DHCP enforcement and HP printers

  • 1.  DHCP enforcement and HP printers

    Posted Apr 25, 2015 03:13 PM
    Hi
    I'm facing a problem when I set DHCP enforcement on RAP with HP printers.
    I found none of the HP printers were up to date from the firmware standpoint in all sites. There are multiple issues reported by HP in regards to DHCP. Anyway, I wasn't able to keep the rule to enforce DHCP and avoid users setting up on their own. I tried to add a static ARP entry on the controller but it didn't help.
    The only way to make the printers work is to use a fixed IP and not use this feature, which I don't like.
    The issue seems to be related to the ArubaOS firmware (my version is 6.4.2.5), as far as I can see in a debug where the packets are dropped because the controller seems to believe the printer uses a fixed IP.
    Any other ideas that I should be looking into?

    Thanks
    #ALE


  • 2.  RE: DHCP enforcement and HP printers

    EMPLOYEE
    Posted Apr 25, 2015 07:02 PM

    Please start on page 10 of the document here:  http://community.arubanetworks.com/t5/Validated-Reference-Design/ArubaOS-DHCP-Fingerprinting/ta-p/155604 to turn on DHCP debugging to see what the HP printer does.  That will give you a starting point on what is happening.



  • 5.  RE: DHCP enforcement and HP printers

    EMPLOYEE
    Posted Apr 26, 2015 09:50 PM

    In addition to Colin's suggestions, what is your DHCP lease time versus the AAA user timeout and also the SSID STA Ageout? (show aaa timer, show wlan ssid-profile <the ssid profile>)

    If the DHCP renewal doesn't come before the controller ages out the user (which is by default 1000 seconds), then you can get stuck like this. This assumes the printer is 100% silent on the WLAN side; to check that, please also capture "show ap debug client-table ap-name <ap>" when the printer is in idle mode. If no packets are seen from the printer to the AP, then this 1000 second timer is in play.

     

    regards

    -jeff

     



  • 6.  RE: DHCP enforcement and HP printers

    Posted May 04, 2015 08:21 AM

    Thanks for the answers. I've configured a DHCP debug.

    In regards to the timers/lease:

    DHCP lease time is configured to 8 days and the AAA timers are as follows:

    Global User idle timeout = 300 seconds
    Auth Server dead time = 10 minutes
    Logon user lifetime = 5 minutes
    User Interim stats frequency = 600 seconds

    How can I change the default value of the 1000 second timer?



  • 7.  RE: DHCP enforcement and HP printers
    Best Answer

    EMPLOYEE
    Posted May 06, 2015 06:14 AM

    Hi Aboj

    You can adjust the 1000 seconds under the SSID profile, but you can also try increasing the AAA idle timeout for just the AAA profile being used by the printers.

    It would seem here that the printer is dead silent, perhaps until either 50% of lease time, or maybe even until the lease is about to expire, so you can try setting the idle timeout accordingly.

     

    regards

    -jeff

     

     



  • 8.  RE: DHCP enforcement and HP printers
    Best Answer

    Posted May 12, 2015 07:12 AM

    Hi jgoff

    Adjusting timers did the trick. The initial lease from the DHCP servers was set to 8 days, so I adjusted it to 15 minutes, and I also did the same for the user-idle timeout under the AAA profile, setting it to 30 minutes.

    Initially it wasn't working as expected because the printer didn't take the new lease until I made some changes from fixed to DHCP, which triggered a new DHCP process.

    I haven't lost communication with the printer since. Thanks for the advice and support.

    The printer also goes to sleep mode after some time, so in order to re-enable it you have to send a print job or generate some traffic, but the printer is still reachable and the controller doesn't recognize the IP as a fixed IP address. Do you know any way to send some traffic from the controller to keep it alive?

     

    Thanks again for your support

    Aboj

     



  • 9.  RE: DHCP enforcement and HP printers

    EMPLOYEE
    Posted May 12, 2015 07:23 AM

    Hi Aboj

    Good to hear it's working better. There is no way for the controller to generate L3 traffic towards the client. Perhaps you can install some monitoring software on a server somewhere that does a ping, or just use crontab on a Linux box plus some sort of subnet pinger like fping or hping to generate a ping to each host on the subnet.

    regards

    -jeff



  • 10.  RE: DHCP enforcement and HP printers

    Posted May 05, 2015 04:18 AM

    Yesterday our admin changed the DHCP lease to 1 hour and the printer was up and running until just now.

    According to the logs (printer details 172.20.208.13/00:21:5a:96:51:46), traffic was dropped because the IP is not assigned via DHCP, although I have the printer working in DHCP. After I deactivated the DHCP enforcement, the printer started to work again.

     

    "May  5 09:05:06  authmgr[3629]: <522141> <DBUG> |authmgr|  00:21:5a:96:51:46 IP 172.20.208.13: drop pkt as ip not assigned through dhcp."

    May  5 09:05:03  authmgr[3629]: <522096> <DBUG> |authmgr|  00:21:5a:96:51:46: Sending STM new Role ACL : 83, and Vlan info: 610, action : 10, AP IP: 192.168.200.162, flags : 0 idle-timeout: 300
    May  5 09:05:03  authmgr[3629]: <522096> <DBUG> |authmgr|  00:21:5a:96:51:46: Sending STM new Role ACL : 83, and Vlan info: 610, action : 10, AP IP: 192.168.200.162, flags : 0 idle-timeout: 300
    May  5 09:05:03  authmgr[3629]: <522096> <DBUG> |authmgr|  00:21:5a:96:51:46: Sending STM new Role ACL : 83, and Vlan info: 610, action : 10, AP IP: 192.168.200.162, flags : 0 idle-timeout: 300
    May  5 09:05:03  authmgr[3629]: <522096> <DBUG> |authmgr|  00:21:5a:96:51:46: Sending STM new Role ACL : 83, and Vlan info: 610, action : 10, AP IP: 192.168.200.162, flags : 0 idle-timeout: 300
    May  5 09:05:03  authmgr[3629]: <522141> <DBUG> |authmgr|  00:21:5a:96:51:46 IP 172.20.208.13: drop pkt as ip not assigned through dhcp.
    May  5 09:05:03  authmgr[3629]: <522141> <DBUG> |authmgr|  00:21:5a:96:51:46 IP 172.20.208.13: drop pkt as ip not assigned through dhcp.
    May  5 09:05:03  authmgr[3629]: <522143> <DBUG> |authmgr|  user_miss from RAP:192.168.200.162, (Wired) user IP:172.20.208.13, VLAN:610, BSSID:00:0b:86:9d:5b:24:AP:Barcelona, flags=0x0.
    May  5 09:05:03  authmgr[3629]: <522143> <DBUG> |authmgr|  user_miss from RAP:192.168.200.162, (Wired) user IP:172.20.208.13, VLAN:610, BSSID:00:0b:86:9d:5b:24:AP:Barcelona, flags=0x0.
    May  5 09:05:03  authmgr[3629]: <522254> <DBUG> |authmgr|  VDR - mac 00:21:5a:96:51:46 rolename logon fwdmode 3 derivation_type Initial Role Contained vp not present.
    May  5 09:05:03  authmgr[3629]: <522254> <DBUG> |authmgr|  VDR - mac 00:21:5a:96:51:46 rolename logon fwdmode 3 derivation_type Initial Role Contained vp not present.
    May  5 09:05:03  authmgr[3629]: <522254> <DBUG> |authmgr|  VDR - mac 00:21:5a:96:51:46 rolename rap_corporate fwdmode 3 derivation_type MBA Role Contained vp not present.
    May  5 09:05:03  authmgr[3629]: <522254> <DBUG> |authmgr|  VDR - mac 00:21:5a:96:51:46 rolename rap_corporate fwdmode 3 derivation_type MBA Role Contained vp not present.
    May  5 09:05:03  authmgr[3629]: <522255> <DBUG> |authmgr|  "VDR - set vlan in user for 00:21:5a:96:51:46 vlan 610 fwdmode 3 derivation_type Current VLAN updated.
    May  5 09:05:03  authmgr[3629]: <522255> <DBUG> |authmgr|  "VDR - set vlan in user for 00:21:5a:96:51:46 vlan 610 fwdmode 3 derivation_type Current VLAN updated.
    May  5 09:05:03  authmgr[3629]: <522255> <DBUG> |authmgr|  "VDR - set vlan in user for 00:21:5a:96:51:46 vlan 610 fwdmode 3 derivation_type Current VLAN updated.
    May  5 09:05:03  authmgr[3629]: <522255> <DBUG> |authmgr|  "VDR - set vlan in user for 00:21:5a:96:51:46 vlan 610 fwdmode 3 derivation_type Current VLAN updated.
    May  5 09:05:03  authmgr[3629]: <522255> <DBUG> |authmgr|  "VDR - set vlan in user for 00:21:5a:96:51:46 vlan 610 fwdmode 3 derivation_type Default VLAN.
    May  5 09:05:03  authmgr[3629]: <522255> <DBUG> |authmgr|  "VDR - set vlan in user for 00:21:5a:96:51:46 vlan 610 fwdmode 3 derivation_type Default VLAN.
    May  5 09:05:03  authmgr[3629]: <522258> <DBUG> |authmgr|  "VDR - Add to history of user user 00:21:5a:96:51:46 vlan 0 derivation_type Reset VLANs for Station up index 27.
    May  5 09:05:03  authmgr[3629]: <522258> <DBUG> |authmgr|  "VDR - Add to history of user user 00:21:5a:96:51:46 vlan 0 derivation_type Reset VLANs for Station up index 28.
    May  5 09:05:03  authmgr[3629]: <522259> <DBUG> |authmgr|  "VDR - Do Role Based VLAN Derivation user 00:21:5a:96:51:46 role rap_corporate authtype 2 rolehow default for authentication type MAC.
    May  5 09:05:03  authmgr[3629]: <522259> <DBUG> |authmgr|  "VDR - Do Role Based VLAN Derivation user 00:21:5a:96:51:46 role rap_corporate authtype 2 rolehow default for authentication type MAC.
    May  5 09:05:03  authmgr[3629]: <522260> <DBUG> |authmgr|  "VDR - Cur VLAN updated 00:21:5a:96:51:46 mob 0 inform 1 remote 1 wired 1 defvlan 610 exportedvlan 0 curvlan 610.
    May  5 09:05:03  authmgr[3629]: <522260> <DBUG> |authmgr|  "VDR - Cur VLAN updated 00:21:5a:96:51:46 mob 0 inform 1 remote 1 wired 1 defvlan 610 exportedvlan 0 curvlan 610.
    May  5 09:05:03  authmgr[3629]: <522292> <DBUG> |authmgr|  Auth GSM : MAC_USER notify for mac 00:21:5a:96:51:46 vlan 610
    May  5 09:05:03  authmgr[3629]: <522292> <DBUG> |authmgr|  Auth GSM : MAC_USER notify for mac 00:21:5a:96:51:46 vlan 610
    May  5 09:05:03  authmgr[3629]: <524124> <DBUG> |authmgr|  dot1x_supplicant_up(): MAC:00:21:5a:96:51:46, pmkid_present:False, pmkid:N/A
    May  5 09:05:03  authmgr[3629]: <524124> <DBUG> |authmgr|  dot1x_supplicant_up(): MAC:00:21:5a:96:51:46, pmkid_present:False, pmkid:N/A
    May  5 09:05:03  authmgr[3629]: <524141> <DBUG> |authmgr|  clr_pmkcache_ft():988: MAC:00:21:5a:96:51:46 BSS:01:80:c2:00:00:03
    May  5 09:05:03  authmgr[3629]: <524141> <DBUG> |authmgr|  clr_pmkcache_ft():988: MAC:00:21:5a:96:51:46 BSS:01:80:c2:00:00:03
    May  5 09:05:06  authmgr[3629]: <522035> <INFO> |authmgr|  MAC=00:21:5a:96:51:46 Station UP: BSSID=01:80:c2:00:00:03 ESSID=n/a VLAN=610 AP-name=Barcelona
    May  5 09:05:06  authmgr[3629]: <522077> <DBUG> |authmgr|  MAC=00:21:5a:96:51:46 ingress 0x0x1005e (tunnel 94), u_encr 1, m_encr 1, slotport 0x0x2104 wired, type: remote, FW mode: 3, AP IP: 192.168.200.162 mdie 0 ft_complete 0
    May  5 09:05:06  authmgr[3629]: <522078> <DBUG> |authmgr|  MAC=00:21:5a:96:51:46, wired: 1, vlan:610 ingress:0x0x1005e (tunnel 94), ingress:0x0x1005e new_aaa_prof: rap_corporate_wired_noDHCP, stored profile: rap_corporate_wired_noDHCP stored wired: 1 stored essid:  , stored-ingress: 0x0x1005e
    May  5 09:05:06  authmgr[3629]: <522083> <DBUG> |authmgr|  Skip User-Derivation, mba:1 udr_exist:0,default_role:logon,pDefRole:0x0x110c62c
    May  5 09:05:06  authmgr[3629]: <522096> <DBUG> |authmgr|  00:21:5a:96:51:46: Sending STM new Role ACL : 83, and Vlan info: 610, action : 10, AP IP: 192.168.200.162, flags : 0 idle-timeout: 300
    May  5 09:05:06  authmgr[3629]: <522096> <DBUG> |authmgr|  00:21:5a:96:51:46: Sending STM new Role ACL : 83, and Vlan info: 610, action : 10, AP IP: 192.168.200.162, flags : 0 idle-timeout: 300
    May  5 09:05:06  authmgr[3629]: <522141> <DBUG> |authmgr|  00:21:5a:96:51:46 IP 172.20.208.13: drop pkt as ip not assigned through dhcp.
    May  5 09:05:06  authmgr[3629]: <522143> <DBUG> |authmgr|  user_miss from RAP:192.168.200.162, (Wired) user IP:172.20.208.13, VLAN:610, BSSID:00:0b:86:9d:5b:24:AP:Barcelona, flags=0x0.
    May  5 09:05:06  authmgr[3629]: <522254> <DBUG> |authmgr|  VDR - mac 00:21:5a:96:51:46 rolename logon fwdmode 3 derivation_type Initial Role Contained vp not present.
    May  5 09:05:06  authmgr[3629]: <522254> <DBUG> |authmgr|  VDR - mac 00:21:5a:96:51:46 rolename rap_corporate fwdmode 3 derivation_type MBA Role Contained vp not present.
    May  5 09:05:06  authmgr[3629]: <522255> <DBUG> |authmgr|  "VDR - set vlan in user for 00:21:5a:96:51:46 vlan 610 fwdmode 3 derivation_type Current VLAN updated.
    May  5 09:05:06  authmgr[3629]: <522255> <DBUG> |authmgr|  "VDR - set vlan in user for 00:21:5a:96:51:46 vlan 610 fwdmode 3 derivation_type Current VLAN updated.
    May  5 09:05:06  authmgr[3629]: <522255> <DBUG> |authmgr|  "VDR - set vlan in user for 00:21:5a:96:51:46 vlan 610 fwdmode 3 derivation_type Default VLAN.
    May  5 09:05:06  authmgr[3629]: <522258> <DBUG> |authmgr|  "VDR - Add to history of user user 00:21:5a:96:51:46 vlan 0 derivation_type Reset VLANs for Station up index 29.
    May  5 09:05:06  authmgr[3629]: <522259> <DBUG> |authmgr|  "VDR - Do Role Based VLAN Derivation user 00:21:5a:96:51:46 role rap_corporate authtype 2 rolehow default for authentication type MAC.
    May  5 09:05:06  authmgr[3629]: <522260> <DBUG> |authmgr|  "VDR - Cur VLAN updated 00:21:5a:96:51:46 mob 0 inform 1 remote 1 wired 1 defvlan 610 exportedvlan 0 curvlan 610.
    May  5 09:05:06  authmgr[3629]: <522292> <DBUG> |authmgr|  Auth GSM : MAC_USER notify for mac 00:21:5a:96:51:46 vlan 610
    May  5 09:05:06  authmgr[3629]: <524124> <DBUG> |authmgr|  dot1x_supplicant_up(): MAC:00:21:5a:96:51:46, pmkid_present:False, pmkid:N/A
    May  5 09:05:06  authmgr[3629]: <524141> <DBUG> |authmgr|  clr_pmkcache_ft():988: MAC:00:21:5a:96:51:46 BSS:01:80:c2:00:00:03
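
An added example, not part of any post in this thread and not Aruba tooling: a small Python parser that counts the "drop pkt as ip not assigned through dhcp" events per client in authmgr debug output like the log above, reads the idle-timeout value the controller sent, and checks the lease/idle-timeout relationship discussed in the replies. The 50% renewal point is the RFC 2131 default, the client staying silent until then is an assumption taken from reply 7, and the function names are illustrative.

```python
import re
from collections import defaultdict

# Sample lines copied from the log posted in this thread.
SAMPLE = """\
May  5 09:05:03  authmgr[3629]: <522096> <DBUG> |authmgr|  00:21:5a:96:51:46: Sending STM new Role ACL : 83, and Vlan info: 610, action : 10, AP IP: 192.168.200.162, flags : 0 idle-timeout: 300
May  5 09:05:03  authmgr[3629]: <522141> <DBUG> |authmgr|  00:21:5a:96:51:46 IP 172.20.208.13: drop pkt as ip not assigned through dhcp.
May  5 09:05:06  authmgr[3629]: <522141> <DBUG> |authmgr|  00:21:5a:96:51:46 IP 172.20.208.13: drop pkt as ip not assigned through dhcp.
May  5 09:05:06  authmgr[3629]: <522035> <INFO> |authmgr|  MAC=00:21:5a:96:51:46 Station UP: BSSID=01:80:c2:00:00:03 ESSID=n/a VLAN=610 AP-name=Barcelona
"""

MAC = r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
TS = re.compile(r"^\s*(\w{3}\s+\d+\s+\d\d:\d\d:\d\d)")
DROP = re.compile(MAC + r" IP (?P<ip>[\d.]+): drop pkt as ip not assigned through dhcp", re.I)
IDLE = re.compile(MAC + r": Sending STM new Role .*idle-timeout: (?P<idle>\d+)", re.I)

def summarize(log_text):
    """Per-MAC view of DHCP-enforcement drops and the idle-timeout sent to the AP."""
    clients = defaultdict(lambda: {"ips": set(), "drops": 0, "idle_timeout": None,
                                   "first_drop": None, "last_drop": None})
    for line in log_text.splitlines():
        ts = TS.match(line)
        stamp = ts.group(1) if ts else None
        if (m := DROP.search(line)):
            c = clients[m["mac"].lower()]
            c["ips"].add(m["ip"])
            c["drops"] += 1
            c["first_drop"] = c["first_drop"] or stamp
            c["last_drop"] = stamp
        elif (m := IDLE.search(line)):
            clients[m["mac"].lower()]["idle_timeout"] = int(m["idle"])
    return dict(clients)

def renewal_after_ageout(lease_seconds, idle_timeout_seconds):
    """True when the first renewal (T1 = 50% of the lease, the RFC 2131 default)
    would come only after the idle timeout has expired. Assumes the client
    sends nothing else in between, as suggested in reply 7."""
    return lease_seconds / 2 > idle_timeout_seconds

if __name__ == "__main__":
    for mac, c in summarize(SAMPLE).items():
        print(mac, sorted(c["ips"]), "drops:", c["drops"], "idle-timeout:", c["idle_timeout"])
        # 8-day lease from reply 6 against the idle-timeout seen in the log
        print("renewal after age-out:", renewal_after_ageout(8 * 86400, c["idle_timeout"]))
```

With the values from the thread, an 8-day or 1-hour lease against a 300-second idle timeout is flagged, while the 15-minute lease with a 30-minute idle timeout from reply 8 is not.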