest, Bssid: 00:0b:86:77:ae:61 AP name/group: UKTHEOF01C1E-ORM158D-AP3/UKLONWH Phy-type: g-HT-20
    RadAcct sessionID:n/a
    RadAcct Traffic In 18075/8236132 Out 14393/9260957 (0:18075/0:0:125:44132,0:14393/0:0:141:20381)
    Timers: L3 reauth 0, mac reauth 0 (Reason: ), dot1x reauth 0 (Reason: )
    Profiles AAA:guest-aaa-profile, dot1x:guest-dot1x-profile, mac:
    CP: def-role:'guest-logon' sip-role:'' via-auth-profile:''
    ncfg flags udr 0, mac 0, dot1x 1, RADIUS interim accounting 0
    IP Born: 1397730861 (Thu Apr 17 10:34:21 2014)
    Core User Born: 1397730859 (Thu Apr 17 10:34:19 2014)
    Upstream AP ID: 0, Downstream AP ID: 0
    Device Type: Mozilla/5.0 (Linux; U; Android 4.3; en-gb; GT-I9300 Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Saf
    L3-Auth Session Timeout from Radius: 0
    Mac-Auth Session Timeout Value from Radius: 0
    Dot1x Session Timeout Value from Radius: 0
    CoA Session Timeout Value from Radius: 0
    Dot1x Session Term-Action Value from Radius: Default
    Reauth-interval from role: 0
    Number of reauthentication attempts: mac reauth 0, dot1x reauth 0
    Address is from DHCP: yes
    Per-user-log pointer 0x11784cc4 (id 3168), num logs 56

     

     

    (UKTHEOALC1) #show log user 50 | include 5c:0a:5b:27:c0:5a
    Apr 17 11:36:39 :522038:  <INFO> |authmgr|  username=bob123 MAC=5c:0a:5b:27:c0:5a IP=10.147.11.11 Authentication result=Authentication Successful method=Web server=Internal
    Apr 17 11:36:39 :522017:  <INFO> |authmgr|  MAC=5c:0a:5b:27:c0:5a IP=?? Derived role 'guest' from server rules: server-group=internal, authentication=Web
    Apr 17 11:36:39 :522049:  <INFO> |authmgr|  MAC=5c:0a:5b:27:c0:5a,IP=10.147.11.11 User role updated, existing Role=guest-logon/guest-logon, new Role=guest-logon/guest, reason=User authenticated wie
    Apr 17 11:36:39 :522050:  <INFO> |authmgr|  MAC=5c:0a:5b:27:c0:5a,IP=10.147.11.11 User data downloaded to datapath, new Role=guest/3, bw Contract=16385/16385, reason=Download driven by user role s0
    Apr 17 11:36:39 :527000:  <DBUG> |mdns|  mdns_parse_auth_userrole_message 287 Auth User ROLE: MAC:5c:0a:5b:27:c0:5a, NAME:bob123, ROLE_NAME:guest
    Apr 17 11:36:39 :522008:  <NOTI> |authmgr|  User Authentication Successful: username=bob123 MAC=5c:0a:5b:27:c0:5a IP=10.147.11.11 role=guest VLAN=1411 AP=UKTHEOF01C1E-ORM158D-AP3 SSID=Guest AAAl
    Apr 17 11:36:43 :522138:  <DBUG> |authmgr|  Sibyte-5c:0a:5b:27:c0:5a/10.147.11.11 : User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-gb; GT-I9300 Build/JSS15J) AppleWebKit/534.30 (KHTML

     

    I am now having the user roam and try and reconnect.
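As an added example for readers following the "logging level debugging user" / "show log user 50 | include <mac>" procedure from reply 6 and the output in reply 8 (this is example code written for this page, not ArubaOS or HPE Aruba Networking tooling): a small parser that pulls the role transitions (message 522049) and the role last pushed to the datapath (message 522050) for one MAC out of authmgr log lines. The sample lines are constructed and modelled on the ones quoted above; the second MAC, its timestamp and its reason text are invented for the example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample log, modelled on the "show log user" lines quoted in this
# thread. The aa:bb:cc:dd:ee:ff station and its event are invented so that the
# "fell back to the logon role" case has something to match.
SAMPLE_LOG = """\
Apr 17 11:36:39 :522038:  <INFO> |authmgr|  username=bob123 MAC=5c:0a:5b:27:c0:5a IP=10.147.11.11 Authentication result=Authentication Successful method=Web server=Internal
Apr 17 11:36:39 :522049:  <INFO> |authmgr|  MAC=5c:0a:5b:27:c0:5a,IP=10.147.11.11 User role updated, existing Role=guest-logon/guest-logon, new Role=guest-logon/guest, reason=User authenticated
Apr 17 11:36:39 :522050:  <INFO> |authmgr|  MAC=5c:0a:5b:27:c0:5a,IP=10.147.11.11 User data downloaded to datapath, new Role=guest/3, bw Contract=16385/16385, reason=Download driven by user role
Apr 17 11:36:39 :522008:  <NOTI> |authmgr|  User Authentication Successful: username=bob123 MAC=5c:0a:5b:27:c0:5a IP=10.147.11.11 role=guest VLAN=1411 AP=AP3 SSID=Guest
Apr 17 11:41:10 :522049:  <INFO> |authmgr|  MAC=aa:bb:cc:dd:ee:ff,IP=10.147.11.12 User role updated, existing Role=guest-logon/guest, new Role=guest-logon/guest-logon, reason=constructed example
"""

# "Mon DD HH:MM:SS :msgid:  <LEVEL> |process|  free text"
LINE_RE = re.compile(
    r"^(?P<time>\w{3} \d{1,2} \d\d:\d\d:\d\d) :(?P<msgid>\d+):\s+"
    r"<(?P<level>\w+)> \|(?P<proc>\w+)\|\s+(?P<text>.*)$"
)
MAC_RE = re.compile(r"MAC=(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})", re.I)
ROLE_UPDATE_RE = re.compile(r"existing Role=(?P<old>[^,]+), new Role=(?P<new>[^,]+)")
DATAPATH_RE = re.compile(r"new Role=(?P<role>[^/]+)/(?P<acl>\d+)")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one authmgr log line into its fields; None for lines of another shape."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    mac = MAC_RE.search(rec["text"])
    rec["mac"] = mac.group("mac").lower() if mac else ""
    return rec


def records_for_mac(log_text: str, mac: str) -> List[Dict[str, str]]:
    """All parsed records that name the given station MAC (case-insensitive)."""
    mac = mac.lower()
    return [r for r in map(parse_line, log_text.splitlines()) if r and r["mac"] == mac]


def role_timeline(log_text: str, mac: str) -> List[Tuple[str, str, str]]:
    """(time, old L2/L3 role pair, new L2/L3 role pair) for every 522049 event."""
    out = []
    for rec in records_for_mac(log_text, mac):
        if rec["msgid"] != "522049":
            continue
        m = ROLE_UPDATE_RE.search(rec["text"])
        if m:
            out.append((rec["time"], m.group("old"), m.group("new")))
    return out


def datapath_role(log_text: str, mac: str) -> Optional[Tuple[str, int]]:
    """Role name and ACL id most recently pushed to the datapath (msg 522050)."""
    last = None
    for rec in records_for_mac(log_text, mac):
        if rec["msgid"] == "522050":
            m = DATAPATH_RE.search(rec["text"])
            if m:
                last = (m.group("role"), int(m.group("acl")))
    return last


def fell_back_to_logon_role(log_text: str, mac: str) -> bool:
    """True if the station's latest role update moved it back into a *-logon role."""
    timeline = role_timeline(log_text, mac)
    if not timeline:
        return False
    new_pair = timeline[-1][2]
    return new_pair.split("/")[-1].endswith("-logon")


if __name__ == "__main__":
    for mac in ("5c:0a:5b:27:c0:5a", "aa:bb:cc:dd:ee:ff"):
        print(mac, role_timeline(SAMPLE_LOG, mac), datapath_role(SAMPLE_LOG, mac),
              "back-to-logon:", fell_back_to_logon_role(SAMPLE_LOG, mac))
```

When a roaming station stops getting an address, comparing `role_timeline` across the roam shows whether the controller kept the station in the authenticated role (so the problem is inside that role's ACLs, as it turned out here) or dropped it back to the logon role.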



  • 9.  RE: Roaming Guests Losing DHCP Lease

    EMPLOYEE
    Posted Apr 17, 2014 08:09 AM

    .



  • 10.  RE: Roaming Guests Losing DHCP Lease

    EMPLOYEE
    Posted Apr 17, 2014 08:09 AM
    vlan-how: 1

     A vlan-how of 1 means that you derived the VLAN from a user derivation rule.  Do you have a user derivation rule present?

     



  • 11.  RE: Roaming Guests Losing DHCP Lease

    Posted Apr 17, 2014 08:19 AM

    No, not within guest-aaa-profile.

     

    We have:

     

    GUEST-POOL            Hash             1410-1414



  • 12.  RE: Roaming Guests Losing DHCP Lease

    EMPLOYEE
    Posted Apr 17, 2014 08:26 AM

    I would change your guest authenticated role to something with "allowall" and start from there.  It could take hours to guess what is wrong here.



  • 13.  RE: Roaming Guests Losing DHCP Lease

    Posted Apr 17, 2014 09:57 AM

    So it seems removing the deny 68 cleared the issue:

     

    ip access-list session guest
      any any udp 68  deny <<<<<<<<<<<<<<< Removed
      any any svc-dhcp  permit
      any   alias Controller-Guest-ICMP svc-icmp  permit
      user   alias Public_DNS svc-dns  permit
      any any svc-dns  permit
      user   alias LAN_Printers any  permit
      user   alias "Phone Directory" svc-http  permit
      user   alias Websense_Redirect_Servers tcp 15871  permit
      user   alias Internal_Networks any  deny
      user   alias PUBLICLY-HOSTED-IPS any  deny
      user any any  permit

     

    I had the user roam, could see new associations on the controller and never lost an extended ping to the client.

     

    What still doesn't make sense is why the client has to broadcast again for its DHCP server and lease when it should keep one per the DHCP server shouldn't it?



  • 14.  RE: Roaming Guests Losing DHCP Lease

    Posted Apr 17, 2014 10:06 AM


  • 15.  RE: Roaming Guests Losing DHCP Lease

    Posted Apr 17, 2014 11:21 AM

    Google:

     

    site:http://arubanetworks.com "any any udp 68  deny"

     

    Use "user" not "any". The ACL is designed to stop a host turning up in the air running a DHCP server.

     

    Thanks for your input though.
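As an added example illustrating the outcome of replies 13 and 15 (written for this page; it is not ArubaOS firewall code and only a simplified model): a first-match evaluation of the two DHCP-relevant rules of the guest ACL, as posted and with the source changed to "user". The model assumes that a "user" source only matches packets sent by the wireless station, that "any" matches both directions, that `svc-dhcp` is `udp 67 68` as quoted in reply 5, and that an unmatched packet hits an implicit deny. The three DHCP flows are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List

# netservice svc-dhcp udp 67 68 (as quoted in the thread)
SERVICES = {"svc-dhcp": ("udp", {67, 68})}


@dataclass(frozen=True)
class Rule:
    src: str      # "user" (sent by the station) or "any"
    dst: str      # only "any" is needed for this example
    service: str  # "svc-dhcp" or "udp <port>"
    action: str   # "permit" or "deny"


@dataclass(frozen=True)
class Flow:
    name: str
    from_user: bool  # True when the wireless station sends the packet
    proto: str
    dst_port: int


def parse_rule(line: str) -> Rule:
    """Parse 'any any udp 68  deny' / 'user any svc-dhcp  permit' style lines."""
    tokens = line.split()
    return Rule(tokens[0], tokens[1], " ".join(tokens[2:-1]), tokens[-1])


def parse_acl(text: str) -> List[Rule]:
    """Parse the body of an 'ip access-list session' block, skipping the header."""
    rules = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("ip access-list"):
            continue
        rules.append(parse_rule(line))
    return rules


def rule_matches(rule: Rule, flow: Flow) -> bool:
    # Simplified source semantics: "user" = station-sourced only, "any" = either direction.
    if rule.src == "user" and not flow.from_user:
        return False
    if rule.service in SERVICES:
        proto, ports = SERVICES[rule.service]
        return flow.proto == proto and flow.dst_port in ports
    proto, port = rule.service.split()
    return flow.proto == proto and flow.dst_port == int(port)


def evaluate(acl: List[Rule], flow: Flow) -> str:
    """First matching rule decides; anything unmatched hits the implicit deny."""
    for rule in acl:
        if rule_matches(rule, flow):
            return rule.action
    return "deny"


# The three DHCP flows the thread is about (constructed for the example).
FLOWS = [
    Flow("client DISCOVER/REQUEST -> server", True, "udp", 67),
    Flow("server OFFER/ACK -> client", False, "udp", 68),
    Flow("rogue DHCP reply from a station", True, "udp", 68),
]

# Only the two DHCP-relevant rules of the thread's guest ACL are modelled; the
# alias-based rules below them never see DHCP traffic in this simulation.
GUEST_ACL_AS_POSTED = parse_acl("""
ip access-list session guest
  any any udp 68  deny
  any any svc-dhcp  permit
""")

GUEST_ACL_FIXED = parse_acl("""
ip access-list session guest
  user any udp 68  deny
  any any svc-dhcp  permit
""")


def decisions(acl: List[Rule]) -> Dict[str, str]:
    """Verdict for each of the three DHCP flows under the given ACL."""
    return {flow.name: evaluate(acl, flow) for flow in FLOWS}


def blocks_dhcp_replies(acl: List[Rule]) -> bool:
    """Audit check: does this ACL drop the server's OFFER/ACK to the station?"""
    return evaluate(acl, FLOWS[1]) == "deny"


if __name__ == "__main__":
    for label, acl in (("as posted", GUEST_ACL_AS_POSTED), ("fixed", GUEST_ACL_FIXED)):
        print(f"guest ACL {label}: blocks DHCP replies = {blocks_dhcp_replies(acl)}")
        for name, verdict in decisions(acl).items():
            print(f"  {name:36s} {verdict}")
```

Under this model both variants stop a station from answering DHCP requests (the rogue-server flow is denied either way), but only the "user" form lets the real server's OFFER/ACK reach the station. That is consistent with the thread: the logon-control ACL already uses "user any udp 68 deny", so the initial address assignment in the guest-logon role worked, and the break only showed once the station was in the guest role and had to re-request an address after roaming.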