Wireless Access

Bridge forwarding mode SSID clients only receiving DHCP from gateway which is the firewall at this location

Firewall is the gateway and DHCP it's tagged 251 to a Aruba 2920 layer 2 switch and AP 275 tagged 251

SSID has vlan 251

Eth 0 bridged forward - native 1, tagged 251 (same throughout the set up)

Clients connect get dhcp but have no access to anything else not even ping. did packet tracing and see things coming through but they are lost

Only Arp allowed

the switch sees the Mac addresses of the clients on the SSID the firewall also see the same.

Any thoughts???

As I understand correctly the client doesn't get an IP address.
Do you see a DHCP offer for the client from the firewall?

Client does receive DHCP

It will receive an IP address default gateway and DNS

EDIT:  someone else answered.

And what is not working?

The SSID clients who receive a DHCP address are not able to reach the internet (8.8.8.8),ping their gateway (fw) or devices on the vlan.

The firewall which gave them the DHCP address is not able to ping them either.

Could this be a user role issue?

Even though they are bridged and not tunneling back to the controller , does initial user role apply here?

Yes the initial role is here also applied

I'm going to make the use a role authenticated , I'll see what happens here

This did not work

Which role is applied now?
Please check this also with the command show user-table

Solution!

Found an policy entry was put in the valid user table denying that vlan

Removed the deny from the valid user table.

Clients are now connected to network and internet

Does the client have an ARP entry for the firewall?
Is there any firewall rule configured within the user role?
Do you see some traffic reaching the firewall?

Yes we see ARP entries

Rules to allow any any

Firewall only sees ARP traffic