MVP

Re: Zebra wireless printers not getting an IP

This is my second attempt at posting, I think my post is getting deleted.

 

So after looking at the logs everything appears to be going okay. I see the user role and VLAN get passed back to the controller from ClearPass and they are correctly assigned. The client though still does not get an IP address. Then after a short period of time the client takes a default IP of 192.168.254.254 and it is at this point that the controller appears to change the client's VLAN again.

 

I also did a packet capture of the client and I noticed that the client is attempting to do a DHCP, but the DHCP process cannot complete so the client retries over and over. It would seem that either the role is not applying correctly, or maybe it is the VLAN itself.

 

Any other ideas on what I might try?

 

Btw, I will attach the user-debug log.

Guru Elite

Re: Zebra wireless printers not getting an IP

Why do you have the denyall role in here?  

pr 3 15:03:59 :522044:  <INFO> |authmgr|  MAC=ac:3f:xx:xx:xx:xx Station authenticate(start): method=802.1x, role=denyall///denyall, VLAN=46/46, Derivation=1/0, Value Pair=1, flags=0x8

*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.4 User Guide
InstantOS 8.3 User Guide
Airheads Knowledgebase
Airheads Learning Videos
Aruba Central Documentation
Sign up for Security Alerts
Aruba Technical Webinars
MVP

Re: Zebra wireless printers not getting an IP

The denyall role is the "initial role" that the clients fall into when they hit our WPA2-ENT SSID. I actually just tried changing it to a less restrictive role and unfortunately it didn't have any impact.

 

Should the "initial role" on this type of SSID be set to something less restrictive?

Guru Elite

Re: Zebra wireless printers not getting an IP

I don't know if that has an effect on it. What are the ACLs connected to the printer role? Does the printer role have a VLAN hardcoded in it?

 


MVP

Re: Zebra wireless printers not getting an IP

Initially had the role fairly tight, but for the testing I have since opened it up with an "any any" as I wanted to make sure that the role wasn't causing issues. I had also tried passing back a different role that I know is working for other clients and it is still unable to get an IP address.

 

The printer role does not have a hardcoded VLAN, no. I was thinking of setting it. It appears that from the user-debug, the controller will first apply the user role followed by the VLAN. I wasn't sure if this would impact the client's ability to get an IP though.

Guru Elite

Re: Zebra wireless printers not getting an IP

You should have the initial role as authenticated or something with allowall, just to cover all bases.

 

You haven't connected it via 802.1x to any other infrastructure, have you?  You can try enabling FDB Update on Association in the Virtual AP, just in case this is a silent client.  Can you get any assistance from the Zebra people?


MVP

Re: Zebra wireless printers not getting an IP

I can certainly set the initial role to authenticated with an allowall! I will make that change asap.

 

I have not, no. This is a mobile wireless printer, specifically the Zebra QLn420. It fully supports 802.1x as well, which is why I am scratching my head a little. I will look up the FDB Update on Association setting, I have never heard of this before.

 

I am hoping I can get some help from them as I doubt whoever we dealt with to buy the printers will be of any help. I will call tomorrow and see if they can lend a hand.

MVP

Re: Zebra wireless printers not getting an IP

So I tried changing the initial role to authenticated and I also put a check beside FDB Update on Assoc in the VAP for the dot1x SSID. Unfortunately neither of these changes had any impact.

 

I will have to wait and see what Zebra has to say.

MVP

Re: Zebra wireless printers not getting an IP

Update on this case. Support from Zebra managed to help out.

Click here for Zebra KB

Zebra Mobile Model: QLn420

 

Our SSID is set up as a WPA2-Enterprise with ClearPass sending back user role and VLAN to controller.

 

Zebra printer is set up as WPA-PEAP/WPA-PEAP2 (as it shows in the printer config) and it is set not to validate certificate. Client was able to successfully authenticate and established a connection to the wireless, but would not get an IP address from DHCP, nor could you communicate with the device if it had a static IP.

 

We disabled the Protect Management Frames setting on the printer and rebooted. After rebooting it was able to get an IP address.

 

I checked on the controller and there is an option to turn on MFP - "Enable Management Frame Protection".

 

Are there any side effects that could come from enabling this setting? I also noticed that there is an option to have MFP as a requirement, I would assume this could have a significant impact in the event that you have a device that does not support MFP?

Guru Elite

Re: Zebra wireless printers not getting an IP

Thank you for chasing that down. Many users will find it valuable.
You are correct. MFP is not supported by many clients and should be left off in a mixed client environment.

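Added example, not part of the original thread: the MFP "enabled" versus "required" question above comes down to two bits (MFPC and MFPR) in the RSN Capabilities field that the AP and the client each advertise, and this sketch decodes them from an RSN element and reports how each combination negotiates. The sample RSN elements are constructed, the function names are illustrative, and it models only the negotiation defined by 802.11, not the post-association DHCP failure reported for the printer.

```python
import struct

MFPR = 0x0040  # RSN Capabilities bit 6: Management Frame Protection Required
MFPC = 0x0080  # RSN Capabilities bit 7: Management Frame Protection Capable

def rsn_capabilities(rsne: bytes) -> int:
    """Return the 16-bit RSN Capabilities field of an RSN element (ID 48)."""
    if len(rsne) < 8 or rsne[0] != 48 or rsne[1] != len(rsne) - 2:
        raise ValueError("not a well-formed RSN element")
    body, pos = rsne[2:], 6          # skip version (2) + group cipher suite (4)
    for _ in range(2):               # pairwise suite list, then AKM suite list
        if pos + 2 > len(body):
            raise ValueError("truncated suite list")
        (count,) = struct.unpack_from("<H", body, pos)
        pos += 2 + 4 * count
        if pos > len(body):
            raise ValueError("truncated suite list")
    if pos + 2 > len(body):
        return 0                     # field absent: all capability bits are 0
    return struct.unpack_from("<H", body, pos)[0]

def pmf_outcome(ap: int, sta: int) -> str:
    """Negotiation result for AP and client RSN Capabilities values."""
    ap_c, ap_r = bool(ap & MFPC), bool(ap & MFPR)
    sta_c, sta_r = bool(sta & MFPC), bool(sta & MFPR)
    if (ap_r and not ap_c) or (sta_r and not sta_c):
        return "invalid: MFPR set without MFPC"
    if ap_r and not sta_c:
        return "rejected: AP requires MFP, client is not capable"
    if sta_r and not ap_c:
        return "rejected: client requires MFP, AP is not capable"
    return "associated with MFP" if ap_c and sta_c else "associated without MFP"

def sample_rsne(caps: int) -> bytes:
    """Constructed WPA2-Enterprise RSN element: CCMP group/pairwise, 802.1X AKM."""
    body = bytes.fromhex("0100" "000fac04" "0100000fac04" "0100000fac01")
    body += struct.pack("<H", caps)
    return bytes([48, len(body)]) + body

if __name__ == "__main__":
    aps = {"MFP off": 0x0000, "MFP enabled": MFPC, "MFP required": MFPC | MFPR}
    clients = {"no MFP support": 0x0000, "MFP capable": MFPC}
    for ap_name, ap_caps in aps.items():
        for sta_name, sta_caps in clients.items():
            ap = rsn_capabilities(sample_rsne(ap_caps))
            sta = rsn_capabilities(sample_rsne(sta_caps))
            print(f"AP {ap_name:12} / client {sta_name:14} -> {pmf_outcome(ap, sta)}")
```

In a packet capture, the same two bits can be compared between the AP's beacon and the client's association request to confirm what each side advertised.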