Solved

Aruba 3200 Controller DNS Resolution Issue

Posted on 2015-02-06
Last Modified: 2015-05-28
Hello All...
We have an Aruba 3200 controller and AP105s in the field.

We have an issue with only wireless clients... When they try to go to the organization's website (yourname.org) they end up at the Aruba controller... if they try it wired, they go where they are supposed to go.

NSLOOKUP on wireless and wired clients reflects a different answer when I look up the name, and the wireless answer is a Non-Authoritative answer but says it is from the correct DNS server.

This is on a Windows 2012 Domain, if that helps.

Any ideas where to look in the wireless controller?
Question by:perktech
28 Comments
 
LVL 27

Expert Comment

by:DrDave242
ID: 40594740
NSLOOKUP on wireless and wired clients reflects a different answer when I look up the name, and the wireless answer is a Non-Authoritative answer but says it is from the correct DNS server.
If the wireless clients are resolving that name to a different IP address from the one the wired clients are resolving it to, and the wired clients are able to browse to the site with no trouble, that bogus address is probably the problem. So now you just need to determine why the wireless clients resolve the name to a different address. Are the wireless clients using different DNS servers from the wired clients?
 

Author Comment

by:perktech
ID: 40595121
Hi Dave - no, they get the same DNS server.  The issue is somewhere in the wireless controller, just not sure where to look exactly.
 
LVL 2

Accepted Solution

by: UnHeardOf (earned 500 total points)
ID: 40595822
Hi Perktech,
Sounds like your SSID is configured to tunnel through the controller. Check what role the user is getting when connected to the wireless. After you determine what role the user has, check to see what firewall rules are configured for that role on the wireless controller.

As an example, a user with the authenticated role has no restrictions.
 

Author Comment

by:perktech
ID: 40595840
UnHeardOf - great suggestion, thanks, I will take a look on Monday!
 
LVL 22

Expert Comment

by:Jakob Digranes
ID: 40600164
Hi - did changing roles and access policies fix this issue?
 

Author Comment

by:perktech
ID: 40600733
No, that hasn't had an impact.  I've noted that the SSL certificate that was installed is for the domain name (company.org) for some reason... I'm thinking that may be the issue...  not sure where to go from here, except maybe to try and put a generic one in place?
 
LVL 2

Expert Comment

by:UnHeardOf
ID: 40601662
I would test DNS from a wireless client. Run cmd:

nslookup
server 8.8.8.8
google.com

This will test DNS (port 53) through the controller and Internet access. The answer should be a non-authoritative response if what you're looking up is not your domain.
 
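
A decoder for what nslookup is reporting in the question and in the test above, added here as an example (it is not code from the thread, from Aruba or from ArubaOS). It builds two constructed DNS replies for the organisation's name, one as a wired client would receive it and one as a wireless client would, decodes the header AA bit that nslookup renders as "Non-authoritative answer", and diffs the A records the two vantage points got back. The addresses 203.0.113.10 (the real web server) and 172.19.10.1 (whatever answered on the wireless path) are hypothetical placeholders, not values from the thread. nslookup's "Server:" line names the resolver it sent the query to; it does not authenticate the reply, so any device on the path that answers in the resolver's place produces exactly the "same server, different answer, non-authoritative" result the question describes.

```python
import socket
import struct

AA_FLAG = 0x0400  # Authoritative Answer bit in the DNS header flags word


def build_a_response(txid, qname, ip, authoritative, ttl=300):
    """Build a minimal DNS response carrying one A record (constructed test data, not a capture)."""
    flags = 0x8000 | 0x0100 | 0x0080          # QR=1 (response), RD=1, RA=1
    if authoritative:
        flags |= AA_FLAG
    header = struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0)   # QDCOUNT=1, ANCOUNT=1
    labels = qname.rstrip(".").split(".")
    question = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question += struct.pack("!HH", 1, 1)       # QTYPE=A, QCLASS=IN
    # The answer's owner name is a compression pointer (0xC00C) to the question name at offset 12.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)
    return header + question + answer


def _read_name(data, offset):
    """Decode a (possibly compressed) domain name; return (name, offset just after it)."""
    labels = []
    while True:
        length = data[offset]
        if length == 0:
            return ".".join(labels) + ".", offset + 1
        if length & 0xC0 == 0xC0:              # compression pointer to an earlier name
            ptr = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            tail, _ = _read_name(data, ptr)
            labels.append(tail.rstrip("."))
            return ".".join(labels) + ".", offset + 2
        labels.append(data[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length


def parse_response(data):
    """Return the fields a troubleshooter cares about: query name, AA bit, RCODE and A records."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    offset, qname = 12, None
    for _ in range(qd):
        qname, offset = _read_name(data, offset)
        offset += 4                             # skip QTYPE and QCLASS
    a_records = []
    for _ in range(an):
        _owner, offset = _read_name(data, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        if rtype == 1 and rdlen == 4:
            a_records.append(socket.inet_ntoa(data[offset:offset + 4]))
        offset += rdlen
    return {"id": txid, "qname": qname, "authoritative": bool(flags & AA_FLAG),
            "rcode": flags & 0x000F, "a_records": a_records}


def compare_vantage_points(wired_reply, wireless_reply):
    """Diff two replies for the same name; each finding is something to chase on the wireless path."""
    wired, wireless = parse_response(wired_reply), parse_response(wireless_reply)
    findings = []
    if wired["qname"] != wireless["qname"]:
        findings.append("replies are for different names: %s vs %s" % (wired["qname"], wireless["qname"]))
    if sorted(wired["a_records"]) != sorted(wireless["a_records"]):
        findings.append("A records differ: wired=%s wireless=%s" % (wired["a_records"], wireless["a_records"]))
    if wired["authoritative"] and not wireless["authoritative"]:
        findings.append("wireless reply has AA clear (nslookup prints 'Non-authoritative answer'), wired reply has AA set")
    return findings


# Constructed replies for the thread's scenario; both addresses are hypothetical placeholders.
WIRED_REPLY = build_a_response(0x1234, "yourname.org", "203.0.113.10", authoritative=True)
WIRELESS_REPLY = build_a_response(0x1234, "yourname.org", "172.19.10.1", authoritative=False)

if __name__ == "__main__":
    for finding in compare_vantage_points(WIRED_REPLY, WIRELESS_REPLY):
        print(finding)
```

To use this against a real capture rather than the constructed replies, feed `parse_response` the UDP payload of the reply seen on each client (for example exported from a packet capture taken during the nslookup), and compare the reply's source address and transaction ID with what the client actually sent; that is the check nslookup's "Server:" line does not perform.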
LVL 2

Expert Comment

by:UnHeardOf
ID: 40601669
Also test pinging 8.8.8.8 and try a traceroute to make sure you're going the path you would expect.
 

Author Comment

by:perktech
ID: 40601692
All of that comes out as expected...  and even changing the DNS service in network config has no impact.  It is a setting in the controller somewhere, I think it has to do with the certificate, but still trying to figure out how to fix it.
 
LVL 2

Expert Comment

by:UnHeardOf
ID: 40602119
Is this a captive portal setup? Is the SSID configured as tunnel or bridge?
 
LVL 2

Expert Comment

by:UnHeardOf
ID: 40602122
Just to clarify: is all web traffic (http/https) destined to any page bringing you to the controller?
 
LVL 22

Expert Comment

by:Jakob Digranes
ID: 40602515
As UnHeardOf mentions, this really looks like the DNS forwarding, dst-nat which is set up for the captive portal login.
In addition to UnHeardOf's questions, please copy whatever roles users are assigned to.

How do they authenticate to the network? 802.1X with certificates or domain usernames and passwords, or a pre-shared key?

If you're using PSK, then the logon role is the role users are assigned to, so the logon role can be changed to authenticated for test purposes.
 

Author Comment

by:perktech
ID: 40603218
They use their Active Directory usernames and passwords to log in to the wireless; there is no captive portal on one of the SSIDs that has the issue.

Here is the list of available roles:

Name              ACL  Bandwidth                  ACL List                                       Type
----              ---  ---------                  --------                                       ----
ap-role           4    Up: No Limit,Dn: No Limit                                                 System
authenticated     22   Up: No Limit,Dn: No Limit  allow-all/                                     User
default-via-role  21   Up: No Limit,Dn: No Limit                                                 User
guest             3    Up: No Limit,Dn: No Limit  guest/                                         User
guest-logon       6    Up: No Limit,Dn: No Limit  captiveportal/,logon-control/,captiveportal6/  User
logon             1    Up: No Limit,Dn: No Limit  captiveportal6/                                User
stateful-dot1x    5    Up: No Limit,Dn: No Limit                                                 System
sys-ap-role       7    Up: No Limit,Dn: No Limit  sys-control/,sys-ap-acl/                       System (not editable)


And a sampling of some of the users logged in:
172.19.10.156  70:56:81:8a:6d:95  aimguest          authenticated  00:03:31    802.1x            4th-Tech-01        Wireless  AIM/24:de:c6:45:08:78/a-HT        AIM-8021x      tunnel        OS X
172.19.10.130  2c:be:08:f1:52:f2  bcummings         authenticated  00:00:11    802.1x            1st-Stairwell-01   Wireless  AIM/00:24:6c:b1:89:18/a-HT        AIM-8021x      tunnel        OS X
172.19.10.135  00:23:6c:93:4e:44  sadams            authenticated  00:00:43    802.1x            2nd-201-01         Wireless  AIM/00:24:6c:b1:80:80/g-HT        AIM-8021x      tunnel        OS X
 
LVL 22

Expert Comment

by:Jakob Digranes
ID: 40603238
OK

Why does your logon role only contain captiveportal6? Or is something missing?
Please take a copy of the AAA profile used for the affected SSID, and check if the logon role is the one set for logon.

You say that all SSIDs have this problem?
What ArubaOS are you running?
show image version in CLI
 

Author Comment

by:perktech
ID: 40603504
I can't speak to why the controller was configured in any particular way, I didn't do it.  I am trying to sift through it and fix it, though.

All SSIDs have the issue.
ArubaOS 6.1.3.2


I am attaching a show config for good measure...
 
LVL 2

Expert Comment

by:UnHeardOf
ID: 40603526
You could change the role to authenticated to see if it resolves your issue as a test. Then you can modify it to fit your needs once you know that the role is your problem.
 

Author Comment

by:perktech
ID: 40603545
I don't understand... when you connect, your role *is* authenticated as you can see above... why would I change it to authenticated?
 
LVL 22

Expert Comment

by:Jakob Digranes
ID: 40603868
can you do the following commands from CLI

show rights logon
show rights authenticated
 

Author Comment

by:perktech
ID: 40603896
show rights logon:
Derived Role = 'logon'
 Up BW:No Limit   Down BW:No Limit  
 L2TP Pool = default-l2tp-pool
 PPTP Pool = default-pptp-pool
 Periodic reauthentication: Disabled
 ACL Number = 1/0
 Max Sessions = 65535


access-list List
----------------
Position  Name            Location
--------  ----            --------
1         captiveportal6  

captiveportal6
--------------
Priority  Source  Destination  Service          Action   TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
--------  ------  -----------  -------          ------   ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
1         user    controller6  svc-https        captive                           Low                                                           6
2         user    any          svc-http         captive                           Low                                                           6
3         user    any          svc-https        captive                           Low                                                           6
4         user    any          svc-http-proxy1  captive                           Low                                                           6
5         user    any          svc-http-proxy2  captive                           Low                                                           6
6         user    any          svc-http-proxy3  captive                           Low                                                           6

Expired Policies (due to time constraints) = 0

show rights authenticated:
Derived Role = 'authenticated'
 Up BW:No Limit   Down BW:No Limit  
 L2TP Pool = default-l2tp-pool
 PPTP Pool = default-pptp-pool
 Periodic reauthentication: Disabled
 ACL Number = 22/0
 Max Sessions = 65535


access-list List
----------------
Position  Name       Location
--------  ----       --------
1         allow-all  

allow-all
---------
Priority  Source  Destination  Service  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
--------  ------  -----------  -------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
1         any     any          any      permit                           Low                                                           4

Expired Policies (due to time constraints) = 0
 
LVL 22

Assisted Solution

by: Jakob Digranes (earned 500 total points)
ID: 40603926
Your logon looks a bit askew. This really is only used before authentication, but you never know.
Do all your SSIDs have the logon role as initial role?

Try creating a new role called logon2 or something.
Add the following preconfigured access lists, in this order:
access-list List
----------------
Position  Name              Type     Location
--------  ----              ----     --------
1         ra-guard          session
2         logon-control     session
3         captiveportal     session
4         vpnlogon          session
5         v6-logon-control  session
6         captiveportal6    session

Then change the initial role to this one, and test.
Remember to fully disconnect the client before testing, or you'll just get the old role again.
show user-table (find your user)
aaa user delete (IP-Addr of station)

then reconnect
 
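
An audit of the two `show rights` outputs pasted above against the ACL list Jakob suggests, added here as an example; it is not code from the thread, from Aruba or from ArubaOS. It parses a role's ordered access-list table, lists the rules whose action is `captive` for any destination (the traffic a captive-portal ACL sends to the controller's portal instead of its real destination), and reports which of the suggested preconfigured session ACLs the logon role is missing. The sample input is the logon and authenticated output from earlier in the thread, abridged to the columns the parser reads; the column layout it assumes is that of the 6.1 output shown here and should be rechecked against your own controller.

```python
# Abridged copies of the "show rights logon" / "show rights authenticated" output pasted in the thread.
SHOW_RIGHTS_LOGON = """\
access-list List
----------------
Position  Name            Location
--------  ----            --------
1         captiveportal6

captiveportal6
--------------
Priority  Source  Destination  Service          Action   Queue  IPv4/6
--------  ------  -----------  -------          ------   -----  ------
1         user    controller6  svc-https        captive  Low    6
2         user    any          svc-http         captive  Low    6
3         user    any          svc-https        captive  Low    6
4         user    any          svc-http-proxy1  captive  Low    6
5         user    any          svc-http-proxy2  captive  Low    6
6         user    any          svc-http-proxy3  captive  Low    6
"""

SHOW_RIGHTS_AUTHENTICATED = """\
access-list List
----------------
Position  Name       Location
--------  ----       --------
1         allow-all

allow-all
---------
Priority  Source  Destination  Service  Action  Queue  IPv4/6
--------  ------  -----------  -------  ------  -----  ------
1         any     any          any      permit  Low    4
"""

# The preconfigured session ACLs, in order, that Jakob recommends for the logon role.
EXPECTED_LOGON_ACLS = ["ra-guard", "logon-control", "captiveportal",
                       "vpnlogon", "v6-logon-control", "captiveportal6"]


def _rows_after(lines, start):
    """Collect whitespace-split rows from index `start` until the first blank line."""
    rows = []
    for line in lines[start:]:
        if not line.strip():
            break
        rows.append(line.split())
    return rows


def acl_order(show_rights):
    """Ordered ACL names from the role's 'access-list List' table."""
    lines = show_rights.splitlines()
    for i, line in enumerate(lines):
        if line.startswith("Position"):
            return [row[1] for row in _rows_after(lines, i + 2)]   # skip header and dashes
    return []


def acl_rules(show_rights, acl_name):
    """Rules of one ACL: the table under a line holding just the ACL name and a dashed underline."""
    lines = show_rights.splitlines()
    for i, line in enumerate(lines[:-1]):
        if line.strip() == acl_name and set(lines[i + 1].strip()) == {"-"}:
            rules = []
            for row in _rows_after(lines, i + 4):      # skip name, dashes, header, dashes
                pri, src, dst, svc, action = row[:5]
                rules.append({"priority": int(pri), "src": src, "dst": dst,
                              "service": svc, "action": action})
            return rules
    return []


def captive_redirects(show_rights):
    """(ACL, service) pairs the role sends to the captive portal regardless of destination."""
    hits = []
    for acl in acl_order(show_rights):
        for rule in acl_rules(show_rights, acl):
            if rule["action"] == "captive" and rule["dst"] == "any":
                hits.append((acl, rule["service"]))
    return hits


def missing_acls(show_rights, expected=EXPECTED_LOGON_ACLS):
    """Suggested ACLs absent from the role, in the suggested order."""
    present = acl_order(show_rights)
    return [name for name in expected if name not in present]


def audit(role, show_rights):
    """Human-readable findings for one role; the logon role is also checked against the suggested list."""
    report = ["role %s: ACLs in order = %s" % (role, acl_order(show_rights))]
    for acl, svc in captive_redirects(show_rights):
        report.append("  %s redirects %s for any destination to the captive portal" % (acl, svc))
    if role == "logon":
        for name in missing_acls(show_rights):
            report.append("  missing preconfigured ACL: %s" % name)
    return report


if __name__ == "__main__":
    for role, text in (("logon", SHOW_RIGHTS_LOGON), ("authenticated", SHOW_RIGHTS_AUTHENTICATED)):
        print("\n".join(audit(role, text)))
```

Run it against the full `show rights <role>` text copied from the CLI for each role a user can land in. Note the IPv4/6 column in the thread's output: every rule in captiveportal6 is an IPv6 rule, which is consistent with Jakob asking for the IPv4 `captiveportal` and `logon-control` lists to be added as well, and the authenticated role contains no captive rule at all, which is why an http/https redirect seen by a user in that role has to be explained by something other than its ACLs.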

Author Comment

by:perktech
ID: 40603975
OK, will try that - give me a day or so on that.
 
LVL 22

Expert Comment

by:Jakob Digranes
ID: 40604009
Sweet -- let me know if you need some guidance in recreating roles
 
LVL 2

Expert Comment

by:UnHeardOf
ID: 40604129
Can you post the results of the AAA profile from one of the SSIDs that is having the issue?

show aaa profile "your profile"

Also review the authenticated role to see if a captive portal profile is defined in the misc configuration.

In the GUI > Security > Access Control > select user role authenticated > right side of screen, the captive portal profile by default should be "not assigned", unless you're using it.
 

Author Comment

by:perktech
ID: 40631100
Hi @Jakob_di can you give me some help recreating the roles?  I thought I knew how to do it, but it looks a bit foreign to me once I'm in the Roles section, I can't see where to put the access lists in.
 

Author Comment

by:perktech
ID: 40631114
@Unheardof

(aruba-master) # show aaa profile AIM-8021x

AAA Profile "AIM-8021x"
-----------------------
Parameter                           Value
---------                           -----
Initial role                        logon
MAC Authentication Profile          N/A
MAC Authentication Default Role     guest
MAC Authentication Server Group     default
802.1X Authentication Profile       AIM-dot1x-profile
802.1X Authentication Default Role  authenticated
802.1X Authentication Server Group  AIM-8021x
L2 Authentication Fail Through      Disabled
RADIUS Accounting Server Group      N/A
RADIUS Interim Accounting           Disabled
XML API server                      N/A
RFC 3576 server                     N/A
User derivation rules               N/A
Wired to Wireless Roaming           Enabled
SIP authentication role             N/A
Device Type Classification          Enabled
Enforce DHCP                        Disabled
 
LVL 22

Expert Comment

by:Jakob Digranes
ID: 40634176
go to Configuration - Access Control
find Logon role and add configured firewall rules (on the left) and make it look like this:
1         ra-guard          session
2         logon-control     session
3         captiveportal     session
4         vpnlogon          session
5         v6-logon-control  session
6         captiveportal6    session
 

Author Comment

by:perktech
ID: 40712718
Sorry for the delay on this... still no luck with the different roles.
 
LVL 22

Expert Comment

by:Jakob Digranes
ID: 40714568
have you tried creating a new wireless network using PSK and see if that error happens there?
