Wireless Access

Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.
Issues Setting VLAN via User Rules or User Roles

  • 1.  Issues Setting VLAN via User Rules or User Roles

    Posted Dec 05, 2011 10:47 AM

    Hi All,

    I'm having issues trying to set the VLAN a device is in via User Rules or User Roles. It hangs when connecting at "Obtaining IP Address".


    The reason I'm attempting to do this is because of the following:

    • Limited number of IP addresses on the corporate VLAN.
    • The corporate user will be on an untrusted device so want them to be completely separate from corporate LAN

    Essentially it's a BYOD situation where any non-iOS device that connects to the corporate SSID gets put in the guest role and also a separate VLAN.

    VLAN 99 is the guest VLAN
    VLAN 2 is the corp VLAN

    The 802.1x auth SSID had DHCP device fingerprinting which I've used to attempt to set the VLAN that the device goes into. I've also tried setting it to be in the guest role then setting the Role VLAN ID to be the guest VLAN.

    Both of the above result in devices not getting an IP address that hit this rule.

    Here's what's in the network log:

    Dec 5 15:38:34 :202546: <DBUG> |dhcpdwrap| |dhcp| Datapath vlan99: OFFER 04:46:65:5c:de:d1 clientIP=192.168.99.254
    Dec 5 15:38:37 :202541: <DBUG> |dhcpdwrap| |dhcp| Received DHCP packet from Datpath, sos msg hdr flags 0x40 opcode 0x5a ingress 0x1138 vlan 2 egress 0x2 src mac 04:46:65:5c:de:d1
    Dec 5 15:38:37 :202534: <DBUG> |dhcpdwrap| |dhcp| Datapath vlan2: DISCOVER 04:46:65:5c:de:d1 Options 3d:010446655cded1 39:05dc 3c:64686370636420342e302e3135 37:01792103061c333a3b
    Dec 5 15:38:37 :202541: <DBUG> |dhcpdwrap| |dhcp| Received DHCP packet from Datpath, sos msg hdr flags 0x440 opcode 0x5a ingress 0x1138 vlan 99 egress 0x63 src mac 04:46:65:5c:de:d1
    Dec 5 15:38:37 :202534: <DBUG> |dhcpdwrap| |dhcp| Datapath vlan99: DISCOVER 04:46:65:5c:de:d1 Options 3d:010446655cded1 39:05dc 3c:64686370636420342e302e3135 37:01792103061c333a3b
    Dec 5 15:38:37 :202523: <DBUG> |dhcpdwrap| |dhcp| dhcprelay: dev=eth1, length=300, from_port=68, op=1, giaddr=0.0.0.0
    Dec 5 15:38:37 :202532: <DBUG> |dhcpdwrap| |dhcp| got 0 relay servers
    Dec 5 15:38:37 :202541: <DBUG> |dhcpdwrap| |dhcp| Received DHCP packet from Datpath, sos msg hdr flags 0x42 opcode 0x5a ingress 0x0 vlan 99 egress 0x63 src mac 00:0b:86:6d:74:64
    Dec 5 15:38:37 :202546: <DBUG> |dhcpdwrap| |dhcp| Datapath vlan99: OFFER 04:46:65:5c:de:d1 clientIP=192.168.99.254
    Dec 5 15:38:41 :202541: <DBUG> |dhcpdwrap| |dhcp| Received DHCP packet from Datpath, sos msg hdr flags 0x40 opcode 0x5a ingress 0x1138 vlan 2 egress 0x2 src mac 04:46:65:5c:de:d1
    Dec 5 15:38:41 :202534: <DBUG> |dhcpdwrap| |dhcp| Datapath vlan2: DISCOVER 04:46:65:5c:de:d1 Options 3d:010446655cded1 39:05dc 3c:64686370636420342e302e3135 37:01792103061c333a3b
    Dec 5 15:38:41 :202541: <DBUG> |dhcpdwrap| |dhcp| Received DHCP packet from Datpath, sos msg hdr flags 0x440 opcode 0x5a ingress 0x1138 vlan 99 egress 0x63 src mac 04:46:65:5c:de:d1
    Dec 5 15:38:41 :202534: <DBUG> |dhcpdwrap| |dhcp| Datapath vlan99: DISCOVER 04:46:65:5c:de:d1 Options 3d:010446655cded1 39:05dc 3c:64686370636420342e302e3135 37:01792103061c333a3b
    Dec 5 15:38:41 :202523: <DBUG> |dhcpdwrap| |dhcp| dhcprelay: dev=eth1, length=300, from_port=68, op=1, giaddr=0.0.0.0
    Dec 5 15:38:41 :202532: <DBUG> |dhcpdwrap| |dhcp| got 0 relay servers
    Dec 5 15:38:41 :202541: <DBUG> |dhcpdwrap| |dhcp| Received DHCP packet from Datpath, sos msg hdr flags 0x42 opcode 0x5a ingress 0x0 vlan 99 egress 0x63 src mac 00:0b:86:6d:74:64
    Dec 5 15:38:41 :202546: <DBUG> |dhcpdwrap| |dhcp| Datapath vlan99: OFFER 04:46:65:5c:de:d1 clientIP=192.168.99.254

    Anyone shed some light on this for me?

    Thanks
    james 



  • 2.  RE: Issues Setting VLAN via User Rules or User Roles

    Posted Dec 05, 2011 11:05 AM

    Are you passing back a VLAN from the RADIUS server?  That would override any previous VLAN setting.



  • 3.  RE: Issues Setting VLAN via User Rules or User Roles

    Posted Dec 05, 2011 11:17 AM

    No, I'm not passing a VLAN back from RADIUS server.

    I just created a guest SSID using the same RADIUS server for auth and I am able to authenticate and get the guest role.



  • 4.  RE: Issues Setting VLAN via User Rules or User Roles

    Posted Dec 05, 2011 11:31 AM

    Ok, so let's make sure we are working on the right problem (I have a tendency to misunderstand and answer the wrong question!!!).

    A corporate user brings in his/her own iPad.  They connect to the corp SSID using PEAP credentials.

    You want the controller to identify the iOS device, put them in VLAN 99 and assign the guest role, right?

    If so, where is it breaking?  Is the iPad put in VLAN 99?  If so, is it in the guest role?  You can double check those questions by issuing the "show ap association | inc xx:xx:xx:xx:xx:xx" (xx.... is the MAC address of the iPad in question) and "show user | inc xx:xx:xx:xx:xx:xx".  The first will show that the user is in the right VLAN, the second should show the role (assuming the client has already passed authentication).

    If both are OK, do you allow DHCP in the guest role?



  • 5.  RE: Issues Setting VLAN via User Rules or User Roles

    Posted Dec 05, 2011 11:45 AM

    Ok. We're not talking about iOS devices here, it's anything that isn't iOS based that I have a device fingerprint for.

    I want to put corporate users into the guest VLAN and role when they authenticate against the 802.1x auth SSID when they connect with their own device.

    Here's show ap association

    (cust3200) #show ap association | include 04:46:65:5c:de:d1
    A4 d8:c7:c8:ad:a0:b0 04:46:65:5c:de:d1 y y 1 10 CORP-ENT 2 0x113c g-HT-20-1ss 0s 1 WAB

    (cust3200) #show ap association | include 04:46:65:5c:de:d1
    A4 d8:c7:c8:ad:a0:b0 04:46:65:5c:de:d1 y y 1 10 CORP-ENT 99 0x113c g-HT-20-1ss 1s 1 WAB

    (cust3200) #show ap association | include 04:46:65:5c:de:d1
    A4 d8:c7:c8:ad:a0:b0 04:46:65:5c:de:d1 y y 1 10 CORP-ENT 99 0x113c g-HT-20-1ss 2s 1 WAB

    (cust3200) #show ap association | include 04:46:65:5c:de:d1
    A4 d8:c7:c8:ad:a0:b0 04:46:65:5c:de:d1 y y 1 10 CORP-ENT 99 0x113c g-HT-20-1ss 1s 1 WAB

    (cust3200) #show ap association | include 04:46:65:5c:de:d1
    A4 d8:c7:c8:ad:a0:b0 04:46:65:5c:de:d1 y y 1 10 CORP-ENT 99 0x113c g-HT-20-1ss 2s 1 WAB

    (cust3200) #show ap association | include 04:46:65:5c:de:d1

    (cust3200) #show ap association | include 04:46:65:5c:de:d1
    A4 d8:c7:c8:ad:a0:b0 04:46:65:5c:de:d1 y y 1 10 CORP-ENT 2 0x113c g-HT-20-1ss 0s 1 WAB

    (cust3200) #show ap association | include 04:46:65:5c:de:d1
    A4 d8:c7:c8:ad:a0:b0 04:46:65:5c:de:d1 y y 1 10 CORP-ENT 99 0x113c g-HT-20-1ss 2s 1 WAB

    The user is not showing in user-table.

    You can see from the above that when the user connects they are in VLAN 2 which is the default VLAN for that SSID then device fingerprinting puts them in the guest role which should move them to VLAN 99 where they should get an IP address.



  • 6.  RE: Issues Setting VLAN via User Rules or User Roles

    Posted Dec 05, 2011 11:54 AM

    Very strange.  I see from your first post that the client is offered 192.168.99.254.  If the client is offered that IP, it should have already passed authentication.

    Can you do "logging level debug user-debug <mac address>"?  Then, try it again and check out "show log user-debug all".

    That SHOULD shed some light on why this is happening.



  • 7.  RE: Issues Setting VLAN via User Rules or User Roles

    EMPLOYEE
    Posted Dec 05, 2011 01:36 PM

    I want to go ahead and say that you cannot change VLANs via DHCP fingerprinting.

    Consider this:

    The device that connects is on a VLAN and sends a DHCP request.  Once the controller sees the request, he changes the VLAN based on the user-rule, but the device does not see the VLAN change, because the link has not dropped.  The controller has switched his VLAN and he does not get a response from his DHCP server.  End result: no IP address.  DHCP fingerprinting should only be used to change roles and not VLANs, because the client is not aware of the DHCP switch.

    The best way you can accomplish what I think you are trying to accomplish is "Enforce Machine Authentication".  Make the machine authentication user role the guest VLAN so that devices that have NOT machine authenticated are forced into the guest role/VLAN right after authentication.  Devices that are domain computers will fully pass 802.1x and end up in the default 802.1x role.
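
    The following is an added example, not code from the thread or from HPE Aruba. It parses the dhcpdwrap debug lines the original poster quoted (copied from post 1, not constructed), decodes the option bytes that DHCP fingerprinting keys on (option 0x3c vendor class, 0x37 parameter request list, 0x39 max message size, 0x3d client-id), and flags the pattern described in reply 7: a DISCOVER that arrives on the SSID's default VLAN, is seen again on the role's VLAN, and is answered with an OFFER on that second VLAN. The log layout is taken from the quoted lines; the option names are RFC 2132's.

```python
import re
from collections import defaultdict

# Subset of the DHCP debug lines quoted in post 1 (the thread's own data, not constructed).
SAMPLE_LOG = """\
Dec 5 15:38:34 :202546: <DBUG> |dhcpdwrap| |dhcp| Datapath vlan99: OFFER 04:46:65:5c:de:d1 clientIP=192.168.99.254
Dec 5 15:38:37 :202541: <DBUG> |dhcpdwrap| |dhcp| Received DHCP packet from Datpath, sos msg hdr flags 0x40 opcode 0x5a ingress 0x1138 vlan 2 egress 0x2 src mac 04:46:65:5c:de:d1
Dec 5 15:38:37 :202534: <DBUG> |dhcpdwrap| |dhcp| Datapath vlan2: DISCOVER 04:46:65:5c:de:d1 Options 3d:010446655cded1 39:05dc 3c:64686370636420342e302e3135 37:01792103061c333a3b
Dec 5 15:38:37 :202534: <DBUG> |dhcpdwrap| |dhcp| Datapath vlan99: DISCOVER 04:46:65:5c:de:d1 Options 3d:010446655cded1 39:05dc 3c:64686370636420342e302e3135 37:01792103061c333a3b
Dec 5 15:38:37 :202523: <DBUG> |dhcpdwrap| |dhcp| dhcprelay: dev=eth1, length=300, from_port=68, op=1, giaddr=0.0.0.0
Dec 5 15:38:37 :202546: <DBUG> |dhcpdwrap| |dhcp| Datapath vlan99: OFFER 04:46:65:5c:de:d1 clientIP=192.168.99.254
Dec 5 15:38:41 :202534: <DBUG> |dhcpdwrap| |dhcp| Datapath vlan2: DISCOVER 04:46:65:5c:de:d1 Options 3d:010446655cded1 39:05dc 3c:64686370636420342e302e3135 37:01792103061c333a3b
Dec 5 15:38:41 :202534: <DBUG> |dhcpdwrap| |dhcp| Datapath vlan99: DISCOVER 04:46:65:5c:de:d1 Options 3d:010446655cded1 39:05dc 3c:64686370636420342e302e3135 37:01792103061c333a3b
Dec 5 15:38:41 :202546: <DBUG> |dhcpdwrap| |dhcp| Datapath vlan99: OFFER 04:46:65:5c:de:d1 clientIP=192.168.99.254
"""

# Only the "Datapath vlanN: MSG <mac> ..." lines carry the per-VLAN view we need.
DATAPATH_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) :\d+: <\w+> \|dhcpdwrap\| \|dhcp\| "
    r"Datapath vlan(?P<vlan>\d+): (?P<msg>[A-Z]+) "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})(?P<rest>.*)$"
)
OPTION_RE = re.compile(r"\b([0-9a-f]{2}):([0-9a-f]+)\b")  # "<tag>:<hex value>" pairs

# DHCP option numbers (RFC 2132) that fingerprinting is built from.
OPT_PARAM_REQUEST_LIST = 0x37
OPT_MAX_MESSAGE_SIZE = 0x39
OPT_VENDOR_CLASS = 0x3C
OPT_CLIENT_ID = 0x3D


def parse_line(line):
    """Return a dict for a Datapath DHCP line, or None for any other line."""
    m = DATAPATH_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m["ts"], "vlan": int(m["vlan"]), "msg": m["msg"],
           "mac": m["mac"], "options": {}, "client_ip": None}
    rest = m["rest"]
    ip = re.search(r"clientIP=(\d+\.\d+\.\d+\.\d+)", rest)
    if ip:
        rec["client_ip"] = ip.group(1)
    if "Options" in rest:
        rec["options"] = {int(tag, 16): val for tag, val in OPTION_RE.findall(rest)}
    return rec


def decode_fingerprint(options):
    """Turn the raw option hex into the fields a DHCP fingerprint is matched on."""
    fp = {}
    if OPT_VENDOR_CLASS in options:
        fp["vendor_class"] = bytes.fromhex(options[OPT_VENDOR_CLASS]).decode("ascii", "replace")
    if OPT_PARAM_REQUEST_LIST in options:
        fp["param_request_list"] = list(bytes.fromhex(options[OPT_PARAM_REQUEST_LIST]))
    if OPT_MAX_MESSAGE_SIZE in options:
        fp["max_message_size"] = int(options[OPT_MAX_MESSAGE_SIZE], 16)
    if OPT_CLIENT_ID in options:
        raw = bytes.fromhex(options[OPT_CLIENT_ID])
        fp["client_id"] = ":".join(f"{b:02x}" for b in raw[1:])  # byte 0 is the hardware type
    return fp


def find_vlan_moves(log_text):
    """Group Datapath events by (client MAC, timestamp) and flag exchanges where the
    DISCOVER was seen on more than one VLAN, or the OFFER left on a VLAN other than
    the one the DISCOVER first arrived on: the controller re-tagged the client mid-exchange."""
    by_exchange = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            by_exchange[(rec["mac"], rec["ts"])].append(rec)
    findings = []
    for (mac, ts), recs in by_exchange.items():
        discover_vlans = [r["vlan"] for r in recs if r["msg"] == "DISCOVER"]
        offer_vlans = [r["vlan"] for r in recs if r["msg"] == "OFFER"]
        if not discover_vlans:
            continue  # an OFFER with no DISCOVER in the same second: nothing to compare against
        ingress = discover_vlans[0]
        retagged = len(set(discover_vlans)) > 1
        offered_elsewhere = any(v != ingress for v in offer_vlans)
        if retagged or offered_elsewhere:
            findings.append({
                "mac": mac, "ts": ts, "ingress_vlan": ingress,
                "discover_vlans": discover_vlans, "offer_vlans": offer_vlans,
                "fingerprint": decode_fingerprint(next(r["options"] for r in recs if r["options"])),
            })
    return findings


if __name__ == "__main__":
    for f in find_vlan_moves(SAMPLE_LOG):
        print(f"{f['ts']} {f['mac']}: DISCOVER arrived on VLAN {f['ingress_vlan']}, "
              f"seen again on {f['discover_vlans'][1:]}, OFFER sent on {f['offer_vlans']}; "
              f"vendor class {f['fingerprint'].get('vendor_class')!r}")
```

    Run against the quoted excerpt, both exchanges (15:38:37 and 15:38:41) are flagged: the DISCOVER came in on VLAN 2, was re-tagged to VLAN 99, and the OFFER went out on 99, which is exactly the "client is on the old VLAN, answer is on the new one" situation reply 7 describes. The decoded vendor class is "dhcpcd 4.0.15", the string a fingerprint rule for this device class would match.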



  • 8.  RE: Issues Setting VLAN via User Rules or User Roles

    Posted Dec 05, 2011 02:21 PM

    But... if his devices are iOS (the ones he is letting on), machine auth won't work unless he puts all of the MAC addresses in the RADIUS server or in the local DB.

    Since the client doesn't know what VLAN he is on, shouldn't the controller changing the VLAN be transparent?  The client just sends a DHCP broadcast to the AP.  The AP tunnels it to the controller and the controller is responsible for putting it in the right VLAN.  The client is not doing any VLAN tagging.

    Typically, the DHCP fingerprint would place the MAC into a specific role that uses the same VLAN as the VAP.  I haven't seen it work (or tried to make it work) since the updated role has a hard coded VLAN.  This may not be a supported function.



  • 9.  RE: Issues Setting VLAN via User Rules or User Roles

    Posted Dec 05, 2011 02:42 PM

    Agree that DHCP Fingerprint can also be used to assign a VLAN to a device. This AOS feature instructs the stateful firewall to change the VLAN on the very first DHCP packet from the client before forwarding it to the DHCP server. All subsequent DHCP packets are also tagged with the same VLAN. When a client initially connects to a network it issues a DHCP DISCOVER message. On subsequent connections, it issues a DHCP REQUEST message requesting a specific IP address that it had previously received. Changing the VLAN tag on the DHCP DISCOVER or REQUEST packet ensures that the DHCP server can respond from the appropriate DHCP address scope.



  • 10.  RE: Issues Setting VLAN via User Rules or User Roles

    Posted Dec 06, 2011 11:02 AM

    Ok thanks for all the replies.

    So what's the consensus? Some say yes it can be done and some say no? 

    Has anyone actually got this feature working on 6.1.2.5?

    Gonna speak to TAC next week when I'm onsite again.


    James 



  • 11.  RE: Issues Setting VLAN via User Rules or User Roles

    Posted Dec 06, 2011 01:04 PM

    There seems to be an issue and when I tested it, it didn't work. I wasn't able to get a DHCP. This might very well be a bug.



  • 12.  RE: Issues Setting VLAN via User Rules or User Roles

    Posted Dec 06, 2011 04:43 PM

    The consensus seems to be that it "should" work, but doesn't.  I would classify this as a bug.

    If you want to do this while Aruba fixes the bug (or gives us a work around), you could add both VLAN 2 and 99 to the VAP (so you don't face the DHCP depletion issue) and use the DHCP fingerprint function to change the role of non-iOS devices to only allow DHCP, DNS and HTTP/HTTPS to non-internal networks (or whatever policy you want to enforce).  If you did that, you would have iOS devices in VLAN 2 and 99 in a role where they were permitted to do what they needed to do and non-iOS devices in VLAN 2 and 99 that were restricted.

    This is all assuming you don't have VLAN 99 using a default gateway that pushes it directly out to the Internet.  If that is the case, this may not be doable.
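
    The configuration below is an added illustration of the workaround in reply 12, not configuration from the thread or from HPE Aruba. It keeps the client on whichever VLAN its DHCP exchange started on (the role deliberately carries no "vlan" statement), widens the VAP to both VLANs so the address pool is VLAN 2 plus 99, and restricts fingerprinted devices to DHCP, DNS and web access outside the corporate ranges. The role, ACL and netdestination names, the address ranges, and the derivation-rule line are assumptions; the fingerprint value is a placeholder, not a real device signature.

```text
! Added illustration; names and address ranges are assumed, not from the thread.
! Corporate address space the restricted role must not reach (assumed ranges).
netdestination corp-internal
  network 10.0.0.0 255.0.0.0
  network 192.168.0.0 255.255.0.0
!
! Session ACL: DHCP and DNS anywhere, web only to non-internal networks, nothing else.
! Order matters: the deny to corp-internal must come before the HTTP/HTTPS permits.
ip access-list session byod-restricted
  user any svc-dhcp permit
  user any svc-dns permit
  user alias corp-internal any deny
  user any svc-http permit
  user any svc-https permit
  user any any deny
!
! The restricted role has no "vlan" line on purpose: changing the role must not
! move the client off the VLAN it sent its DISCOVER on.
user-role byod-restricted
  access-list session byod-restricted
!
! Both VLANs on the VAP, so leases come from 2 and 99 rather than VLAN 2 alone.
wlan virtual-ap CORP-ENT
  vlan 2,99
!
! Fingerprint-driven role change. Syntax assumed from ArubaOS 6.x user derivation
! rules; <FINGERPRINT-HEX> is a placeholder for the option-37 value of the device class.
aaa derivation-rules user byod-rules
  set role condition dhcp-option equals <FINGERPRINT-HEX> set-value byod-restricted
```

    After applying a change like this, the checks reply 4 suggests still apply: "show ap association | include <mac>" should show the client staying on the VLAN it started on, and "show user | include <mac>" should show it in byod-restricted once the fingerprint rule has fired.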