NAC as DHCP server problem

Hi guys,
I have a problem using the NAC server as a DHCP server for a different subnet.
One thing I want to know: does DHCP on the NAC server support unicast DHCP messages?
Because when the client uses a layer 2 connection to the NAC server, DHCP works fine. I think they use DHCP broadcast messages.
Thanks

Hi,
Ensure your internal network can ping the DHCP server, which in this case I think is your Hyper-V host. This probably requires that you configure an IP address on your Hyper-V host that matches the subnet you have configured on the DHCP scope.
When you add a virtual network to Hyper-V, this will add a virtual network adapter on the Hyper-V host. You can see the adapter in ipconfig with a name that matches the name of the virtual switch, for example: Ethernet adapter vEthernet (Internal Network).
I'm not sure what your goals are here. It sounds like you want to give the VMs access to the Internet, which can be done much more simply by just creating an External virtual network rather than an Internal one with NAT. 
Whatever your configuration, consider that DHCP works only one of two ways:
1. DHCP server exists on the same subnet as the scope subnet and shares one of these subnet IP addresses.
2. DHCP server has a different IP address than the scope, and clients use DHCP relay to get to the DHCP server.
If you don't have a DHCP relay, then you must use the first method.
-Greg
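
The two cases in the answer above, shown at packet level as an added example (not code from the thread or from any NAC product): a client broadcast, the same request after a relay agent has stamped `giaddr` and forwarded it as unicast, and the server-side scope choice. The scopes, addresses and function names are assumptions constructed for the illustration.

```python
import ipaddress
import struct

# Fixed BOOTP/DHCP header (RFC 2131): op, htype, hlen, hops, xid, secs, flags,
# ciaddr, yiaddr, siaddr, giaddr, chaddr[16], sname[64], file[128]
BOOTP = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")
MAGIC = b"\x63\x82\x53\x63"          # DHCP magic cookie preceding the options
NO_ADDR = b"\x00" * 4

# Constructed scopes on a hypothetical server whose own interface is 10.0.10.1.
SCOPES = [ipaddress.ip_network("10.0.10.0/24"),   # the server's own subnet
          ipaddress.ip_network("10.0.20.0/24")]   # remote subnet behind a relay


def build_discover(mac: bytes, xid: int) -> bytes:
    """Constructed DHCPDISCOVER as a client broadcasts it (0.0.0.0 -> 255.255.255.255)."""
    header = BOOTP.pack(1, 1, 6, 0, xid, 0, 0x8000,
                        NO_ADDR, NO_ADDR, NO_ADDR, NO_ADDR,
                        mac.ljust(16, b"\x00"), b"", b"")
    return header + MAGIC + bytes([53, 1, 1, 255])   # option 53 = DISCOVER, end


def relay(packet: bytes, relay_ip: str, max_hops: int = 4) -> bytes:
    """What a relay agent changes before unicasting the request to the server."""
    fields = list(BOOTP.unpack_from(packet))
    if fields[3] >= max_hops:
        raise ValueError("hop limit reached; a relay discards the packet")
    fields[3] += 1                                   # hops
    if fields[10] == NO_ADDR:                        # giaddr: only the first relay sets it
        fields[10] = ipaddress.IPv4Address(relay_ip).packed
    return BOOTP.pack(*fields) + packet[BOOTP.size:]


def parse(packet: bytes) -> dict:
    """Decode the header fields and options a server needs for scope selection."""
    if packet[BOOTP.size:BOOTP.size + 4] != MAGIC:
        raise ValueError("not a DHCP message (missing magic cookie)")
    f = BOOTP.unpack_from(packet)
    options, i = {}, BOOTP.size + 4
    while i < len(packet) and packet[i] != 255:      # 255 = end option
        if packet[i] == 0:                           # pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(packet):
            raise ValueError("truncated option")
        code, length = packet[i], packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option")
        options[code] = value
        i += 2 + length
    return {"hops": f[3], "xid": f[4], "broadcast": bool(f[6] & 0x8000),
            "giaddr": ipaddress.IPv4Address(f[10]),
            "chaddr": f[11][:f[2]].hex(":"), "options": options}


def select_scope(msg: dict, rx_interface_ip: str, scopes=SCOPES) -> dict:
    """Server-side choice between the two cases described in the answer above."""
    relayed = int(msg["giaddr"]) != 0
    # Relayed: giaddr names the client's subnet. Direct: the client shares the
    # subnet of the interface the broadcast arrived on.
    anchor = msg["giaddr"] if relayed else ipaddress.IPv4Address(rx_interface_ip)
    scope = next((net for net in scopes if anchor in net), None)
    return {"path": "relayed" if relayed else "direct",
            "scope": str(scope) if scope else None,
            # replies to relayed requests are unicast back to giaddr
            "reply_to": str(msg["giaddr"]) if relayed else "local segment"}


if __name__ == "__main__":
    discover = build_discover(bytes.fromhex("020000aabb01"), 0x1234ABCD)
    print(select_scope(parse(discover), "10.0.10.1"))
    print(select_scope(parse(relay(discover, "10.0.20.1")), "10.0.10.1"))
```

A request whose `giaddr` (or receiving interface) matches no configured scope gets `scope: None`, which is the "no address pool" outcome a server logs when neither of the two cases applies.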

Similar Messages

  • WLC as DHCP server problems

    Hi
          My 5508 WLC which runs version 7.4.100.60 is configured as a DHCP server for the AP management and here's my problem:
    The client cannot get the address: I am at the location of a 1F AP, I obtain an IP address and am associated to this AP, but the address I get is from the 2F address range instead of the 1F address range above. In this WLC the AP power and channel have not been optimized; the adjacent channels are AP 1, and the power display is 1.
    Last night I tested, disconnecting and reconnecting several times, and I was able to get a different IP address on the same network. My AP is a 1602I, LoaderVersion 15.2<2> JAX. Why is this?

    (Cisco Controller) >show interface summ
    Number of Interfaces.......................... 17
    Interface Name                         Port     Vlan Id     IP Address      Type    Ap Mgr       Guest
    management                            LAG       421      10.217.147.45   Static       Yes           No  
    redundancy-management          LAG       421           0.0.0.0         Static        No            No  
    redundancy-port                           -    untagged        0.0.0.0         Static        No            No  
    service-port                               N/A       N/A      10.215.29.165   Static         No           No  
    t2-2f                                        LAG       608       10.215.69.125   Dynamic    No            No  
    t2-1f                                        LAG       609       10.215.68.253   Dynamic    No            No

  • E1200 odd rogue DHCP server problem

    My local network connected to AT&T Uverse has both LAN and wireless connections, with some devices specified in the DHCP reservations list. All has worked fine for a while now. The UVerse modems do not support DHCP reservation configurations.
    Last weekend, one of my Linux machines (in the DHCP reservation list) suddenly changed its address from 192.168.2.34 (DHCP server at 192.168.2.1 as configured) to 192.168.1.105 (DHCP server at 192.168.1.251). I couldn't find the second DHCP server, and eventually put iptables on my Linux box to drop packets from that server and get back up and running. Spent Sat/Sunday fixing this.
    Monday it happened again, even though the iptables rule was still set to drop the packets! I found a rogue DHCP utility for Windows and started isolating parts of my network until I was down to two machines: one Windows and the E1200.
    I ended up using the admin UI on the E1200 to restore the router to default and reconfigure back to operation, and the rogue DHCP server is gone! I did NOT try to power off/on the router.
    I do not know how this happened. Although the E1200 was in the UVerse modem DMZ (so I could get DDNS to work), I changed the userid and password, and did not have wireless admin access or WAN admin access enabled. It seems 'unlikely' that the router had been hacked, but I have no other explanation unless there is a pretty serious firmware bug. I have found other reports of similar behavior on other vendors' routers, which seem to be caused by a loss of the WAN link AND having DHCP reservation machines.
    I have not tried to recreate the scenario. Any ideas welcomed.

    config
    ATT Pace modem, DHCP on, wireless on, address range 192.168.1.2- 192.168.1.40, dhcp server at 192.1.1
    ethernet cable from ATT modem to 1200 'wan' port.
    1200 DHCP on, base address 192.168.2.1, dhcp range 192.168.2.2-192.168.2.200, wireless on
    out of E1200
    ethernet to local machine
    ethernet to Insteon automation hub
    ethernet to 4 port ethernet switch on other side of room
       switch to local windows machine (dhcp reservation address 192.168.2.106)
       switch to back of Dlink 1522 Access point, providing wireless to TV, Blueray player and roku box, access point address 192.168.2.5 in E1200 DHCP reservations list. DHCP off on 1522
          back of dlink (4 port switch) ethernet to linux machine. 2 ft away.
          back of dlink (4 port switch) to NAS storage device.
    Brother multi-function laser configured with a fixed address, wireless to 1200 (192.168.2.195); need wireless for tablet/iPhone/iPad print support.
    So we have 1 ethernet network, and 3 wifi networks (all 2.4mhz).
    (My daughter and son-in-law are here as they move back to the local area from Chicago, and have connectivity issues with wireless on the 1200, due to house walls, not so much on the UVerse modem. The 1522 is dedicated to entertainment systems.)
    Only the ethernet-connected Linux box experienced this DHCP problem.
    The rogue DHCP server was at 192.168.1.251, and provided IP address 192.168.1.105.
    note that AT&T DHCP is 192.168.1.255
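
Detection logic for the situation in the post above, as an added example that is not part of the original thread: it audits DHCP client log lines against the one server and subnet that should be answering. The policy values (server 192.168.2.1, subnet 192.168.2.0/24, reservation 192.168.2.34) and the rogue server's addresses come from the post; the log lines are constructed in the style of ISC dhclient syslog messages, and the hostname, timestamps and function names are assumptions.

```python
import ipaddress
import re

# Policy for the Linux box in the post: only the E1200 may answer, leases come
# from its range, and this host has a reservation.
AUTHORIZED_SERVERS = {ipaddress.ip_address("192.168.2.1")}
EXPECTED_NET = ipaddress.ip_network("192.168.2.0/24")
RESERVED_IP = ipaddress.ip_address("192.168.2.34")

# Constructed sample log (not taken from the post).
SAMPLE_LOG = """\
May 10 09:00:01 linuxbox dhclient[812]: DHCPREQUEST on eth0 to 255.255.255.255 port 67
May 10 09:00:01 linuxbox dhclient[812]: DHCPACK of 192.168.2.34 from 192.168.2.1
May 10 21:14:40 linuxbox dhclient[812]: DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 5
May 10 21:14:41 linuxbox dhclient[812]: DHCPOFFER of 192.168.1.105 from 192.168.1.251
May 10 21:14:41 linuxbox dhclient[812]: DHCPACK of 192.168.1.105 from 192.168.1.251
May 10 21:14:42 linuxbox dhclient[812]: bound to 192.168.1.105 -- renewal in 1800 seconds.
"""

# Server replies are the only lines that name the answering server.
REPLY = re.compile(r"\b(DHCPOFFER|DHCPACK) of (\S+) from (\S+)")


def audit_replies(log_text: str) -> list:
    """Return one finding per server reply that violates the policy above."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        match = REPLY.search(line)
        if not match:
            continue
        kind, leased_s, server_s = match.groups()
        reasons = []
        try:
            leased = ipaddress.ip_address(leased_s)
            server = ipaddress.ip_address(server_s)
        except ValueError:
            # A mangled address is itself worth a look; do not drop the line.
            reasons.append("unparseable-address")
        else:
            if server not in AUTHORIZED_SERVERS:
                reasons.append("unauthorized-server")
            if leased not in EXPECTED_NET:
                reasons.append("outside-subnet")
            # Only an ACK commits the lease, so only then check the reservation.
            if kind == "DHCPACK" and leased != RESERVED_IP:
                reasons.append("reservation-mismatch")
        if reasons:
            findings.append({"line": lineno, "kind": kind, "server": server_s,
                             "leased": leased_s, "reasons": reasons})
    return findings


def rogue_servers(findings: list) -> list:
    """Collapse findings into the server addresses to trace on the network."""
    return sorted({f["server"] for f in findings
                   if "unauthorized-server" in f["reasons"]})


if __name__ == "__main__":
    for finding in audit_replies(SAMPLE_LOG):
        print(finding)
    print("trace these servers:", rogue_servers(audit_replies(SAMPLE_LOG)))
```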

  • NAC implementation without DHCP Server

    Dear Experts,
    Is it possible to deploy NAC without having DHCP server in the network? We have some 300-400 users in the campus and want to enable NAC for them.
    As per my understanding Cisco NAC cannot be deployed without DHCP server in the network, however it is not documented anywhere on the site. Currently all users' machines are configured with static IP.
    We want to do user authentication, AV remediation and Patch deployment through NAC. Is it possible to deploy NAC without DHCP server??
    Thanks in advance.
    nayan       

    Hi,
    Here is the basic flow of clean access for both inband and out of band: (http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5707/ps8418/ps6128/prod_white_paper0900aecd802bdc42.html)
    Figure 1. Laptop Attempts to Access the Internal Network
    1.  When the laptop first accesses the network, the Cisco Clean Access  Server determines that the computer's MAC address is not in the list of  certified devices, and that laptop is placed into an unauthenticated  role. While in this role, only User Datagram Protocol (UDP) Port 53  (Domain Name System [DNS]) and Dynamic Host Control Protocol (DHCP)  traffic (via DHCP and VLAN passthrough) is allowed.
    2. The laptop gets an IP address from the DHCP server, but cannot get past the Clean Access Server acting as an IP filter.
    3.  The laptop user opens a browser and is redirected to an SSL-based Web  login page where she enters her credentials, which in turn map her into  the "employee" role.
    4. As an "employee," she is asked to download the Clean Access Agent.
    5.  The Clean Access Agent performs the posture assessment and forwards the  results to the Clean Access Server to make the network admissions  decision.
    Tarik Admani
    *Please rate helpful posts*

  • Dhcp server won't admit my Arch Linux (though Win's have no problems)

    1. Generally my dhcpcd works fine in every network (and always has, I have not changed anything substantial).
    2. Currently I am in a network (for just a couple of weeks) in which it does not.
    3. The network will ignore all my dhcp requests over both network devices, enp1s0 and wlp2s0 (ethernet and wifi)
    4. When trying the same from Windows (dual boot), the dhcp client works brilliantly (i.e. the hardware is fine)
    5. I can force entry into the cable network by simply assigning an IP address and setting netmask and gateway as was configured by dhcp when I tried from Windows
    6. For wifi this does not work. More specifically it works for a brief moment if (and only if) I was connected from Windows immediately before and assign myself the same IP address (I can ping the gateway and also 8.8.8.8). After this moment the network apparently kicks me out (cannot ping anything any more, nothing answers). dhcpcd inform (dhcpcd -s <IP Adress>) does not fare better.
    7. I tried changing some of the settings in dhcpcd.conf that have been given as reasons for similar problems in the forums, archwiki, or somewhere else, including exchanging 'duid' for 'clientid', and commenting out 'require dhcp_server_identifier'. Does not help. My dhcpcd.conf, see below.
    8. dhclient does not work either.
    What I want: Connect to the internet via wifi from Arch.
    I guess this comes down to making the dhcp server believe my Arch was one of the Windowses it is used to. How do I do that?
    I understand that dhcp does not involve clients revealing their operating systems to the servers; but some configurations are likely different between Arch and Windows. I am not used to working with Windows and have no idea how to access the dhcp client configuration settings there (if this is even possible) to get an idea what exactly is different. Here is my dhcpcd.conf - any ideas what exactly about it displeases the server so much or what I might change or add to make the server more pleasantly inclined?
    dhcpcd.conf
    hostname
    clientid
    #duid
    persistent
    option rapid_commit
    option domain_name_servers, domain_name, domain_search, host_name
    option classless_static_routes
    option ntp_servers
    #require dhcp_server_identifier
    nohook lookup-hostname
    noipv4ll
    I would include the logs as well, but they are boring beyond belief, do not contain anything except for dhcpcd trying and failing with timeout.

    Thanks, MoonSwan & ewaller,
    MoonSwan wrote:Windows' IP address and network settings navigate to:  Control Panel -> Network and Internet -> Network Connections -> Click on Device Here (WIFI or LAN) -> Properties and from there you should be able to see the settings you need to figure out what's going on in Windows.
    Found that. There are a lot of "Advanced properties", for instance "Bandwidth Capacity" is set to "11b/g: 20MHz", "BSS Mode" is set to "802.11n Mode", "Fragmentation Threshold" to "2346" (whatever that may mean) ... etc. Unfortunately, I can't copy any of that; most of it also seems rather unimportant; also I left all this on its default setting when I followed the instructions on how to connect to this wifi on Windows.
    However, here is some information I managed to squeeze out of the pathetic, pitiful Windows terminal which they call the "Command Line"
    C:\Windows\system32> ipconfig /all
    <...>
    Wireless LAN adapter Wireless Network Connection:
    Connection-specific DNS Suffix . : <the network name>
    Description . . . . . . . . . . . : <hardware description> 802.11b/g/n (2.4GHz)
    Physical Address. . . . . . . . . : <the mac address>
    DHCP Enabled. . . . . . . . . . . : Yes
    Autoconfiguration Enabled . . . . : Yes
    Link-local IPv6 Address . . . . . : <some ipv6> %13(Preferred)
    IPv4 Address. . . . . . . . . . . : <the ipv4> (Preferred)
    Subnet Mask . . . . . . . . . . . : <subnet mask>
    Lease Obtained. . . . . . . . . . : Fri, 23. May 2014 19:47:10
    Lease Expires . . . . . . . . . . : Fri, 23. May 2014 21:17:09
    Default Gateway . . . . . . . . . : <gateway ip>
    DHCP Server . . . . . . . . . . . : <some ip that is not part of the local subnet>
    DHCPv6 IAID . . . . . . . . . . . : 319352249
    DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-18-9F-0F-D6-E0-DB-55-CF-26-6
    DNS Servers . . . . . . . . . . . : <a few dns server ip's>
    NetBIOS over Tcpip. . . . . . . . : Enabled
    Tunnel adapter Teredo Tunneling Pseudo-Interface:
    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
    Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
    DHCP Enabled. . . . . . . . . . . : No
    Autoconfiguration Enabled . . . . : Yes
    IPv6 Address. . . . . . . . . . . : <some ipv6> (Preferred)
    Link-local IPv6 Address . . . . . : <another ipv6> %12(Preferred)
    Default Gateway . . . . . . . . . :
    NetBIOS over Tcpip. . . . . . . . : Disabled
    Tunnel adapter 6TO4 Adapter:
    Connection-specific DNS Suffix . : <the network name>
    Description . . . . . . . . . . . : Microsoft 6to4 Adapter
    Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
    DHCP Enabled. . . . . . . . . . . : No
    Autoconfiguration Enabled . . . . : Yes
    IPv6 Address. . . . . . . . . . . : <some ipv6> (Preferred)
    Default Gateway . . . . . . . . . : <another ipv6>
    <yet another ipv6>
    DNS Servers . . . . . . . . . . . : <the same ipv4 dns server ip's as above>
    NetBIOS over Tcpip. . . . . . . . : Disabled
    C:\Windows\system32> netsh wlan show all
    Wireless System Information Summary
    (Time: 23.05.2014 20:38:49 W. Europe Daylight Time)
    =======================================================================
    ============================== SHOW DRIVERS ===========================
    =======================================================================
    Interface name: Wireless Network Connection
    Driver : <hardware description> 802.11b/g/n (2.4GHz)
    Vendor : Broadcom
    Provider : Broadcom
    Date : 21.01.2012
    Version : 6.20.55.31
    INF file : C:\Windows\INF\oem25.inf
    Files : 5 total
    C:\Windows\system32\DRIVERS\BCMWL664.SYS
    C:\Windows\system32\bcmihvsrv64.dll
    C:\Windows\system32\bcmihvui64.dll
    C:\Windows\system32\drivers\vwifibus.sys
    C:\Windows\system32\bcmwlcoi.dll
    Type : Native Wi-Fi Driver
    Radio types supported : 802.11n 802.11g 802.11b
    FIPS 140-2 mode supported : Yes
    Hosted network supported : Yes
    Authentication and cipher supported in infrastructure mode:
    Open None
    Open WEP
    Shared None
    Shared WEP
    WPA2-Enterprise TKIP
    WPA2-Personal TKIP
    WPA2-Enterprise CCMP
    WPA2-Personal CCMP
    WPA2-Enterprise Vendor defined
    WPA2-Enterprise Vendor defined
    Vendor defined Vendor defined
    Vendor defined Vendor defined
    Vendor defined TKIP
    Vendor defined CCMP
    Vendor defined Vendor defined
    Vendor defined Vendor defined
    WPA-Enterprise TKIP
    WPA-Personal TKIP
    WPA-Enterprise CCMP
    WPA-Personal CCMP
    Authentication and cipher supported in ad-hoc mode:
    WPA2-Personal CCMP
    Open None
    Open WEP
    IHV service present : Yes
    IHV adapter OUI : [00 10 18], type: [00]
    IHV extensibility DLL path: C:\Windows\System32\bcmihvsrv64.dll
    IHV UI extensibility ClSID: {aaa6dee9-31b9-4f18-ab39-82ef9b06eb73}
    IHV diagnostics CLSID : {00000000-0000-0000-0000-000000000000}
    =======================================================================
    ============================= SHOW INTERFACES =========================
    =======================================================================
    There is 1 interface on the system:
    Name : Wireless Network Connection
    Description : 802.11b/g/n (2.4GHz)
    GUID : 6d122ca5-cdc2-42d1-a1fb-3754098b19eb
    Physical address : <the mac address>
    State : connected
    SSID : <ssid>
    BSSID : <access point mac address>
    Network type : Infrastructure
    Radio type : 802.11n
    Authentication : WPA2-Enterprise
    Cipher : CCMP
    Connection mode : Auto Connect
    Channel : 1
    Receive rate (Mbps) : 72
    Transmit rate (Mbps) : 72
    Signal : 83%
    Profile : <ssid>
    Hosted network status : Not available
    =======================================================================
    =========================== SHOW HOSTED NETWORK =======================
    =======================================================================
    Hosted network settings
    Mode : Disallowed
    Settings : <Not configured>
    Hosted network status
    Status : Not available
    =======================================================================
    ============================= SHOW SETTINGS ===========================
    =======================================================================
    Wireless LAN settings
    Show blocked networks in visible network list: No
    Only use GP profiles on GP-configured networks: No
    Hosted network mode allowed in WLAN service: No
    Allow shared user credentials for network authentication: Yes
    Block period: Not Configured.
    Auto configuration logic is enabled on interface "Wireless Network Connection"
    =======================================================================
    ============================== SHOW FILTERS ===========================
    =======================================================================
    Allow list on the system (group policy)
    <None>
    Allow list on the system (user)
    <None>
    Block list on the system (group policy)
    <None>
    Block list on the system (user)
    <None>
    =======================================================================
    =========================== SHOW CREATEALLUSER ========================
    =======================================================================
    Everyone is allowed to create all user profiles.
    =======================================================================
    ============================= SHOW PROFILES ===========================
    =======================================================================
    Profiles on interface Wireless Network Connection:
    Group policy profiles (read only)
    <None>
    User profiles
    All User Profile : <ssid>
    <other profile names>
    =======================================================================
    ========================== SHOW PROFILES NAME=* =======================
    =======================================================================
    Profile eduroam on interface Wireless Network Connection:
    =======================================================================
    Applied: All User Profile
    Profile information
    Version : 1
    Type : Wireless LAN
    Name : <ssid>
    Control options :
    Connection mode : Connect automatically
    Network broadcast : Connect only if this network is broadcasting
    AutoSwitch : Do not switch to other networks
    Connectivity settings
    Number of SSIDs : 1
    SSID name : "<ssid>"
    Network type : Infrastructure
    Radio type : [ Any Radio Type ]
    Vendor extension : Not present
    Security settings
    Authentication : WPA2-Enterprise
    Cipher : CCMP
    Security key : Absent
    802.1X : Enabled
    EAP type : Microsoft: Protected EAP (PEAP)
    802.1X auth credential : Machine or user credential
    Cache user information : Yes
    <other profiles ...>
    =======================================================================
    ======================= SHOW NETWORKS MODE=BSSID ======================
    =======================================================================
    Interface name : Wireless Network Connection
    There are 4 networks currently visible.
    SSID 1 : eduroam
    Network type : Infrastructure
    Authentication : WPA2-Enterprise
    Encryption : CCMP
    BSSID 1 : <other access point ssid>
    Signal : 2%
    Radio type : 802.11n
    Channel : 11
    Basic rates (Mbps) : 1 2 5.5 11
    Other rates (Mbps) : 6 9 12 18 24 36 48 54
    BSSID 2 : <other access point ssid>
    Signal : 0%
    Radio type : 802.11n
    Channel : 11
    Basic rates (Mbps) : 1 2 5.5 11
    Other rates (Mbps) : 6 9 12 18 24 36 48 54
    BSSID 3 : <access point ssid>
    Signal : 87%
    Radio type : 802.11n
    Channel : 1
    Basic rates (Mbps) : 1 2 5.5 11
    Other rates (Mbps) : 6 9 12 18 24 36 48 54
    BSSID 4 : <other access point ssid>
    Signal : 0%
    Radio type : 802.11n
    Channel : 1
    Basic rates (Mbps) : 1 2 5.5 11
    Other rates (Mbps) : 6 9 12 18 24 36 48 54
    SSID 2 : <...>
    What I find odd is this "Teredo Tunneling Pseudo-Interface". As a matter of fact, I have not the slightest idea if this is happening inside this local Windows I have here or if this is something real in the network configuration (on the other side of the access point)... It apparently should tunnel IPv6 to IPv4 and/or vice versa. However, why would there be two connections over the same network interface (IPv6 and IPv4)...
    What is odd as well is that the DHCP server is not part of the subnet my Windows is in. It just seems to announce IP, netmask, gateway to the Windows ... (the gateway is in the subnet). Could it be that the Linux dhcp client does not accept something like that. No, that's unlikely, right? dhcpcd -d should have reported this...
    MoonSwan wrote:Btw, love the name,
    Thanks. Likewise
    MoonSwan wrote:it's nice to see such a name after seeing so many that are intentionally hurtful to others of any stripe in a rainbow.
    Actually, I always felt that the Arch Forum is quite tolerant in this respect. (And so is reddit, but of course, you are right, there are places on the internet where you can run into a lot of assholes. Kind of like in the real world... Quite frustrating.)
    ewaller wrote:I guess it could be a MAC problem. but I don't know.
    Unlikely; on windows the mac address is the same.
    ewaller wrote:  Can you get to the router logs? Can you see if the router saw a solicitation?
    No, and given their network configuration I don't suppose the IT people here would be very forthcoming if I asked them. Their helpdesk said that they couldn't help me since my laptop was not one of their computers.
    ewaller wrote:Also, (just a sanity check) are you sure you are connected to the correct access point?  But that does not make sense -- you said this happens on wired as well
    Dang.
    I am. It's WPA2 encrypted & I only have access data to this one wifi network. (To avoid confusing everyone with mentioning too many different things, I did not detail this in the original post. I am accessing it using wpa_supplicant running in a terminal; wpa_supplicant works fine says "connection succeeded" etc. So the problem is not in the WPA/ wifi-connection layer but really in the IP/dhcp layer.)
    ewaller wrote:Is this a corporate environment? A school perhaps?
    Yes, a university. They have someone working here who went through great lengths to make it difficult for people to connect to the internet.

  • Best practice configure DHCP server NAC

    Hi all,
    Any idea what the best practice is for deploying DHCP on the CAS? I tried following the user guide to configure DHCP on the CAS, but it still does not run smoothly; users only get the authentication IP.
    - The CCA agent is very slow to appear when the user gets a DHCP IP on authentication. Any idea?
    - How to integrate the profiler with the NAC appliance?

    Hi ahmed,
    You have configured your CAS to be your DHCP server. That's well and good because you are using Real IP mode, which supports the CAS being a DHCP server.
    Remember:
    This setting is only for your Authentication VLAN, so that your client gets an IP while authenticating.
    When your client switches to the Access VLAN, your client traffic no longer flows through the CAS, so the CAS is no longer responsible for DHCP.
    You'll have to configure another DHCP server on the trusted side which can lease IPs to the Access VLAN members.
    As you have configured OOB, your client is in the Access VLAN and does not come in contact with the CAS, so you need the trusted-side DHCP server to give the client an IP address.
    Here in your scenario your Access VLANs are 2022, 2044.
    Hope this helps, Do reply after Testing.
    Thank You
    Regards
    Edward

  • NAC DHCP server subnet-list issue

    Hello everyone,
    I currently setup the CAS as a layer 3 IB deployment, and use the CAS as the DHCP server for our remote subnets.
    My issue is that when I configure the IP address pool, I have to check the option "Restrict range to RELAY IP", and can only put in one IP address, that of the remote router, to make the DHCP server function work.
    But our remote routers are configured with HSRP for the user subnets, and I find that they use the physical IP address instead of the virtual IP address to encapsulate the DHCP relay packets. If I put in the HSRP virtual IP, it does not work. If I put in the primary router's physical interface IP, what happens when it fails over to the standby router?
    Could anyone help me for this problem?
    Thanks in advance.
    Jason

    Never had this issue before, it should not occur under normal circumstances.
    Two tips:
    1: Although not 100% applicable, please verify that your config includes the command: ip subnet zero.
    2: Verify that your IOS is recent and not ED, T or whatsoever. If possible load a GD image.
    Regards,
    Leo

  • PXE boot problem: guest VM DHCP request packets not able to reach DHCP server

    Hi Gurus,
      I'm wondering if anyone could help me with this problem. I wanted to install Linux on Oracle VMs using PXE. I set up a DHCP server and the OVM on a box running RHEL6.4. The DHCP server worked fine since other PHYSICAL servers could get IPs from this DHCP server. However, DHCP requests from Oracle VMs were not able to reach the DHCP server. So I suspect this is a VM-specific issue.
    If I type in "dhcp net0" at the gPXE prompt on the OVS machine (sapphire), I can see the requests being sent from the OVS server (sapphire):
    gPXE> dhcp net0
    DHCP (net0 00:21:f6:00:00:00) .............................................Connection time out (0x4c106035)
    Could not configure net0: Connection time out (0x4c106035)
    gPXE>
    [root@sapphire ~]# tcpdump -i any -n udp dst portrange 67-68
    tcpdump: WARNING: Promiscuous mode not supported on the "any" device
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on any, link-type LINUX_SLL (Linux cooked), capture size 96 bytes
    20:47:25.606400 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:21:f6:00:00:00, length: 387
    20:47:25.606549 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:21:f6:00:00:00, length: 387
    20:47:25.606559 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:21:f6:00:00:00, length: 387
    ^C
    12 packets captured
    14 packets received by filter
    0 packets dropped by kernel
    But if I snoop the same on the RHEL6.4 server running DHCP server and OVM, no request can be seen:
    [root@bluestone Desktop]# tcpdump -i any -n udp dst portrange 67-68
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
    ^C
    0 packets captured
    0 packets received by filter
    0 packets dropped by kernel
    OVS(sapphire) and OVM(bluestone) are located in the same subnet:
    [root@bluestone network-scripts]# ifconfig -a
    eth0      Link encap:Ethernet  HWaddr 00:14:22:72:7C:27 
              inet addr:192.168.2.48  Bcast:192.168.2.255  Mask:255.255.255.0
              inet6 addr: fe80::214:22ff:fe72:7c27/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:106795 errors:0 dropped:0 overruns:0 frame:0
              TX packets:122056 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:59173975 (56.4 MiB)  TX bytes:25362955 (24.1 MiB)
    [root@sapphire ~]# ifconfig -a
    10049df2fc Link encap:Ethernet  HWaddr 8A:C5:05:83:AF:C9 
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:80 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:33200 (32.4 KiB)  TX bytes:0 (0.0 b)
    eth0      Link encap:Ethernet  HWaddr 00:1A:64:64:DA:64 
              inet addr:192.168.2.202  Bcast:192.168.2.255  Mask:255.255.255.0
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:37664 errors:0 dropped:0 overruns:0 frame:0
              TX packets:38939 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:4537897 (4.3 MiB)  TX bytes:23127790 (22.0 MiB)
    eth0:0    Link encap:Ethernet  HWaddr 00:1A:64:64:DA:64 
              inet addr:192.168.2.212  Bcast:192.168.2.255  Mask:255.255.255.0
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
    [root@sapphire ~]# brctl show
    bridge name    bridge id        STP enabled    interfaces
    10049df2fc        8000.8ac50583afc9    yes        tap7.0
                                tap7.1
                                vif7.0
                                vif7.1
    I turned off iptables and SELinux on the DHCP server, the issue still remained.
    Any help will be highly appreciated.
    Thanks in advance,
    Alex

    Hi,
    - Did you install Oracle VM Server (OVS) in an emulated environment like Oracle VM VirtualBox? If yes, you can't do it.
    - Don't forget to configure the Virtual Machines Network and also to add this network to this Virtual Machine.
    I hope this can help you
    Best Regards

  • Time Capsule/AirPort Express problem with DHCP server

    Hi everyone,
    I seem to be having some weird issue with my home network.  I use a Time Capsule (2011) as my main router and a new AirPort Express as a wireless bridge (router set to "Extend a wireless network", the LAN port is connected to network printer).  Recently, it seems that at least once or twice a week that the DHCP server on my router stops working.  Computers that have static IP addresses have no problem accessing the internet or my local network, but  devices that don't have static IPs  are unable to join the network (over Wi-Fi or ethernet) because they are not being assigned an IP.  This never happened before.  I'm not sure if it has anything to do with the recent firmware update.  Anybody else seem to be having this problem?  I am able to get the DHCP server working again by restarting the Time Capsule or by setting the computer or device that won't connect to a static IP.  Really curious why this seems to be happening…
    Thanks for all the help guys

    I am having the same problem with the same setup: a 2011 Time Capsule and an AirPort Express. I've had my AirPort Express hooked in for about 2 years, so I know it is not the problem. The only difference I have is the DHCP will stop working on the ethernet, but still work over WiFi from the TC. Rebooting the Time Capsule fixes the DHCP issue.
    I am running version 7.6.4 in the Time Capsule.

  • Problems trying to migrate ports to a new VLAN using an external DHCP server

    Hello, here is the thing. I have the following configuration in my Core Switch:
    interface Vlan1
     ip address 10.24.74.1 255.255.254.0 secondary
     ip address 192.0.2.54 255.255.255.0
     ip helper-address 10.24.86.22
     no ip redirects
    As you see, we are using an external DHCP server for the Vlan1 and it is working:
    Internet  192.0.2.98              0   3c97.0e23.3d8d  ARPA   Vlan1
    Internet  192.0.2.194             0   e89a.8f77.36a0  ARPA   Vlan1
    Internet  192.0.2.195             0   e89a.8f77.01ab  ARPA   Vlan1
    Internet  192.0.2.198             2   001c.25de.acaa  ARPA   Vlan1
    Internet  192.0.2.199             0   d8eb.97a6.30a4  ARPA   Vlan1
    Internet  192.0.2.196             0   f0de.f1f1.1e06  ARPA   Vlan1
    Internet  192.0.2.203             0   e89a.8f77.016f  ARPA   Vlan1
    Internet  192.0.2.207             4   d0c7.89d6.3ba3  ARPA   Vlan1
    Internet  192.0.2.211             0   4437.e636.7ef7  ARPA   Vlan1
    But when I try to migrate this port to a new Vlan (Vlan50), I got the following issue:
    001290: Jul 23 08:27:44.705 GMT: DHCPD: DHCPREQUEST received from client 013c.970e.233d.8d.
    001291: Jul 23 08:27:44.705 GMT: DHCPD: client has moved to a new subnet.
    001292: Jul 23 08:27:44.705 GMT: DHCPD: Sending DHCPNAK to client 013c.970e.233d.8d.
    001293: Jul 23 08:27:44.705 GMT: DHCPD: broadcasting BOOTREPLY to client 3c97.0e23.3d8d.
    001294: Jul 23 08:27:44.725 GMT: dhcp_snooping_get_ingress_port: Interface src_index 0xF
    001295: Jul 23 08:27:44.725 GMT: DHCPD: DHCPDISCOVER received from client 013c.970e.233d.8d on interface Vlan50.
    001296: Jul 23 08:27:44.725 GMT: DHCPD: there is no address pool for 10.24.76.1.
    001297: Jul 23 08:27:44.725 GMT: DHCPD: setting giaddr to 10.24.76.1.
    001298: Jul 23 08:27:44.725 GMT: DHCPD: BOOTREQUEST from 013c.970e.233d.8d forwarded to 10.24.86.21.
    Any suggestions,
    Thank you in advance,

    Just to help someone who has the same issue.
    I found this on the web site:
    When the server receives a DHCPREQUEST from a client in the RENEWING (or REBINDING) state, it normally grants the renewal only if the client has an unexpired lease with this server. Otherwise the server ignores the request; the server to which the client is bound should answer the client. (The only exception is normally that if a server is sure the IP address the client is asking for is inappropriate for the client, the server will send a DHCPNAK, which forces the client back to the INIT state.)
    Thank you anyway
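
The sequence in the debug output above (DHCPNAK after the subnet move, then a relayed DHCPDISCOVER), as an added example that is not part of the original posts: a Python parser for these `DHCPD:` lines that rebuilds the per-client event order and checks the relay target against an expected-server list. The log lines are copied from the post; the function names and the allowlist holding only 10.24.86.22 (the Vlan1 helper address) are assumptions.

```python
import re

# Debug lines copied verbatim from the post above.
SAMPLE_LOG = """\
001290: Jul 23 08:27:44.705 GMT: DHCPD: DHCPREQUEST received from client 013c.970e.233d.8d.
001291: Jul 23 08:27:44.705 GMT: DHCPD: client has moved to a new subnet.
001292: Jul 23 08:27:44.705 GMT: DHCPD: Sending DHCPNAK to client 013c.970e.233d.8d.
001293: Jul 23 08:27:44.705 GMT: DHCPD: broadcasting BOOTREPLY to client 3c97.0e23.3d8d.
001294: Jul 23 08:27:44.725 GMT: dhcp_snooping_get_ingress_port: Interface src_index 0xF
001295: Jul 23 08:27:44.725 GMT: DHCPD: DHCPDISCOVER received from client 013c.970e.233d.8d on interface Vlan50.
001296: Jul 23 08:27:44.725 GMT: DHCPD: there is no address pool for 10.24.76.1.
001297: Jul 23 08:27:44.725 GMT: DHCPD: setting giaddr to 10.24.76.1.
001298: Jul 23 08:27:44.725 GMT: DHCPD: BOOTREQUEST from 013c.970e.233d.8d forwarded to 10.24.86.21.
"""

# Assumption: Vlan50 is meant to relay to the same helper as Vlan1 in the posted config.
EXPECTED_SERVERS = {"10.24.86.22"}

LINE_RE = re.compile(r"^\s*(\d+): .*?: DHCPD: (.*)$")
# Dotted hex identifier after "client" or "from"; the trailing sentence period is not captured.
CLIENT_RE = re.compile(r"(?:client|from) ((?:[0-9a-f]{2,4}\.)+[0-9a-f]{2,4})")
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Substring -> event kind, in the order the messages appear in the post.
KINDS = [
    ("DHCPREQUEST received", "REQUEST"),
    ("moved to a new subnet", "MOVED"),
    ("Sending DHCPNAK", "NAK"),
    ("broadcasting BOOTREPLY", "REPLY_BCAST"),
    ("DHCPDISCOVER received", "DISCOVER"),
    ("no address pool for", "NO_POOL"),
    ("setting giaddr to", "GIADDR"),
    ("forwarded to", "RELAYED"),
]


def normalize_client(token):
    """Map a client-id (01 + MAC, e.g. 013c.970e.233d.8d) or a bare
    hardware address (3c97.0e23.3d8d) to the same colon-separated MAC."""
    digits = token.replace(".", "").lower()
    if len(digits) == 14 and digits.startswith("01"):
        digits = digits[2:]  # drop the hardware-type prefix (01 = Ethernet)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_events(log_text):
    """Return one dict per recognised DHCPD line. Lines that name no client
    are attributed to the most recent client seen (assumes an unmixed stream)."""
    events, last_client = [], None
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # e.g. the dhcp_snooping line, which is not a DHCPD message
        seq, msg = m.groups()
        kind = next((k for needle, k in KINDS if needle in msg), None)
        if kind is None:
            continue
        cm = CLIENT_RE.search(msg)
        if cm:
            last_client = normalize_client(cm.group(1))
        im = IP_RE.search(msg)
        events.append({"seq": int(seq), "client": last_client,
                       "kind": kind, "ip": im.group(1) if im else None})
    return events


def analyze(events, expected_servers):
    """Summarise each client's sequence, whether it was NAKed because it
    changed subnet, and whether its request was relayed to an expected server."""
    report = {}
    for ev in events:
        if ev["client"] is None:
            continue
        c = report.setdefault(ev["client"], {
            "sequence": [], "nak_on_move": False, "giaddr": None,
            "relay_server": None, "relay_server_expected": None})
        if ev["kind"] == "NAK" and c["sequence"][-1:] == ["MOVED"]:
            c["nak_on_move"] = True
        elif ev["kind"] == "GIADDR":
            c["giaddr"] = ev["ip"]
        elif ev["kind"] == "RELAYED":
            c["relay_server"] = ev["ip"]
            c["relay_server_expected"] = ev["ip"] in expected_servers
        c["sequence"].append(ev["kind"])
    return report


if __name__ == "__main__":
    for mac, info in analyze(parse_events(SAMPLE_LOG), EXPECTED_SERVERS).items():
        print(mac, info)
```

On the posted lines it reports the relay going to 10.24.86.21, while the helper shown for Vlan1 is 10.24.86.22; whether that is intended depends on the Vlan50 configuration, which the post does not show.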

  • DHCP server migration problem (2008 R2 to 2012 R2)

    Hi,
    I want to migrate my DHCP server from 2008 R2 to 2012 R2 server. I exported the dhcp configuration by issuing the export-dhcpserver command on the 2012 R2 server.
    And now, when I try to import the xml into the new server, I see an error during import:
    VERBOSE: Importing option definitions on server...
    Import-DhcpServer : Failed to add option definition 249 on DHCP server server.lbank.msft. : The specified option
    already exists. (20009)
    At line:1 char:1
    + Import-DhcpServer -ComputerName server.lbank.msft -File D:\Darbinis\dhcp\dhc ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : ResourceExists: (249:root/Microsoft/...ptionDefinition) [Import-DhcpServer], CimExceptio
       n
        + FullyQualifiedErrorId : DHCP 20009,Import-DhcpServer
    How do I troubleshoot such an error? Thanks.

    I have used the following resources and still had DHCP Migration Failure.
    http://blogs.technet.com/b/teamdhcp/archive/2012/09/11/migrating-existing-dhcp-server-deployment-to-windows-server-2012-dhcp-failover.aspx
    http://blogs.technet.com/b/kevinholman/archive/2013/09/25/migrating-dhcp-services-to-2012-r2-and-configuring-scope-failover.aspx
    http://technet.microsoft.com/en-us/windowsserver/dd448608.aspx
    http://technet.microsoft.com/en-us/library/dn495425.aspx
    http://technet.microsoft.com/en-us/library/dd379535(WS.10).aspx

  • NAC OOB VIRTUAL GW PROBLEM

    Hi,
    I am trying to setup a NAC OOB Virtual GW Scenario (attached is the visio schematic of the setup):
    Switch: 3550 (ios 12.2(46) adv ip serv)
    NAC 4130 appliances: v4.1.6 (also tried v4.5)
    Switch configuration (of the trunks to the CAS):
    - int f0/23 (connected to CAS e0) -> dot1q trunk with native vlan 999 and allowed vlans 199 (mgt vlan of cas) and 10 (hosts access vlan)
    - int f0/21 (connected to CAS e1) -> dot1q trunk with native vlan 998 and allowed vlans 100 (hosts authentication vlan)
    - SVIs on switch: 199, 10, 200 (CAM mgt vlan), 99 (dns, dhcp)
    The problem I am facing is that the host once connected to a managed port is able to acquire an ip from the access vlan from the dhcp server but is not redirected to the login page. I tried to follow some hints provided in previous posts but none of them worked for me. I configured the following:
    - Login Page
    - Configured IP based traffic control on the unauthenticated role to permit all traffic (also host based to permit https://192.168.199.1 -> cas' ip with trusted dns my dns server 192.168.99.1)
    - Managed subnet with unused ip in access vlan (192.168.10.253) and vlan id that of the auth vlan (100)
    - vlan mapping between untrusted vlan 100 and trusted vlan 10
    - tried to access a resolvable website by my dns from the host (as per the suggestion from a previous post for someone who was facing the same prob)
    - also tried to access the cas' login page from the host in vain, even though it is accessible from trusted subnets
    Note: I followed the configuration guide of both v4.1.6 and v4.5 and with both versions I was facing the same problem.
    I would be very thankful for any hints to help me solve this issue.
    Questions: When the host is connected to a managed host (assigned to the managed vlan 100) and it is assigned an ip from the access vlan 10, shouldn't I be able to access the managed subnet because I configured ip traffic control policy to permit all traffic from untrusted to trusted? Also, shouldn't I be able to resolve a website's ip with "nslookup x.com" since dns traffic is by default configured and also trusted dns server 192.168.99.1 is configured?
    Thanks in advance for any help.

    It turned out that the 3550/3560/3750 are not supported for Central Deployment. The problem is solved.
    Cisco Catalyst 3550/3560/3750 and NAC Appliance In-Band Central Deployment
    For Cisco Clean Access (NAC Appliance) in In-Band Central Deployment mode, when a Cisco Catalyst 3560/3750 series switch is used as a Layer 3 switch and if both ports of the Clean Access Server (CAS) are connected to the same 3560/3750 switch, the minimum switch IOS code required is Cisco IOS release 12.2(25)SEE.
    Because caveat CSCdu27506 is not fixed on the Catalyst 3550 series switch, when the Catalyst 3550 is used as a Layer 3 switch, it cannot be used in NAC Appliance In-Band Central Deployment.
    For further details, refer to switch IOS caveat CSCdu27506:
    http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCdu27506
    See also Switch Support for CAS Virtual Gateway/VLAN Mapping (IB and OOB).
    Switch Support for CAS Virtual Gateway/VLAN Mapping (IB and OOB)
    Table 6 describes Cisco Catalyst switch model support for the Virtual Gateway VLAN Mapping feature of the Clean Access Server for either in-band (IB) or out-of-band deployments (OOB). This table is intended to clarify CAS network deployment options when connecting the CAS in Virtual Gateway (bridge) mode to the switches listed.
    Table 6 Switch Support for CAS Virtual Gateway In-Band/OOB VLAN Mapping Feature
    | Cisco Catalyst Switch Model | Virtual Gateway: Central Deployment (both interfaces into same switch) | Virtual Gateway: Edge Deployment (each interface into different switch) |
    |---|---|---|
    | 6000/6500 | Yes | Yes |
    | 4000/4500 | Yes | Yes |
    | 3750/3560 (L3 switch) | Yes with 12.2(25) SEE and higher [1] | Yes |
    | 3550 (L3 switch) | No [1] | Yes |
    | 3750/3560 (L2 switch) | Yes | Yes |
    | 3550 (L2 switch) | Yes | Yes |
    | 2950/2960 | Yes | Yes |
    | 2900XL | No [2] | Yes |
    | 3500XL | Yes | Yes |
    | 28xx NME | Yes with 12.2(25) SEE and higher [1] | Yes |
    [1] Due to switch caveat CSCdu27506. See Cisco Catalyst 3550/3560/3750 and NAC Appliance In-Band Central Deployment for details.
    [2] 2900 XL does not support removing VLAN 1 from switch trunks.

  • Internal DHCP Server on Wireless not working

    Hi community,
    I'm facing some problems setting up a DHCP server on a WLC 2504. I'll try to summarize my configuration:
    I have 2 networks: inside users (vlan 1) and external users (vlan)
    My controller uses the port 1 to connect to the switch, which has a trunk with WLC.
    I have two routers, one using vlan 1 (192.168.3.0/24) and one using vlan 10 (200.X.X.X). All ports to these routers are access ports on their respective vlans.
    I have 2 SSID, one for inside, other to outside. Inside is working very well.
    For the outside I created a DHCP scope and already set the IP of the management interface 192.168.3.119.
    Management interface (vlan 1 inside): 192.168.3.119/24
    Outside interface (vlan 10): 200.X.X.195 - Default gateway 200.X.X.193
    I already checked the DHCP Proxy in Advanced option.
    See the output of the debug client:
    (Cisco Controller) >
    (Cisco Controller) >
    (Cisco Controller) >
    (Cisco Controller) >debug client 00:27:10:ce:38:e8
    (Cisco Controller) >
    (Cisco Controller) >
    (Cisco Controller) >*apfMsConnTask_2: Mar 26 17:45:11.390: 00:27:10:ce:38:e8 Association received from mobile on AP a4:18:75:03:e0:c0
    *apfMsConnTask_2: Mar 26 17:45:11.390: 00:27:10:ce:38:e8 Global 200 Clients are allowed to AP radio
    *apfMsConnTask_2: Mar 26 17:45:11.390: 00:27:10:ce:38:e8 Max Client Trap Threshold: 0  cur: 1
    *apfMsConnTask_2: Mar 26 17:45:11.390: 00:27:10:ce:38:e8 Applying Interface policy on Mobile, role Local. Ms NAC State 2 Quarantine Vlan 0 Access Vlan 10
    *apfMsConnTask_2: Mar 26 17:45:11.390: 00:27:10:ce:38:e8 Re-applying interface policy for client
    *apfMsConnTask_2: Mar 26 17:45:11.390: 00:27:10:ce:38:e8 192.168.3.206 RUN (20) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1851)
    *apfMsConnTask_2: Mar 26 17:45:11.390: 00:27:10:ce:38:e8 192.168.3.206 RUN (20) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2018)
    *apfMsConnTask_2: Mar 26 17:45:11.390: 00:27:10:ce:38:e8 In processSsidIE:3883 setting Central switched to TRUE
    *apfMsConnTask_2: Mar 26 17:45:11.390: 00:27:10:ce:38:e8 In processSsidIE:3886 apVapId = 2 and Split Acl Id = 65535
    *apfMsConnTask_2: Mar 26 17:45:11.390: 00:27:10:ce:38:e8 Applying site-specific Local Bridging override for station 00:27:10:ce:38:e8 - vapId 2, site 'default-group', interface 'externo-embratel'
    *apfMsConnTask_2: Mar 26 17:45:11.390: 00:27:10:ce:38:e8 Applying Local Bridging Interface Policy for station 00:27:10:ce:38:e8 - vlan 10, interface id 12, interface 'externo-embratel'
    *apfMsConnTask_2: Mar 26 17:45:11.390: 00:27:10:ce:38:e8 processSsidIE  statusCode is 0 and status is 0
    *apfMsConnTask_2: Mar 26 17:45:11.390: 00:27:10:ce:38:e8 processSsidIE  ssid_done_flag is 0 finish_flag is 0
    *apfMsConnTask_2: Mar 26 17:45:11.390: 00:27:10:ce:38:e8 STA - rates (8): 140 18 152 36 176 72 96 108 48 72 96 108 0 0 0 0
    *apfMsConnTask_2: Mar 26 17:45:11.390: 00:27:10:ce:38:e8 suppRates  statusCode is 0 and gotSuppRatesElement is 1
    *apfMsConnTask_2: Mar 26 17:45:11.390: 00:27:10:ce:38:e8 Processing RSN IE type 48, length 22 for mobile 00:27:10:ce:38:e8
    *apfMsConnTask_2: Mar 26 17:45:11.390: 00:27:10:ce:38:e8 apfMsRunStateDec
    *apfMsConnTask_2: Mar 26 17:45:11.390: 00:27:10:ce:38:e8 apfMs1xStateDec
    *apfMsConnTask_2: Mar 26 17:45:11.390: 00:27:10:ce:38:e8 192.168.3.206 RUN (20) Change state to START (0) last state RUN (20)
    *apfMsConnTask_2: Mar 26 17:45:11.390: 00:27:10:ce:38:e8 pemApfAddMobileStation2: APF_MS_PEM_WAIT_L2_AUTH_COMPLETE = 0.
    *apfMsConnTask_2: Mar 26 17:45:11.390: 00:27:10:ce:38:e8 192.168.3.206 START (0) Initializing policy
    *apfMsConnTask_2: Mar 26 17:45:11.390: 00:27:10:ce:38:e8 192.168.3.206 START (0) Change state to AUTHCHECK (2) last state START (0)
    *apfMsConnTask_2: Mar 26 17:45:11.390: 00:27:10:ce:38:e8 192.168.3.206 AUTHCHECK (2) Change state to 8021X_REQD (3) last state AUTHCHECK (2)
    *apfMsConnTask_2: Mar 26 17:45:11.391: 00:27:10:ce:38:e8 Not Using WMM Compliance code qosCap 00
    *apfMsConnTask_2: Mar 26 17:45:11.391: 00:27:10:ce:38:e8 192.168.3.206 8021X_REQD (3) Plumbed mobile LWAPP rule on AP a4:18:75:03:e0:c0 vapId 2 apVapId 2 flex-acl-name:
    *apfMsConnTask_2: Mar 26 17:45:11.391: 00:27:10:ce:38:e8 apfPemAddUser2 (apf_policy.c:273) Changing state for mobile 00:27:10:ce:38:e8 on AP a4:18:75:03:e0:c0 from Associated to Associated
    *apfMsConnTask_2: Mar 26 17:45:11.391: 00:27:10:ce:38:e8 Scheduling deletion of Mobile Station:  (callerId: 49) in 1800 seconds
    *apfMsConnTask_2: Mar 26 17:45:11.391: 00:27:10:ce:38:e8 Func: apfPemAddUser2, Ms Timeout = 1800, Session Timeout = 1800
    *apfMsConnTask_2: Mar 26 17:45:11.391: 00:27:10:ce:38:e8 Sending Assoc Response to station on BSSID a4:18:75:03:e0:c0 (status 0) ApVapId 2 Slot 1
    *apfMsConnTask_2: Mar 26 17:45:11.391: 00:27:10:ce:38:e8 apfProcessAssocReq (apf_80211.c:6719) Changing state for mobile 00:27:10:ce:38:e8 on AP a4:18:75:03:e0:c0 from Associated to Associated
    *pemReceiveTask: Mar 26 17:45:11.393: 00:27:10:ce:38:e8 192.168.3.206 Removed NPU entry.
    *dot1xMsgTask: Mar 26 17:45:11.394: 00:27:10:ce:38:e8 Creating a PKC PMKID Cache entry for station 00:27:10:ce:38:e8 (RSN 2)
    *dot1xMsgTask: Mar 26 17:45:11.394: 00:27:10:ce:38:e8 Resetting MSCB PMK Cache Entry 0 for station 00:27:10:ce:38:e8
    *dot1xMsgTask: Mar 26 17:45:11.394: 00:27:10:ce:38:e8 Setting active key cache index 8 ---> 8
    *dot1xMsgTask: Mar 26 17:45:11.394: 00:27:10:ce:38:e8 Setting active key cache index 8 ---> 0
    *dot1xMsgTask: Mar 26 17:45:11.394: 00:27:10:ce:38:e8 Adding BSSID a4:18:75:03:e0:ce to PMKID cache at index 0 for station 00:27:10:ce:38:e8
    *dot1xMsgTask: Mar 26 17:45:11.394: New PMKID: (16)
    *dot1xMsgTask: Mar 26 17:45:11.394:      [0000] 61 96 e0 14 b9 0c c9 ca b2 e0 b7 0a 63 83 15 0d
    *dot1xMsgTask: Mar 26 17:45:11.394: 00:27:10:ce:38:e8 Initiating RSN PSK to mobile 00:27:10:ce:38:e8
    *dot1xMsgTask: Mar 26 17:45:11.394: 00:27:10:ce:38:e8 dot1x - moving mobile 00:27:10:ce:38:e8 into Force Auth state
    *dot1xMsgTask: Mar 26 17:45:11.394: 00:27:10:ce:38:e8 Skipping EAP-Success to mobile 00:27:10:ce:38:e8
    *dot1xMsgTask: Mar 26 17:45:11.394: 00:27:10:ce:38:e8 Found an cache entry for BSSID a4:18:75:03:e0:ce in PMKID cache at index 0 of station 00:27:10:ce:38:e8
    *dot1xMsgTask: Mar 26 17:45:11.394: 00:27:10:ce:38:e8 Found an cache entry for BSSID a4:18:75:03:e0:ce in PMKID cache at index 0 of station 00:27:10:ce:38:e8
    *dot1xMsgTask: Mar 26 17:45:11.394: Including PMKID in M1  (16)
    *dot1xMsgTask: Mar 26 17:45:11.394:      [0000] 61 96 e0 14 b9 0c c9 ca b2 e0 b7 0a 63 83 15 0d
    *dot1xMsgTask: Mar 26 17:45:11.394: 00:27:10:ce:38:e8 Starting key exchange to mobile 00:27:10:ce:38:e8, data packets will be dropped
    *dot1xMsgTask: Mar 26 17:45:11.394: 00:27:10:ce:38:e8 Sending EAPOL-Key Message to mobile 00:27:10:ce:38:e8
                                                                                                                  state INITPMK (message 1), replay counter 00.00.00.00.00.00.00.00
    *Dot1x_NW_MsgTask_0: Mar 26 17:45:11.396: 00:27:10:ce:38:e8 Received EAPOL-Key from mobile 00:27:10:ce:38:e8
    *Dot1x_NW_MsgTask_0: Mar 26 17:45:11.396: 00:27:10:ce:38:e8 Ignoring invalid EAPOL version (1) in EAPOL-key message from mobile 00:27:10:ce:38:e8
    *Dot1x_NW_MsgTask_0: Mar 26 17:45:11.397: 00:27:10:ce:38:e8 Received EAPOL-key in PTK_START state (message 2) from mobile 00:27:10:ce:38:e8
    *Dot1x_NW_MsgTask_0: Mar 26 17:45:11.397: 00:27:10:ce:38:e8 Stopping retransmission timer for mobile 00:27:10:ce:38:e8
    *Dot1x_NW_MsgTask_0: Mar 26 17:45:11.397: 00:27:10:ce:38:e8 Sending EAPOL-Key Message to mobile 00:27:10:ce:38:e8
                                                                                                                        state PTKINITNEGOTIATING (message 3), replay counter 00.00.00.00.00.00.00.01
    *Dot1x_NW_MsgTask_0: Mar 26 17:45:11.399: 00:27:10:ce:38:e8 Received EAPOL-Key from mobile 00:27:10:ce:38:e8
    *Dot1x_NW_MsgTask_0: Mar 26 17:45:11.399: 00:27:10:ce:38:e8 Ignoring invalid EAPOL version (1) in EAPOL-key message from mobile 00:27:10:ce:38:e8
    *Dot1x_NW_MsgTask_0: Mar 26 17:45:11.399: 00:27:10:ce:38:e8 Received EAPOL-key in PTKINITNEGOTIATING state (message 4) from mobile 00:27:10:ce:38:e8
    *Dot1x_NW_MsgTask_0: Mar 26 17:45:11.399: 00:27:10:ce:38:e8 Stopping retransmission timer for mobile 00:27:10:ce:38:e8
    *Dot1x_NW_MsgTask_0: Mar 26 17:45:11.399: 00:27:10:ce:38:e8 apfMs1xStateInc
    *Dot1x_NW_MsgTask_0: Mar 26 17:45:11.400: 00:27:10:ce:38:e8 192.168.3.206 8021X_REQD (3) Change state to L2AUTHCOMPLETE (4) last state 8021X_REQD (3)
    *Dot1x_NW_MsgTask_0: Mar 26 17:45:11.400: 00:27:10:ce:38:e8 Not Using WMM Compliance code qosCap 00
    *Dot1x_NW_MsgTask_0: Mar 26 17:45:11.400: 00:27:10:ce:38:e8 192.168.3.206 L2AUTHCOMPLETE (4) Plumbed mobile LWAPP rule on AP a4:18:75:03:e0:c0 vapId 2 apVapId 2 flex-acl-name:
    *Dot1x_NW_MsgTask_0: Mar 26 17:45:11.400: 00:27:10:ce:38:e8 apfMsRunStateInc
    *Dot1x_NW_MsgTask_0: Mar 26 17:45:11.400: 00:27:10:ce:38:e8 192.168.3.206 L2AUTHCOMPLETE (4) Change state to RUN (20) last state L2AUTHCOMPLETE (4)
    *Dot1x_NW_MsgTask_0: Mar 26 17:45:11.400: 00:27:10:ce:38:e8 192.168.3.206 RUN (20) Reached PLUMBFASTPATH: from line 5982
    *Dot1x_NW_MsgTask_0: Mar 26 17:45:11.400: 00:27:10:ce:38:e8 192.168.3.206 RUN (20) Adding Fast Path rule
      type = Airespace AP Client
      on AP a4:18:75:03:e0:c0, slot 1, interface = 1, QOS = 0
      IPv4 ACL ID = 255, IPv6 ACL ID =
    *Dot1x_NW_MsgTask_0: Mar 26 17:45:11.400: 00:27:10:ce:38:e8 192.168.3.206 RUN (20) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 15206  Local Bridging Vlan = 10, Local Bridging intf id = 12
    *Dot1x_NW_MsgTask_0: Mar 26 17:45:11.400: 00:27:10:ce:38:e8 192.168.3.206 RUN (20) Successfully plumbed mobile rule (IPv4 ACL ID 255, IPv6 ACL ID 255)
    *pemReceiveTask: Mar 26 17:45:11.400: 00:27:10:ce:38:e8 192.168.3.206 Added NPU entry of type 1, dtlFlags 0x0
    *pemReceiveTask: Mar 26 17:45:11.401: 00:27:10:ce:38:e8 Pushing IPv6: fe80:0000:0000:0000: 893c:4ed3:f9a0:b90f , and MAC: 00:27:10:CE:38:E8 , Binding to Data Plane. SUCCESS !!
    *DHCP Socket Task: Mar 26 17:45:11.445: 00:27:10:ce:38:e8 DHCP received op BOOTREQUEST (1) (len 331,vlan 0, port 1, encap 0xec03)
    *DHCP Socket Task: Mar 26 17:45:11.445: 00:27:10:ce:38:e8 DHCP selecting relay 1 - control block settings:
                            dhcpServer: 0.0.0.0, dhcpNetmask: 0.0.0.0,
                            dhcpGateway: 0.0.0.0, dhcpRelay: 200.x.x..195  VLAN: 10
    *DHCP Socket Task: Mar 26 17:45:11.445: 00:27:10:ce:38:e8 DHCP selected relay 1 - 192.168.3.119 (local address 200.x.x.195, gateway 200.x.x.193, VLAN 10, port 1)
    *DHCP Socket Task: Mar 26 17:45:11.445: 00:27:10:ce:38:e8 DHCP transmitting DHCP REQUEST (3)
    *DHCP Socket Task: Mar 26 17:45:11.445: 00:27:10:ce:38:e8 DHCP   op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 1
    *DHCP Socket Task: Mar 26 17:45:11.445: 00:27:10:ce:38:e8 DHCP   xid: 0x464542f7 (1178944247), secs: 0, flags: 8000
    *DHCP Socket Task: Mar 26 17:45:11.445: 00:27:10:ce:38:e8 DHCP   chaddr: 00:27:10:ce:38:e8
    *DHCP Socket Task: Mar 26 17:45:11.445: 00:27:10:ce:38:e8 DHCP   ciaddr: 0.0.0.0,  yiaddr: 0.0.0.0
    *DHCP Socket Task: Mar 26 17:45:11.445: 00:27:10:ce:38:e8 DHCP   siaddr: 0.0.0.0,  giaddr: 200.x.x.195
    *DHCP Socket Task: Mar 26 17:45:11.445: 00:27:10:ce:38:e8 DHCP   requested ip: 192.168.3.206
    *DHCP Socket Task: Mar 26 17:45:11.445: 00:27:10:ce:38:e8 DHCP selecting relay 2 - control block settings:
                            dhcpServer: 0.0.0.0, dhcpNetmask: 0.0.0.0,
                            dhcpGateway: 0.0.0.0, dhcpRelay: 200.x.x.195  VLAN: 10
    *DHCP Socket Task: Mar 26 17:45:11.445: 00:27:10:ce:38:e8 DHCP selected relay 2 - NONE
    *DHCP Socket Task: Mar 26 17:45:14.647: 00:27:10:ce:38:e8 DHCP received op BOOTREQUEST (1) (len 331,vlan 0, port 1, encap 0xec03)
    *DHCP Socket Task: Mar 26 17:45:14.647: 00:27:10:ce:38:e8 DHCP selecting relay 1 - control block settings:
                            dhcpServer: 0.0.0.0, dhcpNetmask: 0.0.0.0,
                            dhcpGateway: 0.0.0.0, dhcpRelay: 200.x.x.195  VLAN: 10
    *DHCP Socket Task: Mar 26 17:45:14.647: 00:27:10:ce:38:e8 DHCP selected relay 1 - 192.168.3.119 (local address 200.x.x.195, gateway 200.x.x.193, VLAN 10, port 1)
    *DHCP Socket Task: Mar 26 17:45:14.647: 00:27:10:ce:38:e8 DHCP transmitting DHCP REQUEST (3)
    *DHCP Socket Task: Mar 26 17:45:14.647: 00:27:10:ce:38:e8 DHCP   op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 1
    *DHCP Socket Task: Mar 26 17:45:14.647: 00:27:10:ce:38:e8 DHCP   xid: 0x464542f7 (1178944247), secs: 768, flags: 8000
    *DHCP Socket Task: Mar 26 17:45:14.647: 00:27:10:ce:38:e8 DHCP   chaddr: 00:27:10:ce:38:e8
    *DHCP Socket Task: Mar 26 17:45:14.647: 00:27:10:ce:38:e8 DHCP   ciaddr: 0.0.0.0,  yiaddr: 0.0.0.0
    *DHCP Socket Task: Mar 26 17:45:14.647: 00:27:10:ce:38:e8 DHCP   siaddr: 0.0.0.0,  giaddr: 200.x.x.195
    *DHCP Socket Task: Mar 26 17:45:14.647: 00:27:10:ce:38:e8 DHCP   requested ip: 192.168.3.206
    *DHCP Socket Task: Mar 26 17:45:14.647: 00:27:10:ce:38:e8 DHCP selecting relay 2 - control block settings:
                            dhcpServer: 0.0.0.0, dhcpNetmask: 0.0.0.0,
                            dhcpGateway: 0.0.0.0, dhcpRelay: 200.x.x.195  VLAN: 10
    *DHCP Socket Task: Mar 26 17:45:14.647: 00:27:10:ce:38:e8 DHCP selected relay 2 - NONE
    *DHCP Socket Task: Mar 26 17:45:23.590: 00:27:10:ce:38:e8 DHCP received op BOOTREQUEST (1) (len 331,vlan 0, port 1, encap 0xec03)
    *DHCP Socket Task: Mar 26 17:45:23.590: 00:27:10:ce:38:e8 DHCP selecting relay 1 - control block settings:
                            dhcpServer: 0.0.0.0, dhcpNetmask: 0.0.0.0,
                            dhcpGateway: 0.0.0.0, dhcpRelay: 200.x.x.195  VLAN: 10
    *DHCP Socket Task: Mar 26 17:45:23.590: 00:27:10:ce:38:e8 DHCP selected relay 1 - 192.168.3.119 (local address 200.x.x.195, gateway 200.x.x.193, VLAN 10, port 1)
    *DHCP Socket Task: Mar 26 17:45:23.590: 00:27:10:ce:38:e8 DHCP transmitting DHCP REQUEST (3)
    *DHCP Socket Task: Mar 26 17:45:23.590: 00:27:10:ce:38:e8 DHCP   op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 1
    *DHCP Socket Task: Mar 26 17:45:23.590: 00:27:10:ce:38:e8 DHCP   xid: 0x464542f7 (1178944247), secs: 3072, flags: 8000
    *DHCP Socket Task: Mar 26 17:45:23.590: 00:27:10:ce:38:e8 DHCP   chaddr: 00:27:10:ce:38:e8
    *DHCP Socket Task: Mar 26 17:45:23.590: 00:27:10:ce:38:e8 DHCP   ciaddr: 0.0.0.0,  yiaddr: 0.0.0.0
    *DHCP Socket Task: Mar 26 17:45:23.590: 00:27:10:ce:38:e8 DHCP   siaddr: 0.0.0.0,  giaddr: 200.x.x.195
    *DHCP Socket Task: Mar 26 17:45:23.590: 00:27:10:ce:38:e8 DHCP   requested ip: 192.168.3.206
    *DHCP Socket Task: Mar 26 17:45:23.590: 00:27:10:ce:38:e8 DHCP selecting relay 2 - control block settings:
                            dhcpServer: 0.0.0.0, dhcpNetmask: 0.0.0.0,
                            dhcpGateway: 0.0.0.0, dhcpRelay: 200.x.x.195  VLAN: 10
    *DHCP Socket Task: Mar 26 17:45:23.590: 00:27:10:ce:38:e8 DHCP selected relay 2 - NONE
    (Cisco Controller) >
    What can be wrong?
    Thank you in advance.

    Hi Plinio,
    I see your device connected twice. It connected to the first SSID successfully and I can see it got IP 192.168.3.206.
    Then it tries to get an IP from the other scope!! (while, as the debugs show, it is already connected and in RUN state).
    That is strange!!
    A question: do you have DHCP required enabled under your WLAN?
    Rating useful replies is more useful than saying "Thank you"

  • WLC 5508 Internal DHCP server issues

    Hi,
    I am hoping to get your feedback around the dhcp issues I am facing with Two Centrally Switched Wireless LANs. I have tried to explain the setup and the problems below and would appreciate it if anyone can suggest a solution for the problems I am facing:
    The setup is as follows:
    - I have a WLC 5508 which has been configured with 4 SSIDs, out of which 2 are using Central Authentication and Switching.
    - I have an LWAP connected to the WLC in HREAP mode.
    - WLC is configured as the DHCP server for clients connecting to the SSID 'Guest'. For the rest, I am using external dhcp server.
    - Only one scope for Guest Interface is setup on the WLC. 
    Problems:
    1. As far as I know, for WLC to act as internal dhcp server, it is mandatory to have the proxy enabled, but the clients connecting to SSID 'Internet' are unable to get an ip address from the external dhcp server if dhcp proxy is enabled on the WLC. If I disable the proxy, it all works fine.
    2. DHCP does not release the ip addresses assigned to clients even after they are logged out.
    3. If a machine which was earlier connected to 'Guest' SSID connects to the 'Internet' SSID, it requests the same ip it was assigned by the WLC which it was assigned under 'Guest', but gets tagged with the Vlan configured on the management interface.  
    ************Output from the Controller********************
    (Cisco Controller) >show sysinfo
    Manufacturer's Name.............................. Cisco Systems Inc.
    Product Name..................................... Cisco Controller
    Product Version.................................. 7.0.116.0
    Bootloader Version............................... 1.0.1
    Field Recovery Image Version..................... 6.0.182.0
    Firmware Version................................. FPGA 1.3, Env 1.6, USB console 1.27
    Build Type....................................... DATA + WPS + LDPE
    (Cisco Controller) >show interface summary
    Interface Name    Port  Vlan Id  IP Address      Type     Ap Mgr  Guest
    guest             1     301      10.255.255.30   Dynamic  No      No
    management        1     100      172.17.1.30     Static   Yes     No
    service-port      N/A   N/A      192.168.0.1     Static   No      No
    virtual           N/A   N/A      10.0.0.1        Static   No      No
    (Cisco Controller) >show wlan summary
    Number of WLANs.................................. 4
    WLAN ID  WLAN Profile Name / SSID               Status    Interface Name
    1        LAN                                    Enabled   management
    2        Internet                               Enabled   management
    3        Managment Assets                       Enabled   management
    4        Guest                                  Enabled   guest
    (Cisco Controller) >show dhcp detailed guest
    Scope: guest
    Enabled.......................................... Yes
    Lease Time....................................... 86400 (1 day )
    Pool Start....................................... 10.255.255.31
    Pool End......................................... 10.255.255.254
    Network.......................................... 10.255.255.0
    Netmask.......................................... 255.255.255.0
    Default Routers.................................. 10.255.255.1  0.0.0.0  0.0.0.0
    DNS Domain.......................................
    DNS.............................................. 8.8.8.8  8.8.4.4  0.0.0.0
    Netbios Name Servers............................. 0.0.0.0  0.0.0.0  0.0.0.0
    (Cisco Controller) >show interface detailed management
    Interface Name................................... management
    MAC Address...................................... e8:b7:48:9b:84:20
    IP Address....................................... 172.17.1.30
    IP Netmask....................................... 255.255.255.0
    IP Gateway....................................... 172.17.1.1
    External NAT IP State............................ Disabled
    External NAT IP Address.......................... 0.0.0.0
    VLAN............................................. 100
    Quarantine-vlan.................................. 0
    Active Physical Port............................. 1
    Primary Physical Port............................ 1
    Backup Physical Port............................. Unconfigured
    Primary DHCP Server.............................. 172.30.50.1
    Secondary DHCP Server............................ Unconfigured
    DHCP Option 82................................... Disabled
    ACL.............................................. Unconfigured
    AP Manager....................................... Yes
    Guest Interface.................................. No
    L2 Multicast..................................... Enabled
    (Cisco Controller) >show interface detailed guest
    Interface Name................................... guest
    MAC Address...................................... e8:b7:48:9b:84:24
    IP Address....................................... 10.255.255.30
    IP Netmask....................................... 255.255.255.0
    IP Gateway....................................... 10.255.255.1
    External NAT IP State............................ Disabled
    External NAT IP Address.......................... 0.0.0.0
    VLAN............................................. 301
    Quarantine-vlan.................................. 0
    Active Physical Port............................. 1
    Primary Physical Port............................ 1
    Backup Physical Port............................. Unconfigured
    Primary DHCP Server.............................. Unconfigured
    Secondary DHCP Server............................ Unconfigured
    DHCP Option 82................................... Disabled
    ACL.............................................. Unconfigured
    AP Manager....................................... No
    Guest Interface.................................. No
    L2 Multicast..................................... Enabled
    (Cisco Controller) >show dhcp leases
           MAC                IP         Lease Time Remaining
    00:21:6a:9c:03:04    10.255.255.46    23 hours 52 minutes 42 seconds        <<<<<<< lease remains even when the client is disconnected.
    *********Example of Client connected to the right Vlan with an ip address from the incorrect interface. *************
    (Cisco Controller) >show client detail 00:21:6a:9c:03:04
    Client MAC Address............................... 00:21:6a:9c:03:04
    Client Username ................................. N/A
    AP MAC Address................................... a0:cf:5b:00:49:c0
    AP Name.......................................... mel
    Client State..................................... Associated
    Client NAC OOB State............................. Access
    Wireless LAN Id.................................. 2                 <<<<<<<<   'Internet' SSID
    BSSID............................................ a0:cf:5b:00:49:ce
    Connected For ................................... 319 secs
    Channel.......................................... 36
    IP Address....................................... 10.255.255.46      <<<<<<< IP address assigned from the 'Guest' Interface or dhcp scope on the WLC
    Association Id................................... 1
    Authentication Algorithm......................... Open System
    Reason Code...................................... 1
    Status Code...................................... 0
    Session Timeout.................................. 1800
    Client CCX version............................... 4
    Client E2E version............................... 1
    QoS Level........................................ Silver
    802.1P Priority Tag.............................. disabled
    WMM Support...................................... Enabled
    Power Save....................................... OFF
    Mobility State................................... Local
    Mobility Move Count.............................. 0
    Security Policy Completed........................ Yes
    Policy Manager State............................. RUN
    Policy Manager Rule Created...................... Yes
    ACL Name......................................... none
    ACL Applied Status............................... Unavailable
    Policy Type...................................... N/A
    Encryption Cipher................................ None
    Management Frame Protection...................... No
    EAP Type......................................... Unknown
    H-REAP Data Switching............................ Central       <<<<<<<<<
    H-REAP Authentication............................ Central       <<<<<<<<<<
    Interface........................................ management
    VLAN............................................. 100           <<<<<<<<<<< right Vlan
    Quarantine VLAN.................................. 0
    Access VLAN...................................... 100

    Hi All,
    I have a similar issue where Wireless clients are not receiving automatic addressing from an internal DHCP server. I have multiple interfaces configured on the WLC which are connected to separate VLANS. The manually specified DHCP primary server entry is the same on all interfaces. Some clients are able to authenticate and receive automatic IP configuration but some clients are failing the address assignment process. I have checked connectivity between the WLC and DHCP server, this is confirmed as working. When I carry out a "debug dhcp packet enable", I get the following outputs which seems as if the DHCP discover request from the client is skipped. Your thoughts and inputs on this are appreciated.
    DHCP Socket Task: Nov 07 11:16:09.174: 00:22:fb:7b:37:32 DHCP option len (including the magic cookie) 76
    *DHCP Socket Task: Nov 07 11:16:09.174: 00:22:fb:7b:37:32 DHCP option: message type = DHCP DISCOVER
    *DHCP Socket Task: Nov 07 11:16:09.174: 00:22:fb:7b:37:32 DHCP option: 116 (len 1) - skipping
    *DHCP Socket Task: Nov 07 11:16:09.174: 00:22:fb:7b:37:32 DHCP option: 61 (len 7) - skipping
    *DHCP Socket Task: Nov 07 11:16:09.174: 00:22:fb:7b:37:32 DHCP option: requested ip = 169.254.223.5
    *DHCP Socket Task: Nov 07 11:16:09.174: 00:22:fb:7b:37:32 DHCP option: 12 (len 13) - skipping
    *DHCP Socket Task: Nov 07 11:16:09.174: 00:22:fb:7b:37:32 DHCP option: vendor class id = MSFT 5.0 (len 8)
    *DHCP Socket Task: Nov 07 11:16:09.174: 00:22:fb:7b:37:32 DHCP option: 55 (len 11) - skipping
    *DHCP Socket Task: Nov 07 11:16:09.174: 00:22:fb:7b:37:32 DHCP option: 43 (len 2) - skipping
    *DHCP Socket Task: Nov 07 11:16:09.174: 00:22:fb:7b:37:32 DHCP options end, len 76, actual 68
    *DHCP Socket Task: Nov 07 11:16:09.174: 00:22:fb:7b:37:32 DHCP Forwarding DHCP packet (332 octets) packet DHCP Socket Task: Nov 07 11:16:09.174: 00:22:fb:7b:37:32 DHCP option len (including the magic cookie) 76
    Thanks,
    Raj Sandhu

  • Can some one translate these instructions

    D-Link DI-524: installation as wireless HUB/Bridge
    General
    ON ALL TYPES OF ROUTERS DHCP SERVER HAS TO BE DISABLED
    ON ALL TYPES OF ROUTERS UPnP ALSO HAS TO BE DISABLED
    OTHERWISE YOU CAN SEVERELY HINDER OTHER USERS IN YOUR NEIGHBOURHOOD!
    Practical example: D-Link DI-524
    The DI-524 is a wireless router. Although the manufacturer doesn't mention this, you can also install this device as a wireless hub. Of course this is not supported by the manufacturer. Therefore you have nowhere to go in case of any problems.
    Plug in the power cord of the DI-524. Do not yet connect the network cable!
    Search for existing wireless networks with your computer. Connect with the router. This can for example be done like this:
    Click the start-button (at the bottom in the left corner of your screen).
    Go to control panel
    Go to internet connections (you may have to choose classic representation first)
    You can now see your wireless network card, among other things. Right-click and 'View available Wireless networks'.
    Connect to the router. In most cases the router will be called 'default'.
    Check your IP-address: you get an IP address from the DI-524
    Go to the start-button
    Go to 'Run'
    Type 'cmd' and press enter
    type 'ipconfig' and press enter
    your IP address starts with 192.
    Surf to your router with your regular browser. For this you need the address and a password, which you can find in the documentation.
    In this case the address is 192.168.0.1
    Now you must secure the router. For this it is best to use WPA-PSK
    Your key is a randomly chosen sentence. Don't make this sentence too short.
    Warning: Case sensitive!
    You cannot reach the router anymore now.
    Go back to your network card via "make connection". Search for your wireless network again and make a new connection
    You are asked for a key. Supply this key the way you configured it in your router.
    Surf back to the router.
    Disable the DHCP server.
    !! YOU HAVE TO DISABLE UPnP ON ALL TYPES OF ROUTERS
    OTHERWISE YOU CAN SEVERELY HINDER OTHER USERS IN YOUR NEIGHBOURHOOD!
    for this, go to Tools, Misc and switch off UPnP
    Save these settings.
    If you do not have a D-link router, look up in the manual or somewhere else where you can disable UPnP
    Now you cannot reach the router anymore again.
    It is only from this moment that you can connect the router to the modem.
    Important: Use one of the 4 LAN ports. Never use the WAN port!
    Go to your network card via the control panel. Right-click and "Repair"
    Now you should get an IP-address in the range of 10.nnn.nnn.nnn
    If you still don't have 192... you've made an error. The DI-524 still functions as a router and this is not allowed!

    There are no Mac based instructions. The router is accessed and adjusted the same way whether you are using a Mac OS X, Windows or Linux. As noted in the other post it is done through your web browser which works the same from any computer. Even a Chrome Book.
    akertrav wrote:
    Thank you for that. What I have been trying to do is extend the range of my wifi with a second D-Link router. I was hoping for some Mac based directions to achieve this rather than the PC based as presented. Thank you for your reply, Paul
