Solved

HP MSM 710 guest access issues

Posted on 2013-07-01
Last Modified: 2013-07-06
We have an HP MSM 710 mobility controller with multiple APs. The MSM is set up for both guest and internal access. Internal access works fine. Guest access does not. I can connect to the guest network, obtain an IP, and log in through the HTML page, but cannot access the web. I will provide all settings below. We do not use VLANs. The internet port on the MSM is hooked directly to the DMZ on my firewall. I can browse without issue if I plug a computer directly into the DMZ and use a 192.168.200.* IP address and 192.168.200.2 as the gateway, so the MSM is causing the issue. On the guest network, once connected, I can only ping the MSM internet port (192.168.200.10) and gateway/DNS addresses (192.168.201.25), not the DMZ. Traceroutes stop at 192.168.201.25, no matter if tracing a domain name or IP. I have configured using the automated workflow as well as following examples from white papers, though all of those were based on VLANs.

Set up as follows:
Firewall DMZ port address: 192.168.200.2 / 255.255.255.0
MSM internet port address: 192.168.200.10 / 255.255.255.0 - static
MSM acts as DHCP server for public:
DNS: 192.168.201.25
Start: 192.168.201.26
End: 192.168.201.50
Gateway: 192.168.201.25
netmask: 255.0.0.0
subnet: 192.0.0.0

The guest account that is logging in is associated with the VSC.
Default route:
interface- internet port      G- 192.168.200.2         metric- 1

Attribute:
ACCESS-LIST factory,ACCEPT,all,*procurve.com,a...      
ACCESS-LIST factory,ACCEPT,all,*hp-ww.com,all      
ACCESS-LIST factory,ACCEPT,all,*windowsupdate....      
ACCESS-LIST public,deny,all,10.0.0.0.0/8,all       (<<-----this is internal network)
ACCESS-LIST public,accept,all,all,all      
USE-ACCESS-LIST factory        
DEFAULT-USER-USE-ACCESS-LIST Public        
VSA-WISPR-ACCESS-PROCEDURE 1.0

Any help would be appreciated!
Question by:GreshAssoc

Author Comment

by:GreshAssoc
ID: 39290025
More info:
The message log shows the following:

Jul 1 09:13:54 err dhcpd Multiple interfaces match the same shared network: eth0 br0
Jul 1 09:13:54 err dhcpd Multiple interfaces match the same subnet: eth0 br0

Not sure where the "multiple interfaces" are; the internet address is 192.168 and internal is 10.229.


Network trace on MSM from internet port to http://www.google.com:

I have no idea where the 192.168.240.156 address is coming from.

09:34:52.495656 arp who-has 192.168.200.2 tell 192.168.200.10
09:34:52.495782 arp reply 192.168.200.2 is-at 00:17:c5:14:c8:1f
09:34:53.505825 IP 192.168.200.10 > 66.151.158.177: icmp 52: host 192.168.240.156 unreachable
09:34:53.505947 IP 192.168.200.10 > 66.151.158.177: icmp 52: host 192.168.240.156 unreachable
09:34:53.506040 IP 192.168.200.10 > 66.151.158.177: icmp 52: host 192.168.240.156 unreachable
09:34:55.932635 e8:39:35:6b:80:2c > 01:80:c2:00:00:0e, ethertype Unknown (0x88cc), length 168:
      0x0000:  0207 04e8 3935 6b80 2c04 0703 e839 356b  ....95k.,....95k
      0x0010:  802c 0602 0096 080d 496e 7465 726e 6574  .,......Internet
      0x0020:  2070 6f72 740a 2450 726f 4375 7276 6520  .port.$ProCurve.
      0x0030:  5377 6974 6368 2034 3230 3476 6c2d 4239  Switch.4204vl-B9
      0x0040:  2d54 5733 3032 4c42 3039 370c 3748 5020  -TW302LB097.7HP.
      0x0050:  436f 6e74 726f 6c6c 6572 2c54 5733 3032  Controller,TW302
      0x0060:  4c42 3039 372c 3530 2d30 302d 3130 3239  LB097,50-00-1029
      0x0070:  2d30                                     -0
09:34:57.235842 IP 192.168.200.10 > 66.151.158.177: icmp 52: host 192.168.240.156 unreachable
09:34:57.235961 IP 192.168.200.10 > 66.151.158.177: icmp 52: host 192.168.240.156 unreachable
09:34:57.236048 IP 192.168.200.10 > 66.151.158.177: icmp 52: host 192.168.240.156 unreachable
09:35:00.245832 IP 192.168.200.10 > 66.151.158.177: icmp 48: host 192.168.240.156 unreachable
09:35:00.245950 IP 192.168.200.10 > 66.151.158.177: icmp 48: host 192.168.240.156 unreachable
09:35:00.246038 IP 192.168.200.10 > 66.151.158.177: icmp 48: host 192.168.240.156 unreachable
09:35:04.525823 IP 192.168.200.10 > 66.151.158.177: icmp 52: host 192.168.240.156 unreachable
09:35:04.525939 IP 192.168.200.10 > 66.151.158.177: icmp 52: host 192.168.240.156 unreachable
09:35:04.526026 IP 192.168.200.10 > 66.151.158.177: icmp 52: host 192.168.240.156 unreachable
09:35:04.638762 IP 192.168.200.2.137 > 192.168.200.10.137: UDP, length: 50
09:35:10.065794 IP 192.168.200.10 > 66.151.158.177: icmp 48: host 192.168.240.156 unreachable
0
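The two dhcpd errors quoted above are what ISC dhcpd logs when more than one interface address falls inside a single declared subnet. The following added example (not part of the original thread) checks the addressing posted in the question for that condition; the mapping of eth0 to the internet port and br0 to the guest gateway address, and the /24 scope used for comparison, are assumptions.

```python
import ipaddress


def interfaces_per_subnet(interfaces, declared_subnets):
    """For each declared DHCP subnet, list the interfaces whose address lies inside it."""
    result = {}
    for subnet in declared_subnets:
        net = ipaddress.ip_network(subnet, strict=False)
        result[str(net)] = [name for name, addr in interfaces.items()
                            if ipaddress.ip_address(addr) in net]
    return result


def ambiguous_subnets(interfaces, declared_subnets):
    """Return only the subnets matched by more than one interface."""
    matches = interfaces_per_subnet(interfaces, declared_subnets)
    return {net: names for net, names in matches.items() if len(names) > 1}


def scope_covers(subnet, address):
    """True when the declared guest scope also contains the given address."""
    return ipaddress.ip_address(address) in ipaddress.ip_network(subnet, strict=False)


# Addresses taken from the thread. Assumption: eth0 is the internet port and
# br0 carries the guest gateway address; the thread does not state the mapping.
POSTED_INTERFACES = {"eth0": "192.168.200.10", "br0": "192.168.201.25"}
POSTED_SCOPE = ["192.0.0.0/255.0.0.0"]            # subnet/netmask as posted
NARROWED_SCOPE = ["192.168.201.0/255.255.255.0"]  # constructed for comparison
UPSTREAM_GATEWAY = "192.168.200.2"                # firewall DMZ port

if __name__ == "__main__":
    for label, scope in (("posted", POSTED_SCOPE), ("narrowed", NARROWED_SCOPE)):
        print(label,
              "ambiguous:", ambiguous_subnets(POSTED_INTERFACES, scope),
              "covers DMZ gateway:", scope_covers(scope[0], UPSTREAM_GATEWAY))
```

With the posted 255.0.0.0 mask the guest scope contains both interface addresses and the DMZ gateway; with the /24 comparison scope it contains neither the internet port nor the gateway.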
 

Expert Comment

by:M Roe
ID: 39290036
Check your gateway.

Author Comment

by:GreshAssoc
ID: 39290102
Which one? Changing the client DHCP-provided gateway to 192.168.200.2 or 192.168.200.10 does not correct it. The original 192.168.201.25 was provided by the workflow.

Author Comment

by:GreshAssoc
ID: 39290214
If I disable HTML-based user login, everything works fine?! I just cannot control who accesses the guest network.

Author Comment

by:GreshAssoc
ID: 39290381
I believe this is coming down to the ACL attributes. Below is what I have listed:

ACCESS-LIST factory,ACCEPT,all,*procurve.com,a...      
ACCESS-LIST factory,ACCEPT,all,*hp-ww.com,all      
ACCESS-LIST factory,ACCEPT,all,*windowsupdate....      
ACCESS-LIST public,ACCEPT,all,all,all      
ACCESS-LIST Guests,ACCEPT,all,all,all      
ACCESS-LIST guests,ACCEPT,udp,all,67-68      
ACCESS-LIST guests,ACCEPT,all,all,53      
USE-ACCESS-LIST factory        
DEFAULT-USER-USE-ACCESS-LIST Guests        
VSA-WISPR-ACCESS-PROCEDURE 1.0


My guest account "guest" is assigned to the "Guests" account profile.

Accepted Solution

by:GreshAssoc
ID: 39291369
Issue resolved. The solution was to add these attributes:
ACCESS-LIST guests,ACCEPT,all,*.com,all
ACCESS-LIST guests,ACCEPT,all,*.net,all
ACCESS-LIST guests,ACCEPT,all,*.org,all

Other suffixes will be added as required.

Author Closing Comment

by:GreshAssoc
ID: 39303717
Issue determined myself.