sasha1975

asked on

DHCP configuration on Checkpoint

I am facing a difficulty in the WLAN clients(Laptops etc) getting an IP address dynamically from the DHCP scope configured on Checkpoint.The wireless clients are behind cisco wireless access points.The wireless AP is able to recieve the IP address dynamically from the checkpoint firewall.Needhelp in understanding the issue.

Pugglewuggle

Usually this is an authentication problem with wireless security. The indicator is that the AP gets an address but clients don't, which tells me that they aren't even getting on the network to receive a DHCP address. Can you please confirm you're using the same cipher (TKIP or AES), encryption algorithm (WPA, WEP etc.), and key (password) on the devices? Also, if you're using WPA2, do the laptops support WPA2 security?
If this doesn't work, then try disabling security and see if you get an address on the clients. If you do, then security is the issue.
Sometimes WEP causes issues with this... avoid using WEP whenever possible. It can be cracked in 40 seconds and is not considered secure. Use at minimum WPA instead.
Cheers! :-) Let me know!
 
sasha1975

ASKER

We have disabled encryption and also disabled security but still the issue persists. We are using a centralized architecture for wireless. A WLAN controller is being used and the access points are operating in lightweight mode.

Pugglewuggle

Oooohhhh you didn't say you were using LWAPP.
Do they have the autonomous software or are they LW only? If they can operate in autonomous mode, I say take one off the WLAN controller and test it separately to see if you get the same issue.
Another thing - you don't have the WLAN controller filtering or have some sort of IPS on it, do you?
sasha1975

ASKER

The access points which we have are LW only. We have been able to provide wireless clients IP addresses by configuring a DHCP scope on the WLAN controller. We are facing an issue when we try to configure DHCP on Checkpoint to assign IP addresses to the access point and the WLAN clients who would get connected to the production network through Checkpoint.

Connectivity is shown below:

Laptop----Access point-----checkpoint(DHCP configured)------Access switch-------Core Switch------WLAN controller

By default, the AP and WLAN clients would get a private IP address which would be NATted to get to the production LAN. Could you please tell me if Cisco access points are recognized by Checkpoint as access points, and whether it accepts multiple DHCP requests coming from the AP or only a single device? What I feel is that Checkpoint is not accepting any DHCP requests coming through the access point except for the DHCP request that the access point itself sends across; correct me if I am wrong.
Pugglewuggle

Okay, I see... so why do you have a Checkpoint firewall there in the first place?
Yes, the problem is Checkpoint not allowing DHCP through - DHCP is a broadcast protocol and doesn't work across routers (unless commands are configured), firewalls, or IPsec VPN.
It is not standard practice to have a firewall splitting up a network like that. My advice is to get rid of it. Just secure your APs with WPA or better and you'll be just fine. Nobody is going to get in that doesn't have a certificate or the password, depending on what you configure.
sasha1975

ASKER

The use of Checkpoint has been made a mandate by the security team and they want to control access to the network by use of Checkpoint. Is there any way I can get Checkpoint to provide an IP address to a laptop trying to connect to Checkpoint via an access point? The investment in the purchase of the Checkpoints has already been made.
Pugglewuggle

Hmmm... how big is the company? You don't use a firewall to control internal access - that's just stupid. You use things like NAC and MAC filtering.
The only way you're going to be able to get the DHCP requests to the server is by using a thing called a directed broadcast - that's where a device that breaks up a broadcast domain collects the request and forwards it to the DHCP server in another network. If that won't work then the only viable option is to set up a DHCP server or assign clients behind this Checkpoint a static IP (yuck!).
Sounds like the security team doesn't quite know what they're doing when it comes to internal access protection measures.... whoops, did I say that?
One other thing - if you can't get this working and have strong grounds on which to stand, I suggest you turn this into the security team's problem - not to punish them - but to make them understand why this isn't a suitable application for a firewall and why to use other technologies.
sasha1975

ASKER

Thanks for the quick response... The issue here is that we are using Checkpoint as the DHCP server providing IP addresses to the wireless clients. Where do you want me to enable directed broadcast?
Pugglewuggle

Oh. I'm sorry, I thought you had the Checkpoint set up to act as a DHCP relay.
In that case, you don't need directed broadcast. You should just be able to configure it as a DHCP server like you say you have it and it should work.
Make sure the scope is active and that it's in the same network/subnet as the clients are supposed to be in. The Checkpoint's IP address must be in that range as well.
Please let me know how you have it.
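The two answers above describe the two ways a DHCP server can be reached (a relay agent forwarding the request, versus the server sitting directly on the clients' subnet) and the rule that the scope must match the subnet the request arrives from. The following is an added example, not code from this thread and not Check Point's or Cisco's implementation: it builds a DHCPDISCOVER, applies the relay-agent step (the mechanism the thread calls "directed broadcast": the relay stamps the receiving interface's address into giaddr and forwards the request), and then performs the server-side scope selection of RFC 2131, which is why a request that lands on an interface with no matching scope never gets an offer. All MACs, addresses and scopes in it are constructed for the demo.

```python
"""
Added example (not from the thread, not Check Point or Cisco code): a minimal
DHCPDISCOVER builder and parser, the relay-agent step, and the server-side
scope selection that decides which scope (if any) answers a request.
All addresses, MACs and scopes below are constructed for the demo.
"""
import ipaddress
import struct

BOOTP_FMT = "!BBBBIHH4s4s4s4s16s64s128s"   # RFC 2131 fixed header, 236 bytes
BOOTREQUEST = 1
MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_MSG_TYPE = 53
OPT_END = 255
DHCPDISCOVER = 1


def build_discover(client_mac: bytes, xid: int) -> bytes:
    """Build a DHCPDISCOVER as a client broadcasts it: giaddr and hops are 0."""
    header = struct.pack(
        BOOTP_FMT,
        BOOTREQUEST, 1, 6, 0,                  # op, htype (Ethernet), hlen, hops
        xid, 0, 0x8000,                        # xid, secs, flags (broadcast bit)
        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,   # ciaddr, yiaddr, siaddr, giaddr
        client_mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128,  # chaddr, sname, file
    )
    options = bytes([OPT_MSG_TYPE, 1, DHCPDISCOVER, OPT_END])
    return header + MAGIC_COOKIE + options


def parse_dhcp(msg: bytes) -> dict:
    """Decode the fields a relay agent and a DHCP server act on."""
    fields = struct.unpack(BOOTP_FMT, msg[:236])
    if msg[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message: missing magic cookie")
    opts, i = {}, 240
    while i < len(msg) and msg[i] != OPT_END:
        if msg[i] == 0:                        # pad option carries no length byte
            i += 1
            continue
        code, length = msg[i], msg[i + 1]
        opts[code] = msg[i + 2:i + 2 + length]
        i += 2 + length
    return {
        "op": fields[0],
        "hops": fields[3],
        "xid": fields[4],
        "giaddr": str(ipaddress.IPv4Address(fields[10])),
        "chaddr": fields[11][:fields[2]].hex(":"),
        "msg_type": opts.get(OPT_MSG_TYPE, b"\0")[0],
    }


def relay(msg: bytes, relay_iface_ip: str) -> bytes:
    """What a DHCP relay agent (a router 'helper address') does: stamp the IP
    of the interface the broadcast arrived on into giaddr, bump hops, and
    unicast the result to the server instead of relying on the broadcast."""
    if msg[24:28] == b"\0" * 4:                # only the first relay sets giaddr
        msg = msg[:24] + ipaddress.IPv4Address(relay_iface_ip).packed + msg[28:]
    return msg[:3] + bytes([msg[3] + 1]) + msg[4:]


def select_scope(parsed: dict, receiving_iface_ip: str, scope_cidrs):
    """Server-side scope choice (RFC 2131 section 4.3.1): a relayed request is
    matched by giaddr, a directly received broadcast by the subnet of the
    interface it arrived on. Returns the matching CIDR, or None (no offer)."""
    anchor = ipaddress.IPv4Address(
        parsed["giaddr"] if parsed["giaddr"] != "0.0.0.0" else receiving_iface_ip
    )
    for cidr in scope_cidrs:
        if anchor in ipaddress.ip_network(cidr):
            return cidr
    return None


def scope_is_usable(server_ip: str, scope_cidr: str) -> bool:
    """The check the answer above asks for: the server's own address on the
    serving interface must sit inside the scope's subnet."""
    return ipaddress.IPv4Address(server_ip) in ipaddress.ip_network(scope_cidr)


if __name__ == "__main__":
    scopes = ["192.168.10.0/24", "10.20.0.0/24"]            # constructed scopes
    discover = build_discover(bytes.fromhex("001122334455"), 0x1234)
    direct = parse_dhcp(discover)
    print("direct broadcast on 192.168.10.1 ->", select_scope(direct, "192.168.10.1", scopes))
    relayed = parse_dhcp(relay(discover, "10.20.0.1"))
    print("relayed (giaddr=%s, hops=%d) ->" % (relayed["giaddr"], relayed["hops"]),
          select_scope(relayed, "192.168.10.1", scopes))
    print("same request on an interface with no scope ->",
          select_scope(direct, "172.16.0.1", scopes))
    print("server 192.168.10.1 inside 192.168.10.0/24:",
          scope_is_usable("192.168.10.1", scopes[0]))
```

The third print line is the failure mode worth remembering when a scope "looks" configured: a broadcast that reaches the server on an interface whose address is outside every scope, and that carries no giaddr, yields no match and therefore no DHCPOFFER, with nothing logged on the client side beyond a timeout.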
sasha1975

ASKER

The AP is picking up its IP address from the Checkpoint (which was the case earlier as well), but the wireless clients (laptops) trying to get an IP address from the Checkpoint are unable to do so. The connectivity that I am trying is as follows:

Laptop------Access point-------Checkpoint
Pugglewuggle

Hmmm... try setting the APs up with a static IP outside the DHCP scope.
From what you're saying, DHCP is working fine on Checkpoint.
Please post the config... btw you might consider increasing the points... this is getting kind of long. :P
sasha1975

ASKER

Does Checkpoint identify requests coming in through the access point from various wireless clients? The AP does not have any issues getting an IP address from the DHCP scope configured on Checkpoint, so it does not seem to be a Checkpoint configuration issue. My doubt is that Checkpoint does not accept more than one request coming from the checkpoint for IP addresses. In our case, the laptops are trying to reach the Checkpoint for an IP through the access point. Any comments?
Pugglewuggle

I'm thinking Checkpoint sees them as coming from the AP and not the clients for some reason.
Can you please set up one of the lappies with a static IP and the correct subnet/gateway info and see if you can talk to the rest of the network?
Also, can you please post the AP config?
sasha1975

ASKER

I have tried assigning the laptop a static IP address but still am unable to connect to the network through the access point. Will let you know the AP configuration shortly.
Pugglewuggle

Okay... hmmm... can you ping the Checkpoint or the AP?
Please post config ASAP.
Cheers!
sasha1975

ASKER

We are not able to ping the Checkpoint nor the AP when we assign a static IP address to the laptop.
Pugglewuggle

Are you sure the laptop is in the same subnet, has the same subnet mask, and has as its default gateway the IP address of the Checkpoint that the AP uses as its DHCP server?
sasha1975

ASKER

That's right... the default gateway is the IP of the Checkpoint... I can see the laptop associated in the WLAN controller but am unable to get connected to the production network.
Pugglewuggle

Hmm.... do you have any ACLs?
Can you please post that config I asked for?
sasha1975

ASKER

Guess I have understood what the issue is... LWAPP creates a tunnel with the WLAN controller, and any communication between the end client and the WLAN controller happens over the tunnel, bypassing the Checkpoint.
ASKER CERTIFIED SOLUTION

Pugglewuggle