Wireless Access

Occasional Contributor II

client not able to connect and obtain an IP address

hello experts, 

 

Please help me with troubleshooting a wireless client that is not able to connect to the SSID "SCCorp". I am attaching the client debug and the configuration of the SSID as well; the SSID has MAC filtering plus bandwidth contracts of 2 Mbps.

 

I am also seeing this error message: ":bd:ad:7f:e1 (vlan:702) Detecting Wireless-user AAA-Profile mismatch"

 

(UAM-COCL1-MB00MDF-WC01) #show local-userdb


User Summary
------------
Name Password Role E-Mail Enabled Expiry Status Sponsor-Name Remote-IP Grantor-Name
---- -------- ---- ------ ------- ------ ------ ------------ --------- ------------

28:B2:BD:AD:7F:E1 ******** SCCorp-user-role Yes Active 0.0.0.0 admin

 

The MAC address of the client is 28:B2:BD:AD:7F:E1.

 

Occasional Contributor II

Re: client not able to connect and obtain an IP address

My topology looks like below:

 

AP <<<<<< controller <<<<< core switch (which has the SVI for the SSID VLAN, and where the IP helpers are defined) <<<<<< WAN <<<<< MPLS <<<<< remote DHCP server.

MVP

Re: client not able to connect and obtain an IP address

Hi,

What is your initial role in the AAA profile, and what policy and rules are used by that role?
Kind Regards Marcel Koedijk
HPE ASE Flexnetwork | ACMP | ACCP | Ekahau ECSE Design - Was this post useful? Kudos are welcome.
Occasional Contributor II

Re: client not able to connect and obtain an IP address

There you go, some outputs that you might be interested in.

The client only gets seen in "show station-table", and only in the login role; it is not seen in the "show user-table" output.

 

(UAM-COCL1-MB00MDF-WC01) #show aaa profile aaa-pf-SCCorp

AAA Profile "aaa-pf-SCCorp"
---------------------------
Parameter Value
--------- -----
Initial role SCCorp-logon-role
MAC Authentication Profile mac-auth-pf-SCCorp
MAC Authentication Default Role SCCorp-user-role
MAC Authentication Server Group sg-SCCorp
802.1X Authentication Profile dot1x-auth-pf-SCCorp
802.1X Authentication Default Role guest
802.1X Authentication Server Group N/A
Download Role from CPPM Disabled
Set username from dhcp option 12 Disabled
L2 Authentication Fail Through Disabled
Multiple Server Accounting Disabled
User idle timeout N/A
Max IPv4 for wireless user 2
RADIUS Accounting Server Group N/A
RADIUS Roaming Accounting Disabled
RADIUS Interim Accounting Disabled
XML API server N/A
RFC 3576 server N/A
User derivation rules N/A
Wired to Wireless Roaming Enabled
SIP authentication role N/A
Device Type Classification Enabled
Enforce DHCP Enabled
PAN Firewall Integration Disabled
Open SSID radius accounting Disabled

 

 

(UAM-COCL1-MB00MDF-WC01) #show rights SCCorp-logon-role

Valid = 'Yes'
CleanedUp = 'No'
Derived Role = 'SCCorp-logon-role'
Up BW:No Limit Down BW:No Limit
L2TP Pool = default-l2tp-pool
PPTP Pool = default-pptp-pool
Number of users referencing it = 0
Periodic reauthentication: Disabled
DPI Classification: Enabled
Youtube education: Disabled
Web Content Classification: Enabled
IP-Classification Enforcement: Enabled
ACL Number = 102/0
Openflow: Disabled
Max Sessions = 65535

Check CP Profile for Accounting = TRUE

Application Exception List
--------------------------
Name Type
---- ----

Application BW-Contract List
----------------------------
Name Type BW Contract Id Direction
---- ---- ----------- -- ---------

access-list List
----------------
Position Name Type Location
-------- ---- ---- --------
1 global-sacl session
2 apprf-SCCorp-logon-role-sacl session
3 denyall session

global-sacl
-----------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6 Contract
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------ --------
apprf-SCCorp-logon-role-sacl
----------------------------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6 Contract
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------ --------
denyall
-------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6 Contract
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------ --------
1 any any any deny Low 4
2 any any any-v6 deny Low 6

Expired Policies (due to time constraints) = 0

(UAM-COCL1-MB00MDF-WC01) #

 

 

(UAM-COCL1-MB00MDF-WC01) #show rights SCCorp-user-role

Valid = 'Yes'
CleanedUp = 'No'
Derived Role = 'SCCorp-user-role'
Up BW contract = SCCorp-bw-ctr (2000000 bits/sec) Down BW contract = SCCorp-bw-ctr (2000000 bits/sec)
L2TP Pool = default-l2tp-pool
PPTP Pool = default-pptp-pool
Number of users referencing it = 0
Periodic reauthentication: Disabled
DPI Classification: Enabled
Youtube education: Disabled
Web Content Classification: Enabled
IP-Classification Enforcement: Enabled
ACL Number = 104/0
Openflow: Disabled
Max Sessions = 65535

Check CP Profile for Accounting = TRUE

Application Exception List
--------------------------
Name Type
---- ----

Application BW-Contract List
----------------------------
Name Type BW Contract Id Direction
---- ---- ----------- -- ---------

access-list List
----------------
Position Name Type Location
-------- ---- ---- --------
1 global-sacl session
2 apprf-SCCorp-user-role-sacl session
3 logon-control session
4 allowall session

global-sacl
-----------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6 Contract
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------ --------
apprf-SCCorp-user-role-sacl
---------------------------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6 Contract
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------ --------
logon-control
-------------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6 Contract
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------ --------
1 user any udp 68 deny Low 4
2 any any svc-icmp permit Low 4
3 any any svc-dns permit Low 4
4 any any svc-dhcp permit Low 4
5 any any svc-natt permit Low 4
6 any 169.254.0.0 255.255.0.0 any deny Low 4
7 any 240.0.0.0 240.0.0.0 any deny Low 4
allowall
--------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6 Contract
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------ --------
1 any any any permit Low 4
2 any any any-v6 permit Low 6

Expired Policies (due to time constraints) = 0

(UAM-COCL1-MB00MDF-WC01) #

MVP

Re: client not able to connect and obtain an IP address

Your initial role SCCorp-logon-role has a deny policy in it that blocks all traffic at position 3.

access-list List
----------------
Position Name Type Location
-------- ---- ---- --------
1 global-sacl session
2 apprf-SCCorp-logon-role-sacl session
3 denyall session
Kind Regards Marcel Koedijk
HPE ASE Flexnetwork | ACMP | ACCP | Ekahau ECSE Design - Was this post useful? Kudos are welcome.
Occasional Contributor II

Re: client not able to connect and obtain an IP address

Thanks for enlightening me on this one; I edited the logon rule now.

I hope it will work now, correct?

 

(UAM-COCL1-MB00MDF-WC01) (config) #show rights SCCorp-logon-role

Valid = 'Yes'
CleanedUp = 'No'
Derived Role = 'SCCorp-logon-role'
Up BW:No Limit Down BW:No Limit
L2TP Pool = default-l2tp-pool
PPTP Pool = default-pptp-pool
Number of users referencing it = 0
Periodic reauthentication: Disabled
DPI Classification: Enabled
Youtube education: Disabled
Web Content Classification: Enabled
IP-Classification Enforcement: Enabled
ACL Number = 102/0
Openflow: Disabled
Max Sessions = 65535

Check CP Profile for Accounting = TRUE

Application Exception List
--------------------------
Name Type
---- ----

Application BW-Contract List
----------------------------
Name Type BW Contract Id Direction
---- ---- ----------- -- ---------

access-list List
----------------
Position Name Type Location
-------- ---- ---- --------
1 global-sacl session
2 apprf-SCCorp-logon-role-sacl session
3 allowall session

global-sacl
-----------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6 Contract
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------ --------
apprf-SCCorp-logon-role-sacl
----------------------------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6 Contract
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------ --------
allowall
--------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6 Contract
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------ --------
1 any any any permit Low 4
2 any any any-v6 permit Low 6

Expired Policies (due to time constraints) = 0

MVP

Re: client not able to connect and obtain an IP address

Seems fine, good for testing. But a reminder: you want to bring in some extra ACLs, for example to block controller access for guests, or to not allow guests to run a DHCP server on their client. By default, use the "logon" role if no enhancements are needed.
Kind Regards Marcel Koedijk
HPE ASE Flexnetwork | ACMP | ACCP | Ekahau ECSE Design - Was this post useful? Kudos are welcome.
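To make the two points above concrete (the denyall policy at position 3 of the logon role dropping the client's DHCP traffic, and the value of a logon-control style policy that stops a client from acting as a DHCP server), here is an added Python model of how a role's ordered session ACLs decide a packet. It is not from this thread or from Aruba; service definitions, packet fields and the treatment of the "user" alias as the client's own address are simplifying assumptions.

```python
import ipaddress
# Service names from the thread's policies -> (protocol, set of dst ports or None for any port)
SERVICES = {
    "any": None,                     # matches every packet
    "udp 68": ("udp", {68}),         # DHCP client port: only a DHCP *server* sends here
    "svc-icmp": ("icmp", None),
    "svc-dns": ("udp", {53}),
    "svc-dhcp": ("udp", {67, 68}),
    "svc-natt": ("udp", {4500}),
}
# A rule is (source, destination, service, action); "user" is the client's own address.
DENYALL = [("any", "any", "any", "deny")]
ALLOWALL = [("any", "any", "any", "permit")]
LOGON_CONTROL = [
    ("user", "any", "udp 68", "deny"),            # client must not answer DHCP requests
    ("any", "any", "svc-icmp", "permit"),
    ("any", "any", "svc-dns", "permit"),
    ("any", "any", "svc-dhcp", "permit"),
    ("any", "any", "svc-natt", "permit"),
    ("any", "169.254.0.0/16", "any", "deny"),
    ("any", "240.0.0.0/4", "any", "deny"),        # mask 240.0.0.0 in the thread = /4
]
# Access-list lists per role, in position order (the empty global/apprf policies are omitted)
LOGON_ROLE_BEFORE = [("denyall", DENYALL)]
LOGON_ROLE_AFTER = [("allowall", ALLOWALL)]
USER_ROLE = [("logon-control", LOGON_CONTROL), ("allowall", ALLOWALL)]
def rule_matches(rule, pkt):
    src, dst, svc, _action = rule
    if src == "user" and pkt["src"] != pkt["user"]:
        return False
    if dst != "any" and ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network(dst):
        return False
    spec = SERVICES[svc]
    if spec is not None:
        proto, ports = spec
        if pkt["proto"] != proto or (ports is not None and pkt["dport"] not in ports):
            return False
    return True
def evaluate(role, pkt):
    """Walk the role's policies in position order; the first matching rule decides,
    and a packet that matches nothing is dropped (implicit deny)."""
    for policy_name, rules in role:
        for rule in rules:
            if rule_matches(rule, pkt):
                return rule[3], policy_name
    return "deny", "implicit-deny"

# Constructed packets: the scanner's DHCP DISCOVER, and a DHCP OFFER sent *by* the scanner
DISCOVER = {"user": "0.0.0.0", "src": "0.0.0.0", "dst": "255.255.255.255", "proto": "udp", "dport": 67}
ROGUE_OFFER = {"user": "10.0.0.50", "src": "10.0.0.50", "dst": "255.255.255.255", "proto": "udp", "dport": 68}
if __name__ == "__main__":
    for label, role in (("logon before", LOGON_ROLE_BEFORE), ("logon after", LOGON_ROLE_AFTER), ("user", USER_ROLE)):
        print(f"{label}: DISCOVER {evaluate(role, DISCOVER)}, client-sent OFFER {evaluate(role, ROGUE_OFFER)}")
```

Note that rule order inside logon-control matters: the broadcast DISCOVER falls inside 240.0.0.0/4, but the svc-dhcp permit at position 4 is reached before the deny at position 7, while a plain allowall role lets a client-sent OFFER through.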
Occasional Contributor II

Re: client not able to connect and obtain an IP address

Well, this SSID is just for connecting handheld scanners, which will use a simple pre-shared key to connect to this SSID.

 

We are MAC filtering for this, so that no other machines can connect.

I will test the SSID and will let you know how it goes.
