Security

I identified an issue yesterday whereby after authenticating, my device was given an IP address by our external DHCP server but not able to access any resources.  Upon inspection of the user list, there was already a client that appeared to be using that address, and my device appeared with its external data network IP.  The DHCP logs show that the second device released its lease and that my device took the address several minutes later.

 

I guess there is a lag between release of the IP when disconnecting, and removing it from the user table, effectively allowing DHCP to offer addresses that the controller still thinks are in use.

 

Is this situation a case for using aaa user fast age?

Yes, or "enforce dhcp" in the AAA profile.

I was under the impression 'Enforce DHCP' simply prevented statically assigned IP addresses?  This is not the case here as both device got the address from the DHCP server, but the controller failed to acknowledge the disconnect/release in time.

 

The odd thing is, under the client list in the GUI, the entry for the IP address that my device had been given, showed my access point, but the other user's name and device.  Is this a bug?

If you have a user that is getting another device's ip address via DHCP, I would make sure that your DHCP lease is at least 15 minutes long to prevent that.

 

Enforce DHCP only allows a device that gets an ip address from a DHCP conversation that the controller has seen to enter the user table.  The controller does not use a DHCP release in any DHCP enforcement.

 

I do not have your logs, so I cannot comment on the display being a bug.  If you open a case with TAC they might be able to provide clarity.

The lease is set to 1 day.  The issue is that the user is not removed from the list of users on the conrtroller quickly enough once it disconnects.  This allows a different client to legitimately re-use the IP address, but not be able to connect through the controller.

What is the output of "show aaa timers"? 

Global User idle timeout = 3600 seconds
Auth Server dead time = 10 minutes
Logon user lifetime = 5 minutes
User Interim stats frequency = 300 seconds

Joecarter,

Is there a reason the idle-timeout is 3600? It is typically 300. If your lease is one day it should not matter, but I would try AAA user fast age before adjusting the timer back to the defaults.

how do you change the AAA fast age? I could not find anywere.

config t

aaa user fast-age

 

 

Thanks. what is the command to show what I configured.

(Aruba7005-US) (config) #show aaa state configuration 

Authentication State
--------------------
Name                            Value
----                            -----
Switch IP                       192.168.1.3
Switch IPv6                     
Master IP                       192.168.1.3
Switch Role                     master
Current/Max/Total IPv4 Users    11/16/220
Current/Max/Total IPv6 Users    0/0/0
Current/Max/Total User Entries  11/16/228
Current/Max/Total Stations      8/13/222
Pending Station Deletes         0
Captive Portal Users            0
802.1x Users                    3
VPN Users                       3
MAC Users                       0
Stateful 802.1x Users           0
Tunneled users                  0
Configured user roles           10
Configured session ACL          49
Configured destinations         25
Configured services             96
Configured Auth servers         3
Auth server in service          3
Radius server timeouts          0

Successful authentications
--------------------------
Web  MAC  VPN  802.1x  Krb  RadAcct  SecureID  Stateful-802.1x  Management
---  ---  ---  ------  ---  -------  --------  ---------------  ----------
0    0    6    501     0    0        0         0                0

Failed authentications
----------------------
Web  MAC  VPN  802.1x  Krb  RadAcct  SecureID  Stateful-802.1x  Management
---  ---  ---  ------  ---  -------  --------  ---------------  ----------
0    0    0    0       0    0        0         0                0

Idled users              = 202
fast age                 = Enabled <--------------
per-user log             = Enabled
Bandwith contracts       = 0/0
IP takeovers             = 0
Ping/SYN/Sess/CP attacks = 0/0/0/0
ARP/GratARP attacks      = 0/0

Thank you very much for the information. 

 

please see my AAA state and log messages. Do you think AAA fast-age will resolve my  issues showing in my log messages (duplicate on 172.16.4.0, etc)?

 

Also were the idle users of 132305 too big?

