PSK network - Some clients work. Some clients don't. Random.

  • 1.  PSK network - Some clients work. Some clients don't. Random.

    Posted Jul 20, 2012 03:13 AM

    I've been working on this all day and it shouldn't be this hard.

     

    everything was working fine, then i ran up on the ap hardware limit for my 6.1.3.1 650 controller so i decided to upgrade to a 3200.

    I added a 6.1.3.1 3200 in as a redundant master, sync'd configs / dbs and then powered off the 650

    all the aps swung over to the new master, happy days.

    then i tried to use my windows 7 laptop. wifi local connection only, 169.254. pulled out my iphone. worked fine. pulled out my ipad. 169.254 address on wifi, pulled out macbook pro, local area only, 169.254

     

    looking at the show user table, only a few iphones and appletv shows up.
    looking at the station table, all my clients are there and authenticated in the correct role

     

    this is a pretty simple setup. APs are on vlan 10, 10.1/16 subnet. Clients get assigned to same vlan 10 by way of the ssid, dhcp served by the controller.

     

    troubleshooting today i have upgraded from 6.1.3.1 to 6.1.3.3, done a write erase all > reload > add lics > reload, read a bunch of airheads posts, gone on a walk, used different clients, lots of show users/stations, moved users from psk networks to 1x network, built an open network, shouted, and tried more other machines. I can not get this simple psk network to work across all my clients. Like it was when it was working on the 650. Had no issues.

     

    it's either something simple or something i haven't seen before and i'm going with the latter.

     

    why would a client show up as a valid station (even the controller gui and airwave shows them as valid clients) but they don't get added to the user table?

     

    keep your eye on 15:60, it's my work laptop running win7 and i move it back and forth between psk and 1x.

     

    any help or ideas is appreciated. see below for:

     

    show ver

    show rights

    show run |  aaa profile

    show user

    show station

    show auth-trace

    show log all | inc mac

     

    (Jim-3200) (config) #show ver
    Aruba Operating System Software.
    ArubaOS (MODEL: Aruba3200-US), Version 6.1.3.3
    Website: http://www.arubanetworks.com
    Copyright (c) 2002-2012, Aruba Networks, Inc.
    Compiled on 2012-06-20 at 09:28:49 PDT (build 34156) by p4build

    ROM: System Bootstrap, Version CPBoot 1.1.4.0 (build 16250)
    Built: 2007-09-20 16:14:24
    Built by: p4build@re_client_16250


    Switch uptime is 22 minutes 27 seconds
    Reboot Cause: User reboot.
    Supervisor Card
    Processor XLR 508 (revision B2) with 857M bytes of memory.
    32K bytes of non-volatile configuration memory.
    512M bytes of Supervisor Card System flash (model=CF 512MB).

     

    (Jim-3200) (config) #show rights authenticated

    Derived Role = 'authenticated'
    Up BW:No Limit Down BW:No Limit
    L2TP Pool = default-l2tp-pool
    PPTP Pool = default-pptp-pool
    Periodic reauthentication: Disabled
    ACL Number = 63/0
    Max Sessions = 65535


    access-list List
    ----------------
    Position Name Location
    -------- ---- --------
    1 allowall
    2 v6-allowall

    allowall
    --------
    Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6
    -------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------
    1 any any any permit Low 4
    2 any any any permit Low 6
    v6-allowall
    -----------
    Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6
    -------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------
    1 any any any permit Low 6

    Expired Policies (due to time constraints) = 0

     

    (Jim-3200) (config) #show run | begin 1x>auth

    aaa profile "dot1x>authenticated"
    initial-role "denied"
    mac-default-role "denied"
    authentication-dot1x "default"
    dot1x-default-role "authenticated"
    dot1x-server-group "nil"
    !
    aaa profile "psk>authenticated"
    initial-role "authenticated"
    mac-default-role "denied"
    authentication-dot1x "default-psk"
    dot1x-default-role "denied"
    !

    (Jim-3200) (config) #show us

    Users
    -----
    IP MAC Name Role Age(d:h:m) Auth VPN link AP name Roaming Essid/Bssid/Phy Profile Forward mode Type
    ---------- ------------ ------ ---- ---------- ---- -------- ------- ------- --------------- ------- ------------ ----
    10.1.50.233 00:26:b0:82:09:54 authenticated 00:00:00 Jim-2F-MBR Wireless nil2/00:24:6c:80:31:30/g psk>authenticated tunnel iPhone
    10.1.50.232 a4:67:06:6d:a5:58 authenticated 00:00:04 Jim-1F-Office Wireless nil2/00:1a:1e:16:df:f0/a-HT psk>authenticated tunnel iPad
    10.1.50.242 d0:23:db:af:40:a2 authenticated 00:00:07 Jim-2F-MBR Wireless nil2/00:24:6c:80:31:30/g-HT psk>authenticated tunnel iPhone
    10.1.50.247 58:55:ca:5f:8a:b6 authenticated 00:00:05 Jim-2F-MBR Wireless nil2/00:24:6c:80:31:3a/a-HT psk>authenticated tunnel AppleTV

     

    (Jim-3200) (config) #show station-table


    Station Entry
    -------------
    MAC Name Role Age(d:h:m) Auth AP name Essid Phy Remote Profile
    ------------ ------ ---- ---------- ---- ------- ----- --- ------ -------
    58:55:ca:5f:8a:b6 authenticated 00:00:31 No Jim-2F-MBR nil2 a-HT No psk>authenticated
    90:27:e4:4d:cc:9e authenticated 00:00:31 No Jim-1F-Office nil2 g-HT No psk>authenticated
    00:1e:8c:91:15:60 jim authenticated 00:00:09 Yes Jim-1F-Office nil g No dot1x>authenticated
    00:26:b0:82:09:54 authenticated 00:00:15 No Jim-2F-MBR nil2 g No psk>authenticated
    d0:23:db:af:40:a2 authenticated 00:00:22 No Jim-2F-MBR nil2 g-HT No psk>authenticated
    a4:67:06:6d:a5:58 authenticated 00:00:31 No Jim-1F-Office nil2 a-HT No psk>authenticated

     

     

     

    (Jim-3200) (config) #show auth-tracebuf | include 15:60
    Jul 20 00:29:46 station-up * 00:1e:8c:91:15:60 00:24:6c:80:31:31 - - wpa2 aes
    Jul 20 00:29:46 eap-id-req <- 00:1e:8c:91:15:60 00:24:6c:80:31:31 1 5
    Jul 20 00:29:46 eap-start -> 00:1e:8c:91:15:60 00:24:6c:80:31:31 - -
    Jul 20 00:29:46 eap-id-req <- 00:1e:8c:91:15:60 00:24:6c:80:31:31 1 5
    Jul 20 00:29:46 eap-id-resp -> 00:1e:8c:91:15:60 00:24:6c:80:31:31 1 19 jim
    Jul 20 00:29:46 rad-req -> 00:1e:8c:91:15:60 00:24:6c:80:31:31 2 186
    Jul 20 00:29:46 eap-id-resp -> 00:1e:8c:91:15:60 00:24:6c:80:31:31 1 19 jim
    Jul 20 00:29:46 rad-resp <- 00:1e:8c:91:15:60 00:24:6c:80:31:31/dc1 2 90
    Jul 20 00:29:46 eap-req <- 00:1e:8c:91:15:60 00:24:6c:80:31:31 2 6
    Jul 20 00:29:46 eap-resp -> 00:1e:8c:91:15:60 00:24:6c:80:31:31 2 155
    Jul 20 00:29:46 rad-req -> 00:1e:8c:91:15:60 00:24:6c:80:31:31/dc1 3 360
    Jul 20 00:29:46 rad-resp <- 00:1e:8c:91:15:60 00:24:6c:80:31:31/dc1 3 232
    Jul 20 00:29:46 eap-req <- 00:1e:8c:91:15:60 00:24:6c:80:31:31 3 148
    Jul 20 00:29:46 eap-resp -> 00:1e:8c:91:15:60 00:24:6c:80:31:31 3 69
    Jul 20 00:29:46 rad-req -> 00:1e:8c:91:15:60 00:24:6c:80:31:31/dc1 4 274
    Jul 20 00:29:46 rad-resp <- 00:1e:8c:91:15:60 00:24:6c:80:31:31/dc1 4 191
    Jul 20 00:29:46 eap-req <- 00:1e:8c:91:15:60 00:24:6c:80:31:31 6 107
    Jul 20 00:29:46 eap-resp -> 00:1e:8c:91:15:60 00:24:6c:80:31:31 6 107
    Jul 20 00:29:46 rad-req -> 00:1e:8c:91:15:60 00:24:6c:80:31:31/dc1 5 312
    Jul 20 00:29:46 rad-accept <- 00:1e:8c:91:15:60 00:24:6c:80:31:31/dc1 5 230
    Jul 20 00:29:46 eap-success <- 00:1e:8c:91:15:60 00:24:6c:80:31:31 6 4
    Jul 20 00:29:46 station-data-ready * 00:1e:8c:91:15:60 00:00:00:00:00:00 10 -
    Jul 20 00:29:46 wpa2-key1 <- 00:1e:8c:91:15:60 00:24:6c:80:31:31 - 117
    Jul 20 00:29:46 wpa2-key2 -> 00:1e:8c:91:15:60 00:24:6c:80:31:31 - 117
    Jul 20 00:29:46 wpa2-key3 <- 00:1e:8c:91:15:60 00:24:6c:80:31:31 - 151
    Jul 20 00:29:46 wpa2-key4 -> 00:1e:8c:91:15:60 00:24:6c:80:31:31 - 95
    Jul 20 00:30:35 station-down * 00:1e:8c:91:15:60 00:24:6c:80:31:31 - -
    Jul 20 00:30:35 station-up * 00:1e:8c:91:15:60 00:1a:1e:16:df:e0 - - wpa2 psk aes
    Jul 20 00:30:35 station-data-ready * 00:1e:8c:91:15:60 00:00:00:00:00:00 10 -
    Jul 20 00:30:35 wpa2-key1 <- 00:1e:8c:91:15:60 00:1a:1e:16:df:e0 - 117
    Jul 20 00:30:35 wpa2-key2 -> 00:1e:8c:91:15:60 00:1a:1e:16:df:e0 - 117
    Jul 20 00:30:35 wpa2-key3 <- 00:1e:8c:91:15:60 00:1a:1e:16:df:e0 - 151
    Jul 20 00:30:35 wpa2-key4 -> 00:1e:8c:91:15:60 00:1a:1e:16:df:e0 - 95
    Jul 20 00:47:08 station-down * 00:1e:8c:91:15:60 00:1a:1e:16:df:e0 - -
    Jul 20 00:52:07 station-up * 00:1e:8c:91:15:60 00:1a:1e:16:df:e1 - - wpa2 aes
    Jul 20 00:52:07 eap-id-req <- 00:1e:8c:91:15:60 00:1a:1e:16:df:e1 1 5
    Jul 20 00:52:07 eap-start -> 00:1e:8c:91:15:60 00:1a:1e:16:df:e1 - -
    Jul 20 00:52:07 eap-id-req <- 00:1e:8c:91:15:60 00:1a:1e:16:df:e1 1 5
    Jul 20 00:52:07 eap-id-resp -> 00:1e:8c:91:15:60 00:1a:1e:16:df:e1 1 19 jim
    Jul 20 00:52:07 rad-req -> 00:1e:8c:91:15:60 00:1a:1e:16:df:e1 19 189
    Jul 20 00:52:07 eap-id-resp -> 00:1e:8c:91:15:60 00:1a:1e:16:df:e1 1 19 jim
    Jul 20 00:52:07 rad-resp <- 00:1e:8c:91:15:60 00:1a:1e:16:df:e1/dc1 19 90
    Jul 20 00:52:07 eap-req <- 00:1e:8c:91:15:60 00:1a:1e:16:df:e1 2 6
    Jul 20 00:52:07 eap-resp -> 00:1e:8c:91:15:60 00:1a:1e:16:df:e1 2 155
    Jul 20 00:52:07 rad-req -> 00:1e:8c:91:15:60 00:1a:1e:16:df:e1/dc1 20 363
    Jul 20 00:52:07 rad-resp <- 00:1e:8c:91:15:60 00:1a:1e:16:df:e1/dc1 20 232
    Jul 20 00:52:07 eap-req <- 00:1e:8c:91:15:60 00:1a:1e:16:df:e1 3 148
    Jul 20 00:52:07 eap-resp -> 00:1e:8c:91:15:60 00:1a:1e:16:df:e1 3 69
    Jul 20 00:52:07 rad-req -> 00:1e:8c:91:15:60 00:1a:1e:16:df:e1/dc1 21 277
    Jul 20 00:52:07 rad-resp <- 00:1e:8c:91:15:60 00:1a:1e:16:df:e1/dc1 21 191
    Jul 20 00:52:07 eap-req <- 00:1e:8c:91:15:60 00:1a:1e:16:df:e1 6 107
    Jul 20 00:52:07 eap-resp -> 00:1e:8c:91:15:60 00:1a:1e:16:df:e1 6 107
    Jul 20 00:52:07 rad-req -> 00:1e:8c:91:15:60 00:1a:1e:16:df:e1/dc1 22 315
    Jul 20 00:52:07 rad-accept <- 00:1e:8c:91:15:60 00:1a:1e:16:df:e1/dc1 22 230
    Jul 20 00:52:07 eap-success <- 00:1e:8c:91:15:60 00:1a:1e:16:df:e1 6 4
    Jul 20 00:52:07 station-data-ready * 00:1e:8c:91:15:60 00:00:00:00:00:00 10 -
    Jul 20 00:52:07 wpa2-key1 <- 00:1e:8c:91:15:60 00:1a:1e:16:df:e1 - 117
    Jul 20 00:52:07 wpa2-key2 -> 00:1e:8c:91:15:60 00:1a:1e:16:df:e1 - 117
    Jul 20 00:52:07 wpa2-key3 <- 00:1e:8c:91:15:60 00:1a:1e:16:df:e1 - 151
    Jul 20 00:52:07 wpa2-key4 -> 00:1e:8c:91:15:60 00:1a:1e:16:df:e1 - 95

    (Jim-3200) (config) #

     

     

    (Jim-3200) (config) #show log all | include 15:60
    Jul 20 00:29:46 authmgr[1575]: <522035> <INFO> |authmgr| MAC=00:1e:8c:91:15:60 Station UP: BSSID=00:24:6c:80:31:31 ESSID=nil VLAN=10 AP-name=Jim-2F-MBR
    Jul 20 00:29:46 mobileip[1583]: <500010> <NOTI> |mobileip| Station 00:1e:8c:91:15:60, 0.0.0.0: Mobility trail, on switch 172.16.0.6, VLAN 10, AP Jim-2F-MBR, nil/00:24:6c:80:31:31/g
    Jul 20 00:29:46 stm[1576]: <501095> <NOTI> |stm| Assoc request @ 00:29:46.976396: 00:1e:8c:91:15:60 (SN 25): AP 10.1.50.238-00:24:6c:80:31:31-Jim-2F-MBR
    Jul 20 00:29:46 stm[1576]: <501100> <NOTI> |stm| Assoc success @ 00:29:46.982102: 00:1e:8c:91:15:60: AP 10.1.50.238-00:24:6c:80:31:31-Jim-2F-MBR
    Jul 20 00:29:47 authmgr[1575]: <522029> <INFO> |authmgr| MAC=00:1e:8c:91:15:60 Station authenticate: method=802.1x, role=authenticated//, VLAN=10/10/0/0/0, Derivation=1/0, Value Pair=1
    Jul 20 00:29:47 authmgr[1575]: <522038> <INFO> |authmgr| username=jim MAC=00:1e:8c:91:15:60 IP=0.0.0.0 Authentication result=Authentication Successful method=802.1x server=dc1
    Jul 20 00:29:47 authmgr[1575]: <522044> <INFO> |authmgr| MAC=00:1e:8c:91:15:60 Station authenticate(start): method=802.1x, role=denied//, VLAN=10/10/0/0/0, Derivation=10/0, Value Pair=1
    Jul 20 00:29:47 authmgr[1575]: <522049> <INFO> |authmgr| MAC=00:1e:8c:91:15:60,IP=N/A User role updated, existing Role=denied/none, new Role=authenticated/none, reason=Station Authenticated with auth type: 4
    Jul 20 00:29:47 authmgr[1575]: <522050> <INFO> |authmgr| MAC=00:1e:8c:91:15:60,IP=N/A User data downloaded to datapath, new Role=authenticated/63, bw Contract=0/0,reason=Download driven by user role setting
    Jul 20 00:30:35 authmgr[1575]: <522035> <INFO> |authmgr| MAC=00:1e:8c:91:15:60 Station UP: BSSID=00:1a:1e:16:df:e0 ESSID=nil2 VLAN=10 AP-name=Jim-1F-Office
    Jul 20 00:30:35 authmgr[1575]: <522036> <INFO> |authmgr| MAC=00:1e:8c:91:15:60 Station DN: BSSID=00:24:6c:80:31:31 ESSID=nil VLAN=10 AP-name=Jim-2F-MBR
    Jul 20 00:30:35 mobileip[1583]: <500010> <NOTI> |mobileip| Station 00:1e:8c:91:15:60, 0.0.0.0: Mobility trail, on switch 172.16.0.6, VLAN 10, AP Jim-1F-Office, nil2/00:1a:1e:16:df:e0/g
    Jul 20 00:30:35 mobileip[1583]: <500010> <NOTI> |mobileip| Station 00:1e:8c:91:15:60, 255.255.255.255: Mobility trail, on switch 172.16.0.6, VLAN 10, AP Jim-2F-MBR, nil/00:24:6c:80:31:31/g
    Jul 20 00:30:35 stm[1576]: <501080> <NOTI> |stm| Deauth to sta: 00:1e:8c:91:15:60: Ageout AP 10.1.50.238-00:24:6c:80:31:31-Jim-2F-MBR STA has left and is deauthenticated
    Jul 20 00:30:35 stm[1576]: <501095> <NOTI> |stm| Assoc request @ 00:30:35.213668: 00:1e:8c:91:15:60 (SN 62): AP 10.1.50.246-00:1a:1e:16:df:e0-Jim-1F-Office
    Jul 20 00:30:35 stm[1576]: <501100> <NOTI> |stm| Assoc success @ 00:30:35.223804: 00:1e:8c:91:15:60: AP 10.1.50.246-00:1a:1e:16:df:e0-Jim-1F-Office
    Jul 20 00:30:35 stm[608]: <501093> <NOTI> |AP Jim-1F-Office@10.1.50.246 stm| Auth success: 00:1e:8c:91:15:60: AP 10.1.50.246-00:1a:1e:16:df:e0-Jim-1F-Office
    Jul 20 00:30:35 stm[608]: <501095> <NOTI> |AP Jim-1F-Office@10.1.50.246 stm| Assoc request @ 00:30:35.527281: 00:1e:8c:91:15:60 (SN 62): AP 10.1.50.246-00:1a:1e:16:df:e0-Jim-1F-Office
    Jul 20 00:30:35 stm[608]: <501100> <NOTI> |AP Jim-1F-Office@10.1.50.246 stm| Assoc success @ 00:30:35.528332: 00:1e:8c:91:15:60: AP 10.1.50.246-00:1a:1e:16:df:e0-Jim-1F-Office
    Jul 20 00:47:09 authmgr[1575]: <522036> <INFO> |authmgr| MAC=00:1e:8c:91:15:60 Station DN: BSSID=00:1a:1e:16:df:e0 ESSID=nil2 VLAN=10 AP-name=Jim-1F-Office
    Jul 20 00:47:09 mobileip[1583]: <500010> <NOTI> |mobileip| Station 00:1e:8c:91:15:60, 255.255.255.255: Mobility trail, on switch 172.16.0.6, VLAN 10, AP Jim-1F-Office, nil2/00:1a:1e:16:df:e0/g
    Jul 20 00:47:09 stm[1576]: <501114> <NOTI> |stm| Deauth from sta: 00:1e:8c:91:15:60: AP 10.1.50.246-00:1a:1e:16:df:e0-Jim-1F-Office Reason 255
    Jul 20 00:47:09 stm[608]: <501080> <NOTI> |AP Jim-1F-Office@10.1.50.246 stm| Deauth to sta: 00:1e:8c:91:15:60: Ageout AP 10.1.50.246-00:1a:1e:16:df:e0-Jim-1F-Office Denied: AP Ageout
    Jul 20 00:47:09 stm[608]: <501106> <NOTI> |AP Jim-1F-Office@10.1.50.246 stm| Deauth to sta: 00:1e:8c:91:15:60: Ageout AP 10.1.50.246-00:1a:1e:16:df:e0-Jim-1F-Office handle_sapcp
    Jul 20 00:52:07 authmgr[1575]: <522035> <INFO> |authmgr| MAC=00:1e:8c:91:15:60 Station UP: BSSID=00:1a:1e:16:df:e1 ESSID=nil VLAN=10 AP-name=Jim-1F-Office
    Jul 20 00:52:07 mobileip[1583]: <500010> <NOTI> |mobileip| Station 00:1e:8c:91:15:60, 0.0.0.0: Mobility trail, on switch 172.16.0.6, VLAN 10, AP Jim-1F-Office, nil/00:1a:1e:16:df:e1/g
    Jul 20 00:52:07 stm[1576]: <501095> <NOTI> |stm| Assoc request @ 00:52:07.756715: 00:1e:8c:91:15:60 (SN 88): AP 10.1.50.246-00:1a:1e:16:df:e1-Jim-1F-Office
    Jul 20 00:52:07 stm[1576]: <501100> <NOTI> |stm| Assoc success @ 00:52:07.761820: 00:1e:8c:91:15:60: AP 10.1.50.246-00:1a:1e:16:df:e1-Jim-1F-Office
    Jul 20 00:52:07 stm[608]: <501093> <NOTI> |AP Jim-1F-Office@10.1.50.246 stm| Auth success: 00:1e:8c:91:15:60: AP 10.1.50.246-00:1a:1e:16:df:e1-Jim-1F-Office
    Jul 20 00:52:07 stm[608]: <501095> <NOTI> |AP Jim-1F-Office@10.1.50.246 stm| Assoc request @ 00:52:10.167476: 00:1e:8c:91:15:60 (SN 88): AP 10.1.50.246-00:1a:1e:16:df:e1-Jim-1F-Office
    Jul 20 00:52:07 stm[608]: <501100> <NOTI> |AP Jim-1F-Office@10.1.50.246 stm| Assoc success @ 00:52:10.168633: 00:1e:8c:91:15:60: AP 10.1.50.246-00:1a:1e:16:df:e1-Jim-1F-Office
    Jul 20 00:52:07 stm[608]: <501109> <NOTI> |AP Jim-1F-Office@10.1.50.246 stm| Auth request: 00:1e:8c:91:15:60: AP 10.1.50.246-00:1a:1e:16:df:e1-Jim-1F-Office auth_alg 0
    Jul 20 00:52:08 authmgr[1575]: <522029> <INFO> |authmgr| MAC=00:1e:8c:91:15:60 Station authenticate: method=802.1x, role=authenticated//, VLAN=10/10/0/0/0, Derivation=1/0, Value Pair=1
    Jul 20 00:52:08 authmgr[1575]: <522038> <INFO> |authmgr| username=jim MAC=00:1e:8c:91:15:60 IP=0.0.0.0 Authentication result=Authentication Successful method=802.1x server=dc1
    Jul 20 00:52:08 authmgr[1575]: <522044> <INFO> |authmgr| MAC=00:1e:8c:91:15:60 Station authenticate(start): method=802.1x, role=denied//, VLAN=10/10/0/0/0, Derivation=10/0, Value Pair=1
    Jul 20 00:52:08 authmgr[1575]: <522049> <INFO> |authmgr| MAC=00:1e:8c:91:15:60,IP=N/A User role updated, existing Role=denied/none, new Role=authenticated/none, reason=Station Authenticated with auth type: 4
    Jul 20 00:52:08 authmgr[1575]: <522050> <INFO> |authmgr| MAC=00:1e:8c:91:15:60,IP=N/A User data downloaded to datapath, new Role=authenticated/63, bw Contract=0/0,reason=Download driven by user role setting

    (Jim-3200) (config) #


    #3200
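Added example, not part of any post in this thread: a short Python script that answers the "valid station but not in the user table" question mechanically by diffing the two tables and checking the auth trace for a completed WPA2 4-way handshake. The function names are hypothetical, and the sample rows are copied from the outputs posted above (the trace is trimmed to the last session for 15:60).

```python
import re

MAC = re.compile(r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}", re.I)
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
KEYS = ["wpa2-key1", "wpa2-key2", "wpa2-key3", "wpa2-key4"]

# Sample input: data rows copied from the outputs posted in this thread.
USER_TABLE = """
10.1.50.233 00:26:b0:82:09:54 authenticated 00:00:00 Jim-2F-MBR Wireless nil2/00:24:6c:80:31:30/g psk>authenticated tunnel iPhone
10.1.50.232 a4:67:06:6d:a5:58 authenticated 00:00:04 Jim-1F-Office Wireless nil2/00:1a:1e:16:df:f0/a-HT psk>authenticated tunnel iPad
10.1.50.242 d0:23:db:af:40:a2 authenticated 00:00:07 Jim-2F-MBR Wireless nil2/00:24:6c:80:31:30/g-HT psk>authenticated tunnel iPhone
10.1.50.247 58:55:ca:5f:8a:b6 authenticated 00:00:05 Jim-2F-MBR Wireless nil2/00:24:6c:80:31:3a/a-HT psk>authenticated tunnel AppleTV
"""
STATION_TABLE = """
58:55:ca:5f:8a:b6 authenticated 00:00:31 No Jim-2F-MBR nil2 a-HT No psk>authenticated
90:27:e4:4d:cc:9e authenticated 00:00:31 No Jim-1F-Office nil2 g-HT No psk>authenticated
00:1e:8c:91:15:60 jim authenticated 00:00:09 Yes Jim-1F-Office nil g No dot1x>authenticated
00:26:b0:82:09:54 authenticated 00:00:15 No Jim-2F-MBR nil2 g No psk>authenticated
d0:23:db:af:40:a2 authenticated 00:00:22 No Jim-2F-MBR nil2 g-HT No psk>authenticated
a4:67:06:6d:a5:58 authenticated 00:00:31 No Jim-1F-Office nil2 a-HT No psk>authenticated
"""
TRACE = """
Jul 20 00:52:07 station-up * 00:1e:8c:91:15:60 00:1a:1e:16:df:e1 - - wpa2 aes
Jul 20 00:52:07 eap-success <- 00:1e:8c:91:15:60 00:1a:1e:16:df:e1 6 4
Jul 20 00:52:07 wpa2-key1 <- 00:1e:8c:91:15:60 00:1a:1e:16:df:e1 - 117
Jul 20 00:52:07 wpa2-key2 -> 00:1e:8c:91:15:60 00:1a:1e:16:df:e1 - 117
Jul 20 00:52:07 wpa2-key3 <- 00:1e:8c:91:15:60 00:1a:1e:16:df:e1 - 151
Jul 20 00:52:07 wpa2-key4 -> 00:1e:8c:91:15:60 00:1a:1e:16:df:e1 - 95
"""

def table_macs(text, col):
    """Client MACs from data rows; col is the MAC column (1 = user table, 0 = station table)."""
    rows = (line.split() for line in text.splitlines())
    return {r[col].lower() for r in rows
            if len(r) > col and MAC.fullmatch(r[col]) and (col == 0 or IPV4.fullmatch(r[0]))}

def handshake_complete(trace, mac):
    """True if the latest station-up for mac in the trace was followed by wpa2-key1..4."""
    keys = None  # None = station currently down, or never seen in this trace
    for f in (line.split() for line in trace.splitlines()):
        if len(f) < 6 or f[5].lower() != mac:
            continue
        if f[3] == "station-up":
            keys = []
        elif f[3] == "station-down":
            keys = None
        elif keys is not None and f[3].startswith("wpa2-key"):
            keys.append(f[3])
    return keys == KEYS

def authenticated_without_ip(user_text, station_text, trace):
    """Stations absent from the user table, mapped to whether their 4-way handshake completed."""
    missing = table_macs(station_text, 0) - table_macs(user_text, 1)
    return {m: handshake_complete(trace, m) for m in sorted(missing)}

if __name__ == "__main__":
    for mac, ok in authenticated_without_ip(USER_TABLE, STATION_TABLE, TRACE).items():
        print(mac, "keys installed, no IP learned" if ok else "no completed handshake in trace")
```

A `True` result means the station finished key exchange yet has no IP-bearing user-table row, which points the investigation at DHCP or the client's IP stack rather than at the PSK or 802.1X configuration. `False` also covers a MAC for which no trace lines were supplied.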


  • 2.  RE: PSK network - Some clients work. Some clients don't. Random.

    Posted Jul 20, 2012 07:02 AM

    First, let me preface this by saying my situation yielded the same symptoms, but was with wired 802.1x, but thought I'd share in case it gave you some thoughts.

     

    In that particular configuration snippet you provided, try changing the initial-role of the dot1x>authenticated AAA profile to "logon" and test to see if you can get an IP. I had experienced client DHCP issues in the past when I set the initial-role to a denyall type policy, despite passing and showing as in another role (in your case "authenticated"). Again, in my case, it was wired 802.1x. In order to get DHCP addresses on those problem clients while using the denyall initial-role, I had to run the following:

     

    aaa authentication wired
    profile default

     

    From the config, the PSK portions look OK. Does the Win7 machine you reference get an IP on the PSK network?

     

     



  • 3.  RE: PSK network - Some clients work. Some clients don't. Random.

    Posted Jul 20, 2012 11:22 AM
    Could you post the output for "show rights denied" ?


  • 4.  RE: PSK network - Some clients work. Some clients don't. Random.
    Best Answer

    Posted Jul 20, 2012 12:04 PM

    i rebuilt the controller from scratch this morning. The ipad started getting an IP sometime last night during troubleshooting, macbookpro came online this morning after controller rebuild, and my win7 laptop... apparently if you turn on windows bridging, it removes all protocols from the wireless card, so it wasn't even running ipv4 or anything else. Really stupid. There was still something odd about yesterday when the ipad and the macbook wouldn't connect though. gonna watch for oddities for the next couple of days...

     

    here is the denied role, just a deny all.

     

    (Jim-3200) (config) #show rights denied

    Derived Role = 'denied'
    Up BW:No Limit Down BW:No Limit
    L2TP Pool = default-l2tp-pool
    PPTP Pool = default-pptp-pool
    Periodic reauthentication: Disabled
    ACL Number = 55/0
    Max Sessions = 65535


    access-list List
    ----------------
    Position Name Location
    -------- ---- --------
    1 denied

    denied
    ------
    Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6
    -------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------
    1 any any any deny Low 4

    Expired Policies (due to time constraints) = 0

    (Jim-3200) (config) #



  • 5.  RE: PSK network - Some clients work. Some clients don't. Random.

    Posted Jul 20, 2012 12:06 PM
    As mentioned by clembo in his post, configure the initial role to "logon" under the dot1x-auth aaa profile.