Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

ArubaOS 8.7 block client DHCP requests by default when no PEF license.

  • 1.  ArubaOS 8.7 block client DHCP requests by default when no PEF license.

    Posted Nov 23, 2022 10:22 PM

    I have one 7205 controller with only an AP license, without PEF.
    When I set up a Virtual AP in bridge mode with a VLAN, the client could not get an IP address. I already checked that the DHCP server is working.

    I saw the default role is "logon" and its rule had deny user udp 68.


    My switch type is HPE 5140. Switch port config as below:

    VLAN 203 is for Aruba Controller and AP.

    VLAN 20 is for clients of the AP in bridged mode.

    SSID config as below:

    Also, I searched the MAC address table on the switch; the wireless clients were all on the correct VLAN, but just could not get an IP from DHCP.

    Thanks for any suggestions.




  • 2.  RE: ArubaOS 8.7 block client DHCP requests by default when no PEF license.

    Posted Nov 24, 2022 04:38 AM
    Hi Pigsign,

    Can you share what role your client is getting once authenticated, please?



  • 3.  RE: ArubaOS 8.7 block client DHCP requests by default when no PEF license.

    EMPLOYEE
    Posted Nov 24, 2022 05:05 AM
    The deny user->any port 68 prevents DHCP spoofing. The client cannot send a DHCP reply, but can send a DHCP request (port 67/udp) and the server can respond because the source is not user (which is dynamically replaced with the client IP).

    Please note that with a controller, tunneling the traffic is recommended. If you want to bridge your traffic, there are good chances that running APs in Instant Mode would be a better solution.

    Can you run a port mirror on the AP switch port? You could then determine if the DHCP packet goes out from the AP on VLAN20. On AOS-Switches, I know that if you don't fully configure dhcp snooping, the switch will block the DHCP response packets. Not sure on Comware. But knowing if the packet goes out of the AP may help... as well you could try setting a static IP on the client to see if communication works then.

    I'm also confused why the client would get the logon role, it should be authenticated, but I don't have a controller without PEF to test with. Aruba Support may be a good next step.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------
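
Added example, not part of the thread or of any Aruba tooling: a minimal parser for frames taken from the port mirror suggested in reply 3, sorting DHCP traffic into client requests (to port 67/udp), server replies, and client-sourced packets to port 68/udp, which is the traffic that reply says the deny rule targets. It assumes the mirrored frames carry an 802.1Q tag for VLAN 20; the function names, MAC addresses and sample frames are constructed for illustration.

```python
import struct

MAGIC = b"\x63\x82\x53\x63"                      # DHCP magic cookie after the 236-byte BOOTP header
TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK"}

def parse_dhcp(frame):
    """Return (vlan, src_port, dst_port, msg_type) for a DHCP frame, else None."""
    if len(frame) < 18:
        return None
    ethertype, off, vlan = struct.unpack_from("!H", frame, 12)[0], 14, None
    if ethertype == 0x8100:                      # 802.1Q tag: VLAN ID is the low 12 bits
        tci, ethertype = struct.unpack_from("!HH", frame, 14)
        vlan, off = tci & 0x0FFF, 18
    if ethertype != 0x0800 or len(frame) < off + 20 or frame[off + 9] != 17:
        return None                              # not IPv4/UDP
    udp = off + (frame[off] & 0x0F) * 4          # IHL gives the IPv4 header length
    if len(frame) < udp + 248:                   # UDP header (8) + BOOTP (236) + cookie (4)
        return None
    sport, dport = struct.unpack_from("!HH", frame, udp)
    if {sport, dport} - {67, 68} or frame[udp + 244:udp + 248] != MAGIC:
        return None
    opts, i, mtype = frame[udp + 248:], 0, None
    while i + 1 < len(opts) and opts[i] != 255:  # walk TLV options until End (255)
        if opts[i] == 53 and i + 2 < len(opts):  # option 53 = DHCP message type
            mtype = TYPES.get(opts[i + 2], str(opts[i + 2]))
        i += 1 if opts[i] == 0 else 2 + opts[i + 1]  # Pad (0) has no length byte
    return vlan, sport, dport, mtype

def triage(frames, client_mac, vlan=20):
    """Sort mirrored DHCP frames on one VLAN by who sent them and to which port."""
    seen = {"client_sent": [], "server_replied": [], "client_to_port_68": []}
    for f in frames:
        p = parse_dhcp(f)
        if p is None or p[0] != vlan:
            continue
        from_client = f[6:12] == client_mac      # bytes 6..11 are the source MAC
        key = "server_replied" if not from_client else "client_to_port_68" if p[2] == 68 else "client_sent"
        seen[key].append(p[3])
    return seen

def build(src, dst, vlan, sport, dport, mtype):
    """Constructed sample frame (checksums left at zero; not captured traffic)."""
    body = bytes(236) + MAGIC + bytes([53, 1, mtype, 255])
    udp = struct.pack("!HHHH", sport, dport, 8 + len(body), 0) + body
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0, bytes(4), b"\xff" * 4)
    return dst + src + struct.pack("!HHH", 0x8100, vlan, 0x0800) + ip + udp

CLIENT, SERVER = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")  # constructed MACs
SAMPLE = [build(CLIENT, b"\xff" * 6, 20, 68, 67, 1),   # client DISCOVER to port 67
          build(SERVER, CLIENT, 20, 67, 68, 2)]        # server OFFER back to port 68
```

If `triage(SAMPLE, CLIENT)` on a real capture shows entries under `client_sent` but nothing under `server_replied`, the request left the AP on the expected VLAN and the reply is being lost upstream, which is the case the DHCP snooping remark in reply 3 is about.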



  • 4.  RE: ArubaOS 8.7 block client DHCP requests by default when no PEF license.

    Posted Nov 24, 2022 07:41 AM
    It really shouldn’t be the role causing the problem since “logon” allows DHCP… but try changing the default role in your AAA profile to “authenticated” and see if the client can complete DHCP.

    ---------------------------------
    ACNSA | ACEA | ACCP | ACMP
    ---------------------------------





  • 5.  RE: ArubaOS 8.7 block client DHCP requests by default when no PEF license.

    Posted Nov 30, 2022 10:20 PM
    I could not change the default role to "authenticated"; the system said it needs a PEF license.
    But following this logic, I tried to change the role to "guest" and everything worked like a charm. :-)

    Thanks for all your suggestions.