By OK do you mean a Radius access-accept? That is an authorization, but
doesn't necessarily imply any additional access parameters are
appropriately set (or not sent). We've seen this cause issues with eduroam
roaming before, but this can happen both on 802.1x and open (captive portal
is often implemented with AAA via MAC). Are you able to dump what the
wireless controller sees for parameters and compare with a successful
authentication? Or test on a wireless lan without AAA overrides?

FWIW, I'm running a Nexus 6P on 7.1.1 and no issues on our 802.1x (eduroam)
or open captive portal SSIDs. We have Cisco WLCs against ISE.





On Mon, Mar 13, 2017 at 2:30 PM, Danny Eaton <dannyea...@rice.edu> wrote:

> I’m looking at the DHCP server for the DHCPDISCOVER conversation, and
> never see his MAC address show up.
>
>
>
> I do see the “Login OK” appear in our freeradius logs, and his credentials
> work on his laptop, and the laptop gets an IP address without any issues.
> The phone doesn’t work on our Open (captive portal) either, and I’ve
> checked both sets of WiSM-2 HA Clusters, his MAC address is not quarantined
> (if it was, it wouldn’t ever appear in the radius logs as “Login OK”).
>
>
>
> *From:* Jeremy Mooney [mailto:j-moo...@bethel.edu]
> *Sent:* Monday, March 13, 2017 2:13 PM
> *To:* dannyea...@rice.edu
> *Cc:* The EDUCAUSE Wireless Issues Constituent Group Listserv <
> WIRELESS-LAN@listserv.educause.edu>
> *Subject:* Re: [WIRELESS-LAN] Android 7.1.1 and DHCP issues?
>
>
>
> Are you only looking on the DHCP server for the discover? Could a radius
> server be returning an option setting an incorrect VLAN or specific ACL for
> the client causing it to be dropped at the AP/WLC level? If it's happening
> on an open network it'd probably have to be hitting a MAC-based rather than
> user-based access rule (or possibly profiled and put in a blocked group).
>
>
>
> On Mon, Mar 13, 2017 at 12:40 PM, Danny Eaton <dannyea...@rice.edu> wrote:
>
> It’s set to not validate the radius-server certificate; and like I said,
> it’s authenticating, just not doing the DHCPDISCOVER; I never see it in the
> DHCP server logs.
>
>
>
>
>
>
>
> *From:* Shayne Ghere [mailto:sgh...@fsmail.bradley.edu]
> *Sent:* Monday, March 13, 2017 12:36 PM
> *To:* dannyea...@rice.edu; WIRELESS-LAN@listserv.educause.edu
> *Subject:* RE: [WIRELESS-LAN] Android 7.1.1 and DHCP issues?
>
>
>
> If you’re using certs, there’s a setting under CA Certificate that you
> have to set as “Do not validate” and it will then DHCP.
>
>
>
> I have a Pixel XL and that’s the only way I can get 802.1x working on my
> phone.
>
>
>
> Shayne
>
>
>
> *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] *On Behalf Of *Danny Eaton
> *Sent:* Monday, March 13, 2017 12:20 PM
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> *Subject:* [WIRELESS-LAN] Android 7.1.1 and DHCP issues?
>
>
>
>
>
> So, I’ve got one client (1!) who is running Android 7.1.1 and no matter
> which network (our 802.1X, eduroam, or even the “open” captive portal SSID)
> the user tries to connect into, he gets authenticated (on eduroam and our
> 802.1X SSID), but we never see a DHCPDISCOVER from his phone; it passes the
> AAA (802.1X), but will just not get an IP.  Thoughts?  (other devices work
> just fine).
>
> ********** Participation and subscription information for this EDUCAUSE
> Constituent Group discussion list can be found at
> http://www.educause.edu/discuss.
>
>
>
>
>
>
> --
>
> Jeremy Mooney
>
> ITS - Bethel University
>
>



-- 
Jeremy Mooney
ITS - Bethel University
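
An added example, not part of the original thread: one way to do the comparison suggested above is to diff the reply attributes of a working and a failing Access-Accept, keeping only those a controller applies as AAA overrides. The attribute dumps are constructed sample data in FreeRADIUS-style `Attribute = value` form, and the list of override attributes is an assumption to adjust for the local policy.

```python
import re
from collections import defaultdict

# Attributes a WLC may apply as AAA overrides. This list is an assumption
# made for the example; extend it to match your own policy.
OVERRIDE_ATTRS = {
    "Tunnel-Type", "Tunnel-Medium-Type", "Tunnel-Private-Group-Id",
    "Airespace-ACL-Name", "Airespace-Interface-Name", "Filter-Id",
}

# Matches 'Attr = value', 'Attr := "value"' and tagged 'Attr:0 = value'.
LINE = re.compile(r'^\s*([A-Za-z0-9-]+)(?::\d+)?\s*:?=\s*"?(.*?)"?\s*$')

def parse_reply(text):
    """Parse attribute lines into {attr: sorted values}; attributes may repeat."""
    attrs = defaultdict(list)
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            attrs[m.group(1)].append(m.group(2))
    return {k: sorted(v) for k, v in attrs.items()}

def diff_replies(good, bad, only=OVERRIDE_ATTRS):
    """Return {attr: (working_values, failing_values)} for attributes that differ."""
    g, b = parse_reply(good), parse_reply(bad)
    out = {}
    for attr in sorted((set(g) | set(b)) & set(only)):
        if g.get(attr) != b.get(attr):
            out[attr] = (g.get(attr), b.get(attr))  # None means "not sent"
    return out

# Constructed sample replies, not taken from the thread.
GOOD_REPLY = '''
    Tunnel-Type:0 = VLAN
    Tunnel-Medium-Type:0 = IEEE-802
    Tunnel-Private-Group-Id:0 = "210"
    Session-Timeout = 28800
'''
BAD_REPLY = '''
    Tunnel-Type:0 = VLAN
    Tunnel-Medium-Type:0 = IEEE-802
    Tunnel-Private-Group-Id:0 = "999"
    Airespace-ACL-Name = "QUARANTINE"
    Session-Timeout = 28800
'''

if __name__ == "__main__":
    for attr, (good, bad) in diff_replies(GOOD_REPLY, BAD_REPLY).items():
        print(f"{attr}: working={good} failing={bad}")
```

An empty result means both replies carry the same override attributes, which points the investigation away from RADIUS-assigned VLANs or ACLs.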
