EAP/802.1x/DHCP wonkieness

Unanswered Question
Feb 16th, 2010
I have a WLC 5508 on the 6.0 code. I am running PEAP. Users login with the certificate staged and are coming up with 169.254 addresses. From the controller however, I see them at a valid address from the virtual interface I expect (10.1.27.x). On my MS Radius server, I see successful authentication. Attached is what I see at the controller. What am I missing? Why would the WLC see it as having an IP, but the client (have seen this on WinXP, Win7, Vista) show a bailout IP?


michael.hoer_2 Fri, 03/19/2010 - 10:21
I am having a similar issue with our wireless users. I am currently running 6.0.182 on my controllers and WiSM and am having issues with both. I am using WPA2 with EAP-FAST and ACS 4.1 to authenticate users. I can see the users pass authentication on the ACS and everything looks ok. Clients are running a mixture of Windows 7 and Windows XP/2000. We are currently migrating users to Windows 7.


The controllers show a valid IP address but the users are experiencing issues with 169.254.x.x IP addresses. Everything worked fine before I upgraded to 6.0 and this was mainly because I got a 30 pack of 1142's that would not run on 4.2.x.


I have opened a TAC case with the Wireless and ACS teams and everything appears to be setup correctly.

Robert.N.Barrett_2 Fri, 03/19/2010 - 20:01
If you have not already tried it, you should set your wireless LAN for no encryption and no authentication and see if clients get DHCP addresses.

George Stefanick Sun, 03/21/2010 - 18:08
Are all the clients having this issue? Is DHCP override selected?

This is a bump.


I am having the same issue. Here is my configuration / setup.


Here is my situation. I am running a new WLC 5508 with 6.0x code and the controller is housed at the data center, the remote building has a high speed point to point link. I have no issues with the LAPs connecting but clients are not getting IP addresses from the local DHCP server. I run the WLC as DHCP Proxy.


I am running the DHCP server on the local 3560 switch. Also, I am not using option 43 on the DHCP server to provide the controller's address; I am using DNS, which resolves CISCO-CAPWAP-CONTROLER to the management address of the controller.



The LAP has a static address 10.100.6.20


The switchport that the LAP is plugged into is configured:

 switchport mode access
 switchport access vlan 106
 switchport voice vlan 108
 spanning-tree portfast

interface vlan 106
 ip address 10.100.6.1 255.255.255.0

ip dhcp pool Users
 network 10.100.6.0 255.255.255.0
 dns-server
 default-router 10.100.6.1


From what I understand, the client connects to the WLAN, and then the controller's virtual IP (in my case 1.1.1.1) tells the local DHCP server that a client is looking for DHCP and then provides the client with an IP. I have this working in another building with the exact same configuration as above, except that I am using a local DNS server to look up the name of the Controller Management IP, but I can't understand why that would matter.


I have run debug messages on the switch and don't even see the DHCP Offer messages. I have verified that wired clients are getting DHCP from the switch.
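A small triage helper, added here as an example and not code from any post in this thread: it correlates the DISCOVER/OFFER/REQUEST/ACK messages per client in output styled after IOS `debug ip dhcp server packet` and reports which clients never got an OFFER (server side problem) versus those that were offered but never requested (the reply did not make it back to the client, which is how a 169.254 address ends up on the client while the controller still reports a lease). The sample lines are constructed and only approximate the real debug format.

```python
import re
from collections import defaultdict

# Constructed sample lines in the style of IOS "debug ip dhcp server packet" output.
SAMPLE_DEBUG = """\
DHCPD: DHCPDISCOVER received from client 0100.1122.3344.55 on interface Vlan106.
DHCPD: Sending DHCPOFFER to client 0100.1122.3344.55 (10.100.6.21).
DHCPD: DHCPREQUEST received from client 0100.1122.3344.55.
DHCPD: Sending DHCPACK to client 0100.1122.3344.55 (10.100.6.21).
DHCPD: DHCPDISCOVER received from client 0100.aabb.ccdd.ee on interface Vlan106.
DHCPD: DHCPDISCOVER received from client 0100.aabb.ccdd.ee on interface Vlan106.
DHCPD: DHCPDISCOVER received from client 0100.ffee.ddcc.bb on interface Vlan106.
DHCPD: Sending DHCPOFFER to client 0100.ffee.ddcc.bb (10.100.6.22).
"""

# One pattern covers both directions: "<TYPE> received from client <id>" and "Sending <TYPE> to client <id> (<ip>)".
LINE_RE = re.compile(
    r"DHCPD: (?:(?P<msg_in>DHCP\w+) received from client"
    r"|Sending (?P<msg_out>DHCP\w+) to client)"
    r" (?P<cid>[0-9a-f]+(?:\.[0-9a-f]+)*)(?: \((?P<ip>[\d.]+)\))?"
)

def parse_dhcp_debug(text):
    """Return ({client_id: {message_type: count}}, {client_id: offered_ip})."""
    seen = defaultdict(lambda: defaultdict(int))
    ips = {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # unrelated debug noise
        msg = m.group("msg_in") or m.group("msg_out")
        seen[m.group("cid")][msg] += 1
        if m.group("ip"):
            ips[m.group("cid")] = m.group("ip")
    return seen, ips

def classify_clients(text):
    """Label each client by how far the DORA exchange got, as the server saw it:
    bound (ACK sent), offered_no_ack (OFFER sent but never REQUESTed, i.e. the
    reply did not reach the client) or discover_only (server never offered)."""
    seen, ips = parse_dhcp_debug(text)
    result = {}
    for cid, msgs in seen.items():
        if msgs.get("DHCPACK"):
            result[cid] = ("bound", ips.get(cid))
        elif msgs.get("DHCPOFFER"):
            result[cid] = ("offered_no_ack", ips.get(cid))
        else:
            result[cid] = ("discover_only", None)
    return result
```

Feed it the saved output of the debug instead of `SAMPLE_DEBUG`; a WLAN where every client shows `discover_only` points at the pool or relay on the switch, while `offered_no_ack` points at the return path through the controller.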

michael.hoer_2 Thu, 06/17/2010 - 06:23
Here is what I have found out since posting on this thread.


We are migrating our machines to Windows 7 and have just completed this, all 5000 machines. We were using Infoblox appliances to handle DNS and DHCP addressing. Windows 7 and Vista apparently have issues with getting IP addresses from anything other than a Microsoft DHCP server. We were experiencing issues on both wired and wireless.


Here is the article:

http://support.microsoft.com/kb/928233


As a test I had our platforms guys create a Win 2008 server with DHCP and moved all our wireless DHCP addressing over to this. This has fixed the DHCP and connectivity issues for the wireless side. The wired network is still running on the Infoblox and we are waiting to hear from Infoblox about a patch.


We are however still seeing authentication issues with EAP-FAST. We can move a client to LEAP and they get on fine but when using EAP-FAST the ACS keeps sending PAC files. I can log the user off and log on to the same machine with no problem. The user can go to another machine and it works fine. We're seeing this all over the state.


Most clients are using Dell Latitude D620, D630 or E6400 laptops with Broadcom Wireless NICs; there are some Intel cards out there as well. My personal laptop is an ATG D620 still running Windows XP and it doesn't have any trouble at all. Only users with Windows 7 are having issues. I think this is something to do with the OS and the wireless supplicant.

Having the same problem on Windows 7, with the same models.


Infrastructure:

2 x Cisco Secure ACS servers

Cisco 4400 series WLC at each site, SSID is configured with WEP encryption, EAP-FAST


Local:

Dell laptops (normally Latitude D620/D630s, but some newer) running Windows 7. All are using the Cisco EAP-FAST plugin, installed in automated fashion via MSI.


We have made no changes to our infrastructure, and Windows XP clients using the Broadcom Wireless Client for Dell are connecting fine. The clients using the Cisco EAP-FAST plugin connect OK, but often get repeatedly requested to get a new PAC file, sometimes 50-100 times an hour.


Is there any workaround for this at all?
