Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Using GRE Tunnels to centralize L3 access

  • 1.  Using GRE Tunnels to centralize L3 access

    Posted Mar 25, 2012 04:15 PM

    Hi,

     

    I am working on this

    http://community.arubanetworks.com/t5/ArubaOS-and-Controllers/Using-GRE-Tunnels-to-centralize-L3-access/td-p/2831

     

    The point I am stuck on is that I have assigned no IP address on VLAN 2. I have tunneled it to the master controller. The tunnel is untrusted only at the master controller because I want all the authentication to be held at the master controller.

     

    Following the instructions on the above link, I am able to get an IP from the DHCP which is on VLAN 2, but I never get a captive portal page. However, when I try to connect to APs on the master controller, I have no issues getting the clients authenticated. They are redirected to the captive portal page, but on the local controller they won't be.

     

    However, I have noticed that when I assign an IP on the VLAN 2 interface I get the captive portal page. But this stops roaming for the clients, since the session of a client does not exist on the master controller, and when a user roams from the local to the master controller they again get the captive portal page to authenticate, which means all their application sessions are deleted.

     

    I have found the instructions on the above link and followed them completely. But I am not getting the captive portal page on the clients which are connecting to the local controller.

     

    Kindly advise.

     

    Farzan



  • 2.  RE: Using GRE Tunnels to centralize L3 access

    EMPLOYEE
    Posted Mar 25, 2012 06:03 PM

    First, make sure your clients can resolve DNS, which is crucial to them being able to bring up the page.

     

    Second, if the master side of the tunnel is untrusted, the clients get redirected to the "ip cp-redirect-address" on the master controller, and that needs to be reachable.

     

    Third, make sure the AAA profile on either side does not have "Enforce DHCP", just as a troubleshooting step.

     

     



  • 3.  RE: Using GRE Tunnels to centralize L3 access

    Posted Mar 25, 2012 06:26 PM

    Hi Joseph,

     

    Thank you for your response.

     

    Answer to first question:

    Yes, clients are able to resolve DNS and can also ping domain names such as google.com or yahoo.com. But they do not get a captive portal until I define an IP on the VLAN interface. In my case I have an IP on the VLAN on both, that is, on the master controller and on the local controller.

     

    Answer to Second question:

    Yes, the clients can reach the cp-redirect IP, which is the master controller IP. I have also manually added the cp-redirect IP to my local controller, which is the master controller IP. Do you think this could be because of PEF on the local controller?

     

    Answer to Third Question:

    Enforce DHCP is disabled on both ends.

     

    Thanks.



  • 4.  RE: Using GRE Tunnels to centralize L3 access

    EMPLOYEE
    Posted Mar 25, 2012 06:29 PM

    On the master controller, see if you can ping the client. When the client is opening a web page, do a "show datapath session table <ip address of client>" to see what it is doing at the time.

     

    Do NOT point the ip cp-redirect of the local to the master.  That will only work for untrusted traffic at the local controller and should not be pointed to the master.

     

    When you say PEF on the local controller, what do you mean?

     

     



  • 5.  RE: Using GRE Tunnels to centralize L3 access

    Posted Mar 25, 2012 06:37 PM

    Thanks for your prompt response.

     

    I am not able to ping the client from the master controller. However, I can see that the client is maintaining a tunnel from the local controller to the master controller, and hopefully the sessions are flowing through that tunnel. Also, I see that the roaming status is wired under the master controller, which again shows that the client data is flowing through the master controller.

     

    By PEF on the local controller I mean that maybe, when I remove the IP from the VLAN interface, it is PEF which is blocking the captive portal page from the master controller from coming up?

     

    The command you told me, shall I try to run it now or after removing the IP from the VLAN interface, and then try to connect to get the captive portal for authentication?

    show datapath session table < ip address of client>



  • 6.  RE: Using GRE Tunnels to centralize L3 access

    EMPLOYEE
    Posted Mar 25, 2012 06:42 PM
    You should be able to ping the client from the master. You should see the client as wired on the master in the user table, so that is correct. What is the role that the user gets on the master controller? Type "show rights <role>" to see what traffic should be allowed.

    The previous command should be run while the client is attempting to bring up the page.


  • 7.  RE: Using GRE Tunnels to centralize L3 access

    Posted Mar 25, 2012 06:49 PM

    Hi,

     

    When I do the datapath session command on the master controller for that client, I get nothing. But when I ran it on the local controller, to which the client is connected, I got the following:

     

    (RC-Aruba-620) #show datapath session table 172.16.235.245

    Datapath Session Table Entries
    ------------------------------

    Flags: F - fast age, S - src NAT, N - dest NAT
           D - deny, R - redirect, Y - no syn
           H - high prio, P - set prio, T - set ToS
           C - client, M - mirror, V - VOIP
           Q - Real-Time Quality analysis
           I - Deep inspect, U - Locally destined
           E - Media Deep Inspect, G - media signal

    Source IP       Destination IP  Prot  SPort  DPort  Cntr  Prio  ToS  Age  Destination  TAge  Flags
    --------------  --------------  ----  -----  -----  ----  ----  ---  ---  -----------  ----  -----
    172.16.235.245  62.75.246.130   6     64914  5938   0/0   0     0    0    tunnel 19    c     FDYC
    172.16.235.245  74.125.237.136  6     64912  80     0/0   0     0    0    tunnel 19    20    NYCI
    172.16.235.245  74.125.237.137  6     64915  80     0/0   0     0    0    tunnel 19    b     NYCI
    192.168.100.15  172.16.235.245  6     8080   64915  0/0   0     0    1    tunnel 19    b     S
    192.168.100.15  172.16.235.245  6     8080   64912  0/0   0     0    1    tunnel 19    20    S

     

     

     

    192.168.100.15 is my local controller and 192.168.100.17 is the master controller.

     

    The initial user role is Hotspot-guest-logon, and the rights are as follows:

    Derived Role = 'Rosmini_Hotspot-guest-logon'
     Up BW:No Limit   Down BW:No Limit
     L2TP Pool = default-l2tp-pool
     PPTP Pool = default-pptp-pool
     Periodic reauthentication: Disabled
     ACL Number = 35/0
     Max Sessions = 65535
     Captive Portal profile = Rosmini_Hotspot-cp_prof
    access-list List
    ----------------
    Position  Name           Location
    --------  ----           --------
    1         logon-control
    2         captiveportal
    logon-control
    -------------
    Priority  Source  Destination  Service   Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
    --------  ------  -----------  -------   ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
    1         user    any          udp 68    deny                             Low                                                           4
    2         any     any          svc-icmp  permit                           Low                                                           4
    3         any     any          svc-dns   permit                           Low                                                           4
    4         any     any          svc-dhcp  permit                           Low                                                           4
    5         any     any          svc-natt  permit                           Low                                                           4
    captiveportal
    -------------
    Priority  Source  Destination  Service          Action        TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
    --------  ------  -----------  -------          ------        ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
    1         user    controller   svc-https        dst-nat 8081                           Low                                                           4
    2         user    any          svc-http         dst-nat 8080                           Low                                                           4
    3         user    any          svc-https        dst-nat 8081                           Low                                                           4
    4         user    any          svc-http-proxy1  dst-nat 8088                           Low                                                           4
    5         user    any          svc-http-proxy2  dst-nat 8088                           Low                                                           4
    6         user    any          svc-http-proxy3  dst-nat 8088                           Low                                                           4
    Expired Policies (due to time constraints) = 0
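
    An added example, not code from the thread or from Aruba, that decodes the session-table output above with a small parser and pairs each dest-NATed client flow (flag N) with the reverse src-NATed entry (flag S) for the same client port, so you can read off where the packets were actually sent instead of where the client addressed them. The sample rows are the ones posted for 172.16.235.245; the assumption that TAge is printed in lowercase hex (so an all-uppercase last column is the Flags field) is mine.

```python
"""Decode an ArubaOS 'show datapath session table <client-ip>' listing.

Added example (not from the thread or from Aruba). The Destination column
is either one token or two ('tunnel 19'), so rows are split from the right
to keep the column count stable. Assumption: TAge is lowercase hex, so a
trailing all-uppercase token made of legend letters is the Flags field.
"""
import re
from collections import namedtuple

FLAG_LEGEND = {  # from the legend printed above the table
    "F": "fast age", "S": "src NAT", "N": "dest NAT", "D": "deny",
    "R": "redirect", "Y": "no syn", "H": "high prio", "P": "set prio",
    "T": "set ToS", "C": "client", "M": "mirror", "V": "VOIP",
    "Q": "Real-Time Quality analysis", "I": "Deep inspect",
    "U": "Locally destined", "E": "Media Deep Inspect", "G": "media signal",
}

Session = namedtuple("Session", "src dst proto sport dport dest tage flags")

# Constructed sample: the rows posted for client 172.16.235.245 on the local controller.
SAMPLE = """\
Source IP      Destination IP Prot SPort DPort Cntr Prio ToS Age Destination TAge Flags
-------------- -------------- ---- ----- ----- ---- ---- --- --- ----------- ---- -----
172.16.235.245 62.75.246.130  6    64914 5938  0/0  0    0   0   tunnel 19   c    FDYC
172.16.235.245 74.125.237.136 6    64912 80    0/0  0    0   0   tunnel 19   20   NYCI
172.16.235.245 74.125.237.137 6    64915 80    0/0  0    0   0   tunnel 19   b    NYCI
192.168.100.15 172.16.235.245 6    8080  64915 0/0  0    0   1   tunnel 19   b    S
192.168.100.15 172.16.235.245 6    8080  64912 0/0  0    0   1   tunnel 19   20   S
"""

ROW_RE = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+")


def parse_sessions(text):
    """Return one Session per data row; legend, header and separators are skipped."""
    rows = []
    for line in text.splitlines():
        if not ROW_RE.match(line):
            continue
        t = line.split()
        if t[-1].isupper() and all(ch in FLAG_LEGEND for ch in t[-1]):
            flags, tage, dest_tokens = t[-1], t[-2], t[9:-2]
        else:                      # row printed with an empty Flags column
            flags, tage, dest_tokens = "", t[-1], t[9:-1]
        rows.append(Session(t[0], t[1], int(t[2]), int(t[3]), int(t[4]),
                            " ".join(dest_tokens), tage, flags))
    return rows


def decode_flags(flags):
    return [FLAG_LEGEND[f] for f in flags if f in FLAG_LEGEND]


def denied_flows(rows):
    return [r for r in rows if "D" in r.flags]


def find_dst_nat_redirects(rows, client_ip):
    """Pair each dest-NATed client flow with the reverse src-NATed entry.

    The forward row keeps the destination the client asked for; the reverse
    row for the same client port shows the address and port the controller
    rewrote it to. A client HTTP flow landing on a controller port 8080/8081
    is the captive-portal redirect (the 'dst-nat 8080' rule in the role).
    """
    reverse = {r.dport: r for r in rows if r.dst == client_ip and "S" in r.flags}
    hits = []
    for r in rows:
        if r.src != client_ip or "N" not in r.flags:
            continue
        rev = reverse.get(r.sport)
        if rev is None:
            continue
        hits.append({"client_port": r.sport,
                     "orig_dst": f"{r.dst}:{r.dport}",
                     "nat_target": f"{rev.src}:{rev.sport}",
                     "via": r.dest,
                     "captive_portal": rev.sport in (8080, 8081)})
    return hits


if __name__ == "__main__":
    rows = parse_sessions(SAMPLE)
    for hit in find_dst_nat_redirects(rows, "172.16.235.245"):
        print(hit)
    for r in denied_flows(rows):
        print("denied:", r.src, "->", r.dst, r.dport, decode_flags(r.flags))
```

    Run over the rows above it reports both port-80 flows as dst-NATed to 192.168.100.15:8080, the local controller's own captive-portal listener, and the port-5938 flow as denied (D), so the HTTP interception in this capture is being done by the local controller rather than by the master.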



  • 8.  RE: Using GRE Tunnels to centralize L3 access

    Posted Mar 25, 2012 06:50 PM

    And yes, the user role on the master controller is authenticated and the status is wired.



  • 9.  RE: Using GRE Tunnels to centralize L3 access

    Posted Mar 25, 2012 07:58 PM

    Thank you for your support Joseph. It is much appreciated.



  • 10.  RE: Using GRE Tunnels to centralize L3 access

    EMPLOYEE
    Posted Mar 25, 2012 08:59 PM

    No problem.

     



  • 11.  RE: Using GRE Tunnels to centralize L3 access

    Posted Mar 26, 2012 07:42 PM

    Hi Joseph,

     

    I am now having another issue. I have removed the controllers and am just operating one controller, a 3400. Now when my client moves from an AP having IP address 192.168.110.34 to an AP at 192.168.110.55, roaming works. But when the client moves from an AP having IP address 192.168.110.34 to an AP having IP 192.168.109.80, browsing stops and there is no roaming between APs on different subnets.

     

    Any ideas?

     

    Farzan



  • 12.  RE: Using GRE Tunnels to centralize L3 access

    EMPLOYEE
    Posted Mar 26, 2012 09:39 PM

    You probably now need to have all of your access points in the same AP group, so that all clients end up on the same VLAN. If a client roams, he assumes that he is on the same VLAN and does not re-initiate DHCP. Try putting all APs in the same ap-group and see if that makes a difference.

     



  • 13.  RE: Using GRE Tunnels to centralize L3 access

    Posted Mar 26, 2012 09:45 PM

    APs are already in the same AP group.... :(

     

    Any suggestions?



  • 14.  RE: Using GRE Tunnels to centralize L3 access

    EMPLOYEE
    Posted Mar 26, 2012 09:47 PM

    Type "show ap essid" to make sure that your WLANs are only putting users in one VLAN at a time.

     



  • 15.  RE: Using GRE Tunnels to centralize L3 access

    Posted Mar 27, 2012 02:04 AM

    Hi

     

    When I ran the command I got the following output:

     

     

    ESSID Summary
    -------------
    ESSID             APs  Clients  VLAN(s)  Encryption
    -----             ---  -------  -------  ----------
    Network_Guest     18   0        2        Open
    Network_Hotspot   18   1        2        Open
    Network_Wireless  18   19       200,201  WPA2 8021X AES
    KIOSK             16   1        200      WPA2 PSK AES
    Num ESSID:4

     

     

    And the clients which are not able to roam are in VLAN 2...

     

    Why is it happening?



  • 16.  RE: Using GRE Tunnels to centralize L3 access

    EMPLOYEE
    Posted Mar 27, 2012 04:52 AM

    Type "show vlan status" to see if VLAN 2 is even connected to any port... If not, you need to change that VLAN or assign VLAN 2 to a port... or have the controller serve up DHCP for that VLAN.



  • 17.  RE: Using GRE Tunnels to centralize L3 access

    Posted Mar 27, 2012 05:03 PM

    Yes, VLAN 2 is connected to a port and there is an external DHCP server which is serving the DHCP requests. I have assigned a helper address on VLAN 2. Do you think that my using an external DHCP server for VLAN 2 is the reason I am having roaming issues?

     

    Please help to solve this roaming issue :(



  • 18.  RE: Using GRE Tunnels to centralize L3 access

    EMPLOYEE
    Posted Mar 27, 2012 06:29 PM

    Has this ever worked?  If it has not, change the VLAN in the Virtual AP to a VLAN that does work.

     



  • 19.  RE: Using GRE Tunnels to centralize L3 access

    Posted Mar 27, 2012 06:45 PM

    It never worked. But I don't want the traffic of DMZ users to go into our internal network. I want to keep them isolated from the internal network.

     

    Is there any workaround for this? For the other VLANs, roaming works, but not for the DMZ VLAN, that is, VLAN 2 in my case.



  • 20.  RE: Using GRE Tunnels to centralize L3 access

    EMPLOYEE
    Posted Mar 27, 2012 06:49 PM
    Okay.

    VLAN 2 is connected to a physical port on the controller, then? Does the controller have an IP address on this VLAN?
    What is the default gateway of VLAN 2?


  • 21.  RE: Using GRE Tunnels to centralize L3 access

    Posted Mar 27, 2012 06:51 PM

    Yes it is connected to a port and it has an IP.

    The default gateway is the firewall IP.



  • 22.  RE: Using GRE Tunnels to centralize L3 access

    EMPLOYEE
    Posted Mar 27, 2012 06:53 PM

    Can the controller ping the DHCP server? Does the DHCP server have a scope set up in the range of VLAN 2? On what interface is the helper address?

     



  • 23.  RE: Using GRE Tunnels to centralize L3 access

    Posted Mar 27, 2012 06:57 PM

    Yes, the controller can ping the DHCP server.

    Yes, the scope is defined on the DHCP server for VLAN 2.

     

    On VLAN 2 there is a helper address which points to the DHCP running on the firewall.

     

    Similarly, on the other VLANs, on which roaming is working, the DHCP helper address points to the DHCP inside the internal network.



  • 24.  RE: Using GRE Tunnels to centralize L3 access

    EMPLOYEE
    Posted Mar 27, 2012 07:00 PM


    If you are just bridging traffic to an existing VLAN, and that VLAN is on the firewall, why do you need a helper address? The firewall should just be providing DHCP, if it is the default gateway.

     

     



  • 25.  RE: Using GRE Tunnels to centralize L3 access

    Posted Mar 27, 2012 07:04 PM

    Yes, you are right. Even if I remove the helper address, clients will get an IP. And I can do it, no issues.

     

    But again the issue comes with the roaming of clients.



  • 26.  RE: Using GRE Tunnels to centralize L3 access

    EMPLOYEE
    Posted Mar 27, 2012 07:07 PM

    Okay.  Let's take this a step back.  What SSID are you having the problems with?

     



  • 27.  RE: Using GRE Tunnels to centralize L3 access

    Posted Mar 27, 2012 07:11 PM

    It is the HOTSPOT and GUEST network SSIDs. Both SSIDs are mapped to VLAN 2.



  • 28.  RE: Using GRE Tunnels to centralize L3 access

    EMPLOYEE
    Posted Mar 27, 2012 07:12 PM

    So you are having problems with one or both SSIDs?  Are all APs in your infrastructure in the same AP-Group?

     



  • 29.  RE: Using GRE Tunnels to centralize L3 access

    Posted Mar 27, 2012 07:18 PM

    The issue is with BOTH SSIDs.

    Yes, APs are in the same AP group.

     

    Does it matter that my APs are on the 192.168.x.x network and my clients on hotspot and guest are on 172.16.x.x?

     

    I have noticed that when a client moves between APs having IPs from the same subnet, roaming works on hotspot and guest.

    Suppose AP-1 is on 192.168.110.65 and AP-2 is on 192.168.110.55. If a client roams between these two APs, roaming works, but if he moves onto an AP having IP 192.168.109.80, there is no roaming in that case and browsing stops. The role of the user remains authenticated until the idle timeout condition is met.



  • 30.  RE: Using GRE Tunnels to centralize L3 access

    EMPLOYEE
    Posted Mar 27, 2012 07:22 PM

    1.  Turn on user debugging:

        config t
        logging level debugging user

    2.  Associate a client to a good AP and then roam to a bad one.

    3.  Look at the log when this happens:

        show log user all | include <mac address of client>

     

     



  • 31.  RE: Using GRE Tunnels to centralize L3 access

    Posted Mar 27, 2012 07:24 PM

    I will do it and get back to you. 

    Thanks :)



  • 32.  RE: Using GRE Tunnels to centralize L3 access

    Posted Mar 27, 2012 08:13 PM

    Hi, I have done the testing.

     

    It seems everything has started working like a dream by itself :)

     

    I ran the debugging log command on the MAC address of the client I am using. I got the logs for the authentication process. Once authentication is done and I am moving between APs, I can't see any logs under the debug command. Why is that?

     

    I will keep monitoring for the next few days and will see if it is really working.

     

    Thanks again for your help.



  • 33.  RE: Using GRE Tunnels to centralize L3 access

    EMPLOYEE
    Posted Mar 27, 2012 08:14 PM


    If it is a dream, don't wake up!!

     

    Let us know.

     

     



  • 34.  RE: Using GRE Tunnels to centralize L3 access

    Posted Mar 27, 2012 08:16 PM

    Following are the logs which I got once my connection dropped as the client (iPad) went to sleep.

    It says fast roaming is disabled. Why is that?

     

    (RCW-CORE-3400) #show log user all | include 1c:ab:a7:c7:4f:b8
    Mar 28 01:22:40 :501109: <NOTI> |AP Library (00:24:6c:c2:af:b9)@192.168.109.114 stm| Auth request: 1c:ab:a7:c7:4f:b8: AP 192.168.109.114-00:24:6c:aa:fb:99-Library (00:24:6c:c2:af:b9) auth_alg 0
    Mar 28 01:22:40 :501093: <NOTI> |AP Library (00:24:6c:c2:af:b9)@192.168.109.114 stm| Auth success: 1c:ab:a7:c7:4f:b8: AP 192.168.109.114-00:24:6c:aa:fb:99-Library (00:24:6c:c2:af:b9)
    Mar 28 01:22:40 :501095: <NOTI> |stm| Assoc request @ 01:22:40.199057: 1c:ab:a7:c7:4f:b8 (SN 2): AP 192.168.109.114-00:24:6c:aa:fb:99-Library (00:24:6c:c2:af:b9)
    Mar 28 01:22:40 :501095: <NOTI> |AP Library (00:24:6c:c2:af:b9)@192.168.109.114 stm| Assoc request @ 01:22:40.196761: 1c:ab:a7:c7:4f:b8 (SN 2): AP 192.168.109.114-00:24:6c:aa:fb:99-Library (00:24:6c:c2:af:b9)
    Mar 28 01:22:40 :501100: <NOTI> |stm| Assoc success @ 01:22:40.200423: 1c:ab:a7:c7:4f:b8: AP 192.168.109.114-00:24:6c:aa:fb:99-Library (00:24:6c:c2:af:b9)
    Mar 28 01:22:40 :501100: <NOTI> |AP Library (00:24:6c:c2:af:b9)@192.168.109.114 stm| Assoc success @ 01:22:40.197484: 1c:ab:a7:c7:4f:b8: AP 192.168.109.114-00:24:6c:aa:fb:99-Library (00:24:6c:c2:af:b9)
    Mar 28 01:22:40 :501065: <DBUG> |stm| Sending STA 1c:ab:a7:c7:4f:b8 message to Auth and Mobility Unicast Encr Open Multicast Encr Open VLAN 0x2, wmm:0, rsn_cap:0
    Mar 28 01:22:40 :500511: <DBUG> |mobileip| Station 1c:ab:a7:c7:4f:b8, 0.0.0.0: Received association on ESSID: Rosmini_Hotspot Mobility service ON, HA Discovery on Association ON, Fastroaming Disabled, AP: Name Library (00:24:6c:c2:af:b9) Group default BSSID 00:24:6c:aa:fb:99, phy a, VLAN 2
    Mar 28 01:22:40 :522035: <INFO> |authmgr| MAC=1c:ab:a7:c7:4f:b8 Station UP: BSSID=00:24:6c:aa:fb:99 ESSID=Rosmini_Hotspot VLAN=2 AP-name=Library (00:24:6c:c2:af:b9)
    Mar 28 01:22:40 :522004: <DBUG> |authmgr| MAC=1c:ab:a7:c7:4f:b8 ingress 0x10f5 (tunnel 117), u_encr 1, m_encr 1, slotport 0x1041 , type: local, FW mode: 0, AP IP: 0.0.0.0
    Mar 28 01:22:40 :522004: <DBUG> |authmgr| MAC=1c:ab:a7:c7:4f:b8, wired: 0, vlan:2 ingress:0x10f5 (tunnel 117), new_aaa_prof: Rosmini_Hotspot-aaa_prof, stored profile: Rosmini_Hotspot-aaa_prof stored wired: 0 stored essid: Rosmini_Hotspot
    Mar 28 01:22:40 :522004: <DBUG> |authmgr| MAC=1c:ab:a7:c7:4f:b8 def_vlan 2 derive vlan: 0 auth_type 1 auth_subtype 1
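
    An added example (not from the thread or from Aruba) that turns a filtered "show log user" listing like the one above into a per-station timeline: the stm auth/assoc sequence, the ESSID and VLAN from the authmgr "Station UP" line, the Fastroaming flag from the mobileip line, and the AP address the station landed on. The sample is a constructed subset of the lines in this post, and the line layout "<date> :<msgid>: <LEVEL> |<process>| <text>" is taken from them.

```python
"""Summarise 'show log user all | include <mac>' output into a station timeline.

Added example, not from the thread or from Aruba. Parses the ArubaOS log
line layout '<date> :<msgid>: <LEVEL> |<process>| <text>' as shown in
the post. SAMPLE_LOG is a constructed subset of the posted lines.
"""
import re

SAMPLE_LOG = """\
Mar 28 01:22:40 :501109: <NOTI> |AP Library (00:24:6c:c2:af:b9)@192.168.109.114 stm| Auth request: 1c:ab:a7:c7:4f:b8: AP 192.168.109.114-00:24:6c:aa:fb:99-Library (00:24:6c:c2:af:b9) auth_alg 0
Mar 28 01:22:40 :501093: <NOTI> |AP Library (00:24:6c:c2:af:b9)@192.168.109.114 stm| Auth success: 1c:ab:a7:c7:4f:b8: AP 192.168.109.114-00:24:6c:aa:fb:99-Library (00:24:6c:c2:af:b9)
Mar 28 01:22:40 :501095: <NOTI> |stm| Assoc request @ 01:22:40.199057: 1c:ab:a7:c7:4f:b8 (SN 2): AP 192.168.109.114-00:24:6c:aa:fb:99-Library (00:24:6c:c2:af:b9)
Mar 28 01:22:40 :501100: <NOTI> |stm| Assoc success @ 01:22:40.200423: 1c:ab:a7:c7:4f:b8: AP 192.168.109.114-00:24:6c:aa:fb:99-Library (00:24:6c:c2:af:b9)
Mar 28 01:22:40 :500511: <DBUG> |mobileip| Station 1c:ab:a7:c7:4f:b8, 0.0.0.0: Received association on ESSID: Rosmini_Hotspot Mobility service ON, HA Discovery on Association ON, Fastroaming Disabled, AP: Name Library (00:24:6c:c2:af:b9) Group default BSSID 00:24:6c:aa:fb:99, phy a, VLAN 2
Mar 28 01:22:40 :522035: <INFO> |authmgr| MAC=1c:ab:a7:c7:4f:b8 Station UP: BSSID=00:24:6c:aa:fb:99 ESSID=Rosmini_Hotspot VLAN=2 AP-name=Library (00:24:6c:c2:af:b9)
Mar 28 01:22:40 :522004: <DBUG> |authmgr| MAC=1c:ab:a7:c7:4f:b8 def_vlan 2 derive vlan: 0 auth_type 1 auth_subtype 1
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) :(?P<msgid>\d+): <(?P<level>\w+)> "
    r"\|(?P<proc>[^|]*)\| (?P<text>.*)$")
MAC_RE = re.compile(r"([0-9a-fA-F]{2}(?::[0-9a-fA-F]{2}){5})")

# 802.11 state-machine messages emitted by stm, in the order they normally appear
STM_EVENTS = ("Auth request", "Auth success", "Assoc request", "Assoc success",
              "Deauth", "Disassoc")


def parse_log(text):
    """One dict per parsable line; 'mac' is the first MAC in the message (the client)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["process"] = e["proc"].split()[-1]      # 'stm', 'authmgr', 'mobileip', ...
        macs = MAC_RE.findall(e["text"])
        e["mac"] = macs[0].lower() if macs else None
        events.append(e)
    return events


def station_summary(events, mac):
    """Collapse a client's lines into what a troubleshooter wants to see at a glance."""
    s = {"mac": mac, "sequence": [], "essid": None, "vlan": None,
         "fastroaming": None, "ap_ip": None, "def_vlan": None, "derived_vlan": None}
    for e in events:
        if e["mac"] != mac.lower():
            continue
        text = e["text"]
        if e["process"] == "stm":
            s["sequence"] += [p for p in STM_EVENTS if text.startswith(p)]
        if "Station UP" in text:                  # authmgr: the station is now known
            s["essid"] = re.search(r"ESSID=(\S+)", text).group(1)
            s["vlan"] = int(re.search(r"VLAN=(\d+)", text).group(1))
            s["sequence"].append("Station UP")
        if e["process"] == "mobileip":
            fr = re.search(r"Fastroaming (\w+)", text)
            s["fastroaming"] = fr.group(1) if fr else None
        m = re.search(r"def_vlan (\d+) derive vlan: (\d+)", text)
        if m:
            s["def_vlan"], s["derived_vlan"] = int(m.group(1)), int(m.group(2))
        m = re.search(r"AP (\d+\.\d+\.\d+\.\d+)-", text)
        if m:
            s["ap_ip"] = m.group(1)
    return s


if __name__ == "__main__":
    print(station_summary(parse_log(SAMPLE_LOG), "1c:ab:a7:c7:4f:b8"))
```

    On the posted lines this yields the sequence Auth request, Auth success, Assoc request, Assoc success, Station UP on AP 192.168.109.114, ESSID Rosmini_Hotspot, VLAN 2 with no derived VLAN, and Fastroaming Disabled. If a later roam produces no new lines for the MAC, the summary simply keeps reporting the last association it saw, which matches what the poster observed after authentication.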



  • 35.  RE: Using GRE Tunnels to centralize L3 access

    EMPLOYEE
    Posted Mar 27, 2012 08:18 PM

    What is the role that the device gets when it is associated and authenticated?

     

    Show us the output of "show rights <role>".

     



  • 36.  RE: Using GRE Tunnels to centralize L3 access

    Posted Mar 27, 2012 08:21 PM

    The role is Logon and following are the rights

     

    (RCW-CORE-3400) #show rights Rosmini_Hotspot-guest-logon
    Derived Role = 'Rosmini_Hotspot-guest-logon'
     Up BW:No Limit   Down BW:No Limit
     L2TP Pool = default-l2tp-pool
     PPTP Pool = default-pptp-pool
     Periodic reauthentication: Disabled
     ACL Number = 35/0
     Max Sessions = 65535
     Captive Portal profile = Rosmini_Hotspot-cp_prof
    access-list List
    ----------------
    Position  Name           Location
    --------  ----           --------
    1         logon-control
    2         captiveportal
    logon-control
    -------------
    Priority  Source  Destination  Service   Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
    --------  ------  -----------  -------   ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
    1         user    any          udp 68    deny                             Low                                                           4
    2         any     any          svc-icmp  permit                           Low                                                           4
    3         any     any          svc-dns   permit                           Low                                                           4
    4         any     any          svc-dhcp  permit                           Low                                                           4
    5         any     any          svc-natt  permit                           Low                                                           4
    captiveportal
    -------------
    Priority  Source  Destination  Service          Action        TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
    --------  ------  -----------  -------          ------        ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
    1         user    controller   svc-https        dst-nat 8081                           Low                                                           4
    2         user    any          svc-http         dst-nat 8080                           Low                                                           4
    3         user    any          svc-https        dst-nat 8081                           Low                                                           4
    4         user    any          svc-http-proxy1  dst-nat 8088                           Low                                                           4
    5         user    any          svc-http-proxy2  dst-nat 8088                           Low                                                           4
    6         user    any          svc-http-proxy3  dst-nat 8088                           Low                                                           4
    Expired Policies (due to time constraints) = 0


  • 37.  RE: Using GRE Tunnels to centralize L3 access

    EMPLOYEE
    Posted Mar 27, 2012 08:21 PM

    Okay. After a user authenticates to the captive portal, what role do they end up in?

     



  • 38.  RE: Using GRE Tunnels to centralize L3 access

    Posted Mar 27, 2012 08:22 PM

    They end up with the role "guest".



  • 39.  RE: Using GRE Tunnels to centralize L3 access

    EMPLOYEE
    Posted Mar 27, 2012 08:24 PM

    Okay. Let's see "show rights guest".



  • 40.  RE: Using GRE Tunnels to centralize L3 access

    Posted Mar 27, 2012 08:28 PM

    I am trying to paste the guest rights in this text box, but it says I am exceeding the character limit. See the attached file...

    Attachment: Aruba rights.pdf (53 KB)


  • 41.  RE: Using GRE Tunnels to centralize L3 access
    Best Answer

    EMPLOYEE
    Posted Mar 27, 2012 08:30 PM

    Okay.  That is your problem.

     

    You need to allow "any any dhcp permit" in your guest role. When the device wakes back up and it is in the "guest" role, or it roams, it does not receive an IP address, according to the log. Try adding the "dhcp-acl" to the top of your guest role.
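
    To see why the missing DHCP rule matters, here is an added example (not from the thread or from Aruba) that evaluates a packet against a role's ordered access lists the way the controller's firewall does: first match wins, and anything unmatched hits the implicit deny at the end of the role. The logon role is the one posted in this thread; the guest role is a constructed stand-in, since the real one is only in the attachment; the netservice port mappings (svc-dhcp = udp 67-68, svc-dns = udp 53, and so on) are the stock ArubaOS definitions as I recall them and are an assumption here, as is matching a rule's port against the packet's destination port.

```python
"""First-match evaluation of an ArubaOS user role's ordered ACLs.

Added example, not code from the thread or from Aruba. A role is an
ordered list of (acl name, rules); a packet is tested top to bottom,
first match wins, and a role ends in an implicit deny.
Assumptions: the NETSERVICES port table below, and that a rule's port
(e.g. 'udp 68') is compared with the packet's destination port.
"""
from typing import NamedTuple

# Assumed stock netservice aliases: name -> (proto, first port, last port)
NETSERVICES = {
    "svc-dhcp": ("udp", 67, 68), "svc-dns": ("udp", 53, 53),
    "svc-natt": ("udp", 4500, 4500), "svc-http": ("tcp", 80, 80),
    "svc-https": ("tcp", 443, 443), "svc-icmp": ("icmp", 0, 65535),
    "svc-http-proxy1": ("tcp", 3128, 3128), "svc-http-proxy2": ("tcp", 8080, 8080),
    "svc-http-proxy3": ("tcp", 8888, 8888),
}


class Rule(NamedTuple):
    src: str        # 'user' or 'any'
    dst: str        # 'user', 'any' or 'controller'
    service: str    # netservice alias or a '<proto> <port>' literal such as 'udp 68'
    action: str     # 'permit', 'deny', 'dst-nat 8080', ...


class Packet(NamedTuple):
    from_user: bool      # True when the wireless client is the sender
    to_controller: bool  # True when addressed to the controller itself
    proto: str
    dport: int


def service_matches(service, pkt):
    if service == "any":
        return True
    if service in NETSERVICES:
        proto, lo, hi = NETSERVICES[service]
    else:
        proto, port = service.split()
        lo = hi = int(port)
    return pkt.proto == proto and lo <= pkt.dport <= hi


def endpoint_matches(spec, pkt, is_src):
    if spec == "any":
        return True
    if spec == "user":
        return pkt.from_user if is_src else not pkt.from_user
    if spec == "controller":
        return (not is_src) and pkt.to_controller
    return False


def evaluate(role, pkt):
    """Return (acl name, rule, action) of the first matching rule, else the implicit deny."""
    for acl_name, rules in role:
        for rule in rules:
            if (endpoint_matches(rule.src, pkt, True)
                    and endpoint_matches(rule.dst, pkt, False)
                    and service_matches(rule.service, pkt)):
                return acl_name, rule, rule.action
    return None, None, "deny"


# The logon role exactly as posted in the thread.
LOGON_ROLE = [
    ("logon-control", [Rule("user", "any", "udp 68", "deny"),
                       Rule("any", "any", "svc-icmp", "permit"),
                       Rule("any", "any", "svc-dns", "permit"),
                       Rule("any", "any", "svc-dhcp", "permit"),
                       Rule("any", "any", "svc-natt", "permit")]),
    ("captiveportal", [Rule("user", "controller", "svc-https", "dst-nat 8081"),
                       Rule("user", "any", "svc-http", "dst-nat 8080"),
                       Rule("user", "any", "svc-https", "dst-nat 8081"),
                       Rule("user", "any", "svc-http-proxy1", "dst-nat 8088"),
                       Rule("user", "any", "svc-http-proxy2", "dst-nat 8088"),
                       Rule("user", "any", "svc-http-proxy3", "dst-nat 8088")]),
]

# Constructed stand-in for the guest role (the real one is only in the attachment):
# DNS and web out, and nothing for DHCP.
GUEST_WITHOUT_DHCP = [("guest-web", [Rule("user", "any", "svc-dns", "permit"),
                                     Rule("user", "any", "svc-http", "permit"),
                                     Rule("user", "any", "svc-https", "permit")])]
# The fix from the thread: put dhcp-acl ('any any svc-dhcp permit') at the top of the role.
DHCP_ACL = ("dhcp-acl", [Rule("any", "any", "svc-dhcp", "permit")])
GUEST_WITH_DHCP = [DHCP_ACL] + GUEST_WITHOUT_DHCP

DHCP_DISCOVER = Packet(from_user=True, to_controller=False, proto="udp", dport=67)
DHCP_OFFER_FROM_CLIENT = Packet(True, False, "udp", 68)   # a client acting as a DHCP server
CLIENT_HTTP = Packet(True, False, "tcp", 80)

if __name__ == "__main__":
    for name, role in [("logon", LOGON_ROLE), ("guest, no dhcp", GUEST_WITHOUT_DHCP),
                       ("guest + dhcp-acl", GUEST_WITH_DHCP)]:
        acl, _, action = evaluate(role, DHCP_DISCOVER)
        print(f"{name:18s} DHCP discover -> {action} (matched in {acl})")
```

    With the stand-in guest role, a client's DHCP discover (udp to port 67) matches nothing and falls through to the implicit deny, so a device that wakes up or roams while in the guest role cannot renew its lease; prepending dhcp-acl makes it match in the first ACL. Note that the `user any udp 68 deny` rule in logon-control is a different thing: it stops a client from answering other clients' DHCP requests, and adding dhcp-acl to the guest role does not weaken it.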

     



  • 42.  RE: Using GRE Tunnels to centralize L3 access

    Posted Mar 27, 2012 08:32 PM

    Ok I will do it and see how it goes. Will get back to you.



  • 43.  RE: Using GRE Tunnels to centralize L3 access

    Posted Mar 27, 2012 08:46 PM

    Made the changes. Hopefully this will work. I can see the matches on the acl.

    Will let you know how it goes.

     

    Thanks a lot.