Wireless Access

Hello,

 

I'm trying to set up a DHCP Server linked to a wireless connection, the server is up, but when a client authenticates to the same server SSID, the client is unable to get an ip.

Seems like the controller doesn't send DHCP DISCOVER messages from the client to the server in the same SSID.

I have reviewed both Broadcast supression at VAP, also wireless client communication  is allowed.

I have checked that client can authenticate, but once it does, it can't get ip from DHCP.

 

Someone can help me about this issue??

Please share the role details for the client.    Find out what role the client is in after connecting (show user).  Then issue a show rights <name-of-role> to view that policies are set and to ensure DHCP is allowed.

 

Also, is the VLAN that the user is being put onto a VLAN trunked on the controller?    Do you have/need IP Helpers for the DHCP server?

 

To troubleshoot the DHCP request, enable DHCP debugging and view the logs:

 

config t

logging level debugging network subcat dhcp

show log network | include <mac-of-client>

 

Disable debugging when done:

no logging level debugging network subcat dhcp

It's very strange, the wireless client authenticates, don't get ip and the controller says there is no user.

Attached you have the logs, the user is umhnet\jramon, the wireless client mac is 00:1c:bf:82:aa:25

 

Thank you

jgarciav,

 

what is the output of "show station-table | include 00:1c:bf:82:aa:25"

 

Is this the only device that cannot get an ip address on VLAN 102?

What are the ACLs in the role "corporativo"?  Does the role corporativo have a VLAN in it?

 

Type "show rights corporativo" and give us the output.

Hello,

 

Any device can get ip address, we connect to SSID linked to vlan 100 not 102.

Role corporativo doesn't have Vlan attached to it, it's SSID "congreso" which is linked to Vlan 100.

 

For clarification, the DHCP server is one laptop also connected by wireless to SSID "congreso" and whithout DHCP, it has the manual ip configured, we try to get ips from this DHCP for wireless clients also connected to SSID "congreso".

Both clients and DHCP server are in the air, all connected to SSID "congreso".

 

Here you have the commands:

 

(aruba_master) #show station-table | include 00:1c:bf:82:aa:25
00:1c:bf:82:aa:25 umhnet\jramon corporativo 00:00:01 Yes ap-E06.1.04_sw10.102_p0/46 congreso g No aaa_perfil_dot1x

 

 

(aruba_master) #show rights corporativo

Derived Role = 'corporativo'
Up BW:No Limit Down BW:No Limit
L2TP Pool = default-l2tp-pool
PPTP Pool = default-pptp-pool
Periodic reauthentication: Disabled
ACL Number = 68/0
Max Sessions = 65535

access-list List
----------------
Position Name Type Location
-------- ---- ---- --------
1 denegar_acceso_aruba session
2 permitir_dhcp session
3 allowall session

denegar_acceso_aruba
--------------------
Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6
-------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------
1 192.168.18.6 any any permit Low 4
2 192.168.18.5 any any permit Low 4
3 192.168.133.4 any any permit Low 4
4 any direcciones aruba any deny Yes Low Yes 4
permitir_dhcp
-------------
Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6
-------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------
1 any any svc-dhcp permit Low 4
allowall
--------
Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6
-------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------
1 any any any permit Low 4

Expired Policies (due to time constraints) = 0

(aruba_master) #

 

 

 

 

Put the "allowall" acl to the top of corporativo and try again.

 

You have a laptop providing DHCP?

Hi again

 

I have tried but still don't get ip.

 

(aruba_master) #show rights corporativo

Derived Role = 'corporativo'
Up BW:No Limit Down BW:No Limit
L2TP Pool = default-l2tp-pool
PPTP Pool = default-pptp-pool
Periodic reauthentication: Disabled
ACL Number = 68/0
Max Sessions = 65535

access-list List
----------------
Position Name Type Location
-------- ---- ---- --------
1 allowall session
2 denegar_acceso_aruba session
3 permitir_dhcp session

allowall
--------
Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6
-------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------
1 any any any permit Low 4
denegar_acceso_aruba
--------------------
Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6
-------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------
1 192.168.18.6 any any permit Low 4
2 192.168.18.5 any any permit Low 4
3 192.168.133.4 any any permit Low 4
4 any direcciones aruba any deny Yes Low Yes 4
permitir_dhcp
-------------
Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6
-------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------
1 any any svc-dhcp permit Low 4

Expired Policies (due to time constraints) = 0

 

 

 

Yes, I have a laptop connected by wireless as DHCP server, and others laptops connected to the same SSID as clients.

 

It's worth mention that VLAN 100 has an external router as default gateway, then if I configure a dhcp helper at the router  (ip helper address ) with the DHCP ip then the others laptops get ip.

 

I mean, the DHCP DISCOVER packet is going out the controller to the external router, then it converts it from broadcast to unicast and send it to DHCP, then the client can get ip.

Thank you

 

If your dhcp server is wireless, I might not be able to help you, because that is not a scenario we encounter.

You mention the DHCP laptop is also wireless; when you do a show user on the controller, is that laptop in the same role as the client or a different role?   Also, have you doublechecked that the DHCP service on the laptop is bound to the proper interface (listening on the Wi-Fi interface)?

 

 

Laptop is in the same role as client, both of them are in "corporativo" role.
Yes, rhe dhcp server is bound to wireless adapter.

The question is that it seems like the controller don't send the Discover broadcast back to the same gre tunnel to the AP where both the dhcp server and the client are associate.
Also, I don't know why the client is authenticated but don't appear as valid with its role.

Jgarciav,

Imagine if a wireless client started serving up dhcp addresses to your users....

Let me check to see if that was removed...

Hi joseph,
The purpose of setting up a wireless dhcp server is just test some configuration like deny udp 68 in acl or some firewall configuration to deny or avoid having a dhcp server on the air. This is why I'm trying to make this lab, to have a valid config to avoid it, even the case some valid wireless client has the idea to damage our network.

Please if you confirm me that Discover dhcp can't be sent to wireless let me know

Thank you

jgarciav,

 

What version of ArubaOS is this?

 

6.3.1.3

jgarcia v,

 

do you have "drop broadcast and multicast" disabled on the Virtual AP profile?

 

Yes, both options are unchecked in gui

Making a sniffing on DHCP server, I can't see any DHCP DISCOVER packet when we try to get ip from client.

 

Is there some way to see if packets are getting dropped at controller?

 

Thank you

What role are the users getting?

Can you run:

 

show rights <user-role-name>

Attached you have the role, we also have tried with "allowall" first position

I had this same exact issue with a cent os box running dhcp. It was wired to the controller however. i called aruba support and the anwser they gave me was to run dhcp on the controller. We could not figure out why the controller would not pass dhcp replies to clients. my setup was working fine for a month, and then one day the entire guest network was down. So just know this is an actual issue. I was on a 3200 controller with 6.1.0.11 I believe. 

This is slightly different, in this case the DHCP server is not wired to the controller but it's on the air associate to a virtual AP, the question here is that DHCP DISCOVER sent by another wireless client is not coming to the dhcp server "on the air".

 

According to aruba, there is some configs guide to avoid wireless dhcp servers offering ip to clients "on the air" for example make some ALC entry like "user any udp 68 deny" just to avoid sending DHCP OFFER from server in the air to anyone, but the question is that even DHCP DISCOVER can't reach the potential wireless DHCP server.

 

I don't know if someone have tested this config.