 

thanks,

 

 

(aruba02) #show aaa state configuration

Authentication State
--------------------
Name Value
---- -----
Switch IP 10.80.25.25
Switch IPv6
Master IP 10.80.25.7
Switch Role master
Current/Max/Total IPv4 Users 1334/1446/836558
Current/Max/Total IPv6 Users 0/0/0
Current/Max/Total User Entries 1574/1752/579764
Current/Max/Total Stations 1376/1559/578379
Pending Station Deletes 35
Captive Portal Users 13
802.1x Users 388
VPN Users 116
MAC Users 0
Stateful 802.1x Users 0
Tunneled users 0
Configured user roles 23
Configured session ACL 68
Configured destinations 30
Configured services 100
Configured Auth servers 5
Auth server in service 5
Radius server timeouts 49604

Successful authentications
--------------------------
Web MAC VPN 802.1x Krb RadAcct SecureID Stateful-802.1x Management
--- --- --- ------ --- ------- -------- --------------- ----------
1360 0 782 134199 0 62 0 0 0

Failed authentications
----------------------
Web MAC VPN 802.1x Krb RadAcct SecureID Stateful-802.1x Management
--- --- --- ------ --- ------- -------- --------------- ----------
836 442 0 38799 0 0 0 0 0

Idled users = 132305
fast age = Enabled
per-user log = Enabled
Bandwith contracts = 0/0
IP takeovers = 0
Ping/SYN/Sess/CP attacks = 0/0/0/0
ARP/GratARP attacks = 0/0

 

show log network 50

 

Aug 12 18:48:18 :299801: <DBUG> |dhcpd| Abandoning IP address 172.16.4.93: pinged before offer
Aug 12 18:50:03 :202084: <WARN> |dhcpdwrap| Pool 172.16.4.0/24 has abandoned lease(s)
Aug 12 18:52:07 :299801: <DBUG> |dhcpd| uid lease 172.16.4.200 for client 28:57:67:41:2c:ac is duplicate on 172.16.4.0/24
Aug 12 19:40:28 :299801: <DBUG> |dhcpd| uid lease 172.16.4.232 for client fc:c2:de:c5:67:49 is duplicate on 172.16.4.0/24
Aug 12 19:47:59 :299801: <DBUG> |dhcpd| uid lease 172.16.3.54 for client 68:05:71:3f:9c:0b is duplicate on 172.16.3.0/24
Aug 12 19:53:03 :299801: <DBUG> |dhcpd| uid lease 172.16.3.232 for client 68:05:71:3f:9c:0b is duplicate on 172.16.3.0/24
Aug 13 00:29:43 :299801: <DBUG> |dhcpd| uid lease 172.16.3.138 for client fc:c2:de:c2:98:9a is duplicate on 172.16.3.0/24
Aug 13 06:58:25 :299801: <DBUG> |dhcpd| parse_option_buffer: malformed option dhcp.<unknown> (code 83): option length exceeds option buffer length.
Aug 13 07:05:31 :299801: <DBUG> |dhcpd| Abandoning IP address 172.16.4.131: pinged before offer
Aug 13 07:30:11 :299801: <DBUG> |dhcpd| Abandoning IP address 172.16.4.227: pinged before offer
Aug 13 07:30:58 :202084: <WARN> |dhcpdwrap| Pool 172.16.4.0/24 has abandoned lease(s)
Aug 13 07:34:13 :299801: <DBUG> |dhcpd| uid lease 172.16.3.78 for client c0:bd:d1:16:72:56 is duplicate on 172.16.3.0/24
Aug 13 07:50:22 :299801: <DBUG> |dhcpd| uid lease 172.16.3.221 for client ac:5a:14:1e:d4:52 is duplicate on 172.16.3.0/24
Aug 13 07:58:13 :299801: <DBUG> |dhcpd| Abandoning IP address 172.16.3.155: pinged before offer
Aug 13 07:59:02 :202084: <WARN> |dhcpdwrap| Pool 172.16.3.0/24 has abandoned lease(s)
Aug 13 07:59:20 :299801: <DBUG> |dhcpd| uid lease 172.16.3.34 for client ac:5a:14:1e:d4:52 is duplicate on 172.16.3.0/24
Aug 13 08:16:55 :299801: <DBUG> |dhcpd| uid lease 172.16.4.179 for client f0:25:b7:ac:ee:39 is duplicate on 172.16.4.0/24
Aug 13 08:19:56 :299801: <DBUG> |dhcpd| uid lease 172.16.3.102 for client f4:09:d8:f2:84:e5 is duplicate on 172.16.3.0/24
Aug 13 08:48:57 :299801: <DBUG> |dhcpd| uid lease 172.16.4.106 for client 78:4b:87:f5:8f:5f is duplicate on 172.16.4.0/24
Aug 13 08:49:40 :299801: <DBUG> |dhcpd| uid lease 172.16.3.139 for client f4:09:d8:f2:84:e5 is duplicate on 172.16.3.0/24
Aug 13 09:07:21 :299801: <DBUG> |dhcpd| Abandoning IP address 172.16.3.200: pinged before offer
Aug 13 10:20:03 :299801: <DBUG> |dhcpd| uid lease 172.16.4.175 for client 24:db:ed:92:a4:0b is duplicate on 172.16.4.0/24
Aug 13 10:21:51 :299801: <DBUG> |dhcpd| client 24:db:ed:92:a4:0b has duplicate leases on 172.16.4.0/24
Aug 13 10:35:59 :299801: <DBUG> |dhcpd| uid lease 172.16.3.163 for client 1c:99:4c:b9:f5:55 is duplicate on 172.16.3.0/24
Aug 13 10:36:01 :299801: <DBUG> |dhcpd| client 1c:99:4c:b9:f5:55 has duplicate leases on 172.16.3.0/24
Aug 13 11:00:03 :299801: <DBUG> |dhcpd| Abandoning IP address 172.16.3.231: pinged before offer
Aug 13 11:24:58 :299801: <DBUG> |dhcpd| Abandoning IP address 172.16.4.93: pinged before offer
Aug 13 11:25:50 :202084: <WARN> |dhcpdwrap| Pool 172.16.4.0/24 has abandoned lease(s)

