Aruba 3200 Controller DNS Resolution Issue

Hello All...
We have an Aruba 3200 controller and AP105s in the field.

We have an issue with only wireless clients... When they try to go to the organization's website (yourname.org) they end up at the Aruba controller... if they try it wired, they go where they are supposed to go.

NSLOOKUP in wireless and wired clients reflect a different answer when I lookup the name, and the wireless answer is a Non-Authoritative answer but says it is from the correct DNS server.

This is on a Windows 2012 Domain, if that helps.

Any ideas where to look in the wireless controller?
Asked by: perktech
DrDave242 commented:
Quoting: "NSLOOKUP in wireless and wired clients reflect a different answer when I lookup the name, and the wireless answer is a Non-Authoritative answer but says it is from the correct DNS server."
If the wireless clients are resolving that name to a different IP address from the one the wired clients are resolving it to, and the wired clients are able to browse to the site with no trouble, that bogus address is probably the problem. So now you just need to determine why the wireless clients resolve the name to a different address. Are the wireless clients using different DNS servers from the wired clients?
perktech (Author) commented:
Hi Dave - no, they get the same DNS server.  The issue is somewhere in the wireless controller, just not sure where to look exactly.
UnHeardOf commented:
Hi Perktech,
Sounds like your SSID is configured to tunnel through the controller. Check what role the user is getting when connected to the wireless. After you determine what role the user has, check to see what firewall rules are configured for that role on the wireless controller.

As an example, a user with the authenticated role has no restrictions.
perktech (Author) commented:
UnHeardOf - great suggestion, thanks, I will take a look on Monday!
Jakob Digranes (Senior Consultant) commented:
Hi - did changing roles and access policies fix this issue?
perktech (Author) commented:
No, that hasn't had an impact.  I've noted that the SSL certificate that was installed is for the domain name (company.org) for some reason... I'm thinking that may be the issue...  not sure where to go from here, except maybe to try and put a generic one in place?
UnHeardOf commented:
I would test DNS from a wireless client. Run cmd:

nslookup
server 8.8.8.8
google.com

This will test DNS (port 53) through the controller and Internet access. The answer should be a non-authoritative response if what you're looking up is not your domain.
UnHeardOf commented:
Also test pinging 8.8.8.8 and try a traceroute to make sure you're going the path you would expect.
perktech (Author) commented:
All of that comes out as expected...  and even changing the DNS service in network config has no impact.  It is a setting in the controller somewhere, I think it has to do with the certificate, but still trying to figure out how to fix it.
UnHeardOf commented:
Is this a captive portal setup? Is the SSID configured as tunnel or bridge?
UnHeardOf commented:
Just to clarify: is all web traffic (http/https) destined to any page bringing you to the controller?
Jakob Digranes (Senior Consultant) commented:
As UnHeardOf mentions, this really looks like the DNS forwarding, dst-nat, which is set up for the captive portal login.
In addition to UnHeardOf's questions, please copy whatever roles users are assigned to.

How do they authenticate to the network? 802.1X with certificates or domain usernames and passwords, or a pre-shared key?

If you're using PSK, then the logon role is the role users are assigned to, so the logon role can be changed to authenticated for test purposes.
perktech (Author) commented:
They use their Active Directory usernames and passwords to log in to the wireless; there is no captive portal on one of the SSIDs that has the issue.

Here are the list of available roles:

Name              ACL  Bandwidth                  ACL List                                       Type
----              ---  ---------                  --------                                       ----
ap-role           4    Up: No Limit,Dn: No Limit                                                 System
authenticated     22   Up: No Limit,Dn: No Limit  allow-all/                                     User
default-via-role  21   Up: No Limit,Dn: No Limit                                                 User
guest             3    Up: No Limit,Dn: No Limit  guest/                                         User
guest-logon       6    Up: No Limit,Dn: No Limit  captiveportal/,logon-control/,captiveportal6/  User
logon             1    Up: No Limit,Dn: No Limit  captiveportal6/                                User
stateful-dot1x    5    Up: No Limit,Dn: No Limit                                                 System
sys-ap-role       7    Up: No Limit,Dn: No Limit  sys-control/,sys-ap-acl/                       System (not editable)


And a sampling of some of the users logged in:
172.19.10.156  70:56:81:8a:6d:95  aimguest          authenticated  00:03:31    802.1x            4th-Tech-01        Wireless  AIM/24:de:c6:45:08:78/a-HT        AIM-8021x      tunnel        OS X
172.19.10.130  2c:be:08:f1:52:f2  bcummings         authenticated  00:00:11    802.1x            1st-Stairwell-01   Wireless  AIM/00:24:6c:b1:89:18/a-HT        AIM-8021x      tunnel        OS X
172.19.10.135  00:23:6c:93:4e:44  sadams            authenticated  00:00:43    802.1x            2nd-201-01         Wireless  AIM/00:24:6c:b1:80:80/g-HT        AIM-8021x      tunnel        OS X
Jakob Digranes (Senior Consultant) commented:
OK

Why does your logon role only contain captiveportal6? Or is something missing?
Please take a copy of the AAA profile used for the affected SSID, and check if the logon role is the one set for logon.

You say that all SSIDs have this problem?
what ArubaOS are you running?
show image version in CLI
perktech (Author) commented:
I can't speak to why the controller was configured in any particular way, I didn't do it.  I am trying to sift through it and fix it, though.

All SSIDs have the issue.
ArubaOS 6.1.3.2


I am attaching a show config for good measure...
UnHeardOf commented:
You could change the role to authenticated to see if it resolves your issue as a test. Then you can modify it to fit your needs once you know that the role is your problem.
perktech (Author) commented:
I don't understand... when connected, your role *is* authenticated as you can see above... why would I change it to authenticated?
Jakob Digranes (Senior Consultant) commented:
Can you do the following commands from the CLI:

show rights logon
show rights authenticated
perktech (Author) commented:
show rights logon:
Derived Role = 'logon'
 Up BW:No Limit   Down BW:No Limit  
 L2TP Pool = default-l2tp-pool
 PPTP Pool = default-pptp-pool
 Periodic reauthentication: Disabled
 ACL Number = 1/0
 Max Sessions = 65535


access-list List
----------------
Position  Name            Location
--------  ----            --------
1         captiveportal6  

captiveportal6
--------------
Priority  Source  Destination  Service          Action   TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
--------  ------  -----------  -------          ------   ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
1         user    controller6  svc-https        captive                           Low                                                           6
2         user    any          svc-http         captive                           Low                                                           6
3         user    any          svc-https        captive                           Low                                                           6
4         user    any          svc-http-proxy1  captive                           Low                                                           6
5         user    any          svc-http-proxy2  captive                           Low                                                           6
6         user    any          svc-http-proxy3  captive                           Low                                                           6

Expired Policies (due to time constraints) = 0

show rights authenticated:
Derived Role = 'authenticated'
 Up BW:No Limit   Down BW:No Limit  
 L2TP Pool = default-l2tp-pool
 PPTP Pool = default-pptp-pool
 Periodic reauthentication: Disabled
 ACL Number = 22/0
 Max Sessions = 65535


access-list List
----------------
Position  Name       Location
--------  ----       --------
1         allow-all  

allow-all
---------
Priority  Source  Destination  Service  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
--------  ------  -----------  -------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
1         any     any          any      permit                           Low                                                           4

Expired Policies (due to time constraints) = 0
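The `show rights` and `show user-table` output pasted above can be checked mechanically instead of by eye. The following Python script is an added example, not code from this thread or from Aruba: it parses output in the column layout shown above (sample input copied and trimmed from this thread, labelled as such in the code) and reports, for every role that a connected client actually holds, any rule whose action is `captive`, i.e. a rule that steers the client's web traffic to the controller. Treating `dst-nat` as a redirect action as well is an assumption about other deployments; this thread's output only shows `captive`.

```python
"""Audit which ArubaOS user roles carry captive-portal redirect rules.

Added example, not code from the thread or from Aruba. Parses pasted
`show user-table` and `show rights <role>` output (column layout as in the
thread) and reports redirect rules per role that a connected client holds.
"""
import re
from typing import Dict, List, NamedTuple

# Actions that send client traffic to the controller instead of its real
# destination. `dst-nat` is an assumption; this thread only shows `captive`.
REDIRECT_ACTIONS = {"captive", "dst-nat"}

# Sample `show user-table` rows copied from the thread: IP, MAC, name, role, ...
USER_TABLE = """\
172.19.10.156  70:56:81:8a:6d:95  aimguest   authenticated  00:03:31  802.1x  4th-Tech-01       Wireless  AIM/24:de:c6:45:08:78/a-HT  AIM-8021x  tunnel  OS X
172.19.10.130  2c:be:08:f1:52:f2  bcummings  authenticated  00:00:11  802.1x  1st-Stairwell-01  Wireless  AIM/00:24:6c:b1:89:18/a-HT  AIM-8021x  tunnel  OS X
172.19.10.135  00:23:6c:93:4e:44  sadams     authenticated  00:00:43  802.1x  2nd-201-01        Wireless  AIM/00:24:6c:b1:80:80/g-HT  AIM-8021x  tunnel  OS X
"""

# Sample `show rights` output, trimmed from the thread (empty columns dropped).
LOGON_RIGHTS = """\
Derived Role = 'logon'
 ACL Number = 1/0

captiveportal6
--------------
Priority  Source  Destination  Service          Action   Queue  IPv4/6
--------  ------  -----------  -------          ------   -----  ------
1         user    controller6  svc-https        captive  Low    6
2         user    any          svc-http         captive  Low    6
3         user    any          svc-https        captive  Low    6
4         user    any          svc-http-proxy1  captive  Low    6
5         user    any          svc-http-proxy2  captive  Low    6
6         user    any          svc-http-proxy3  captive  Low    6
"""

AUTH_RIGHTS = """\
Derived Role = 'authenticated'
 ACL Number = 22/0

allow-all
---------
Priority  Source  Destination  Service  Action  Queue  IPv4/6
--------  ------  -----------  -------  ------  -----  ------
1         any     any          any      permit  Low    4
"""


class Rule(NamedTuple):
    role: str
    policy: str
    priority: int
    source: str
    destination: str
    service: str
    action: str


# A rule row: priority, source, destination, service, action (further columns ignored).
_RULE_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")
# A user-table row: IPv4 address, MAC, user name, role (further columns ignored).
_USER_RE = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-f:]{17})\s+(\S+)\s+(\S+)")


def parse_show_rights(text: str) -> List[Rule]:
    """Turn `show rights <role>` output into Rule records, tagged with the policy name."""
    lines = text.splitlines()
    role, policy, rules = "", None, []
    for i, line in enumerate(lines):
        m = re.match(r"Derived Role = '([^']+)'", line.strip())
        if m:
            role, policy = m.group(1), None
            continue
        stripped = line.strip()
        nxt = lines[i + 1].strip() if i + 1 < len(lines) else ""
        # A policy section is a single-token name underlined by a line of dashes.
        if stripped and " " not in stripped and nxt and set(nxt) == {"-"}:
            policy = stripped
            continue
        m = _RULE_RE.match(line)
        if m and policy is not None:
            rules.append(Rule(role, policy, int(m.group(1)), m.group(2),
                              m.group(3), m.group(4), m.group(5)))
    return rules


def parse_user_table(text: str) -> Dict[str, str]:
    """Map user name -> current role from `show user-table` rows."""
    return {m.group(3): m.group(4) for m in map(_USER_RE.match, text.splitlines()) if m}


def redirect_rules(rules: List[Rule]) -> List[Rule]:
    """Rules whose action sends the client to the controller rather than its destination."""
    return [r for r in rules if r.action in REDIRECT_ACTIONS]


def audit(user_table_text: str, rights_texts: List[str]) -> Dict[str, List[str]]:
    """For each role a connected client holds, list its redirect rules (empty = clean)."""
    in_use = set(parse_user_table(user_table_text).values())
    rules = [r for t in rights_texts for r in parse_show_rights(t)]
    return {
        role: [f"{r.policy}#{r.priority}: {r.source}->{r.destination} {r.service} {r.action}"
               for r in redirect_rules(rules) if r.role == role]
        for role in sorted(in_use)
    }


if __name__ == "__main__":
    for role, hits in audit(USER_TABLE, [LOGON_RIGHTS, AUTH_RIGHTS]).items():
        print(f"{role}: {'no redirect rules' if not hits else ', '.join(hits)}")
```

Run against the thread's own data it reports `authenticated: no redirect rules`, while the unused `logon` role carries six `captive` rules. That is consistent with the author's report that changing the logon role had no effect: the post-authentication role's ACLs are not what redirects these clients, so the cause has to be looked for elsewhere on the controller. Paste in the `show rights` output for every role listed in `show rights` to cover the whole table, not just the two shown here.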
Jakob Digranes (Senior Consultant) commented:
Your logon role looks a bit askew. This really is only used before authentication, but you never know.
Do all your SSIDs have the logon role as initial role?

Try creating a new role called logon2 or something.
Add the following preconfigured access lists - in this order:
access-list List
----------------
Position  Name              Type     Location
--------  ----              ----     --------
1         ra-guard          session
2         logon-control     session
3         captiveportal     session
4         vpnlogon          session
5         v6-logon-control  session
6         captiveportal6    session

Then change initial role to this one, and test.
Remember to fully disconnect client before testing, or you'll just get the old role again.
show user-table (Find your user)
aaa user delete (IP-Addr of station)

then reconnect
perktech (Author) commented:
OK, will try that - give me a day or so on that.
Jakob Digranes (Senior Consultant) commented:
Sweet -- let me know if you need some guidance in recreating roles
UnHeardOf commented:
Can you post the results of the AAA profile from one of the SSIDs that is having the issue?

show aaa profile "your profile"

Also review the authenticated role to see if a captive portal profile is defined in the misc configuration.

In the GUI > Security > Access Control > select user role authenticated > on the right side of the screen the captive portal profile should by default be "not assigned", unless you're using it.
perktech (Author) commented:
Hi @Jakob_di can you give me some help recreating the roles?  I thought I knew how to do it, but it looks a bit foreign to me once I'm in the Roles section, I can't see where to put the access lists in.
perktech (Author) commented:
@Unheardof

(aruba-master) # show aaa profile AIM-8021x

AAA Profile "AIM-8021x"
-----------------------
Parameter                           Value
---------                           -----
Initial role                        logon
MAC Authentication Profile          N/A
MAC Authentication Default Role     guest
MAC Authentication Server Group     default
802.1X Authentication Profile       AIM-dot1x-profile
802.1X Authentication Default Role  authenticated
802.1X Authentication Server Group  AIM-8021x
L2 Authentication Fail Through      Disabled
RADIUS Accounting Server Group      N/A
RADIUS Interim Accounting           Disabled
XML API server                      N/A
RFC 3576 server                     N/A
User derivation rules               N/A
Wired to Wireless Roaming           Enabled
SIP authentication role             N/A
Device Type Classification          Enabled
Enforce DHCP                        Disabled
Jakob Digranes (Senior Consultant) commented:
Go to Configuration - Access Control.
Find the logon role, add the configured firewall rules (on the left), and make it look like this:
1         ra-guard          session
2         logon-control     session
3         captiveportal     session
4         vpnlogon          session
5         v6-logon-control  session
6         captiveportal6    session
perktech (Author) commented:
Sorry for the delay on this... still no luck with the different roles.
Jakob Digranes (Senior Consultant) commented:
have you tried creating a new wireless network using PSK and see if that error happens there?