Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Weirdness with mobile handsets

  • 1.  Weirdness with mobile handsets

    Posted Sep 13, 2011 08:39 AM
    I've got a guest network that I connect my handset (Droid Bionic) to via MAC authentication. This has happened with other handsets, iPod Touches and iPads. I've even seen it happen with Windows machines (although these authenticate through the captive portal rather than MAC auth). Sometimes clients work great, sometimes not. When not, I'll see e.g. my Droid try to associate with the guest network, get to 'obtaining IP address'; then it fails and tries again. This will continue until I do the following:

    I log into the controller (6000) and do a

    (6000-2) #show user

    Users
    -----
    IP MAC Name Role Age(d:h:m) Auth VPN link AP name Roaming Essid/Bssid/Phy Profile
    ---------- ------------ ------ ---- ---------- ---- -------- ------- ------- --------------- -------
    10.167.224.208 98:4b:4a:53:d2:3a 98:4b:4a:53:d2:3a natickssc-open-guest-role 00:00:05 MAC 1.1.10 Associated NatickSSC-Guest/00:0b:86:ac:87:90/g natickssc-guest-aaa-profile
    172.16.1.31 44:2a:60:a3:62:e7 44:2a:60:a3:62:e7 natickssc-open-guest-role 00:01:06 MAC 1.1.10 Associated NatickSSC-Guest/00:0b:86:ac:87:90/g natickssc-guest-aaa-profile
    172.16.1.66 98:4b:4a:53:d2:3a 98:4b:4a:53:d2:3a natickssc-open-guest-role 00:00:06 MAC 1.1.10 Associated NatickSSC-Guest/00:0b:86:ac:87:90/g natickssc-guest-aaa-profile
    172.16.1.124 18:e7:f4:19:31:aa 18:e7:f4:19:31:aa natickssc-open-guest-role 00:01:57 MAC 1.1.10 Associated NatickSSC-Guest/00:0b:86:ac:87:90/g natickssc-guest-aaa-profile
    172.16.1.182 00:26:ba:43:28:d0 00:26:ba:43:28:d0 natickssc-open-guest-role 00:01:57 MAC 1.1.10 Associated NatickSSC-Guest/00:0b:86:ac:87:90/g natickssc-guest-aaa-profile

    User Entries: 5/5

    (6000-2) #


    You can see there are two entries for 98:4b:4a:53:d2:3a. One has a valid address (172.16) where the other, while a valid private IP (10.167) is not an IP range we use.

    If I do a
    (6000-2) #aaa user delete mac 98:4b:4a:53:d2:3a
    2 users deleted

    (6000-2) #


    Now my phone will connect correctly again. I'm not sure what's causing the second entry to show up. It may be occurring when my handset swaps from one AP to another.

    Is there a way to make the user database allow only ONE entry per MAC? :confused:


  • 2.  RE: Weirdness with mobile handsets

    EMPLOYEE
    Posted Sep 13, 2011 09:33 AM
    That most likely is the Verizon WAN address of that phone. You can deal with this issue by using the special validuser acl.

    "ip access-list session validuser any any any permit

    "This firewall rule controls which users will be added to the user-table of the controller through untrusted interfaces. Only IP addresses permitted by this ACL will be admitted to the system for further processing. If a client device attempts to use an IP address that is denied by this rule, the client device will be ignored by the controller and given no network access. You can use this rule to restrict foreign IP addresses from being added to the user-table. This policy should not be applied to any user role, it is an internal system policy."

    If you only want your users to get IP addresses from 172.16.x.x, you configure the validuser ACL like this:

    config t
    ip access-list session validuser
    any network 172.16.0.0 255.255.0.0 any permit
    any any any deny


  • 3.  RE: Weirdness with mobile handsets

    Posted Sep 14, 2011 10:19 AM
    Thanks for the quick reply! I currently have an access-list on this network. Most of them look like this:



    So the guest network is NAT'd.

    So would this be a new access-list I'd apply to the guest role? Would it come before or after my current access-list. Should the validuser access-list be NAT'd as well?

    E.g.
    config t
    ip access-list session validuser
    any network 172.16.0.0 255.255.0.0 any pool nat-guest-pool
    any any any deny


    Thanks again!


  • 4.  RE: Weirdness with mobile handsets

    EMPLOYEE
    Posted Sep 14, 2011 11:08 AM
    The validuser ACL is a special ACL, that just needs to be configured to allow only the ip addresses you want clients to be able to obtain. Do not NAT or do anything else or apply it to a role. Just permit only the subnets you want to be assigned to users. If you have guests in a different subnet, you also have to add a line permitting traffic to those subnets, as well. For example if you have regular users in 172.16.x.x and guests in 192.168.1.x, you would do this:

    config t
    ip access-list session validuser
    any network 172.16.0.0 255.255.0.0 any permit
    any network 192.168.1.0 255.255.255.0 any permit
    any any any deny


    This ONLY exists so that only clients that have IP addresses in 172.16.x.x and in 192.168.1.x will enter the user table. No more, no less.


  • 5.  RE: Weirdness with mobile handsets

    Posted Sep 14, 2011 02:24 PM
    Sweet! Makes sense! Thanks a ton. I put in my valid networks. I'll keep an eye on it, and see if it fixes the oddness.


  • 6.  RE: Weirdness with mobile handsets

    MVP
    Posted Sep 16, 2011 07:37 AM

    Any chance you could explain how the controller actually gets a whiff of the phone's '3G' IP address? Surely a phone (or whatever device) doesn't bridge between the two interfaces?


  • 7.  RE: Weirdness with mobile handsets

    EMPLOYEE
    Posted Sep 16, 2011 07:40 AM
    It surely does bridge. You will see the same thing if you have VMWARE installed on a laptop.


  • 8.  RE: Weirdness with mobile handsets

    Posted Oct 13, 2011 07:03 PM
    More on the topic of the validuser ACL - I notice it is not just a permit all in 6.x anymore.


    1 any any svc-sec-papi permit
    2 169.254.0.0 255.255.0.0 any any deny


    So now it's blocking 169.254.0.0/16 by default.

    Also I notice this rule has the source IP defined - previous rules in this thread were using the destination to define networks?

    The first line is interesting - I guess it's to permit devices that talk like a RAP regardless of their IP.... could be an interesting use for this ACL...
    i.e. deny clients that were serving DHCP/DNS etc.... would that work?
    Is the validuser ACL constantly being processed for users/devices not assigned a role?
    So once they are in a role it no longer applies?

    Is there more documentation for the validuser acl outside of the userguide?


  • 9.  RE: Weirdness with mobile handsets

    Posted Feb 02, 2012 11:58 AM

    I am running 3.4 here. It doesn't seem to allow me to configure it in a local controller.



  • 10.  RE: Weirdness with mobile handsets

    EMPLOYEE
    Posted Feb 02, 2012 01:06 PM
    It is global so you can only configure it on the master.


  • 11.  RE: Weirdness with mobile handsets

    Posted Dec 06, 2017 12:44 PM

    (Sorry for the update to this old thread -- it is at the top of results and this might help someone else...)

    For the validuser ACL - be sure to keep/include the following lines so that IPv6 will work:

    ipv6 host fe80:: any any deny
    ipv6 network fc00::/7 any any permit
    ipv6 network fe80::/64 any any permit
    ipv6 alias ipv6-reserved-range any any deny

      This would be in addition to allowing your IPv4 and IPv6 ranges, of course.
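Putting the thread's rules together: the Python below is an added illustration, not ArubaOS code and not any poster's configuration. It parses the validuser lines from posts 4, 8 and 11, applies first-match evaluation to the (IP, MAC) pairs from the `show user` output in post 1, and shows that the stray 10.167.x.x entry for 98:4b:4a:53:d2:3a is the one that would be dropped, leaving one entry per MAC. Everything about matching semantics is an assumption, since the page does not describe controller internals: a rule matches a client address if the address falls within the rule's source field or (because posts 2 and 4 put the network in the destination position) its destination field; rules written with the `ipv6` keyword apply only to IPv6 addresses and all others only to IPv4; a client matched by no rule is not admitted; the service column is parsed but ignored. The `ipv6 alias ipv6-reserved-range` line from post 11 is left out because the alias contents are not on the page, and the 169.254.10.20 and IPv6 test addresses are constructed.

```python
"""First-match model of an ArubaOS-style validuser session ACL (illustration only).

ASSUMPTIONS (not stated on the page): a client address matches a rule if it falls in
the rule's source OR destination field ("any" matches everything); rules written with
the "ipv6" keyword match only IPv6 addresses, others only IPv4; no match means deny;
the service column is ignored.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    v6: bool                 # written with the "ipv6" keyword
    src: Optional[object]    # IPv4Network/IPv6Network, or None for "any"
    dst: Optional[object]
    service: str             # e.g. "any" or "svc-sec-papi"; parsed but ignored here
    action: str              # "permit" or "deny"
    text: str                # original rule line, kept for reporting


def _endpoint(tokens: List[str]) -> Tuple[Optional[object], List[str]]:
    """Consume one address field: any | host A | network A MASK | network A/N | A MASK."""
    kw = tokens[0]
    if kw == "any":
        return None, tokens[1:]
    if kw == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    if kw == "alias":
        raise ValueError("alias contents are controller-defined; resolve before parsing")
    if kw == "network":
        if "/" in tokens[1]:
            return ipaddress.ip_network(tokens[1], strict=False), tokens[2:]
        return ipaddress.ip_network((tokens[1], tokens[2]), strict=False), tokens[3:]
    # bare "A.B.C.D M.M.M.M", the form the controller prints in show output (post 8)
    return ipaddress.ip_network((tokens[0], tokens[1]), strict=False), tokens[2:]


def parse_rule(line: str) -> Rule:
    tokens = line.split()
    v6 = tokens[0] == "ipv6"
    if v6:
        tokens = tokens[1:]
    src, tokens = _endpoint(tokens)
    dst, tokens = _endpoint(tokens)
    service, action = tokens
    if action not in ("permit", "deny"):
        raise ValueError("bad action in rule: " + line)
    return Rule(v6, src, dst, service, action, line)


def _matches(rule: Rule, ip) -> bool:
    if rule.v6 != (ip.version == 6):
        return False
    fields = [f for f in (rule.src, rule.dst) if f is not None]
    return not fields or any(ip in f for f in fields)


def evaluate(acl: List[Rule], client_ip: str) -> Tuple[bool, Optional[Rule]]:
    """Return (admitted, matching rule). First match wins; no match is a deny."""
    ip = ipaddress.ip_address(client_ip)
    for rule in acl:
        if _matches(rule, ip):
            return rule.action == "permit", rule
    return False, None


# Rules combined from posts 4, 8 and 11 (the alias line from post 11 omitted).
VALIDUSER_ACL = [parse_rule(l) for l in """
ipv6 host fe80:: any any deny
ipv6 network fc00::/7 any any permit
ipv6 network fe80::/64 any any permit
169.254.0.0 255.255.0.0 any any deny
any network 172.16.0.0 255.255.0.0 any permit
any network 192.168.1.0 255.255.255.0 any permit
any any any deny
""".strip().splitlines()]

# (ip, mac) pairs copied from the "show user" output in post 1.
SHOW_USER_ENTRIES = [
    ("10.167.224.208", "98:4b:4a:53:d2:3a"),
    ("172.16.1.31", "44:2a:60:a3:62:e7"),
    ("172.16.1.66", "98:4b:4a:53:d2:3a"),
    ("172.16.1.124", "18:e7:f4:19:31:aa"),
    ("172.16.1.182", "00:26:ba:43:28:d0"),
]


def filter_user_table(acl, entries):
    """Split (ip, mac) entries into those the ACL admits and those it drops."""
    admitted, dropped = [], []
    for ip, mac in entries:
        (admitted if evaluate(acl, ip)[0] else dropped).append((ip, mac))
    return admitted, dropped


def duplicate_macs(entries):
    """MACs that appear more than once in the user table, as in post 1."""
    counts = {}
    for _, mac in entries:
        counts[mac] = counts.get(mac, 0) + 1
    return sorted(m for m, n in counts.items() if n > 1)


if __name__ == "__main__":
    admitted, dropped = filter_user_table(VALIDUSER_ACL, SHOW_USER_ENTRIES)
    print("duplicates before:", duplicate_macs(SHOW_USER_ENTRIES), "dropped:", dropped)
    print("duplicates after:", duplicate_macs(admitted))
    for ip in ("169.254.10.20", "fd12:3456::1", "fe80::", "fe80::1", "2001:db8::1"):  # constructed
        ok, rule = evaluate(VALIDUSER_ACL, ip)
        print(f"{ip:>16} -> {'permit' if ok else 'deny':6} via {rule.text if rule else '(no match)'}")
```

Two things the run makes visible that the thread only states: the order of the two fe80 lines from post 11 matters (the host deny must precede the /64 permit or it never fires), and a global-unicast IPv6 client such as 2001:db8::1 matches nothing in the posted IPv6 lines, which is why post 11 says the site's own IPv6 ranges still have to be permitted.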