 

 

- What is the lease time for those pools?

- What is your output of "show aaa timers"?

 

- The output of the idled users depends on environment.

The lease time for two networks in the pool is 8 hours. please see the timers below. 

 

# Guest-WiFi-01
subnet 172.16.3.0 netmask 255.255.255.0 {
default-lease-time 28800;
max-lease-time 28800;
option vendor-class-identifier "ArubaAP";
option vendor-encapsulated-options "10.80.25.7";
option domain-name-servers 172.16.2.1;
option routers 172.16.3.1;
range 172.16.3.11 172.16.3.254;
authoritative;
}
# Guest-WiFi-02
subnet 172.16.4.0 netmask 255.255.255.0 {
default-lease-time 28800;
max-lease-time 28800;
option vendor-class-identifier "ArubaAP";
option vendor-encapsulated-options "10.80.25.7";
option domain-name-servers 172.16.2.1;
option routers 172.16.4.1;
range 172.16.4.11 172.16.4.254;
authoritative;
}

(aruba02) #show aaa timers

Global User idle timeout = 300 seconds
Auth Server dead time = 10 minutes
Logon user lifetime = 5 minutes
User Interim stats frequency = 600 seconds

Two Questions:

 

Is this a guest network?  If yes, you can try reducing the DHCP lease to 30 minutes and see if that fixes your issue.  You will brobably have to remove your users with "aaa user delete role <guest role>" when you do this so that they can get new leases.

 

You can also type "show ip dhcp statistics" to see how you are on  leases.

 

Hi Team, 

 

Could someone explain what does "pending station deletes" in show aaa state configuration" ? 

 

 

Stations that should be deleted from the station table, but have not been removed completely for whatever reason.  They are typically removed shortly thereafter.

 

Closing this thread because it is five years old.