client not able to connect and obtain an IP address
06-12-2019 12:07 AM
Hello experts,
Please help me with the troubleshooting of the wireless client which is not able to connect to the SSID "SCCorp". I am attaching the client debug and the configuration of the SSID as well. The SSID has MAC filtering + bandwidth contracts of 2 Mbps.
I am also seeing this error message: ":bd:ad:7f:e1 (vlan:702) Detecting Wireless-user AAA-Profile mismatch"
(UAM-COCL1-MB00MDF-WC01) #show local-userdb
User Summary
------------
Name Password Role E-Mail Enabled Expiry Status Sponsor-Name Remote-IP Grantor-Name
---- -------- ---- ------ ------- ------ ------ ------------ --------- ------------
28:B2:BD:AD:7F:E1 ******** SCCorp-user-role Yes Active 0.0.0.0 admin
The MAC address of the client is 28:B2:BD:AD:7F:E1.
Re: client not able to connect and obtain an IP address
06-12-2019 12:09 AM
My topology looks like below:
AP <<<<<< controller <<<<< core switch (which has the SVI for the SSID VLAN, and IP helpers are defined) <<<<<< WAN <<<<< MPLS <<<<< remote DHCP server.
Re: client not able to connect and obtain an IP address
06-12-2019 12:28 AM
What is your initial role in the AAA profile, and what policy and rules are used by that role?
HPE ASE Flexnetwork | ACMP | ACCP | Ekahau ECSE Design - Was this post useful? Kudos are welcome.
Re: client not able to connect and obtain an IP address
06-12-2019 12:37 AM
There you go, some outputs that you might be interested in.
The client only gets seen in "show station-table", and in the logon role only; it is not seen in the "show user-table" output.
(UAM-COCL1-MB00MDF-WC01) #show aaa profile aaa-pf-SCCorp
AAA Profile "aaa-pf-SCCorp"
---------------------------
Parameter Value
--------- -----
Initial role SCCorp-logon-role
MAC Authentication Profile mac-auth-pf-SCCorp
MAC Authentication Default Role SCCorp-user-role
MAC Authentication Server Group sg-SCCorp
802.1X Authentication Profile dot1x-auth-pf-SCCorp
802.1X Authentication Default Role guest
802.1X Authentication Server Group N/A
Download Role from CPPM Disabled
Set username from dhcp option 12 Disabled
L2 Authentication Fail Through Disabled
Multiple Server Accounting Disabled
User idle timeout N/A
Max IPv4 for wireless user 2
RADIUS Accounting Server Group N/A
RADIUS Roaming Accounting Disabled
RADIUS Interim Accounting Disabled
XML API server N/A
RFC 3576 server N/A
User derivation rules N/A
Wired to Wireless Roaming Enabled
SIP authentication role N/A
Device Type Classification Enabled
Enforce DHCP Enabled
PAN Firewall Integration Disabled
Open SSID radius accounting Disabled
(UAM-COCL1-MB00MDF-WC01) #show rights SCCorp-logon-role
Valid = 'Yes'
CleanedUp = 'No'
Derived Role = 'SCCorp-logon-role'
Up BW:No Limit Down BW:No Limit
L2TP Pool = default-l2tp-pool
PPTP Pool = default-pptp-pool
Number of users referencing it = 0
Periodic reauthentication: Disabled
DPI Classification: Enabled
Youtube education: Disabled
Web Content Classification: Enabled
IP-Classification Enforcement: Enabled
ACL Number = 102/0
Openflow: Disabled
Max Sessions = 65535
Check CP Profile for Accounting = TRUE
Application Exception List
--------------------------
Name Type
---- ----
Application BW-Contract List
----------------------------
Name Type BW Contract Id Direction
---- ---- ----------- -- ---------
access-list List
----------------
Position Name Type Location
-------- ---- ---- --------
1 global-sacl session
2 apprf-SCCorp-logon-role-sacl session
3 denyall session
global-sacl
-----------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6 Contract
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------ --------
apprf-SCCorp-logon-role-sacl
----------------------------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6 Contract
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------ --------
denyall
-------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6 Contract
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------ --------
1 any any any deny Low 4
2 any any any-v6 deny Low 6
Expired Policies (due to time constraints) = 0
(UAM-COCL1-MB00MDF-WC01) #
(UAM-COCL1-MB00MDF-WC01) #show rights SCCorp-user-role
Valid = 'Yes'
CleanedUp = 'No'
Derived Role = 'SCCorp-user-role'
Up BW contract = SCCorp-bw-ctr (2000000 bits/sec) Down BW contract = SCCorp-bw-ctr (2000000 bits/sec)
L2TP Pool = default-l2tp-pool
PPTP Pool = default-pptp-pool
Number of users referencing it = 0
Periodic reauthentication: Disabled
DPI Classification: Enabled
Youtube education: Disabled
Web Content Classification: Enabled
IP-Classification Enforcement: Enabled
ACL Number = 104/0
Openflow: Disabled
Max Sessions = 65535
Check CP Profile for Accounting = TRUE
Application Exception List
--------------------------
Name Type
---- ----
Application BW-Contract List
----------------------------
Name Type BW Contract Id Direction
---- ---- ----------- -- ---------
access-list List
----------------
Position Name Type Location
-------- ---- ---- --------
1 global-sacl session
2 apprf-SCCorp-user-role-sacl session
3 logon-control session
4 allowall session
global-sacl
-----------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6 Contract
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------ --------
apprf-SCCorp-user-role-sacl
---------------------------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6 Contract
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------ --------
logon-control
-------------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6 Contract
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------ --------
1 user any udp 68 deny Low 4
2 any any svc-icmp permit Low 4
3 any any svc-dns permit Low 4
4 any any svc-dhcp permit Low 4
5 any any svc-natt permit Low 4
6 any 169.254.0.0 255.255.0.0 any deny Low 4
7 any 240.0.0.0 240.0.0.0 any deny Low 4
allowall
--------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6 Contract
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------ --------
1 any any any permit Low 4
2 any any any-v6 permit Low 6
Expired Policies (due to time constraints) = 0
(UAM-COCL1-MB00MDF-WC01) #
Re: client not able to connect and obtain an IP address
06-12-2019 12:57 AM
access-list List
----------------
Position Name Type Location
-------- ---- ---- --------
1 global-sacl session
2 apprf-SCCorp-logon-role-sacl session
3 denyall session
HPE ASE Flexnetwork | ACMP | ACCP | Ekahau ECSE Design - Was this post useful? Kudos are welcome.
Re: client not able to connect and obtain an IP address
06-12-2019 01:55 AM
Thanks for enlightening me on this one, I edited the logon rule now.
I hope it will work now, correct?
(UAM-COCL1-MB00MDF-WC01) (config) #show rights SCCorp-logon-role
Valid = 'Yes'
CleanedUp = 'No'
Derived Role = 'SCCorp-logon-role'
Up BW:No Limit Down BW:No Limit
L2TP Pool = default-l2tp-pool
PPTP Pool = default-pptp-pool
Number of users referencing it = 0
Periodic reauthentication: Disabled
DPI Classification: Enabled
Youtube education: Disabled
Web Content Classification: Enabled
IP-Classification Enforcement: Enabled
ACL Number = 102/0
Openflow: Disabled
Max Sessions = 65535
Check CP Profile for Accounting = TRUE
Application Exception List
--------------------------
Name Type
---- ----
Application BW-Contract List
----------------------------
Name Type BW Contract Id Direction
---- ---- ----------- -- ---------
access-list List
----------------
Position Name Type Location
-------- ---- ---- --------
1 global-sacl session
2 apprf-SCCorp-logon-role-sacl session
3 allowall session
global-sacl
-----------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6 Contract
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------ --------
apprf-SCCorp-logon-role-sacl
----------------------------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6 Contract
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------ --------
allowall
--------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6 Contract
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------ --------
1 any any any permit Low 4
2 any any any-v6 permit Low 6
Expired Policies (due to time constraints) = 0
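Added example, not part of any post in this thread: a Python check that replays a client DHCPDISCOVER against the flattened "show rights" tables posted above. It shows the original logon role dropping it at denyall, and the edited logon role permitting it through a permit-any-any rule in the initial role. Assumptions: svc-dhcp is udp 67-68, the first matching rule wins with an implicit deny when nothing matches, the source column is ignored, and the sample strings are trimmed constructions of the posted output.

```python
import ipaddress

# Assumption: svc-dhcp is udp 67-68 (confirm with "show netservice").
SERVICES = {"svc-dhcp": {("udp", 67), ("udp", 68)}, "udp 68": {("udp", 68)}}
# Constructed samples, trimmed from the "show rights" output in the thread.
LOGON_ORIGINAL = """3 denyall session
denyall
1 any any any deny Low 4
2 any any any-v6 deny Low 6"""
LOGON_EDITED = LOGON_ORIGINAL.replace("denyall", "allowall").replace("deny", "permit")
USER_ROLE = """3 logon-control session
4 allowall session
logon-control
1 user any udp 68 deny Low 4
4 any any svc-dhcp permit Low 4
7 any 240.0.0.0 240.0.0.0 any deny Low 4
allowall
1 any any any permit Low 4"""

def parse_rights(text):
    """Rules in evaluation order; the source column is not modelled."""
    rules, current = {}, None
    for t in map(str.split, text.splitlines()):
        if len(t) == 3 and t[2] == "session":    # row of "access-list List"
            rules[t[1]] = []
        elif len(t) == 1 and t[0] in rules:      # heading of one ACL table
            current = t[0]
        elif current and t and t[0].isdigit():   # rule row
            a = next(i for i, x in enumerate(t) if x in ("permit", "deny"))
            d = 4 if "." in t[2] else 3          # destination: "any" or "net mask"
            rules[current].append({"acl": current, "dst": "/".join(t[2:d]),
                                   "svc": " ".join(t[d:a]), "action": t[a], "ipv": t[-1]})
    return [r for acl_rules in rules.values() for r in acl_rules]

def first_match(rules, proto, dport, dst_ip):
    """First IPv4 rule that matches a packet sent by the client, or None."""
    for r in rules:
        dst_ok = r["dst"] == "any" or ipaddress.ip_address(dst_ip) in ipaddress.ip_network(r["dst"])
        svc_ok = r["svc"] == "any" or (proto, dport) in SERVICES.get(r["svc"], ())
        if r["ipv"] == "4" and dst_ok and svc_ok:
            return r
    return None

def audit_role(text):
    """DHCPDISCOVER verdict (no match: assumed implicit deny) and ACLs with permit any any."""
    rules = parse_rights(text)
    hit = first_match(rules, "udp", 67, "255.255.255.255") or {"action": "deny", "acl": None}
    wide = [r["acl"] for r in rules if (r["dst"], r["svc"], r["action"]) == ("any", "any", "permit")]
    return hit["action"], hit["acl"], wide
```

Calling audit_role on each sample returns the verdict for the DHCPDISCOVER, the ACL that decided it, and the ACLs that contain a permit-any-any rule. A logon role that only needs to let the client obtain an address would show "permit" with an empty third element.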
Re: client not able to connect and obtain an IP address
06-12-2019 04:38 AM
HPE ASE Flexnetwork | ACMP | ACCP | Ekahau ECSE Design - Was this post useful? Kudos are welcome.
Re: client not able to connect and obtain an IP address
06-12-2019 05:14 AM
Well, this SSID is just for connecting handheld scanners, which will use a simple pre-shared key to connect to this SSID.
We are MAC filtering for this, so that no other machines could connect.
I will test the SSID and will let you know how it goes.