Wireless Access

Uni_SKF_BT_123 · ‎06-12-2019

hello experts,

please help me with the troubleshooting of the wireless client which is not able to connect to the ssid "SCCorp", i am attaching the client debug and configuration of the ssid as well, the ssid has mac filtering + bandwidth contracts of 2 mbps.

i am aslo seeing this error message ":bd:ad:7f:e1 (vlan:702) Detecting Wireless-user AAA-Profile mismatch

(UAM-COCL1-MB00MDF-WC01) #show local-userdb

User Summary
------------
Name Password Role E-Mail Enabled Expiry Status Sponsor-Name Remote-IP Grantor-Name
---- -------- ---- ------ ------- ------ ------ ------------ --------- ------------

28:B2:BD:AD:7F:E1 ******** SCCorp-user-role Yes Active 0.0.0.0 admin

the mac address of the client is 28:B2:BD:AD:7F:E1

Uni_SKF_BT_123 · ‎06-12-2019

my topology looks like below

ap <<<<<< controller <<<<< core switch (which has the svi for ssid vlan and ip helpers are defined) <<<<<< WAN <<<<< mpls <<<<< remote dhcp server.

mkk · ‎06-12-2019

Hi,

Whats is your initial role in the aaa profile and what policy and rules is used by that role?

Kind Regards Marcel Koedijk
HPE ASE Flexnetwork | ACMP | ACCP | Ekahau ECSE Design - Was this post usefull, Kudos are welcome.

Uni_SKF_BT_123 · ‎06-12-2019

there you go , some outputs that you might be interested in.

the client only gets seen in "show station-table" and in the login role only, it is not seen in the "show user-table " output

(UAM-COCL1-MB00MDF-WC01) #show aaa profile aaa-pf-SCCorp

AAA Profile "aaa-pf-SCCorp"
---------------------------
Parameter Value
--------- -----
Initial role SCCorp-logon-role
MAC Authentication Profile mac-auth-pf-SCCorp
MAC Authentication Default Role SCCorp-user-role
MAC Authentication Server Group sg-SCCorp
802.1X Authentication Profile dot1x-auth-pf-SCCorp
802.1X Authentication Default Role guest
802.1X Authentication Server Group N/A
Download Role from CPPM Disabled
Set username from dhcp option 12 Disabled
L2 Authentication Fail Through Disabled
Multiple Server Accounting Disabled
User idle timeout N/A
Max IPv4 for wireless user 2
RADIUS Accounting Server Group N/A
RADIUS Roaming Accounting Disabled
RADIUS Interim Accounting Disabled
XML API server N/A
RFC 3576 server N/A
User derivation rules N/A
Wired to Wireless Roaming Enabled
SIP authentication role N/A
Device Type Classification Enabled
Enforce DHCP Enabled
PAN Firewall Integration Disabled
Open SSID radius accounting Disabled

(UAM-COCL1-MB00MDF-WC01) #show rights SCCorp-logon-role

Valid = 'Yes'
CleanedUp = 'No'
Derived Role = 'SCCorp-logon-role'
Up BW:No Limit Down BW:No Limit
L2TP Pool = default-l2tp-pool
PPTP Pool = default-pptp-pool
Number of users referencing it = 0
Periodic reauthentication: Disabled
DPI Classification: Enabled
Youtube education: Disabled
Web Content Classification: Enabled
IP-Classification Enforcement: Enabled
ACL Number = 102/0
Openflow: Disabled
Max Sessions = 65535

Check CP Profile for Accounting = TRUE

Application Exception List
--------------------------
Name Type
---- ----

Application BW-Contract List
----------------------------
Name Type BW Contract Id Direction
---- ---- ----------- -- ---------

access-list List
----------------
Position Name Type Location
-------- ---- ---- --------
1 global-sacl session
2 apprf-SCCorp-logon-role-sacl session
3 denyall session

global-sacl
-----------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6 Contract
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------ --------
apprf-SCCorp-logon-role-sacl
----------------------------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6 Contract
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------ --------
denyall
-------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6 Contract
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------ --------
1 any any any deny Low 4
2 any any any-v6 deny Low 6

Expired Policies (due to time constraints) = 0

(UAM-COCL1-MB00MDF-WC01) #

(UAM-COCL1-MB00MDF-WC01) #show rights SCCorp-user-role

Valid = 'Yes'
CleanedUp = 'No'
Derived Role = 'SCCorp-user-role'
Up BW contract = SCCorp-bw-ctr (2000000 bits/sec) Down BW contract = SCCorp-bw-ctr (2000000 bits/sec)
L2TP Pool = default-l2tp-pool
PPTP Pool = default-pptp-pool
Number of users referencing it = 0
Periodic reauthentication: Disabled
DPI Classification: Enabled
Youtube education: Disabled
Web Content Classification: Enabled
IP-Classification Enforcement: Enabled
ACL Number = 104/0
Openflow: Disabled
Max Sessions = 65535

