Wireless Access

Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

DHCP not working

  • 1.  DHCP not working

    Posted May 24, 2017 04:21 AM

    I'm trying to configure a captive portal. At the moment, DHCP isn't working at all though. If a user connects their device to the open SSID, they don't get any IP address assigned. It's not even making it to the captive portal page. I'm trying to assign the IPs via the internal DHCP server. Here is my configuration:

     

    aaa authentication captive-portal Example-cp
    default-role Example-user
    user-logon
    no guest-logon
    server-group CP-Test

    user-role Example-user
    vlan 25
    captive-portal "Example-cp"
    access-list session global-sacl
    access-list session apprf-Example-user-sacl
    access-list session allowall

    aaa profile Example-aaa
    initial-role authenticated

    wlan ssid-profile Example-ssid
    essid "Example-CP"
    opmode opensystem

    wlan virtual-ap Example-vap
    vlan 25
    aaa-profile Example-aaa
    ssid-profile Example-ssid

    vlan 25

    interface vlan 25
    ip address 192.168.75.1 255.255.255.0
    no ip routing
    ip nat inside

    ip dhcp pool vlan25
    network 192.168.75.0 255.255.255.0
    default-router 192.168.75.1
    dns-server 8.8.8.8 8.8.8.9
    domain-name example.com
    authoritative

    ip access-list session allowall
    any any any permit

     



  • 2.  RE: DHCP not working

    EMPLOYEE
    Posted May 24, 2017 06:34 AM

    It is hard to tell what is wrong, because you picked certain portions of the configuration to display, but it is not clear how they are related.

     

    You should associate a client to the SSID, let it fail or get a .169 address and find out what role it is in.  After that, give us the output of "show rights <role>"



  • 3.  RE: DHCP not working

    Posted May 30, 2017 05:00 PM

    @cjoseph wrote:

    It is hard to tell what is wrong, because you picked certain portions of the configuration to display, but it is not clear how they are related.

     

    You should associate a client to the SSID, let it fail or get a .169 address and find out what role it is in.  After that, give us the output of "show rights <role>"


    Thanks for the response Colin.

     

    I'm sorry this has taken so long. It seems like it is assigning the VLAN correctly. I would happily post the configuration, but it's quite large as it contains a few experimental setups at the moment. Is there any more of the configuration you'd need me to post?

     

    (device) #show rights Example-user

    Derived Role = 'Example-user'
    Up BW:No Limit   Down BW:No Limit
    L2TP Pool = default-l2tp-pool
    PPTP Pool = default-pptp-pool
    Assigned VLAN = 25
    Periodic reauthentication: Disabled
    DPI Classification: Enabled
    Web Content Classification: Enabled
    ACL Number = 102/0
    Max Sessions = 65535

    Check CP Profile for Accounting = TRUE
    Captive Portal profile = Example-cp



  • 4.  RE: DHCP not working

    EMPLOYEE
    Posted May 31, 2017 07:25 AM

     

    Adding to Colin's earlier post, the following CLI data would be helpful to see what is the actual client status when DHCP is not working:

     

    # check to ensure the client's MAC is learned in the VLAN

    show datapath bridge | inc <client MAC in CAPS>

     

    # check which role and VLAN the client has

    show user-table verbose | inc <client mac>

     

    # check the rights of the role

    show rights <rolename>

     

    # this will show which rules are being hit

    show acl hits user-role <rolename>

     

    It sounds like the bit we're missing is whether the user lands in the Example-user role, and what that role allows.

     

     



  • 5.  RE: DHCP not working

    Posted Jun 02, 2017 03:56 AM

    Thanks Shawn for your assistance. I discovered the solution on my own. 

     

    I had two DHCP pools configured with more than 255 addresses. The Aruba 620 (running on 6.4.2.12) cannot have more than 255 addresses assigned to DHCP pools and thus was not assigning more addresses to my new VLAN.

     

    I noticed this when I tried to delete all the configuration and re-add it. I got this error:

    (device) (config) #ip dhcp pool vlan25
    (device) (config-dhcp)# network 192.168.75.0 255.255.255.0
    Failed to add pool vlan7 which has more than 256 addresses. Maximum addresses configurable is 256.

     

    To fix this, I had to exclude some IP addresses from the existing DHCP range and exclude some from this range using the "ip dhcp excluded-address" command. 

     

    Helpful: http://community.arubanetworks.com/t5/Wireless-Access/620-AOS-6-3-1-2-Failed-to-add-DHCP-pool-due-to-address-ranges/td-p/138267
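
The pool-size check behind the fix in post 5, as an added example that is not part of the original thread or any poster's code: it totals the leasable addresses across all `ip dhcp pool` blocks after `ip dhcp excluded-address` ranges are removed and compares the sum with the 256 limit quoted in the error message. Assumptions: the sample config is constructed, the controller is assumed to count host addresses minus exclusions, and `excluded-address` is assumed to take a start address and an optional end address.

```python
import ipaddress

# Constructed sample config (not from the thread): two /24 pools plus exclusions.
SAMPLE_CONFIG = """\
ip dhcp excluded-address 192.168.10.1 192.168.10.155
ip dhcp excluded-address 192.168.75.1 192.168.75.100
ip dhcp pool vlan10
 network 192.168.10.0 255.255.255.0
ip dhcp pool vlan25
 network 192.168.75.0 255.255.255.0
"""

MAX_ADDRESSES = 256  # limit quoted in the controller's error message


def pool_usage(config):
    """Return {pool_name: leasable address count} for every DHCP pool."""
    pools, excluded, current = {}, set(), None
    for line in config.splitlines():
        words = line.split()
        if words[:3] == ["ip", "dhcp", "pool"] and len(words) == 4:
            current = words[3]
        elif words[:1] == ["network"] and current and len(words) == 3:
            pools[current] = ipaddress.ip_network(f"{words[1]}/{words[2]}")
        elif words[:3] == ["ip", "dhcp", "excluded-address"] and len(words) in (4, 5):
            low = int(ipaddress.ip_address(words[3]))
            high = int(ipaddress.ip_address(words[-1]))  # same as low if no end given
            excluded.update(range(low, high + 1))
    usage = {}
    for name, net in pools.items():
        # Assumption: network and broadcast addresses are not counted.
        hosts = {int(h) for h in net.hosts()}
        usage[name] = len(hosts - excluded)
    return usage


def check(config, limit=MAX_ADDRESSES):
    """Return (per-pool usage, total, True if total fits within the limit)."""
    usage = pool_usage(config)
    total = sum(usage.values())
    return usage, total, total <= limit


if __name__ == "__main__":
    usage, total, ok = check(SAMPLE_CONFIG)
    for name, count in usage.items():
        print(f"{name}: {count} leasable addresses")
    print(f"total {total} / {MAX_ADDRESSES}: {'OK' if ok else 'over limit'}")
```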