Understanding DHCP Option 82

Unanswered Question
Mar 5th, 2014

Hi All,


I have configured my WLC as DHCP server. So in this case, do I need to enable DHCP option 82 on the dynamic interface?


I have a guest VLAN, I have a dynamic interface for this and user IDs created for it, but users are stuck in WEBAUTH_REQD. I am unable to understand what the issue is. Anyone for help?

Sandeep Choudhary Wed, 03/05/2014 - 10:09

Hi,


DHCP option 82 enables the controller to act as a DHCP relay agent to prevent DHCP client requests from untrusted sources. You can configure the controller to add option 82 information to DHCP requests from clients before forwarding the requests to the DHCP server.



I think you need to enter the controller IP address as the DHCP server on the dynamic interface of the WLC.


Regards

Ashish Chandra Wed, 03/05/2014 - 10:22

Hi Royce,


Just FYI, here is what should happen during webauth.

1) Client associates.
2) WLC moves client into DHCP_REQD Policy Manager state.
3) Client either does DHCP or WLC learns the client's IP address.
4) WLC moves client into WEBAUTH_REQD Policy Manager state.
5) Client opens browser.
6) Client sends DNS lookup for the default web page.
7) DNS responds with IP address.
8) Browser sends TCP SYN to IP address.
9) WLC intercepts TCP SYN and continues TCP handshake.
10) Browser sends HTTP GET with requested URL.
11*) WLC sends HTTP redirect to https:///login.html
12*) Client opens https:///login.html

roycemathew Thu, 03/06/2014 - 00:23

Steps 1-4 go smoothly, I believe, but I don't have any direct interaction with the customer's local site, so I don't know whether they are doing it correctly.


In the WLC virtual interface I have put a domain.com, so the guest won't see a page with the virtual IP but rather with this domain.com/login.


So once the customer completes 1 to 4, shall I ask the customer to open a browser and type google.com and see whether it works (meaning at this point it should get a response from the WLC with the internal default authentication type)?

manassin Wed, 03/05/2014 - 19:12


Hi,


If the clients are in the webauth req state, then it's not an issue with DHCP.

Clients move to the webauth req state once they get an IP address.

Without an IP address the wireless client cannot reach the webauth req state.


Are you using layer 3 security on the WLAN?


What type of webauth are you using: Internal, Customized, External?


What is the IP address of the Virtual interface?


Is it an Anchor - Foreign setup?


Where is the DHCP configured for the wireless clients connecting on this WLAN?



Thanks and regards,

Manas Pratap Singh.

roycemathew Thu, 03/06/2014 - 01:09

If the clients are in the webauth req state, then it's not an issue with DHCP.

Clients move to the webauth req state once they get an IP address.

Without an IP address the wireless client cannot reach the webauth req state. - Success, as I can see the client got an IP from DHCP (WLC)


Are you using layer 3 security on the WLAN? - Yes, Web Auth


What type of webauth are you using: Internal, Customized, External? - Internal


What is the IP address of the Virtual interface? - 1.1.1.1


No Anchor - Foreign setup


Where is the DHCP configured for the wireless clients connecting on this WLAN? - DHCP configured on WLC

Scott Fella Thu, 03/06/2014 - 05:09

I don't know what you have configured thus far, but there are just a few things I want to point out and make sure you have done properly.


Make sure you have DHCP proxy enabled on the WLC. Also, on the interface that you're putting the guest users on, you need to configure the WLC management IP as the primary DHCP address.




Thanks,

Scott

*****Help out other by using the rating system and marking answered questions as "Answered"*****

roycemathew Thu, 03/06/2014 - 08:59

Yeah Scott, I have configured it the same, but when I check the association I see the "WEBAUTH_REQD" state in the Policy Manager. Not sure whether they are providing a wrong user ID or not.

Scott Fella Thu, 03/06/2014 - 12:14

You would actually have to see it for yourself... users are users, and maybe they are.... You can enable client exclusion and see if they get excluded; that would tell you that they are not typing it right.


Thanks,

Scott

*****Help out other by using the rating system and marking answered questions as "Answered"*****

manassin Thu, 03/06/2014 - 17:37

Hi,


Thanks for the reply.


Please try to put the following URL in a browser on the wireless client.


http://1.1.1.1/login.html


If by using this URL you get the login page, then the issue should be on the DNS side.

If we do not get the login page using this URL, then the issue should be on the WLC side.


Webauth cases need detailed troubleshooting, and we should proceed step by step.


Thanks and regards,

Manas Pratap Singh.

kaaftab Wed, 03/05/2014 - 22:09

We can configure option 82 to prevent DHCP client requests from untrusted sources; that is its main function. But make sure you follow these steps for troubleshooting:

Troubleshooting Web Authentication


After you configure web authentication, if the feature does not work as expected, complete these troubleshooting steps:


  1. Check if the client gets an IP address. If not, users can uncheck DHCP Required on the WLAN and give the wireless client a static IP address. This assumes association with the access point. Refer to the IP addressing issues section of Troubleshooting Client Issues in the Cisco Unified Wireless Network for troubleshooting DHCP related issues.

  2. On WLC versions earlier than 3.2.150.10, you must manually enter https://1.1.1.1/login.html in order to navigate to the web authentication window.

    The next step in the process is DNS resolution of the URL in the web browser. When a WLAN client connects to a WLAN configured for web authentication, the client obtains an IP address from the DHCP server. The user opens a web browser and enters a website address. The client then performs the DNS resolution to obtain the IP address of the website. Now, when the client tries to reach the website, the WLC intercepts the HTTP GET session of the client and redirects the user to the web authentication login page.

  3. Therefore, ensure that the client is able to perform DNS resolution for the redirection to work. On Windows, choose Start > Run, enter CMD in order to open a command window, and do a "nslookup www.cisco.com" and see if the IP address comes back.

    On Macs/Linux: open a terminal window and do a "nslookup www.cisco.com" and see if the IP address comes back.

    If you believe the client is not getting DNS resolution, you can either:

    Does entering this URL bring up the web page? If yes, it is most likely a DNS problem. It might also be a certificate problem. The controller, by default, uses a self-signed certificate and most web browsers warn against using them.

  4. For web authentication using a customized web page, ensure that the HTML code for the customized web page is appropriate.

    You can download a sample Web Authentication script from Cisco Software Downloads. For example, for the 4400 controllers, choose Products > Wireless > Wireless LAN Controller > Standalone Controllers > Cisco 4400 Series Wireless LAN Controllers > Cisco 4404 Wireless LAN Controller > Software on Chassis > Wireless Lan Controller Web Authentication Bundle-1.0.1 and download the webauth_bundle.zip file.

    These parameters are added to the URL when the user's Internet browser is redirected to the customized login page:

    • ap_mac—The MAC address of the access point to which the wireless user is associated.

    • switch_url—The URL of the controller to which the user credentials should be posted.

    • redirect—The URL to which the user is redirected after authentication is successful.

    • statusCode—The status code returned from the controller's web authentication server.

    • wlan—The WLAN SSID to which the wireless user is associated.

    These are the available status codes:

    • Status Code 1: "You are already logged in. No further action is required on your part."

    • Status Code 2: "You are not configured to authenticate against web portal. No further action is required on your part."

    • Status Code 3: "The username specified cannot be used at this time. Perhaps the username is already logged into the system?"

    • Status Code 4: "You have been excluded."

    • Status Code 5: "The User Name and Password combination you have entered is invalid. Please try again."

  5. All the files and pictures that need to appear on the customized web page should be bundled into a .tar file before uploading to the WLC. Ensure that one of the files included in the tar bundle is login.html. You receive this error message if you do not include the login.html file:

    [screenshot: webauth-tshoot1.gif]

    Refer to the Guidelines for Customized Web Authentication section of Wireless LAN Controller Web Authentication Configuration Example for more information on how to create a customized web authentication window.

    Note: Files that are large and files that have long names will result in an extraction error. It is recommended that pictures are in .jpg format.

  6. Internet Explorer 6.0 SP1 or later is the browser recommended for the use of web authentication. Other browsers may or may not work.

  7. Ensure that the Scripting option is not blocked on the client browser, as the customized web page on the WLC is basically an HTML script. On IE 6.0, this is disabled by default for security purposes.

    Note: The Pop Up blocker needs to be disabled on the browser if you have configured any Pop Up messages for the user.

    Note: If you browse to an https site, redirection does not work. Refer to Cisco bug ID CSCar04580 (registered customers only) for more information.

  8. If you have a host name configured for the virtual interface of the WLC, make sure that DNS resolution is available for the host name of the virtual interface.

    Note: Navigate to the Controller > Interfaces menu from the WLC GUI in order to assign a DNS hostname to the virtual interface.

  9. Sometimes the firewall installed on the client computer blocks the web authentication login page. Disable the firewall before you try to access the login page. The firewall can be enabled again once the web authentication is completed.

  10. Depending on the network topology/solution, a firewall can be placed between the client and the web-auth server. For each network design/solution implemented, the end user should make sure these ports are allowed on the network firewall.

    Protocol: Port
    HTTP/HTTPS Traffic: TCP port 80/443
    CAPWAP Data/Control Traffic: UDP port 5247/5246
    LWAPP Data/Control Traffic (before rel 5.0): UDP port 12222/12223
    EOIP packets: IP protocol 97
    Mobility: UDP port 16666 (non secured), UDP port 16667 (secured IPSEC tunnel)


  11. For web authentication to occur, the client should first associate to the appropriate WLAN on the WLC. Navigate to the Monitor > Clients menu on the WLC GUI in order to see if the client is associated to the WLC. Check if the client has a valid IP address.

  12. Disable the Proxy Settings on the client browser until web authentication is completed.

  13. The default web authentication method is PAP. Ensure that PAP authentication is allowed on the RADIUS server for this to work. In order to check the status of client authentication, check the debugs and log messages from the RADIUS server. You can use the debug aaa all command on the WLC to view the debugs from the RADIUS server.

  14. Update the hardware driver on the computer to the latest code from the manufacturer's website.

  15. Verify settings in the supplicant (program on laptop).

  16. When you use the Windows Zero Config supplicant built into Windows:

    • Verify the user has the latest patches installed.

    • Run debugs on the supplicant.

  17. On the client, turn on the EAPOL (WPA+WPA2) and RASTLS logs from a command window, Start > Run > CMD:

    netsh ras set tracing eapol enable
    netsh ras set tracing rastls enable

    In order to disable the logs, run the same command but replace enable with disable. For XP, all logs will be located in C:\Windows\tracing.

  18. If you still have no login web page, collect and analyze this output from a single client:

    debug client
    debug dhcp message enable
    debug aaa all enable
    debug dot1x aaa enable
    debug mobility handoff enable

Rasika Nayanajith Thu, 03/06/2014 - 18:59

Hi


You do not want to enable DHCP option 82 to get this working.


DHCP option 82 is required only if you want to get client attachment details (like which AP they connect to), and the posts below should be able to help you understand this feature.


1. http://mrncciew.com/2013/05/18/understanding-dhcp-option-82/

2. http://mrncciew.com/2013/06/08/wlc-dhcp-option-82-config-example/


HTH

Rasika


*** Pls rate all useful responses ****
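
To make concrete what the "client attachment details" carried by option 82 look like on the wire, here is an added example (not from the thread or the linked posts) that walks the DHCP options field of a message and decodes the Relay Agent Information option into its RFC 3046 sub-options, Agent Circuit ID (1) and Agent Remote ID (2). The sample options blob and its sub-option values are constructed for the example and are not a capture from a WLC.

```python
MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_MSG_TYPE, OPT_RELAY_AGENT_INFO, OPT_END = 0, 53, 82, 255
SUBOPT_CIRCUIT_ID, SUBOPT_REMOTE_ID = 1, 2  # RFC 3046 sub-option codes

def parse_dhcp_options(options_field: bytes) -> dict:
    """Walk the TLV-encoded options that follow the fixed DHCP header."""
    if options_field[:4] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    options, i = {}, 4
    while i < len(options_field):
        code = options_field[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:      # single-byte padding, no length field
            i += 1
            continue
        length = options_field[i + 1]
        value = options_field[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} truncated")
        options[code] = value
        i += 2 + length
    return options

def parse_option82(value: bytes) -> dict:
    """Split Relay Agent Information into its named sub-options (as hex)."""
    names = {SUBOPT_CIRCUIT_ID: "circuit_id", SUBOPT_REMOTE_ID: "remote_id"}
    result, i = {}, 0
    while i + 2 <= len(value):
        sub, length = value[i], value[i + 1]
        data = value[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError(f"sub-option {sub} truncated")
        result[names.get(sub, f"suboption_{sub}")] = data.hex()
        i += 2 + length
    return result

def relay_info(options_field: bytes):
    """Decoded option 82, or None when no relay agent inserted one."""
    opts = parse_dhcp_options(options_field)
    return parse_option82(opts[OPT_RELAY_AGENT_INFO]) if OPT_RELAY_AGENT_INFO in opts else None
# Constructed DHCPREQUEST options (sample values, not a capture from a WLC):
# message type 3, then option 82 carrying a circuit-id and a remote-id.
SAMPLE_WITH_82 = (MAGIC_COOKIE + bytes([OPT_MSG_TYPE, 1, 3])
    + bytes([OPT_RELAY_AGENT_INFO, 16,
             SUBOPT_CIRCUIT_ID, 6, 0x00, 0x01, 0x00, 0x02, 0x00, 0x03,
             SUBOPT_REMOTE_ID, 6, 0x00, 0x11, 0x22, 0x33, 0x44, 0x55])
    + bytes([OPT_END]))
SAMPLE_WITHOUT_82 = MAGIC_COOKIE + bytes([OPT_MSG_TYPE, 1, 3, OPT_END])
```

A message with no option 82 decodes to None, which matches the point above: web auth does not depend on the relay agent information being present.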

Abha Jha Fri, 03/07/2014 - 06:49

It doesn't seem to be a DHCP option 82 issue but rather related to web auth.

Is there too much load on the WLC? Does this happen only under high load conditions, when many clients are already connected?