Check CP Profile for Accounting = TRUE

Application Exception List
--------------------------
Name Type
---- ----

Application BW-Contract List
----------------------------
Name Type BW Contract Id Direction
---- ---- ----------- -- ---------

access-list List
----------------
Position Name Type Location
-------- ---- ---- --------
1 global-sacl session
2 apprf-SCCorp-user-role-sacl session
3 logon-control session
4 allowall session

global-sacl
-----------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6 Contract
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------ --------
apprf-SCCorp-user-role-sacl
---------------------------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6 Contract
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------ --------
logon-control
-------------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6 Contract
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------ --------
1 user any udp 68 deny Low 4
2 any any svc-icmp permit Low 4
3 any any svc-dns permit Low 4
4 any any svc-dhcp permit Low 4
5 any any svc-natt permit Low 4
6 any 169.254.0.0 255.255.0.0 any deny Low 4
7 any 240.0.0.0 240.0.0.0 any deny Low 4
allowall
--------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6 Contract
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------ --------
1 any any any permit Low 4
2 any any any-v6 permit Low 6

Expired Policies (due to time constraints) = 0

(UAM-COCL1-MB00MDF-WC01) #

mkk · ‎06-12-2019

Your initial role SCCorp-logon-role got a deny policy in it that block any traffic on rule 3.

access-list List
----------------
Position Name Type Location
-------- ---- ---- --------
1 global-sacl session
2 apprf-SCCorp-logon-role-sacl session
3 denyall session

Kind Regards Marcel Koedijk
HPE ASE Flexnetwork | ACMP | ACCP | Ekahau ECSE Design - Was this post usefull, Kudos are welcome.

Uni_SKF_BT_123 · ‎06-12-2019

thanks for enlightening me on this one, i edited the logon rule now .

i hope it will work now , correct ?

(UAM-COCL1-MB00MDF-WC01) (config) #show rights SCCorp-logon-role

Valid = 'Yes'
CleanedUp = 'No'
Derived Role = 'SCCorp-logon-role'
Up BW:No Limit Down BW:No Limit
L2TP Pool = default-l2tp-pool
PPTP Pool = default-pptp-pool
Number of users referencing it = 0
Periodic reauthentication: Disabled
DPI Classification: Enabled
Youtube education: Disabled
Web Content Classification: Enabled
IP-Classification Enforcement: Enabled
ACL Number = 102/0
Openflow: Disabled
Max Sessions = 65535

Check CP Profile for Accounting = TRUE

Application Exception List
--------------------------
Name Type
---- ----

Application BW-Contract List
----------------------------
Name Type BW Contract Id Direction
---- ---- ----------- -- ---------

access-list List
----------------
Position Name Type Location
-------- ---- ---- --------
1 global-sacl session
2 apprf-SCCorp-logon-role-sacl session
3 allowall session

global-sacl
-----------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6 Contract
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------ --------
apprf-SCCorp-logon-role-sacl
----------------------------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6 Contract
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------ --------
allowall
--------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6 Contract
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------ --------
1 any any any permit Low 4
2 any any any-v6 permit Low 6

Expired Policies (due to time constraints) = 0

mkk · ‎06-12-2019

Seems fine, good for testing. But reminder you want bring some extra acl’s for example block controller access for guests. or not allow guest to run a dhcp server on their client. Default use the “logon” role if no enhancements are needed.

Kind Regards Marcel Koedijk
HPE ASE Flexnetwork | ACMP | ACCP | Ekahau ECSE Design - Was this post usefull, Kudos are welcome.

Uni_SKF_BT_123 · ‎06-12-2019

well this ssid is just for connecting handheld scanners , who will use a simple pre-shared key to connect to this ssid.

we are mac filtering for this , so that no other machines could connect.

i will test the ssid and will let you know how it goes.

Wireless Access

client not able to connect and obtain an IP address

Re: client not able to connect and obtain an IP address

Re: client not able to connect and obtain an IP address

Re: client not able to connect and obtain an IP address

Re: client not able to connect and obtain an IP address

Re: client not able to connect and obtain an IP address

Re: client not able to connect and obtain an IP address

Re: client not able to connect and obtain an IP address

How to mount USB storage on 650 controller

iPad 2 Issues

Guest wireless Network Questions need help ASAP plz.

Mobility controller (not responding)

Layer 2 Mobility or Layer 3?

Aruba Deployment with Firewalls

COTD: Boot options for controllers

COTD: SNMP events

Admin Password Flaw with 3.1.0.7 upgrade

Upgrade problems...

Making DHCP mandatory on Aruba WLAN

AirWave SSH "on_controllers" command

Deploying Aruba APs over high latency links

Customizing Amigopod skin

Duplicate a Aruba controller group in AirWave

Aruba Instant 6.4.2.6-4.1.1.11 Released 11/27/2015

Aruba Instant 6.4.2.6-4.1.1.10 Released 9/28/15

Re: ArubaOS Downloads

Aruba Mobility Controllers

Remote AP Networks

Indoor 802.11n Site Survey and Planning

AOS 6.4.1 HTML Technical Document

Lync Over Aruba WiFi

Wireless Access

client not able to connect and obtain an IP address

Re: client not able to connect and obtain an IP address

Re: client not able to connect and obtain an IP address

Re: client not able to connect and obtain an IP address

Re: client not able to connect and obtain an IP address

Re: client not able to connect and obtain an IP address

Re: client not able to connect and obtain an IP address

Re: client not able to connect and obtain an IP address

Follow Us