Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Isolated SSID connected to OPT network interface of router

  • 1.  Isolated SSID connected to OPT network interface of router

    Posted Aug 11, 2015 03:55 PM

    Hi All,

     

    I'm a very new user to Aruba equipment. I've got the basics down and I have an Aruba 3200 with 6 AP105's that are working just fine. The current environment is pretty standard and is in use by our internal employees and protected via WPA2 aes/tkip.

     

    I'd like to add a guest network that is connected to the OPT port of my m0n0wall router, but I'm having some trouble getting it set up correctly. My reason for using the OPT port is because I'd like to have public traffic routed through a different static IP than my production network.

     

    My router is configured at 192.168.x.1, DNS forwarding is enabled and pushing out to public addresses. If I plug my laptop directly into this interface and set a static address, I can browse just fine. I'm using the built in throttle options for the m0n0wall and they are tested and working fine on this interface.

     

    DHCP was enabled for this network via the m0n0wall, but I have since disabled it to see if I could have the Aruba controller handle it.

     

    I set up a VLAN per documentation, am pointing to the router as the default router address, have DHCP enabled on the subnet within the Aruba controller, and have the new SSID pointed to the correct VLAN. I have the VLAN pointing to Port 1, which is where my interface from my OPT network on my m0n0wall is connected to.

     

    I can't even get a DHCP address issued when I successfully connect to the new SSID, that's even with the SSID tied to that VLAN.

     

    Any thoughts or input?



  • 2.  RE: Isolated SSID connected to OPT network interface of router

    EMPLOYEE
    Posted Aug 11, 2015 04:01 PM

    - Dedicate a physical port and a VLAN on your Aruba Controller for guest traffic.

    config t
    vlan 1000
    interface vlan 1000
    interface gigabitethernet 1/0 <-----Physical port you would plug your router in
    switchport access vlan 1000
    

    - Plug the user (not the WAN) side of your firewall into that connection

    - Give the Aruba controller an ip address on that VLAN in the range that the router would assign to clients

    config t
    interface vlan 1000
    ip address 192.168.1.3 255.255.255.0
    

    - Use the WLAN wizard to create an SSID that puts users on that VLAN

    - Optionally, you can create a DHCP server within the Aruba Controller to supply your guest clients with ip addresses (the scope would have the router as the default gateway so that your clients can get out)



  • 3.  RE: Isolated SSID connected to OPT network interface of router

    Posted Aug 11, 2015 04:17 PM

    Hey Colin,

     

    Thanks for the quick reply.

     

    Here's my output with the actual IP masked

     

    (Aruba3200-BOMF) #show vlan
    
    VLAN CONFIGURATION
    ------------------
    VLAN  Description  Ports           AAA Profile
    ----  -----------  -----           -----------
    1     Default      GE1/0-3 Pc0-7   N/A
    
    (Aruba3200-BOMF) #configure t
    Enter Configuration commands, one per line. End with CNTL/Z
    
    (Aruba3200-BOMF) (config) #vlan 1000
    (Aruba3200-BOMF) (config) #interface vlan 1000
    (Aruba3200-BOMF) (config-subif)#interface gigabitethernet 1/1
    (Aruba3200-BOMF) (config-if)#switchport access vlan 1000
    (Aruba3200-BOMF) (config-if)#configure t
    Enter Configuration commands, one per line. End with CNTL/Z
    
    (Aruba3200-BOMF) (config) #interface vlan 1000
    (Aruba3200-BOMF) (config-subif)#ip address 192.168.x.150 255.255.255.0
    (Aruba3200-BOMF) (config-subif)#

     

    I then created a new SSID and mapped it to VLAN 1000. DHCP is enabled on the router (if I plug into that port directly in the router I get an address and all is well)... I have the OPT port (not WAN) plugged into gigabitethernet 1/1 as specified.

     

    I still cannot seem to grab an IP address, nothing ever gets assigned.

     

    Any other thoughts? Seems I was headed in the right direction but it's just not happening.



  • 4.  RE: Isolated SSID connected to OPT network interface of router

    EMPLOYEE
    Posted Aug 11, 2015 04:20 PM

    You do not grab an address if you do what?  If you create an open WLAN mapped to VLAN 1000, you should be able to get an ip address if the controller is providing DHCP, OR the router is providing dhcp for your clients.  Since VLAN 1000 is not attached to any other physical ports, none of the remaining wired ports can get an ip address from the router unless they were assigned to VLAN 1000.

     

    When you created the role for the users that connect to that WLAN, the role should allow DHCP (any any service dhcp permit).

     



  • 5.  RE: Isolated SSID connected to OPT network interface of router

    Posted Aug 11, 2015 04:31 PM

    Hey Colin,

     

    No, no such luck.

     

    Can you clarify this for me?

     

    "When you created the role for the users that connect to that WLAN, the role should allow DHCP (any any service dhcp permit)"

     

    I have not created any users nor run that command.

     

    I tested it on a wide open network and still do not pull an address from the controller.

     

    I'm perplexed.



  • 6.  RE: Isolated SSID connected to OPT network interface of router

    Posted Aug 11, 2015 04:34 PM

    Here's a few more screenshots...



  • 7.  RE: Isolated SSID connected to OPT network interface of router

    EMPLOYEE
    Posted Aug 11, 2015 04:38 PM

    When users get on the wireless, what role are they assigned?  You need to see what firewall policies are assigned to that role.  Since users require an ip address, they will probably not show up in the user table until they get a 169 address.  When they do, look at the user table to see what role they have.  Then go to configuration> security> access control and see what firewall policies are assigned to that role.  If there are no firewall policies, add one that has no restrictions (allowall).



  • 8.  RE: Isolated SSID connected to OPT network interface of router

    Posted Aug 11, 2015 04:57 PM

    Hey Colin,

     

    Thanks for all your help so far. I think we're getting closer. I've attached screenshots from both sections.

     

    For what it's worth.. if I connect to our internal, working wifi, I get "logon" as the assignment, but it works fine.

     

    Connecting to the open test network I also get logon.

     

    What are the steps from here?



  • 9.  RE: Isolated SSID connected to OPT network interface of router

    Posted Aug 11, 2015 04:58 PM

    Oh, and yes I get an IP address when I plug into port 1/2 after assigning it.



  • 10.  RE: Isolated SSID connected to OPT network interface of router

    EMPLOYEE
    Posted Aug 11, 2015 05:02 PM
    Did you install the policy enforcement license?


  • 11.  RE: Isolated SSID connected to OPT network interface of router

    Posted Aug 11, 2015 05:04 PM

    Hi Colin,

     

    No, this unit was sold to my agency before my employment and the reseller did not seem to be very up on Aruba products when I was put in contact with them. I was initially sold the unit with no licensing for AP's, but was able to acquire those.. and those are all the licenses that are installed.

     

    Is this causing my problems?



  • 12.  RE: Isolated SSID connected to OPT network interface of router

    EMPLOYEE
    Posted Aug 11, 2015 05:06 PM

    You should be able to create an open ssid without needing the license.

     

    On the commandline, type "show user-table verbose" to see what vlan those users are being assigned in parenthesis.



  • 13.  RE: Isolated SSID connected to OPT network interface of router
    Best Answer

    Posted Aug 11, 2015 05:11 PM

    Hmmm, not seeing the VLAN assignment...

     

    BOMF_WIFI is production (and working)

     

    There's only one entry in BOMF_TEST.. the 169 address...

     

    (Aruba3200-BOMF) >enable
    Password:**********
    (Aruba3200-BOMF) #show user-table verbose
    
    Users
    -----
    IP             MAC                Name  Role         Age(d:h:m)  Auth           VPN link  AP name            Roaming             Essid/Bssid/Phy                   Profile             Forward mode  Type     Server  Vlan  Bwm
    --             ---                ----  ----         ----------  ----           --------  -------            -------             ---------------                   -------             ------------  ----     ------  ----  ---
    192.168.4.58   00:00:00:00:00:00        sys-ap-role  01:01:44    TRANSPORT-VPN            N/A                                                                                          tunnel                         1
    192.168.4.59   00:00:00:00:00:00        sys-ap-role  01:01:44    TRANSPORT-VPN            N/A                                                                                          tunnel                         1
    192.168.4.63   00:00:00:00:00:00        sys-ap-role  01:01:43    TRANSPORT-VPN            N/A                                                                                          tunnel                         1
    192.168.4.64   00:00:00:00:00:00        sys-ap-role  01:01:44    TRANSPORT-VPN            N/A                                                                                          tunnel                         1
    192.168.4.65   00:00:00:00:00:00        sys-ap-role  01:01:44    TRANSPORT-VPN            N/A                                                                                          tunnel                         1
    192.168.4.84   00:00:00:00:00:00        sys-ap-role  43:21:34    TRANSPORT-VPN            N/A                                                                                          tunnel                         1
    192.168.4.100  18:3d:a2:b4:b6:e0        logon        00:00:52                             9c:1c:12:c9:4a:55  Associated(Remote)  BOMF_WIFI/9c:1c:12:14:a5:50/g-HT  BOMF_WIFI-aaa_prof  bridge        Win 7            1
    192.168.4.95   00:10:40:74:28:0f        logon        00:00:03                             9c:1c:12:c9:4a:55  Associated(Remote)  BOMF_WIFI/9c:1c:12:14:a5:50/g-HT  BOMF_WIFI-aaa_prof  bridge                         1
    192.168.4.85   b4:b6:76:f0:62:84        logon        01:01:43                             9c:1c:12:c9:4a:51  Associated(Remote)  BOMF_WIFI/9c:1c:12:14:a5:18/a-HT  BOMF_WIFI-aaa_prof  bridge        Win 7            1
    192.168.4.72   e8:50:8b:55:1e:30        logon        00:00:18                             9c:1c:12:c9:4a:5e  Associated(Remote)  BOMF_WIFI/9c:1c:12:14:a5:e0/g-HT  BOMF_WIFI-aaa_prof  bridge        Android          1
    192.168.4.62   78:4b:87:4d:fa:e7        logon        00:00:29                             9c:1c:12:c9:49:e9  Associated(Remote)  BOMF_WIFI/9c:1c:12:14:9e:90/g-HT  BOMF_WIFI-aaa_prof  bridge        Android          1
    192.168.4.90   fc:c2:de:47:19:22        logon        00:00:10                             9c:1c:12:c9:4a:55  Associated(Remote)  BOMF_WIFI/9c:1c:12:14:a5:50/g-HT  BOMF_WIFI-aaa_prof  bridge        Android          1
    169.254.176.8  fc:f8:ae:6b:f5:3a        logon        00:00:00                             9c:1c:12:c9:4a:55  Associated(Remote)  BOMF_TEST/9c:1c:12:14:a5:59/a-HT  BOMF_TEST-aaa_prof  bridge        Win 7            1000
    192.168.4.94   5c:8d:4e:79:95:1e        logon        00:00:05                             9c:1c:12:c9:4a:55  Associated(Remote)  BOMF_WIFI/9c:1c:12:14:a5:50/g-HT  BOMF_WIFI-aaa_prof  bridge        iPhone           1
    
    User Entries: 14/14
    
    (Aruba3200-BOMF) #
    (Aruba3200-BOMF) #


  • 14.  RE: Isolated SSID connected to OPT network interface of router

    Posted Aug 11, 2015 05:14 PM

    Oops, I didn't scroll far enough.. I see the 1000 association.



  • 15.  RE: Isolated SSID connected to OPT network interface of router
    Best Answer

    EMPLOYEE
    Posted Aug 11, 2015 05:15 PM
    The forwarding mode of that SSID needs to be "tunnel"
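The user-table check Colin asks for in post 12 and the bridge-versus-tunnel diagnosis in post 15, as an added Python example that is not part of the thread: it parses `show user-table verbose` output and reports clients stuck on a 169.254 address together with their ESSID, forwarding mode and VLAN. The sample rows are constructed in the layout of the output posted above; the function names and the hint text are this example's own, not ArubaOS features.

```python
"""Added example (not from the thread): parse ArubaOS "show user-table verbose"
output and flag clients sitting on a 169.254.x.x (APIPA) address, i.e. clients
that never got a DHCP lease. Column offsets come from the dashed underline."""
import re

# Constructed sample, starting at the column header, in the layout of the
# thread's output (MACs and BSSIDs as posted there).
SAMPLE = """\
IP             MAC                Name  Role         Age(d:h:m)  Auth           VPN link  AP name            Roaming             Essid/Bssid/Phy                   Profile             Forward mode  Type     Server  Vlan  Bwm
--             ---                ----  ----         ----------  ----           --------  -------            -------             ---------------                   -------             ------------  ----     ------  ----  ---
192.168.4.58   00:00:00:00:00:00        sys-ap-role  01:01:44    TRANSPORT-VPN            N/A                                                                                          tunnel                         1
192.168.4.100  18:3d:a2:b4:b6:e0        logon        00:00:52                             9c:1c:12:c9:4a:55  Associated(Remote)  BOMF_WIFI/9c:1c:12:14:a5:50/g-HT  BOMF_WIFI-aaa_prof  bridge        Win 7            1
169.254.176.8  fc:f8:ae:6b:f5:3a        logon        00:00:00                             9c:1c:12:c9:4a:55  Associated(Remote)  BOMF_TEST/9c:1c:12:14:a5:59/a-HT  BOMF_TEST-aaa_prof  bridge        Win 7            1000
User Entries: 3/3
"""

def _cells(line, starts):
    """Map each cell (tokens separated by 2+ spaces) to the column whose start
    offset is the last one at or before the cell; tolerates small misalignment."""
    return {max(i for i, s in enumerate(starts) if s <= m.start()): m.group()
            for m in re.finditer(r"\S+(?: \S+)*", line)}

def parse_user_table(text):
    """Return one dict per user row, keyed by the header's column names."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    starts = [m.start() for m in re.finditer(r"-+", lines[1])]
    names = [_cells(lines[0], starts).get(i, "") for i in range(len(starts))]
    rows = []
    for line in lines[2:]:
        if line.startswith("User Entries"):
            break
        cells = _cells(line, starts)
        rows.append({names[i]: cells.get(i, "") for i in range(len(starts))})
    return rows

def find_stuck_clients(rows):
    """Wireless clients (not the APs' own sys-ap-role entries) with no lease."""
    out = []
    for r in rows:
        if r["Role"] == "sys-ap-role" or not r["IP"].startswith("169.254."):
            continue
        if r["Forward mode"] == "bridge":   # the symptom seen in the thread
            hint = ("bridge mode: traffic is bridged at the AP, not tunnelled to "
                    "VLAN %s on the controller; set the SSID to tunnel" % r["Vlan"])
        else:
            hint = "check that the user role's firewall policy permits DHCP"
        out.append({"ip": r["IP"], "mac": r["MAC"], "role": r["Role"],
                    "essid": r["Essid/Bssid/Phy"].split("/")[0],
                    "forward_mode": r["Forward mode"], "vlan": r["Vlan"], "hint": hint})
    return out
```

Running `find_stuck_clients(parse_user_table(SAMPLE))` returns only the BOMF_TEST client on VLAN 1000 in bridge mode, which is exactly the entry the thread ends up fixing by switching the SSID to tunnel.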


  • 16.  RE: Isolated SSID connected to OPT network interface of router

    Posted Aug 11, 2015 05:21 PM

    BINGO!!! You nailed it! Thanks for staying along with me this past hour or more.. much appreciated!!

     

    I've secured the SSID, set it to tunnel and all is well. Thank you so much!



  • 17.  RE: Isolated SSID connected to OPT network interface of router

    EMPLOYEE
    Posted Aug 11, 2015 04:34 PM
    Assign a second physical port to vlan 1000 and plug a laptop into that port to see if you got an IP address.