Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

no DHCP for wireless devices - ClearPass placing devices in incorrect vlan

  • 1.  no DHCP for wireless devices - ClearPass placing devices in incorrect vlan

    Posted Aug 19, 2015 11:07 AM

    Hey all!
    Since you were so quick to help with my last question, I figured I'd ask another one.
    To re-cap:

    Big background up front: I had a lab with an HP switch for users, a MAS 1500 for redirection (maybe) and head-end, and a 7005 controller. This is all segregated via a Cisco ASA to simulate a remote office. Our ClearPass appliance is not in this segregated lab, since it is a VM and we don't have a big enough lab/budget to have a VM in the lab. With this setup, everything seemed to be working fine, although I am almost positive that it was actually the controller handling all of the redirection rather than the MAS.

     

    Part II
    Well, since our remote sites DO have MAS switches, but DO NOT have controllers, I have moved the controller to the other side of the firewall with the VM, thus ensuring that I am both emulating a remote site, and that I am indeed doing the redirection with the MAS rather than the controller. This is now working with no 'click here to continue' stopping point, thanks to help from Tim Cappalli (thanks again).

     

    Part III
    Currently, I am seeing two problems, neither of which seems to me to be something that should have been affected by the controller move, but they are now broken. The first issue is that wireless devices are no longer getting IP addresses. The MAS switch is doing the DHCP, and it is working for wired users. The AP itself also gets an IP from the MAS, and the wireless devices, the AP, and wired devices (once authenticated as being company owned/full access devices) are all on the same VLAN. Is there a change in the controller I need to make to let wireless users get DHCP from inside the segregated area?
    The second issue is that the ClearPass appliance appears to be placing wired devices into the wrong VLAN after going through the workflow. Unfortunately I am not the one doing the actual testing, but I was told that ClearPass is sending the device to the posturing VLAN 526, but the device is getting an IP from the captive portal VLAN 426.

     

    Not sure which part of the configs I need to share, so if you ask, I will provide.

    Thanks,

    Russell
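The VLAN ClearPass "sends" a device to travels in the RADIUS Access-Accept, so the first thing to check when a client lands in 426 instead of 526 is what attributes the controller was actually given. The following is an added example, not code or output from the thread: it builds a constructed Access-Accept attribute list and decodes it the way a NAS would. Attribute numbers come from RFC 2868 and the published Aruba RADIUS dictionary (vendor 14823, Aruba-User-Role = 1, Aruba-User-Vlan = 2); which of the two encodings the poster's ClearPass enforcement profile returns is not known from the thread.

```python
"""Encode and decode the RADIUS Access-Accept attributes that move a client
into a VLAN. Added example, not from the thread; the Access-Accept bytes are
constructed here, not captured from the poster's lab.

Aruba controllers accept either the IETF tunnel triple of RFC 2868
(Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802, Tunnel-Private-Group-ID),
whose attributes may carry a one-octet tag so several triples can coexist,
or the Aruba vendor-specific attributes Aruba-User-Role / Aruba-User-Vlan."""

import struct

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81   # RFC 2868
VENDOR_SPECIFIC = 26
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802 = 13, 6
VENDOR_ARUBA = 14823                     # Aruba RADIUS dictionary
ARUBA_USER_ROLE, ARUBA_USER_VLAN = 1, 2  # VSA types in that dictionary


def avp(attr_type, value):
    """One attribute: Type (1 octet) | Length (1 octet, includes header) | Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def tagged(tag, value):
    """RFC 2868 tagged value: tag octet 0x01..0x1F, then a 3-octet int or a string."""
    if not 1 <= tag <= 0x1F:
        raise ValueError("tag must be 1..31")
    body = value.to_bytes(3, "big") if isinstance(value, int) else value.encode()
    return bytes([tag]) + body


def aruba_vsa(vsa_type, value):
    """Vendor-Specific attribute wrapping one Aruba sub-attribute."""
    return avp(VENDOR_SPECIFIC, struct.pack("!I", VENDOR_ARUBA) + avp(vsa_type, value))


def build_vlan_accept(vlan, role=None, tag=1):
    """Attributes of an Access-Accept assigning `vlan` with a tagged IETF triple,
    optionally adding an Aruba-User-Role VSA (role names as in the thread)."""
    attrs = (avp(TUNNEL_TYPE, tagged(tag, TUNNEL_TYPE_VLAN))
             + avp(TUNNEL_MEDIUM_TYPE, tagged(tag, TUNNEL_MEDIUM_IEEE_802))
             + avp(TUNNEL_PRIVATE_GROUP_ID, tagged(tag, str(vlan))))
    if role is not None:
        attrs += aruba_vsa(ARUBA_USER_ROLE, role.encode())
    return attrs


def iter_avps(buf):
    """Walk a Type/Length/Value list, rejecting truncated or zero-length items."""
    off = 0
    while off < len(buf):
        if off + 2 > len(buf):
            raise ValueError("truncated attribute header")
        t, ln = buf[off], buf[off + 1]
        if ln < 2 or off + ln > len(buf):
            raise ValueError("bad attribute length")
        yield t, buf[off + 2:off + ln]
        off += ln


def split_tag(value):
    """RFC 2868 section 3: a first octet in 0x01..0x1F is a tag; 0x00 or >0x1F
    means the attribute is untagged and the octet belongs to the value."""
    if value and 1 <= value[0] <= 0x1F:
        return value[0], value[1:]
    return 0, value


def decode_vlan_assignment(buf):
    """Return {'vlan', 'role', 'aruba_vlan'} as a NAS would read them.
    The IETF VLAN counts only when Tunnel-Type, Tunnel-Medium-Type and
    Tunnel-Private-Group-ID are all present under the same tag and name VLAN
    over 802; this decoder ignores a half-sent triple, which models a NAS
    that then keeps the VLAN configured statically on the VAP or role."""
    groups, out = {}, {"vlan": None, "role": None, "aruba_vlan": None}
    for t, v in iter_avps(buf):
        if t in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID):
            tag, body = split_tag(v)
            g = groups.setdefault(tag, {})
            g[t] = body.decode() if t == TUNNEL_PRIVATE_GROUP_ID else int.from_bytes(body, "big")
        elif t == VENDOR_SPECIFIC and len(v) >= 4 and struct.unpack("!I", v[:4])[0] == VENDOR_ARUBA:
            for vt, vv in iter_avps(v[4:]):
                if vt == ARUBA_USER_ROLE:
                    out["role"] = vv.decode()
                elif vt == ARUBA_USER_VLAN:
                    out["aruba_vlan"] = int.from_bytes(vv, "big")
    for tag in sorted(groups):                 # this decoder's choice: lowest tag wins
        g = groups[tag]
        if (g.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and g.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802
                and TUNNEL_PRIVATE_GROUP_ID in g):
            out["vlan"] = g[TUNNEL_PRIVATE_GROUP_ID]
            break
    return out


if __name__ == "__main__":
    print(decode_vlan_assignment(build_vlan_accept(526, role="CLEARPASS-POSTURE-ROLE")))
```

Feed `decode_vlan_assignment` the attribute bytes of a real Access-Accept (from a capture on the controller's uplink, after the 20-byte RADIUS header) and compare the result with what the VAP and the role configure statically; a triple that is incomplete, split across different tags, or absent while only Aruba-User-Role is returned are the cases where the assigned VLAN is not the one the server operator expected.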



  • 2.  RE: no DHCP for wireless devices - ClearPass placing devices in incorrect vlan

    Posted Aug 19, 2015 11:40 PM

    What device is the default gateway for the clients?

     

    From the sounds of it, your user VLAN is now isolated from whatever upstream device provided user connectivity.  A diagram would be very helpful.



  • 3.  RE: no DHCP for wireless devices - ClearPass placing devices in incorrect vlan

    Posted Aug 20, 2015 11:03 AM

    Thanks for the reply.

     

     

    The default gateway for clients in any vlan is the MAS. I tried to make the diagram as simple and as thorough as possible. I am trying to emulate our production environment as much as possible with the lab. The ClearPass appliance exists only as a lab device, although it is within the home office lan because that is where it will be in production. The firewall segregates the lab in the same way the MPLS cloud segregates my remote sites.

     

    In prod, the remote APs connect through the MPLS cloud to the prod controller, but they get DHCP from the local domain controllers. In the lab, they should be getting DHCP from the MAS. Wired clients get DHCP from the MAS correctly; wireless clients cycle repeatedly once they are authorized to the controller.

     

    Russell



  • 4.  RE: no DHCP for wireless devices - ClearPass placing devices in incorrect vlan

    Posted Aug 20, 2015 11:58 AM

    Are you tunneling user traffic to the controller or bridging it locally?



  • 5.  RE: no DHCP for wireless devices - ClearPass placing devices in incorrect vlan

    Posted Aug 20, 2015 12:12 PM

    In prod, I am bridging. In the lab, I was tunneling and moved it to bridging to see if that would fix the issue. It did not. In prod I also have the VAP in a VLAN, but the role NOT in a VLAN. In the lab, I had BOTH the VAP and the role assigned to the VLAN. I changed the lab to reflect prod, but haven't been able to test since I made that change.

     

    Edit: I was able to test, with still no success/no DHCP.

     

    Russell



  • 6.  RE: no DHCP for wireless devices - ClearPass placing devices in incorrect vlan

    Posted Aug 24, 2015 09:59 AM

    Still having issues, thought I'd add some configs and 'shows' that could be helpful.

     

    Thanks everyone!!

     

    Attached are the configs for the VAPs, their AAAs, and their SSIDs, plus the rights for all of the roles. I changed the INTERNAL op-mode from wpa2-aes to wpa2-psk-aes, and now both INTERNAL and GUEST can get an IP, whereas EMPLOYEE still fails. To me, this points to an issue with ClearPass, which is being used as the RADIUS server. I do not have another RADIUS server available to test that, though. I added an auth-tracebuf to the attachment.

     

    Here, I have my laptop and phone trying to connect. The third MAC is the AP:

    show station-table

    Station Entry
    -------------
    MAC                Name                             Role                      Age(d:h:m)  Auth  AP name                     Essid         Phy   Remote  Profile
    -----------------  -------------------------------  ------------------------  ----------  ----  --------------------------  ------------  ----  ------  ----------------
    10:0b:a9:d5:23:5c  host/IT5CB21215VWL.hmcorp.local  CLEARPASS-POSTURE-ROLE    00:00:06    Yes   LAB-AP-2-ac:a3:1e:c3:3f:70  LAB-EMPLOYEE  a-HT  Yes     LAB_EMPLOYEE_AAA
    c8:19:f7:0b:6e:24                                   CLEARPASS-BYODLOGIN-ROLE  00:00:00    No    LAB-AP-2-ac:a3:1e:c3:3f:70  LAB-INTERNAL  a-HT  Yes     LAB_INTERNAL_AAA
    00:19:2f:95:b1:b3                                   authenticated             00:00:01    No    N/A                                             No      test

    Station Entries: 3

     

    Only the phone shows as a user:

    show user

    Users
    -----
    IP            MAC                Name  Role                      Age(d:h:m)  Auth  VPN link  AP name                     Roaming             Essid/Bssid/Phy                      Profile           Forward mode  Type     Host Name
    ------------  -----------------  ----  ------------------------  ----------  ----  --------  --------------------------  ------------------  -----------------------------------  ----------------  ------------  -------  ---------
    10.75.92.252  c8:19:f7:0b:6e:24        CLEARPASS-BYODLOGIN-ROLE  00:00:00                    LAB-AP-2-ac:a3:1e:c3:3f:70  Associated(Remote)  LAB-INTERNAL/ac:a3:1e:b3:f7:10/a-HT  LAB_INTERNAL_AAA  bridge        Android

    User Entries: 1/1
    Curr/Cum Alloc:4/289 Free:0/285 Dyn:4 AllocErr:0 FreeErr:0

     

     

    Attachment(s): VAP and rights.txt (22 KB)
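The comparison the poster is making by eye above (three entries in the station table, one in the user table) is worth automating once there are more than a handful of clients. The following is an added example, not code from the thread or from HPE Aruba: it parses the two fixed-width tables using the dash separator line to find column boundaries, which keeps empty cells (the station with no Name, the AP entry with no Essid) in the right column where whitespace splitting would shift everything after them. The sample tables are constructed from the rows the poster pasted, re-laid out in the fixed-width form the CLI prints; `_layout` exists only to build that sample.

```python
"""Correlate ArubaOS 'show station-table' with 'show user'.

Added example, not from the thread. Both commands print fixed-width tables
with a dash line under the header; the dash runs give the column boundaries.
The sample tables are constructed from the rows the poster pasted."""

import re


def _layout(header, rows):
    """Render rows the way the CLI does: header, a dash run per column, padded cells.
    Used only to build the constructed sample below."""
    widths = [max(len(h), *(len(r[i]) for r in rows)) for i, h in enumerate(header)]

    def fmt(cells):
        return "  ".join(c.ljust(w) for c, w in zip(cells, widths)).rstrip()

    return "\n".join([fmt(header), fmt(["-" * w for w in widths])] + [fmt(r) for r in rows])


STATION_HEADER = ["MAC", "Name", "Role", "Age(d:h:m)", "Auth", "AP name",
                  "Essid", "Phy", "Remote", "Profile"]
STATION_ROWS = [  # rows from the post; the third MAC is the AP itself
    ["10:0b:a9:d5:23:5c", "host/IT5CB21215VWL.hmcorp.local", "CLEARPASS-POSTURE-ROLE",
     "00:00:06", "Yes", "LAB-AP-2-ac:a3:1e:c3:3f:70", "LAB-EMPLOYEE", "a-HT", "Yes", "LAB_EMPLOYEE_AAA"],
    ["c8:19:f7:0b:6e:24", "", "CLEARPASS-BYODLOGIN-ROLE",
     "00:00:00", "No", "LAB-AP-2-ac:a3:1e:c3:3f:70", "LAB-INTERNAL", "a-HT", "Yes", "LAB_INTERNAL_AAA"],
    ["00:19:2f:95:b1:b3", "", "authenticated", "00:00:01", "No", "N/A", "", "", "No", "test"],
]
USER_HEADER = ["IP", "MAC", "Name", "Role", "Age(d:h:m)", "Auth", "VPN link", "AP name",
               "Roaming", "Essid/Bssid/Phy", "Profile", "Forward mode", "Type", "Host Name"]
USER_ROWS = [
    ["10.75.92.252", "c8:19:f7:0b:6e:24", "", "CLEARPASS-BYODLOGIN-ROLE", "00:00:00", "", "",
     "LAB-AP-2-ac:a3:1e:c3:3f:70", "Associated(Remote)", "LAB-INTERNAL/ac:a3:1e:b3:f7:10/a-HT",
     "LAB_INTERNAL_AAA", "bridge", "Android", ""],
]
STATION_TABLE = "Station Entry\n-------------\n" + _layout(STATION_HEADER, STATION_ROWS) + "\n\nStation Entries: 3\n"
USER_TABLE = "Users\n-----\n" + _layout(USER_HEADER, USER_ROWS) + "\n\nUser Entries: 1/1\n"

_SEP = re.compile(r"^-+(\s+-+)+\s*$")   # two or more dash runs: the column separator


def parse_table(text):
    """Return the table body as a list of dicts keyed by header name.
    A title underline such as '-------------' has one run and is ignored."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if i and _SEP.match(line):
            header, body = lines[i - 1], lines[i + 1:]
            starts = [m.start() for m in re.finditer(r"-+", line)]
            break
    else:
        raise ValueError("no column separator line found")
    bounds = list(zip(starts, starts[1:] + [None]))   # each column runs to the next one's start
    names = [header[a:b].strip() for a, b in bounds]
    rows = []
    for line in body:
        if not line.strip():
            break                                        # blank line ends the table
        rows.append({n: line[a:b].strip() for n, (a, b) in zip(names, bounds)})
    return rows


def correlate(stations, users):
    """For each wireless station, report whether a user entry (hence an IP) exists.
    Entries with no Essid are not wireless clients (here, the AP) and are skipped."""
    by_mac = {u["MAC"].lower(): u for u in users}
    report = []
    for s in stations:
        if not s["Essid"]:
            continue
        u = by_mac.get(s["MAC"].lower())
        report.append({
            "mac": s["MAC"], "essid": s["Essid"], "l2_auth": s["Auth"], "role": s["Role"],
            "ip": u["IP"] if u else None,
            "forward_mode": u["Forward mode"] if u else None,
        })
    return report


def clients_without_ip(stations_text=STATION_TABLE, users_text=USER_TABLE):
    """MACs that associated (and may have passed 802.1X) but never got a user entry."""
    return [r["mac"] for r in correlate(parse_table(stations_text), parse_table(users_text))
            if r["ip"] is None]


if __name__ == "__main__":
    for r in correlate(parse_table(STATION_TABLE), parse_table(USER_TABLE)):
        print(r)
```

Paste real `show station-table` and `show user` output into `parse_table` in place of the constructed strings; a station that reports `Auth Yes` on the 802.1X SSID but has no user entry is exactly the case the thread describes, and the `forward_mode` field of the ones that did get an IP tells you whether those users are bridged or tunnelled.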