Wireless Access

Hi. I've been having a trouble since starting a new job. My google Nexus 7 tablet and HTC evo 3d cellphone cannot use the open guest network at work. It is the only wifi network available for use. The only thing the devices have in common is they both use ICS. I have reports from others that other android versions work just fine with the network.

The IT guys at work have been less than useful (they actually have been pretty rude). I've posted on a number of forums but no one really has an answer.

Specifically here's what I experience: the devices will connect to the network and hold the connection throughout without any issues. Normally on connection, the network should route you to a page where you accept the useage police and then can freely surf the net. However, with these 2 devices that page never comes up, even with making new tabs and new windows. Eventually all these new tabs time out saying the device has no internet connection. Even when I manually punch in the address of the acceptance page, it doesn't change anything. It will not bring up the acceptance page and so I can never actually use the wifi connection.

Recently I read somewhere that changing to a static IP address and adjusting the DNS settings to match what open DNS publishes for public use can help. I tried it. Now I can reliably get that page but it will never accept me (meaning after I push accept, it doesn't do anything and eventually the browser says there is no internet connection and times out)

Please help because I am at my wits end and probably going to sell both devices which I don't want to do as the device I have gives me a special rate which saves me like 600 dollars a year in cell phone bills easily.

What version of ArubaOS is this?

I really wouldn't know. The IT guys have kinda been very tight lipped on what is going on.

---

@Sunburn74 wrote:

I really wouldn't know. The IT guys have kinda been very tight lipped on what is going on.

---

Seems like the IT guys need to contact us.....

We're seeing a very similiar problem with our free internet offering for our customers. We're running aOS 5.0.4.1.

The issue has been seen  on Android versions 2.3.5, 4.0.3 and 4.1.1

We are seeing a number of reports from our stores that have been replicated on our test environment here at our office that Android phones are not able to use our customer WiFI, the symptoms are that the captive portal (we use an AmigoPOD) takes a noticeably longer time to load and after entering the customer’s details on the portal page the redirect that is part of the registration fails (server time out) and the Android phone is unable to get any further.  

During testing at the office I found that if the Android phone is restarted before the attempt to connect is made the connection works the first time but subsequent attempts to reconnect (after deleting the user and attempting to re-authenticate via the captive portal) always fail. On investigation it seems that at this point, for some reason I do not understand that in many cases the Android client has two IP addresses, one of the IP addresses being valid and within the DHCP scope offered by the Aruba controller, the 2nd IP address invariably being outside of the scope. (note the restart fixing the issue for the first connect was only seen on my phone, I did not have the oppurtunity to restart my colleague's android phones I borrowed for a quick test)

show user-table (I've changed the MAC addresses to try and protect the innocent and not so innocent testers ;)  )

10.88.252.230  1c:b0:94:4b:73:5f                                service-guest-logon-tnl          00:00:01                    5300_Test       Wireless            Free Internet/00:24:6d:45:c9:11/g  service-guest-tnl  tunnel

10.167.253.63  1c:b0:94:4b:73:5f                                service-guest-logon-tnl          00:00:01                    5300_Test       Wireless            Free Internet/00:24:6d:45:c9:11/g  service-guest-tnl  tunnel

10.88.253.14   18:87:96:83:12:aa                                service-guest-logon-tnl          00:00:03                    5300_Test       Wireless            Free Internet/00:24:6d:45:c9:11/g  service-guest-tnl  tunnel

10.88.253.221  b4:07:f9:c9:3b:3c                                service-guest-logon-tnl          00:00:06                    5300_Test       Wireless           

Free Internet/00:24:6d:45:c9:11/g  service-guest-tnl  tunnel

client 1c:b0:94:4b:73:5f has two IP addresses, 10.167.253.63 is outside the scope of the DHCP pool on the controller and 10.88.252.63 which is a valid IP address in the DHCP scope.

Regards

Nigel Brodt-Savage

The second IP address could be the "WAN" or wireless broadband ip address, and could cause the problem you mention. You can try enabling "Enforce DHCP" in the AAA profile.  Go to Configuration> Security> AAA profiles.  Find the AAA profile that corresponds to your WLAN and enable the "Enforce DHCP" option.  This will only work with ArubaOS 6.x and above.

Unfortuantly we're on aOS 5.0.4.1 and can't move at the moment due to budgetry reasons.

The alternative would be to manipulate the validuser ACL to only allow subnets that your users will be on.  What is validuser ACL and its uses? https://kb.arubanetworks.com/app/answers/detail/a_id/40

any    any    svc-sec-papi    permit    Low
any    any    any        permit    Low
any    any    any        permit    Low

However we use these controllers for a number of different WLANs, as I understand it changing this rule would potentially affect all WLANs and not just the Free Internet WLAN ?

---

@nbrodt_savage wrote:

any    any    svc-sec-papi    permit    Low
any    any    any        permit    Low
any    any    any        permit    Low

 

However we use these controllers for a number of different WLANs, as I understand it changing this rule would potentially affect all WLANs and not just the Free Internet WLAN ?

---

Correct.

The easiest way to do this is to summarize all of your networks that you use for WLAN and put it in the validuseracl.  So if you use all private networks you would say:

any network 172.16.0.0 255.255.0.0 any permit

any network 192.168.0.0 255.255.0.0 any permit

any network 10.0.0.0 255.0.0.0 any permit

You would then also remove the "any any any permit low" from the last line.  You should test during a period of downtime.

That's probably not something that I could implement .. Also I have seen the 2nd address fall into IP ranges we do use.

In the case of my phone I dont think this 2nd IP address is from the 3G data connection as my phone appears to be using ipv6 and not ipv4 for it's 3G data connection.

Try turning off the 3g part of the android device and see if you still have the same issue.  Before we make any changes, let us make sure that is the problem...

 Disabled mobile data, same symptoms;

 #show user-table | include 5300

10.167.251.157   18:87:96:43:62:fa                              service-guest-logon-tnl          00:00:03      5300_Test       Wireless            Free Internet/00:24:6c:4c:e9:16/g  service-guest-tnl  tunnel

10.88.253.14     18:87:96:43:62:fa                               service-guest-logon-tnl          00:00:00        5300_Test          Wireless            Free Internet/00:24:6c:4c:e9:16/g  service-guest-tnl  tunnel

nbrodt_savage, we're experience the same issue with Android on a couple of our customer sites with Android. It's the exact same scenario that you are mentioning, but without the double IP-adresses showing up since we have the "Force DHCP" enabled. IOS, OSX and Windows have no issues.

Currently only have Android 4.0.3 and 4.0.4 to test with, but they behave just like you describe. I believe it is related to the OS, but in what way I've not been able to figure out. On some networks it's ok, while on other it's not. Been trying to find a common config issue, but not able to yet.

I'd appreciate to hear from you if you somehow fixed this, or even if the problem is still there.