Solved

Aruba 3200 Controller DNS Resolution Issue

Posted on 2015-02-06
Last Modified: 2015-05-28
Hello All...
We have an Aruba 3200 controller and AP105s in the field.

We have an issue with only wireless clients... When they try and go to the organizations website (yourname.org) they end up at the Aruba controller... if they try it wired, they go where they are supposed to go.

NSLOOKUP in wireless and wired clients reflect a different answer when I lookup the name, and the wireless answer is a Non-Authoritative answer but says it is from the correct DNS server.

This is on a Windows 2012 Domain, if that helps.

Any ideas where to look in the wireless controller?
Question by:perktech
 
LVL 25

Expert Comment

by:DrDave242
ID: 40594740
NSLOOKUP in wireless and wired clients reflect a different answer when I lookup the name, and the wireless answer is a Non-Authoritative answer but says it is from the correct DNS server.
If the wireless clients are resolving that name to a different IP address from the one the wired clients are resolving it to, and the wired clients are able to browse to the site with no trouble, that bogus address is probably the problem. So now you just need to determine why the wireless clients resolve the name to a different address. Are the wireless clients using different DNS servers from the wired clients?

Author Comment

by:perktech
ID: 40595121
Hi Dave - no, they get the same DNS server.  The issue is somewhere in the wireless controller, just not sure where to look exactly.
LVL 2

Accepted Solution

by:
UnHeardOf earned 250 total points
ID: 40595822
Hi Perktech,
Sounds like your SSID is configured to tunnel through the controller. Check what role the user is getting when connected to the wireless. After your determine what role the user has, check to see what firewall rules are configured for that role on the wireless controller.

As an example, a user with the authenticated role has no restrictions.

Author Comment

by:perktech
ID: 40595840
UnHeardOf - great suggestion, thanks, I will take a look on Monday!
LVL 20

Expert Comment

by:Jakob Digranes
ID: 40600164
Hi - did changing roles and access policies fix this issue?

Author Comment

by:perktech
ID: 40600733
No, that hasn't had an impact.  I've noted that the SSL certificate that was installed is for the domain name (company.org) for some reason... I'm thinking that may be the issue...  not sure where to go from here, except maybe to try and put a generic one in place?
LVL 2

Expert Comment

by:UnHeardOf
ID: 40601662
I would test dns from a wireless client. Run cmd..

Nslookup
server 8.8.8.8
google.Com

This will test DNS (port 53) through the controller and Internet access. The answer should be a non-authoritative response if what you're looking up is not your domain.
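To make the test UnHeardOf describes repeatable, here is an added example (not code from the thread or from Aruba): it builds a minimal DNS A query, parses the response header's AA (authoritative answer) bit and the A records, and reports when the wireless path returns a different, non-authoritative answer for the same name. The two responses are constructed inline; 203.0.113.10 and 192.0.2.1 are placeholder addresses standing in for the real web server and the controller, and `query_resolver` is an assumed helper for running the same comparison live (once on a wired client, once on a wireless client, against the configured resolver and 8.8.8.8).

```python
import socket
import struct

# Added example, not code from the thread. Builds and parses minimal DNS
# messages so wired and wireless answers for one name can be compared offline.


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Minimal DNS query for an A record with the RD (recursion desired) bit set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _read_name(msg: bytes, off: int):
    """Decode a (possibly compressed) domain name; return (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier copy of the name
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def parse_response(msg: bytes) -> dict:
    """Return transaction id, AA flag, RCODE and the A-record answers of a DNS message."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):
        _, off = _read_name(msg, off)
        off += 4  # skip QTYPE + QCLASS
    answers = []
    for _ in range(ancount):
        _, off = _read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:  # A record
            answers.append(socket.inet_ntoa(msg[off:off + rdlen]))
        off += rdlen
    return {"id": txid, "authoritative": bool(flags & 0x0400),
            "rcode": flags & 0x000F, "answers": answers}


def build_response(query: bytes, ip: str, authoritative: bool, ttl: int = 300) -> bytes:
    """Constructed reply to `query` with one A record (test data, not from a real server)."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = 0x8180 | (0x0400 if authoritative else 0)  # QR, RD, RA, optionally AA
    header = struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0)
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)
    return header + query[12:] + answer  # question section is copied from the query


def compare_paths(wired: bytes, wireless: bytes) -> dict:
    """Flag a differing answer and a lost AA bit between the two network paths."""
    w, wl = parse_response(wired), parse_response(wireless)
    return {"wired": w["answers"], "wireless": wl["answers"],
            "mismatch": set(w["answers"]) != set(wl["answers"]),
            "wireless_lost_aa": w["authoritative"] and not wl["authoritative"]}


def query_resolver(server: str, name: str, timeout: float = 3.0) -> bytes:
    """Assumed live helper (not exercised offline): send the query over UDP/53."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        return s.recv(4096)


if __name__ == "__main__":
    q = build_query("yourname.org")
    wired = build_response(q, "203.0.113.10", authoritative=True)   # placeholder web server
    wireless = build_response(q, "192.0.2.1", authoritative=False)  # placeholder controller
    print(compare_paths(wired, wireless))
```

A mismatch together with a lost AA bit is the signature the question describes: the internal server answers authoritatively for the organisation's own zone, so a non-authoritative answer with a different address on the wireless side points at something in the path rewriting or intercepting the reply rather than at the DNS server itself.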
LVL 2

Expert Comment

by:UnHeardOf
ID: 40601669
Also test pinging 8.8.8.8 and try trace routing to make sure you're going the path you would expect.

Author Comment

by:perktech
ID: 40601692
All of that comes out as expected...  and even changing the DNS service in network config has no impact.  It is a setting in the controller somewhere, I think it has to do with the certificate, but still trying to figure out how to fix it.
LVL 2

Expert Comment

by:UnHeardOf
ID: 40602119
Is this a captive portal setup? is the ssid configured as tunnel or bridge?
LVL 2

Expert Comment

by:UnHeardOf
ID: 40602122
Just to clarify. Is all Web traffic ( http / https ) traffic destined to any page bringing you to the controller?
LVL 20

Expert Comment

by:Jakob Digranes
ID: 40602515
As UnHeardOf mentions, this really looks like the DNS forwarding, dst-nat which is setup for the captive portal login.
In addition to UnHeardOf's questions, please copy whatever roles users are assigned to.

How do they authenticate to network? 802.1X with certificates or domain usernames and passwords, or Pre Shared key?

If you're using PSK - then the logon role is the role users are assigned to, so the logon role can be changed to authenticated for test purposes

Author Comment

by:perktech
ID: 40603218
They use their Active Directory usernames and passwords to log in to the wireless; there is no captive portal on one of the SSIDs that has the issue.

Here is the list of available roles:

Name              ACL  Bandwidth                  ACL List                                       Type
----              ---  ---------                  --------                                       ----
ap-role           4    Up: No Limit,Dn: No Limit                                                 System
authenticated     22   Up: No Limit,Dn: No Limit  allow-all/                                     User
default-via-role  21   Up: No Limit,Dn: No Limit                                                 User
guest             3    Up: No Limit,Dn: No Limit  guest/                                         User
guest-logon       6    Up: No Limit,Dn: No Limit  captiveportal/,logon-control/,captiveportal6/  User
logon             1    Up: No Limit,Dn: No Limit  captiveportal6/                                User
stateful-dot1x    5    Up: No Limit,Dn: No Limit                                                 System
sys-ap-role       7    Up: No Limit,Dn: No Limit  sys-control/,sys-ap-acl/                       System (not editable)


And a sampling of some of the users logged in:
172.19.10.156  70:56:81:8a:6d:95  aimguest          authenticated  00:03:31    802.1x            4th-Tech-01        Wireless  AIM/24:de:c6:45:08:78/a-HT        AIM-8021x      tunnel        OS X
172.19.10.130  2c:be:08:f1:52:f2  bcummings         authenticated  00:00:11    802.1x            1st-Stairwell-01   Wireless  AIM/00:24:6c:b1:89:18/a-HT        AIM-8021x      tunnel        OS X
172.19.10.135  00:23:6c:93:4e:44  sadams            authenticated  00:00:43    802.1x            2nd-201-01         Wireless  AIM/00:24:6c:b1:80:80/g-HT        AIM-8021x      tunnel        OS X
LVL 20

Expert Comment

by:Jakob Digranes
ID: 40603238
OK

Why does your logon role only contain captiveportal6? Or is something missing?
Please take a copy of AAA-Profile used for the affected SSID, and check if logon role is the one set for logon.

You say that all SSIDs have this problem?
what ArubaOS are you running?
show image version in CLI

Author Comment

by:perktech
ID: 40603504
I can't speak to why the controller was configured in any particular way, I didn't do it.  I am trying to sift through it and fix it, though.

All SSIDs have the issue.
ArubaOS 6.1.3.2


I am attaching a show config for good measure...
LVL 2

Expert Comment

by:UnHeardOf
ID: 40603526
You could change the role to authenticated to see if it resolves your issue as a test. Then you can modify it to fit your needs once you know that the role is your problem.

Author Comment

by:perktech
ID: 40603545
I don't understand... when connected, your role *is* authenticated, as you can see above... why would I change it to authenticated?
LVL 20

Expert Comment

by:Jakob Digranes
ID: 40603868
can you do the following commands from CLI

show rights logon
show rights authenticated

Author Comment

by:perktech
ID: 40603896
show rights logon:
Derived Role = 'logon'
 Up BW:No Limit   Down BW:No Limit  
 L2TP Pool = default-l2tp-pool
 PPTP Pool = default-pptp-pool
 Periodic reauthentication: Disabled
 ACL Number = 1/0
 Max Sessions = 65535


access-list List
----------------
Position  Name            Location
--------  ----            --------
1         captiveportal6  

captiveportal6
--------------
Priority  Source  Destination  Service          Action   TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
--------  ------  -----------  -------          ------   ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
1         user    controller6  svc-https        captive                           Low                                                           6
2         user    any          svc-http         captive                           Low                                                           6
3         user    any          svc-https        captive                           Low                                                           6
4         user    any          svc-http-proxy1  captive                           Low                                                           6
5         user    any          svc-http-proxy2  captive                           Low                                                           6
6         user    any          svc-http-proxy3  captive                           Low                                                           6

Expired Policies (due to time constraints) = 0

show rights authenticated:
Derived Role = 'authenticated'
 Up BW:No Limit   Down BW:No Limit  
 L2TP Pool = default-l2tp-pool
 PPTP Pool = default-pptp-pool
 Periodic reauthentication: Disabled
 ACL Number = 22/0
 Max Sessions = 65535


access-list List
----------------
Position  Name       Location
--------  ----       --------
1         allow-all  

allow-all
---------
Priority  Source  Destination  Service  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
--------  ------  -----------  -------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
1         any     any          any      permit                           Low                                                           4

Expired Policies (due to time constraints) = 0
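The two ACL dumps above are what decide where a client's web traffic goes: a rule whose Action is `captive` hands HTTP/HTTPS to the controller's captive-portal listener instead of forwarding it. The following is an added example (not code from the thread or from Aruba) that parses ArubaOS `show rights` ACL tables by header column position and reports which rules would redirect web traffic. The sample tables are quoted from perktech's output above with the columns after Queue dropped; `diagnose_role` and `WEB_SERVICES` are names chosen for this example, and the `svc-*` service names are the ones that appear in the output.

```python
import re

# Added example, not code from the thread: parse ArubaOS "show rights" ACL
# tables and flag rules that send web traffic to the captive portal.

# Quoted from the "show rights logon" output in the thread (columns after Queue dropped).
CAPTIVEPORTAL6 = """\
Priority  Source  Destination  Service          Action   TimeRange  Log  Expired  Queue
--------  ------  -----------  -------          ------   ---------  ---  -------  -----
1         user    controller6  svc-https        captive                           Low
2         user    any          svc-http         captive                           Low
3         user    any          svc-https        captive                           Low
4         user    any          svc-http-proxy1  captive                           Low
5         user    any          svc-http-proxy2  captive                           Low
6         user    any          svc-http-proxy3  captive                           Low
"""

# Quoted from the "show rights authenticated" output in the thread (same trimming).
ALLOW_ALL = """\
Priority  Source  Destination  Service  Action  TimeRange  Log  Expired  Queue
--------  ------  -----------  -------  ------  ---------  ---  -------  -----
1         any     any          any      permit                           Low
"""

# Service aliases from the dump that carry browser traffic (example set, not an Aruba list).
WEB_SERVICES = {"svc-http", "svc-https", "svc-http-proxy1",
                "svc-http-proxy2", "svc-http-proxy3"}


def parse_aruba_table(text: str) -> list:
    """Turn a fixed-width ArubaOS table into one dict per rule, keyed by header name."""
    lines = [line.rstrip() for line in text.splitlines() if line.strip()]
    header, rows = lines[0], lines[2:]  # lines[1] is the dashed separator
    cols = [(m.start(), m.group()) for m in re.finditer(r"\S+", header)]
    records = []
    for row in rows:
        rec = {name: "" for _, name in cols}
        for m in re.finditer(r"\S+", row):
            # Blank cells leave gaps, so assign each token to the right-most
            # column whose header starts at or before the token.
            name = [n for start, n in cols if start <= m.start()][-1]
            rec[name] = m.group()
        records.append(rec)
    return records


def captive_web_rules(rules: list) -> list:
    """Rules that intercept web services with the captive action."""
    return [r for r in rules if r["Action"] == "captive" and r["Service"] in WEB_SERVICES]


def diagnose_role(role: str, acl_text: str) -> dict:
    """Summarise whether an ACL attached to `role` sends web traffic to the controller."""
    rules = parse_aruba_table(acl_text)
    hits = captive_web_rules(rules)
    return {"role": role, "rule_count": len(rules),
            "captive_web_priorities": [r["Priority"] for r in hits],
            "redirects_web": bool(hits)}


if __name__ == "__main__":
    for role, acl in (("logon", CAPTIVEPORTAL6), ("authenticated", ALLOW_ALL)):
        print(diagnose_role(role, acl))
```

Run against the thread's own dumps, the logon role's single ACL reports six captive web rules (one of them explicitly destined for `controller6`) while the authenticated role's `allow-all` reports none, which is why the experts keep asking which role the affected clients actually land in, and why a client that is still holding a stale role must be removed with `aaa user delete` before retesting.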
LVL 20

Assisted Solution

by:Jakob Digranes
Jakob Digranes earned 250 total points
ID: 40603926
Your logon role looks a bit askew. This really is only used before authentication - but you never know.
Do all your SSID have logon role as initial role?

Try creating a new role called logon2 or something.
Add the following preconfigured access lists - in this order:
access-list List
----------------
Position  Name              Type     Location
--------  ----              ----     --------
1         ra-guard          session
2         logon-control     session
3         captiveportal     session
4         vpnlogon          session
5         v6-logon-control  session
6         captiveportal6    session

Then change initial role to this one, and test.
Remember to fully disconnect client before testing, or you'll just get the old role again.
show user-table (Find your user)
aaa user delete (IP-Addr of station)

then reconnect

Author Comment

by:perktech
ID: 40603975
OK, will try that - give me a day or so on that.
LVL 20

Expert Comment

by:Jakob Digranes
ID: 40604009
Sweet -- let me know if you need some guidance in recreating roles
LVL 2

Expert Comment

by:UnHeardOf
ID: 40604129
Can you post the results of the aaa profile from one of the SSIDs that is having the issue?

Show aaa profile "your profile"

Also review the authenticated role to see if a captive profile is defined in the misc configuration.

In the GUI > Security > Access Control > select user role authenticated > on the right side of the screen, the captive portal profile should by default be "not assigned", unless you're using it.

Author Comment

by:perktech
ID: 40631100
Hi @Jakob_di can you give me some help recreating the roles?  I thought I knew how to do it, but it looks a bit foreign to me once I'm in the Roles section, I can't see where to put the access lists in.

Author Comment

by:perktech
ID: 40631114
@Unheardof

(aruba-master) # show aaa profile AIM-8021x

AAA Profile "AIM-8021x"
-----------------------
Parameter                           Value
---------                           -----
Initial role                        logon
MAC Authentication Profile          N/A
MAC Authentication Default Role     guest
MAC Authentication Server Group     default
802.1X Authentication Profile       AIM-dot1x-profile
802.1X Authentication Default Role  authenticated
802.1X Authentication Server Group  AIM-8021x
L2 Authentication Fail Through      Disabled
RADIUS Accounting Server Group      N/A
RADIUS Interim Accounting           Disabled
XML API server                      N/A
RFC 3576 server                     N/A
User derivation rules               N/A
Wired to Wireless Roaming           Enabled
SIP authentication role             N/A
Device Type Classification          Enabled
Enforce DHCP                        Disabled
LVL 20

Expert Comment

by:Jakob Digranes
ID: 40634176
go to Configuration - Access Control
find Logon role and add configured firewall rules (on the left) and make it look like this:
1         ra-guard          session
2         logon-control     session
3         captiveportal     session
4         vpnlogon          session
5         v6-logon-control  session
6         captiveportal6    session

Author Comment

by:perktech
ID: 40712718
Sorry for the delay on this... still no luck with the different roles.
LVL 20

Expert Comment

by:Jakob Digranes
ID: 40714568
have you tried creating a new wireless network using PSK and see if that error happens there?