Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

DHCP Issue on clients 802.1x

  • 1.  DHCP Issue on clients 802.1x

    Posted Oct 31, 2018 10:41 PM

    Hi All,

    We seem to be having issues with our APs and clients receiving IP addresses.

    I have enabled a port with 802.1x where the AP is connected, and as soon as I do that new clients stop receiving a DHCP lease.

    When I console onto the AP I am able to ping the RADIUS server, and Aruba Central is able to communicate with the CPPM server as well.

    So what's the best way to troubleshoot this issue apart from Wireshark, as I am a noob when it comes to reading Wireshark logs?

    The issue occurs on all devices.



  • 2.  RE: DHCP Issue on clients 802.1x

    EMPLOYEE
    Posted Oct 31, 2018 11:58 PM

    What is the model number of the AP and switch?

    Check the authentication server to validate if the AP has passed authentication.

    On the switch, check if the AP has completed dot1x and if it has got the right role which allows DHCP.



  • 3.  RE: DHCP Issue on clients 802.1x

    Posted Nov 01, 2018 12:03 AM

    AP305, HP5400.

    Where and what commands should I be running?

    I am fairly new to Aruba.

    I have logged onto the AP; is that where I need to run the commands from?



  • 4.  RE: DHCP Issue on clients 802.1x

    EMPLOYEE
    Posted Nov 01, 2018 02:11 AM

    Is this an IAP or controller based AP?

    Where is the dot1x enabled? (Switch / wireless)

    What is the authentication source?

    Check the link below, which has different show commands that can be run on the switch to validate port access (if wired dot1x):

    http://h22208.www2.hpe.com/eginfolib/networking/docs/switches/WB/15-18/5998-8152_wb_2920_asg/content/ch13s09.html



  • 5.  RE: DHCP Issue on clients 802.1x

    Posted Nov 06, 2018 12:44 PM

    Hi,

    If I understand right, you configured 802.1x on the switchport where the AP is connected.

    If you use "user-based access control", then every user/client has to authenticate on that switchport. Which means, besides the AP, the wireless users would also have to authenticate at the switchport. This will not work: clients will not do 802.1x two times in a row (first authenticating at the wireless infrastructure and second at the switch).

    Instead of this, you should use "port-based access control". The first client which authenticates successfully opens the port for all users/clients entering that switchport. That way, the AP will open the switchport, after successfully authenticating, also for all the wireless clients.

    Please consult the "ArubaOS-Switch Access Security Guide", chapter "Port-Based and User-Based Access Control (802.1X)".

    In short: do not configure a client limit. Have you configured this?

    Regards, Jö



  • 6.  RE: DHCP Issue on clients 802.1x

    Posted Nov 06, 2018 05:02 PM

    Yes, I do have a client limit configured for the AP on the switch port.

    Where am I meant to use port-based access control on the switch port?



  • 7.  RE: DHCP Issue on clients 802.1x

    Posted Nov 07, 2018 05:10 AM

    Hi,

    First one thing: I might've been too fast yesterday.
    In your first message you mention Aruba Central. Thus I'm assuming you are using Aruba Instant APs.
    This is important, because settings on switchports are only relevant for controller-based APs in bridge mode and for Instant APs, not for APs tunneling traffic to a controller.

    So: Are you using Instant APs as I assumed?

    Now, let's say you connected the AP to port A1 and configured authentication for A1:

    aaa port-access authenticator A1 client-limit 1

    That way, the first client is authenticated. Traffic from all other clients seen by the switch will be dropped.

    If you set a higher limit instead:

    aaa port-access authenticator A1 client-limit 32

    The switch will authenticate up to 32 clients on port A1. But all clients have to authenticate successfully; otherwise traffic gets dropped again.
    The AP will be the first client and will be accepted. Clients on a (bridged/Instant) AP will also have to authenticate, but this will not work. They'll get dropped since they are unable to authenticate successfully.

    Now port-based:

    aaa port-access authenticator A1

    Now the AP authenticates and opens the port for all other clients coming in through the same port the AP is connected to (A1 in that case).
    This is OK for security, since clients will already be authenticated by the wireless infrastructure.


    To change from user-based (with client-limit) to port-based (no client-limit) you can use:

    aaa port-access authenticator A1 client-limit

    (Just omit the number behind client-limit)


    Regards, Jö




  • 8.  RE: DHCP Issue on clients 802.1x

    Posted Nov 07, 2018 05:21 PM

    Hi Jo,

    Appreciate such a detailed response.

    Yes, we do use Aruba Central for our IAPs.

    Below are the commands that I have used so far for all ports:

    aaa port-access authenticator
    aaa port-access authenticator tx-period 10
    aaa port-access authenticator supplicant-timeout 10
    aaa port-access authenticator client-limit 3
    aaa port-access mac-based
    aaa port-access mac-based addr-limit 2

    Do I just need that one line, or do I need the above as well, minus the client limit?



  • 9.  RE: DHCP Issue on clients 802.1x

    Posted Nov 08, 2018 03:52 AM

    Hi,

    Just removing the client limit should be fine.

    802.1x has priority over mac-auth. I never tested if this is also true for the addr-limit. But I guess you'll find out... ;-)

    Maybe you start simple: just enable port-based auth and leave the rest at default on an "AP test port". After that, you can add other options step by step, if needed. That way, you'll see which single option breaks connectivity.

     

    Regards, Jö
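    The user-based versus port-based behaviour that posts 7 to 9 describe (a client-limit means every client on the port must authenticate itself and at most that many are admitted; no client-limit means the AP's own authentication opens the port for the wireless clients bridged behind it), as an added example that is not part of the thread and not HPE's code. It parses the single-port form of the commands quoted in post 7, predicts which clients behind an AP get forwarded, and emits the limit-clearing command from post 7 for every port still in user-based mode. The sample config, the port names and the client labels are constructed; the parser only handles the single-port form shown in post 7 and ignores port ranges and the tx-period, supplicant-timeout and mac-based lines, since those do not change the authentication mode.

```python
"""Model of the ArubaOS-Switch 802.1X port-access modes described in posts 7-9.

Added example; not the thread's or HPE's code. It reads the single-port
'aaa port-access authenticator <port> ...' lines from post 7, classifies each
port as user-based (client-limit set) or port-based (no client-limit),
predicts which clients on an AP port get forwarded, and prints the fix.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Only single port names such as A1 are handled. Port ranges/lists and the
# tx-period, supplicant-timeout and mac-based lines are ignored: they do not
# change the authentication mode, which is all this model cares about.
ENABLE_RE = re.compile(r"^aaa port-access authenticator ([A-Z]\d+|\d+)$")
LIMIT_RE = re.compile(
    r"^aaa port-access authenticator ([A-Z]\d+|\d+) client-limit(?: (\d+))?$"
)


@dataclass
class PortAuth:
    port: str
    enabled: bool = False
    client_limit: Optional[int] = None  # None means port-based

    @property
    def mode(self) -> str:
        return "user-based" if self.client_limit is not None else "port-based"


@dataclass
class Client:
    mac: str
    can_dot1x: bool  # True for the AP (an 802.1X supplicant), False for bridged wireless clients


def parse_config(text: str) -> Dict[str, PortAuth]:
    """Fold the config lines, in order, into per-port authenticator state."""
    ports: Dict[str, PortAuth] = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = ENABLE_RE.match(line)
        if m:
            ports.setdefault(m.group(1), PortAuth(m.group(1))).enabled = True
            continue
        m = LIMIT_RE.match(line)
        if m:
            p = ports.setdefault(m.group(1), PortAuth(m.group(1)))
            # 'client-limit N' makes the port user-based; 'client-limit' with
            # no number clears it and returns the port to port-based (post 7).
            p.client_limit = int(m.group(2)) if m.group(2) is not None else None
    return ports


def forwarded_clients(port: PortAuth, clients: List[Client]) -> List[str]:
    """MACs whose traffic the switch forwards, following post 7's description.

    clients is in arrival order; on an AP port the AP is normally first.
    """
    if not port.enabled:
        return [c.mac for c in clients]
    if port.client_limit is None:
        # port-based: one successful 802.1X (the AP) opens the port for everyone on it
        return [c.mac for c in clients] if any(c.can_dot1x for c in clients) else []
    # user-based: each client must authenticate itself; the bridged wireless
    # clients cannot, so they are dropped, and at most client_limit are admitted
    return [c.mac for c in clients if c.can_dot1x][: port.client_limit]


def remediation(port: PortAuth) -> Optional[str]:
    """The command from post 7 that switches a user-based port back to port-based."""
    if port.client_limit is None:
        return None
    return f"aaa port-access authenticator {port.port} client-limit"


def audit(ports: Dict[str, PortAuth]) -> List[str]:
    """Fix commands for every enabled port that still runs user-based auth."""
    return [
        remediation(p)
        for p in sorted(ports.values(), key=lambda p: p.port)
        if p.enabled and p.client_limit is not None
    ]


# Constructed sample config (hypothetical ports A1-A4), mirroring the command
# forms quoted in posts 7 and 8. A4 shows the limit being set and then cleared.
SAMPLE_CONFIG = """\
aaa port-access authenticator A1
aaa port-access authenticator A1 tx-period 10
aaa port-access authenticator A1 supplicant-timeout 10
aaa port-access authenticator A1 client-limit 1
aaa port-access authenticator A2
aaa port-access authenticator A2 client-limit 32
aaa port-access authenticator A3
aaa port-access authenticator A4
aaa port-access authenticator A4 client-limit 3
aaa port-access authenticator A4 client-limit
aaa port-access mac-based A1
aaa port-access mac-based A1 addr-limit 2
"""

# Constructed arrival order on an AP port: the AP, then two wireless clients
# that already authenticated to the WLAN and will not do 802.1X again.
AP_PORT_CLIENTS = [Client("ap-mac", True), Client("wifi-1", False), Client("wifi-2", False)]

if __name__ == "__main__":
    ports = parse_config(SAMPLE_CONFIG)
    for p in sorted(ports.values(), key=lambda p: p.port):
        print(p.port, p.mode, forwarded_clients(p, AP_PORT_CLIENTS))
    for cmd in audit(ports):
        print("fix:", cmd)
```

    Running it shows A1 and A2 (user-based) forwarding only the AP, while A3 and A4 (port-based) forward the wireless clients too, and the audit lists the two limit-clearing commands. The same table makes Jö's "start simple on a test port" advice concrete: a port with nothing but the enable line is already in the mode that works for an AP.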




  • 10.  RE: DHCP Issue on clients 802.1x

    Posted Nov 08, 2018 04:35 PM

    Will do, and I'll advise how I go.

    Thank you.



  • 11.  RE: DHCP Issue on clients 802.1x

    Posted Nov 14, 2018 12:01 AM

    Testing the solution now.

    Will advise how I go.



  • 12.  RE: DHCP Issue on clients 802.1x

    Posted Nov 14, 2018 04:50 PM

    The AP is not even coming online now.

    aaa port-access authenticator (as soon as I put this command in, the AP doesn't turn on; removing the command makes it work. Any reason why?)
    aaa port-access authenticator tx-period 10
    aaa port-access authenticator supplicant-timeout 10
    aaa port-access mac-based addr-limit 2

    I am unable to remove addr-limit.

    All the VLANs are there but the AP won't even come online :(



  • 13.  RE: DHCP Issue on clients 802.1x

    Posted Nov 14, 2018 03:55 AM

    DHCP error after implementation of 802.1x.

    After implementation of 802.1x, there are 2-4 devices a day which lose the DHCP-assigned IP address. When it happens, most of the time 1 or 2 reboots will make it pick up the IP address again, but occasionally the device needs a reset. This also means that we need to put this device in the 802.1x exception list, because a reset also means 802.1x is disabled and the certificates have to be re-installed.

    Will anyone please suggest what I need to do, how to overcome this issue?

    This is happening when the device is in idle state.


    @aruba_noob wrote:

    Hi All,

    We seem to be having issues with our APs and clients receiving IP addresses.

    I have enabled a port with 802.1x where the AP is connected, and as soon as I do that new clients stop receiving a DHCP lease.

    When I console onto the AP I am able to ping the RADIUS server, and Aruba Central is able to communicate with the CPPM server as well.

    So what's the best way to troubleshoot this issue apart from Wireshark, as I am a noob when it comes to reading Wireshark logs?

    The issue occurs on all devices.