RE: ISE Dynamic VLAN redirect with single eduroam WLAN

2021-07-08 Thread Tariq Adnan
Hi Sean,

Here is how we have implemented this same setup:

There are 3 scenarios:

  *   eduroam-local: our student/staff accessing eduroam within campus, they 
are authenticated against our radius/AD and then depending upon which group 
they belong to (member_of_student or member_of_staff), radius returns 
VLAN/Interface/Interface Group (student interface group or staff interface 
group) to WLC. If a person is both student and staff, he/she is given staff 
status.
  *   eduroam-inbound: our student/staff accessing eduroam in other 
institutions; our radius receives the auth request via ISP (here in Australia 
it is AARNET).
  *   eduroam-outbound: Affiliates from other institutions accessing eduroam 
within our campus; the auth request is sent to ISP which takes it to his/her 
parent institution. Upon successful authentication, radius returns 
VLAN/Interface/Interface Group (guest interface group) to WLC.



Controller:

  *   Create student, staff and guest interfaces. Group the interfaces into 
an interface group. One IG can have up to 64 interfaces.
  *   Point the eduroam SSID to your radius server (ISE here)

Radius server:

  *   Create 3 policies or services (we are using Aruba clearpass so we use 
services)
      *   1st service/policy: eduroam-local: all conditions need to be met
          *   username contains "@our institution domain"
          *   is connecting to eduroam
          *   request is coming from our controllers

          *   then authenticate against our AD
          *   return student or staff interface group to WLC

      *   2nd service/policy: eduroam-inbound: all conditions need to be met
          *   Request is coming from ISP (proxy servers)

          *   Then just do authentication

      *   3rd service/policy: eduroam-outbound: all conditions need to be met
          *   Username contains institutions other than ours
          *   Is connecting to eduroam

          *   Then send auth request to ISP and upon successful auth, return 
guest interface group from radius to WLC.

Let me know if you need any further details.

-
Cheers,

Kind regards,
Tariq

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Gray, Sean
Sent: Thursday, 8 July 2021 2:52 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] ISE Dynamic VLAN redirect with single eduroam WLAN

Hi Everyone,

We are looking to amalgamate our 3 dot1x WLANs (employees/student/eduroam) into 
a single WLAN (eduroam). Behind the scenes we still need to authenticate and 
route clients to their respective network segment. So to achieve this we need 
to implement dynamic vlan redirects behind the scenes.

Eduroam users from other institutions will be sent out to eduroam to be handled 
appropriately

Authentication will be handled by ISE cluster, running 2.6.0.156
WLC - 5520 (pair) running 8.8.130.0

The process, from a high level should look something like this

  *   Staff/faculty will connect to our new single WLAN, namely Eduroam
  *   They will be caught by the appropriate policy and authenticated against 
AD, validating that they are staff/faculty
  *   Now they will be redirected to the appropriate VLAN


  *   Student will follow the same process, but will be validated that they are 
a student, and redirected to a different VLAN


  *   All others (externals) will be sent to an external RADIUS server for auth 
and then redirected to yet another different VLAN.

Currently unique policies exist for each of these processes, without the added 
complexities of the VLAN redirect. So my mission is to combine these, filtering 
each client to their auth point, and then upon receiving the authorization, 
assign the appropriate vlan tag, for IP assignment, prior to them getting 
on-net.

I've been unable to find any meaningful documentation around how to handle 
internal vs external radius redirection in this scenario.

So has anyone done this, and are they able to share their process, inclusive of 
vlan redirect?

Thanks

Sean

Sean Gray | B.Sc (Hons)
Voice, Collaboration & Wireless Network Analyst
ITS, University of Lethbridge


**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community



RE: [WIRELESS-LAN] ISE Dynamic VLAN redirect with single eduroam WLAN

2021-07-08 Thread Gray, Sean
Hi Everyone,

Thanks for all the great responses and offers of a deeper dive into this topic. 
I’ll definitely be in touch with a few of you directly in the coming days.

Thanks again

Sean

Sean Gray | B.Sc (Hons)
Voice, Collaboration & Wireless Network Analyst
ITS, University of Lethbridge


Re: [WIRELESS-LAN] ISE Dynamic VLAN redirect with single eduroam WLAN

2021-07-08 Thread Heavrin, Lynn
Not sure if it was directed at me or the original poster, I think it comes down 
more to an identity management classification and access issue at that point.

  1.  If employees are allowed network access to student resources then just 
put the employee rule above the student rule in ISE and the access will 
waterfall.
  2.  If employees are restricted from seeing student resources, you may have 
to create another level of access called Student Employees where ISE matches 
the rule if you are a member of the employees group AND the students group, and 
place them in a VLAN that has access to both resources.
  3.  If you don’t want to use VLAN switching, you can use DACLs (find what 
works best for you). In this scenario, Employees and students get put into the 
same vlan and access is controlled via DACL instead of regular IP firewalling. 
Student-only will get applied a dacl only allowing access to student things. 
Employees-only get only access to employee things. Student Employees get 
access to both using the same process as #2, except using DACLs instead of VLAN 
switching.

Those are just 3 ways to handle that off the top of my head.

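The three services Tariq Adnan describes, together with the rule-order and combined-rule options from Lynn Heavrin's reply, modelled as one decision function. This is an added example, not configuration from any poster or from ISE/ClearPass; the realm, addresses, interface-group names and the `Airespace-Interface-Name` reply attribute are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed sample values (assumptions, not from the thread).
LOCAL_REALM = "example.edu"
CONTROLLERS = [ip_network("10.10.0.0/24")]   # our WLCs as RADIUS clients
ISP_PROXIES = [ip_network("192.0.2.0/28")]   # roaming operator's proxy servers
GUEST_GROUP = "guest-ig"

# Role rules are evaluated top-down and the first match wins, so putting staff
# above student gives a dual-role user staff status.
ROLE_RULES = [
    ({"member_of_staff"}, "staff-ig"),
    ({"member_of_student"}, "student-ig"),
]
# Variant with a combined rule on top for users who are in both groups.
COMBINED_RULES = [
    ({"member_of_staff", "member_of_student"}, "student-employee-ig"),
] + ROLE_RULES


@dataclass(frozen=True)
class Request:
    username: str            # outer identity, user@realm
    nas_ip: str              # source address of the Access-Request
    ssid: str
    ad_groups: tuple = ()    # groups an AD lookup would return for a local user


@dataclass(frozen=True)
class Decision:
    service: str                           # which of the three services matched
    action: str                            # authenticate-local | proxy-to-isp | reject
    interface_group: Optional[str] = None  # returned to the WLC on Access-Accept


def realm_of(username):
    """Lower-cased realm after the last '@', or None if user or realm is empty."""
    user, sep, realm = username.rpartition("@")
    return realm.lower() if sep and user and realm else None


def role_group(ad_groups, rules=ROLE_RULES):
    """Interface group of the first rule whose groups are all present."""
    held = set(ad_groups)
    for required, group in rules:
        if required <= held:
            return group
    return None


def _came_from(nas_ip, networks):
    addr = ip_address(nas_ip)
    return any(addr in net for net in networks)


def select_service(req, rules=ROLE_RULES):
    realm = realm_of(req.username)
    if realm is None:
        return Decision("none", "reject")
    # Exact comparison: a substring test would also accept a longer realm that
    # merely contains ours (assumption: stricter than the thread's "contains").
    is_local = realm == LOCAL_REALM
    if _came_from(req.nas_ip, ISP_PROXIES):
        # eduroam-inbound: authentication only, no interface group returned.
        if is_local:
            return Decision("eduroam-inbound", "authenticate-local")
        return Decision("none", "reject")  # assumption: proxy sent a realm we do not own
    if _came_from(req.nas_ip, CONTROLLERS) and req.ssid == "eduroam":
        if not is_local:
            return Decision("eduroam-outbound", "proxy-to-isp", GUEST_GROUP)
        group = role_group(req.ad_groups, rules)
        if group is None:  # assumption: a local user in neither group is refused
            return Decision("eduroam-local", "reject")
        return Decision("eduroam-local", "authenticate-local", group)
    return Decision("none", "reject")      # unknown RADIUS client or other SSID


def accept_attributes(decision):
    """Reply attributes for a successful auth. Airespace-Interface-Name is the
    Cisco WLC vendor attribute assumed here to carry the interface group."""
    if decision.action == "reject" or decision.interface_group is None:
        return {}
    return {"Airespace-Interface-Name": decision.interface_group}


if __name__ == "__main__":
    samples = (
        Request("amy@example.edu", "10.10.0.5", "eduroam",
                ("member_of_staff", "member_of_student")),
        Request("bob@other.example", "10.10.0.5", "eduroam"),
        Request("amy@example.edu", "192.0.2.3", "eduroam"),
    )
    for r in samples:
        d = select_service(r)
        print(r.username, r.nas_ip, "->", d, accept_attributes(d))
```

The interface group in a `Decision` only takes effect once the authentication it names has succeeded.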

Re: [WIRELESS-LAN] ISE Dynamic VLAN redirect with single eduroam WLAN

2021-07-08 Thread James Helzerman
Out of curiosity how would you handle someone that has dual appointments
such as a student that is also an employee?

-Jimmy

On Wed, Jul 7, 2021 at 7:19 PM Heavrin, Lynn  wrote:

> Feel free to reach out.  We’re running 2.7 patch 3 with 8540s.  We assign
> users to vlans for some things, but we also like actually using ISE
> assigned interface groups instead that contain multiple interfaces/vlans
> for more scalability.
>
>
>
> Thanks,
>
>
>
> *Lynn Heavrin*
>
> *Network Engineer III | Network Engineering*
>
> Washington University in St. Louis
>
> 4480 Clayton Ave, St. Louis, MO 63110
>
> Mail stop 8218-45-01
> 314.935.3877 | lheav...@wustl.edu
>
>
>
>
>
>
>
> *From: *The EDUCAUSE Wireless Issues Community Group Listserv <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Manon Lessard <
> manon.less...@dti.ulaval.ca>
> *Reply-To: *The EDUCAUSE Wireless Issues Community Group Listserv <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> *Date: *Wednesday, July 7, 2021 at 12:28 PM
> *To: *"WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> *Subject: *Re: [WIRELESS-LAN] ISE Dynamic VLAN redirect with single
> eduroam WLAN
>
>
>
> Same here, everything done with ISE.
>
>
>
> DM if you need help.
>
>
>
> *Manon Lessard*
> Chargée de programmation et d’analyse
>
> CCNP, CWNE #275, AWA 10, ESCE Design
>
> Direction des technologies de l'information
>
> Pavillon Louis-Jacques-Casault
> 1055, avenue du Séminaire
> Bureau 0403
> Université Laval, Québec (Québec)
>
> G1V 0A6, Canada
>
> 418 656-2131, poste 412853
> Télécopieur : 418 656-7305
>
> manon.less...@dti.ulaval.ca
> www.dti.ulaval.ca
>
> Avis relatif à la confidentialité | Notice of Confidentiality
> 

RE: ArubaOS 8.5.0.9 Clients not getting an address

2021-07-08 Thread Enfield, Chuck
Sorry, we had the issue on 8.6 code.  We skipped 8.5 code.



RE: ArubaOS 8.5.0.9 Clients not getting an address

2021-07-08 Thread Michael Holden
If you’re using a LACP link between the controller/MD and the uplink switch 
double check that LACP signaling is correct.
We’ve seen this with at least one switch vendor where the LAG showed up, but 
traffic was intermittent.




RE: ArubaOS 8.5.0.9 Clients not getting an address

2021-07-08 Thread Johnson, Christopher
I've seen this on RAPs with SSIDs operating in split-tunnel mode and "possibly" 
bridge mode with Android Clients - but I occasionally saw this with 8.3.0.7 and 
8.5.0.9 and 8.5.0.11. Issue was somewhat intermittent and semi-replicable with 
TAC - but ended up having to close the case as troubleshooting wasn't really 
going anywhere and replicating the problem reliably at times was frustrating 
and we only have 1 or 2 RAPs for myself and a couple other network staff 
members.

My theory at the time was there was some "defect/disconnect" between the AP and 
its "Drop Unknown Multicast/Broadcast Logic" - because although I could see 
"DHCP Offers" via the Datapath of the Controller downstream - I wasn't seeing 
these DHCP Offers via an Air Capture (Open SSID was one of the troubleshooting 
steps we performed) - and in reverse - at times where I saw the "DHCP Request" 
from the Client during an Air Capture - the DHCP Request never hit the Datapath 
of the Controller. But again - this was only on Remote APs operating in 
Split-Tunnel Mode. So not sure if that helps.
Christopher Johnson
Wireless Network Engineer
Office of Technology Solutions | Illinois State University
(309) 438-8444



RE: ArubaOS 8.5.0.9 Clients not getting an address

2021-07-08 Thread Enfield, Chuck
We have not experienced this exact problem, but we've seen weird forwarding 
behaviors from AP-205s after power events.  Not all of our APs are on UPS yet; 
twice after severe thunderstorms some AP-205s stopped forwarding user traffic 
(DHCP still works, but once the client is in the user table the AP won't 
forward its traffic.)  Rebooting the AP fixes the problem.  We suspect that 
power instability is putting the APs in a weird state.  We haven't been on 
8.5.0.9 that long and have not seen the issue on that code yet, but we had it 
on two previous 8.5 releases.

This probably isn't what you have, but I figured I'd mention it in case any of 
the details line up.



ArubaOS 8.5.0.9 Clients not getting an address

2021-07-08 Thread Jerry Bucklaew
To ALL:


We are experiencing an issue on our aruba os 8.5.0.9 code and I am 
wondering if anyone else has seen it.  Starting this week we have had 
complaints of users not getting an ip address.  It seems to be isolated to two 
buildings for the most part.  On the dhcp server we see the discover and 
offer, but never a request.  On the controller packet capture we see the same 
thing, discover and offer but no request.  On a client side packet capture we 
see discover but no offer.  It seems to be ap related and a reboot of the ap 
seems to fix it; sometimes we have to reboot many APs, as a bunch in the same 
area have the issue.  For those with netinsight the insight, “no dhcp request 
after offer” seems to catch it.

For now it is only affecting about 50 people out of 5k so a small number.  But 
it also seems to be affecting about 50 APs out of 6k, so again a small number. 
But we really have not confirmed that it is the ap.  We have confirmed that a 
client on the same ap will continually have the problem no matter how many 
times we reboot him or de-auth him.  We have confirmed that many times if we 
get him to go to a different ap/location it does seem to clear up.


So again, just wondering if we are the only ones or if someone else has seen 
this.

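The "discover and offer, but never a request" symptom reported above can be pulled out of DHCP server logs and grouped by relay to see whether the affected clients cluster. This is an added example, not something posted to the list; it assumes ISC dhcpd style log lines (the thread does not name the DHCP server), and the sample lines, MAC addresses and relay addresses are constructed.

```python
import re
from collections import defaultdict

# Constructed sample log in ISC dhcpd style; "via" is the relay that forwarded the packet.
SAMPLE_LOG = """\
Jul  8 12:00:01 dhcp1 dhcpd[911]: DHCPDISCOVER from aa:aa:aa:00:00:01 via 10.20.0.1
Jul  8 12:00:01 dhcp1 dhcpd[911]: DHCPOFFER on 10.20.0.50 to aa:aa:aa:00:00:01 via 10.20.0.1
Jul  8 12:00:02 dhcp1 dhcpd[911]: DHCPREQUEST for 10.20.0.50 from aa:aa:aa:00:00:01 via 10.20.0.1
Jul  8 12:00:02 dhcp1 dhcpd[911]: DHCPACK on 10.20.0.50 to aa:aa:aa:00:00:01 via 10.20.0.1
Jul  8 12:01:00 dhcp1 dhcpd[911]: DHCPDISCOVER from bb:bb:bb:00:00:02 via 10.30.0.1
Jul  8 12:01:00 dhcp1 dhcpd[911]: DHCPOFFER on 10.30.0.60 to bb:bb:bb:00:00:02 via 10.30.0.1
Jul  8 12:01:04 dhcp1 dhcpd[911]: DHCPDISCOVER from bb:bb:bb:00:00:02 via 10.30.0.1
Jul  8 12:01:04 dhcp1 dhcpd[911]: DHCPOFFER on 10.30.0.60 to bb:bb:bb:00:00:02 via 10.30.0.1
Jul  8 12:01:12 dhcp1 dhcpd[911]: DHCPDISCOVER from bb:bb:bb:00:00:02 via 10.30.0.1
Jul  8 12:01:12 dhcp1 dhcpd[911]: DHCPOFFER on 10.30.0.60 to bb:bb:bb:00:00:02 via 10.30.0.1
Jul  8 12:02:00 dhcp1 dhcpd[911]: DHCPOFFER on 10.30.0.61 to CC:CC:CC:00:00:03 via 10.30.0.1
Jul  8 12:02:04 dhcp1 dhcpd[911]: DHCPOFFER on 10.30.0.61 to CC:CC:CC:00:00:03 via 10.30.0.1
Jul  8 12:02:12 dhcp1 dhcpd[911]: DHCPOFFER on 10.30.0.61 to CC:CC:CC:00:00:03 via 10.30.0.1
Jul  8 12:03:00 dhcp1 dhcpd[911]: DHCPOFFER on 10.20.0.51 to dd:dd:dd:00:00:04 via 10.20.0.1
Jul  8 12:03:04 dhcp1 dhcpd[911]: DHCPOFFER on 10.20.0.51 to dd:dd:dd:00:00:04 via 10.20.0.1
Jul  8 12:03:05 dhcp1 dhcpd[911]: DHCPREQUEST for 10.20.0.51 from dd:dd:dd:00:00:04 via 10.20.0.1
"""

LINE = re.compile(
    r"(DHCPOFFER|DHCPREQUEST)\b.*?\b((?:[0-9a-f]{2}:){5}[0-9a-f]{2})\b(?:.*?\bvia (\S+))?",
    re.IGNORECASE,
)


def stalled_clients(log_text, min_offers=3):
    """Map MAC -> (offers, relay) for clients offered a lease at least
    min_offers times in a row with no DHCPREQUEST in between."""
    pending = defaultdict(int)   # offers seen since the client's last REQUEST
    relay = {}
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        kind, mac = m.group(1).upper(), m.group(2).lower()
        if kind == "DHCPOFFER":
            pending[mac] += 1
            relay[mac] = m.group(3) or "local"
        else:                    # a REQUEST means the offer reached the client
            pending[mac] = 0
    return {mac: (n, relay[mac]) for mac, n in pending.items() if n >= min_offers}


def by_relay(stalled):
    """Group stalled MACs by relay so clusters (for example, one building) stand out."""
    groups = defaultdict(list)
    for mac, (_, via) in stalled.items():
        groups[via].append(mac)
    return {via: sorted(macs) for via, macs in groups.items()}


if __name__ == "__main__":
    for via, macs in by_relay(stalled_clients(SAMPLE_LOG)).items():
        print(via, macs)
```

Whether a relay address maps to a building or a controller depends on the local design; the grouping only shows where the stalled clients concentrate.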