NAC implementation without DHCP Server
Dear Experts,
Is it possible to deploy NAC without having DHCP server in the network? We have some 300-400 users in the campus and want to enable NAC for them.
As per my understanding Cisco NAC cannot be deployed without DHCP server in the network, however it is not documented anywhere on the site. Currently all users' machines are configured with static IP.
We want to do user authentication, AV remediation and Patch deployment through NAC. Is it possible to deploy NAC without DHCP server??
Thanks in advance.
nayan
Hi,
Here is the basic flow of clean access for both inband and out of band: (http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5707/ps8418/ps6128/prod_white_paper0900aecd802bdc42.html)
Figure 1. Laptop Attempts to Access the Internal Network
1. When the laptop first accesses the network, the Cisco Clean Access Server determines that the computer's MAC address is not in the list of certified devices, and that laptop is placed into an unauthenticated role. While in this role, only User Datagram Protocol (UDP) Port 53 (Domain Name System [DNS]) and Dynamic Host Control Protocol (DHCP) traffic (via DHCP and VLAN passthrough) is allowed.
2. The laptop gets an IP address from the DHCP server, but cannot get past the Clean Access Server acting as an IP filter.
3. The laptop user opens a browser and is redirected to an SSL-based Web login page where she enters her credentials, which in turn map her into the "employee" role.
4. As an "employee," she is asked to download the Clean Access Agent.
5. The Clean Access Agent performs the posture assessment and forwards the results to the Clean Access Server to make the network admissions decision.
Tarik Admani
*Please rate helpful posts*
Similar Messages
-
Microsoft DHCP Server - Option 43 Setup
I have the scope configured properly as far as the 241 Option with Option 43 and the VCI in it for both the 1130 and 1200 series AP's. However, how do you make this work if your subnet has both 1200 and 1130's in it? Basically if I have two 241 options set, the 1130 comes in first allowing the 1130's to associate, but not the 1200's. If I remove the 1130 Option 241, the 1200's associate. Basically, how do I get both to work from the scope correctly?
Thanks,
Raun
Hi Raun,
Here is some additional info;
This section contains a DHCP Option 43 configuration example on a Windows 2003 Enterprise DHCP server for use with lightweight access points. For other DHCP server implementations, consult the DHCP server documentation for configuring DHCP Option 43. In Option 43, you should use the IP address of the controller management interface.
****Note DHCP Option 43 is limited to one access point type per DHCP pool. You must configure a separate DHCP pool for each access point type.****
From this doc;
http://www.cisco.com/en/US/docs/wireless/access_point/1200/installation/guide/120h_g.html
DHCP OPTION 43 for Lightweight Cisco Aironet Access Points Configuration Example
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00808714fe.shtml#t1
Hope this helps!
Rob -
Java DHCP Server, is it possible?
I have looked at Jason Goldschmidt JDHCP api, available at:
http://www.dhcp.org/jdhcp (offline as of this posting)
or
http://www.opennms.org/cgi-bin/cvsweb.cgi/jdhcp/
He seems to have the right idea for the basics. I would like to know if it is possible to create a 100% java DHCP server. I have started one, so far it can pick up broadcasts and is limited to giving out 1 ip... What would the technical limitation of Java be in terms of implementing a Java DHCP server, if any?
Thanks
Jeremy
performance i guess. they aren't any really. the reply
above talks about how you can't ping. ok but so what
you could get around this easily enough. you could
just try to open a socket on any old port. if it times
out the ip is available.
Yes, I agree, I am not concerned about not being able to ping, I was planning on in the program which I am working, it will also keep track of clients who have "leased" an IP, for example.. some sort of QOS tracking.
anyway with java sockets you can do just about
anything you want. the most difficult thing is
learning the protocol for the service you want to
implement.
Agreed, I am not very familiar with DHCP/BOOTp and am catching up on my reading right now, I just got "The DHCP Handbook"... seems to be THE book on DHCP... Those API's I think will make it significantly easier.
my first suggestion to you would be to build a fake
tracing server so you can see the messaging in action.
to do this put a real DHCP server on machine A, put
your fake server on machine B. then point a client
machine (C) at B. use B to pass the messages back and
forth and trace them as they go along.
I have sort of done that already.. What I have is a DHCP Client simulator that shows me what messages are coming in/out.. I also have a packet sniffer to check out what exactly is going on..
anyway the only question i have is why?
Ahhhh, why.. well the goal of it is have many "decentralized" dhcp servers with one centralized IP lease/session backend database..
Example:
You can have many separate "dhcp servers" running on different subnets or on completely separate lan's... on all different platforms, win32, linux, mac... However the leases and keeping track of the IP's in use will be handled by a database somewhere central....
Jeremy -
Best practice configure DHCP server NAC
hi all,
any idea how the best practice deploy dhcp on cas? i tried follow user guide configure dhcp on cas but still cannot running smoothly user just only grep ip authenticate.
- CCA agent very slow appear when user get ip dhcp on authenticate.any idea ?
- how to integrated profiler with nac appliance .?
Hi ahmed,
You have configured your CAS to be your DHCP server, That's well and good because you are using Real IP mode, Which Supports the CAS to be a DHCP server.
Remember
This Setting is only For your Authentication VLAN that your client gets an ip While Authentication ok.
When your Client switches to Access VLAN , your client traffic no longer flows through the CAS so CAS is now not responsible for DHCP.
You'll have to configure another DHCP on the Trusted Side which can Lease IPs to the Access VLAN Members.
As you have configured OOB then your client is in Access VLAN and does not come in contact with the CAS so you need the Trusted side DHCP to give the Client an IP address.
Here in your Scenario your ACCESS VLANS are 2022,2044
Hope this helps, Do reply after Testing.
Thank You
Regards
Edward -
Hi All,
We have planned to implement the DHCP Server therefore here I am looking for the best practice which we can do. we have almost 25 branches across the country and its under in one cloud and single domain.
Is this better to keep a DHCP server in Head Quarters only or need to keep in each region. (Like central, eastern and western region)
If we install DHCP server in each region, can we configure same scope in all DHCP server or need to configure the scope based on region.
If we configure the same scope in all the DHCP server, is there any chance for IP conflict.
Thanks,
Faisal
In my opinion you have not mentioned the most important thing to be considered. How are the branches connected? How is Active Directory configured? Are you using AD sites?
Do you have at least one server at each branch? Do you have a DC in each branch or only one in each region?
I would think that how this is all configured would be the basis on which your DHCP strategy was based.
Bill -
Hi guys,
i have problem use nac server as dhcp server at different subnet.
one thing that i want to know is dhcp in NAC server support unicast dhcp messages ?
because when client use layer 2 connection to nac server, dhcp works fine. i think they use dhcp broadcast message.
thanks
Hi,
Ensure your internal network can ping the DHCP server, which in this case I think is your Hyper-V host. This probably requires that you configure an IP address on your Hyper-V host that matches the subnet you have configured on the DHCP scope.
When you add a virtual network to Hyper-V, this will add a virtual network adapter on the Hyper-V host. You can see the adapter in ipconfig with a name that matches the name of the virtual switch, for example: Ethernet adapter vEthernet (Internal Network).
I'm not sure what your goals are here. It sounds like you want to give the VMs access to the Internet, which can be done much more simply by just creating an External virtual network rather than an Internal one with NAT.
Whatever your configuration, consider that DHCP works only one of two ways:
1. DHCP server exists on the same subnet as the scope subnet and shares one of these subnet IP addresses.
2. DHCP server has a different IP address than the scope, and clients use DHCP relay to get to the DHCP server.
If you don't have a DHCP relay, then you must use the first method.
-Greg -
NAC DHCP server subnet-list issue
Hello everyone,
I currently setup the CAS as a layer 3 IB deployment, and use the CAS as the DHCP server for our remote subnets.
My issue is when I configure the IP address pool, I have to check option "Restrict range to RELAY IP", and can only put one IP address of the remote router IP address to make the DHCP server function working.
But our remote routers are configured HSRP for the user subnets, and I find that it use the physical ip address instead of the virtual ip address to encapsulate the DHCP relay packets. If I put the HSRP virtual IP, it could not work. If I put the primary router's physical interface IP, how about it failover to the standby router?
Could anyone help me for this problem?
Thanks in advance.
Jason
Never had this issue before, it should not occur under normal circumstances.
Two tips:
1: Although not 100% applicable, please verify that your config includes the command: ip subnet zero.
2: Verify that your IOS is recent and not ED, T or whatsoever. If possible load a GD image.
Regards,
Leo -
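The two ways DHCP reaches a server that Greg lists, and the relay restriction Jason describes, both come down to how a server picks a scope from `giaddr`. The sketch below is an added example, not code from any poster, Cisco NAC or Windows DHCP; the scope names, the documentation-range addresses and the `allowed_relays` allow-list are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import NamedTuple, Optional

UNSPECIFIED = ipaddress.IPv4Address("0.0.0.0")


@dataclass(frozen=True)
class Scope:
    name: str
    network: ipaddress.IPv4Network
    # Hypothetical allow-list of relay agents; empty means any relay is accepted.
    allowed_relays: frozenset = frozenset()


class Decision(NamedTuple):
    action: str            # "SERVE" or "DROP"
    scope: Optional[str]   # name of the scope that was selected, if any
    reason: str


def make_scope(name, cidr, relays=()):
    """Build a Scope from strings."""
    return Scope(name, ipaddress.ip_network(cidr),
                 frozenset(ipaddress.ip_address(r) for r in relays))


def decide(scopes, giaddr, recv_iface_ip):
    """Select a scope for one client request.

    giaddr == 0.0.0.0: the broadcast arrived directly, so the address of the
    receiving server interface selects the scope (case 1).
    giaddr != 0.0.0.0: a relay agent forwarded the request and wrote its own
    interface address into giaddr, which selects the scope (case 2).
    """
    gi = ipaddress.ip_address(giaddr)
    relayed = gi != UNSPECIFIED
    selector = gi if relayed else ipaddress.ip_address(recv_iface_ip)
    scope = next((s for s in scopes if selector in s.network), None)
    if scope is None:
        return Decision("DROP", None, f"{selector} matches no scope")
    if relayed and scope.allowed_relays and gi not in scope.allowed_relays:
        return Decision("DROP", scope.name, f"relay {gi} not on allow-list")
    return Decision("SERVE", scope.name,
                    "relayed" if relayed else "local broadcast")


# Constructed sample data (RFC 5737 documentation ranges).
SERVER_IP = "192.0.2.10"                         # server interface on the local subnet
AUTH = make_scope("auth-vlan", "192.0.2.0/24")
# Remote subnet behind two routers: .1 is the virtual gateway address,
# .2 and .3 are the physical interfaces that appear in giaddr.
REMOTE_ONE = make_scope("remote-users", "198.51.100.0/24",
                        relays=["198.51.100.2"])
REMOTE_BOTH = make_scope("remote-users", "198.51.100.0/24",
                         relays=["198.51.100.2", "198.51.100.3"])

if __name__ == "__main__":
    cases = [
        ("local client", [AUTH, REMOTE_ONE], "0.0.0.0"),
        ("primary router relays", [AUTH, REMOTE_ONE], "198.51.100.2"),
        ("standby relays, one relay listed", [AUTH, REMOTE_ONE], "198.51.100.3"),
        ("standby relays, both listed", [AUTH, REMOTE_BOTH], "198.51.100.3"),
        ("relay from unknown subnet", [AUTH, REMOTE_ONE], "203.0.113.1"),
    ]
    for label, scopes, giaddr in cases:
        print(f"{label:34} -> {decide(scopes, giaddr, SERVER_IP)}")
```

With a single relay address on the allow-list, requests relayed by the standby router's physical interface are dropped after a failover; listing both physical addresses keeps the restriction while surviving it.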
Hi there i am having an issue that has popped up recently i have a DC at a branch office that is connected to the main office DC via a Persistent Demand Dial connection in RRAS. Everything was working properly according to me until i found out that the Network Admin who manages the branch office network failed to notify me that client machines weren't getting IP addresses from the DHCP server. This server was recently installed and wasn't fully implemented till about a week ago when i configured the Demand Dial connection in RRAS up until that point it just had a regular old VPN connection to the main office while we worked out the kinks with a few things. the things ive tried so far to get DHCP working are as followed
1.Rebooted the branch office server (MULTIPLE TIMES)
2. Uninstalled the DHCP Role and re-installed it....To my surprise 1 client managed to get a ip on its lan adapter after DHCP was re-installed but nothing else
3. Disconnected the connection between the main office DC and the Branch office DC as i figured the main office DC DHCP server might be interfering with the branch office DC DHCP Server but nothing happened
4. Unauthorized and Reauthorized the main office DHCP server and the branch office DHCP server nothing changed
5. sifted through multiple log files on both servers and found nothing in fact DHCP logs are empty on both servers
6. restored backups of the DHCP servers from when they were working
7. came here cause im out of ideas and im pulling my hair out
here are the current statistics from the problem server
Start Time: 7/12/2014 2:02:10PM
Up Time: 1Hours, 18 Minutes, 41 Seconds
Discovers: 90
Offers: 90
Requests: 2
Acks: 13
Nacks: 0
Declines: 0
Releases: 0
Total Scopes: 1
Total Addresses 253
In Use 2 (0%)
Available: 251 (99%)
I'd like to add that RRAS was getting IP addresses from the problem server up until the point i uninstalled the role and re-installed it
here is an ipconfig /all from the problem server
Windows IP Configuration
Host Name . . . . . . . . . . . . : MNB-DC
Primary Dns Suffix . . . . . . . : VTEACR.LOCAL
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : Yes
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : VTEACR.LOCAL
PPP adapter Remote Router:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Remote Router
Physical Address. . . . . . . . . :
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 10.141.70.25(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . :
DNS Servers . . . . . . . . . . . : 10.141.70.10
NetBIOS over Tcpip. . . . . . . . : Disabled
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet
Physical Address. . . . . . . . . : 00-16-35-AB-D3-05
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::d9e:daa4:34dd:db44%10(Preferred)
IPv4 Address. . . . . . . . . . . : 10.141.80.102(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : fe80::226:5aff:feb7:5b3c%10
10.141.80.1
DNS Servers . . . . . . . . . . . : ::1
10.141.80.102
NetBIOS over Tcpip. . . . . . . . : Enabled
PPP adapter RAS (Dial In) Interface:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : RAS (Dial In) Interface
Physical Address. . . . . . . . . :
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 169.254.238.243(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . :
DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
fec0:0:0:ffff::2%1
fec0:0:0:ffff::3%1
NetBIOS over Tcpip. . . . . . . . : Disabled
Tunnel adapter Local Area Connection* 8:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : isatap.{427DF66B-3B30-40B1-B67E-B5587465C394}
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Tunnel adapter Local Area Connection* 9:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 02-00-54-55-4E-01
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Tunnel adapter Local Area Connection* 11:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : isatap.ziricom.com
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Tunnel adapter Local Area Connection* 12:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : isatap.VTEACR.LOCAL
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Tunnel adapter Local Area Connection* 13:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : isatap.{BE201060-A9B9-404A-8361-F8FFB82F56F6}
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Tunnel adapter Local Area Connection* 14:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #5
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Tunnel adapter Local Area Connection* 15:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : isatap.VTEACR.LOCAL
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Tunnel adapter Local Area Connection* 16:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #7
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Tunnel adapter Local Area Connection* 19:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : isatap.ziricom.com
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
if anymore information is needed please let me know i have full access to everything on the network so its not a problem and i am able to remotely access the branch office DC and all computer and switches at any time of the day
Viper Technologies Computer Repair Putting The Venomus Bite Back In Your Computer We Are Located In Antigonish ,NS Canada Check Us Out HTTP://WWW.VIPERTECHNOLOGIES.TK
Hi,
Does this issue occur on one client or multiple?
Please check this article:
http://technet.microsoft.com/en-us/library/cc757164(v=ws.10).aspx#BKMK_5
Regards.
Vivian Wang -
Internal DHCP Server on Wireless not working
Hi community,
I'm facing some problems to setup a DHCP server on a WLC 2504. I'll try to resume my configuration:
I have 2 networks: inside users (vlan 1) and external users (vlan)
My controller uses the port 1 to connect to the switch, which has a trunk with WLC.
I have two routers, one using vlan 1 (192.168.3.0/24) and one using vlan 10 (200.X.X.X). All ports to these routers are access ports on their respective vlans.
I have 2 SSID, one for inside, other to outside. Inside is working very well.
To the outside I created a DHCP scope and already set the IP of the management interface 192.168.3.119.
Management interface (vlan 1 inside): 192.168.3.119/24
Outside interface (vlan 10): 200.X.X.195 - Default gateway 200.X.X.X.193
I already checked the DHCP Proxy in Advanced option.
See the output of the debug client:
(Cisco Controller) >
(Cisco Controller) >
(Cisco Controller) >
(Cisco Controller) >debug client 00:27:10:ce:38:e8
(Cisco Controller) >
(Cisco Controller) >
(Cisco Controller) >*apfMsConnTask_2: Mar 26 17:45:11.390: 00:27:10:ce:38:e8 Association received from mobile on AP a4:18:75:03:e0:c0
*apfMsConnTask_2: Mar 26 17:45:11.390: 00:27:10:ce:38:e8 Global 200 Clients are allowed to AP radio
*apfMsConnTask_2: Mar 26 17:45:11.390: 00:27:10:ce:38:e8 Max Client Trap Threshold: 0 cur: 1
*apfMsConnTask_2: Mar 26 17:45:11.390: 00:27:10:ce:38:e8 Applying Interface policy on Mobile, role Local. Ms NAC State 2 Quarantine Vlan 0 Access Vlan 10
*apfMsConnTask_2: Mar 26 17:45:11.390: 00:27:10:ce:38:e8 Re-applying interface policy for client
*apfMsConnTask_2: Mar 26 17:45:11.390: 00:27:10:ce:38:e8 192.168.3.206 RUN (20) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1851)
*apfMsConnTask_2: Mar 26 17:45:11.390: 00:27:10:ce:38:e8 192.168.3.206 RUN (20) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2018)
*apfMsConnTask_2: Mar 26 17:45:11.390: 00:27:10:ce:38:e8 In processSsidIE:3883 setting Central switched to TRUE
*apfMsConnTask_2: Mar 26 17:45:11.390: 00:27:10:ce:38:e8 In processSsidIE:3886 apVapId = 2 and Split Acl Id = 65535
*apfMsConnTask_2: Mar 26 17:45:11.390: 00:27:10:ce:38:e8 Applying site-specific Local Bridging override for station 00:27:10:ce:38:e8 - vapId 2, site 'default-group', interface 'externo-embratel'
*apfMsConnTask_2: Mar 26 17:45:11.390: 00:27:10:ce:38:e8 Applying Local Bridging Interface Policy for station 00:27:10:ce:38:e8 - vlan 10, interface id 12, interface 'externo-embratel'
*apfMsConnTask_2: Mar 26 17:45:11.390: 00:27:10:ce:38:e8 processSsidIE statusCode is 0 and status is 0
*apfMsConnTask_2: Mar 26 17:45:11.390: 00:27:10:ce:38:e8 processSsidIE ssid_done_flag is 0 finish_flag is 0
*apfMsConnTask_2: Mar 26 17:45:11.390: 00:27:10:ce:38:e8 STA - rates (8): 140 18 152 36 176 72 96 108 48 72 96 108 0 0 0 0
*apfMsConnTask_2: Mar 26 17:45:11.390: 00:27:10:ce:38:e8 suppRates statusCode is 0 and gotSuppRatesElement is 1
*apfMsConnTask_2: Mar 26 17:45:11.390: 00:27:10:ce:38:e8 Processing RSN IE type 48, length 22 for mobile 00:27:10:ce:38:e8
*apfMsConnTask_2: Mar 26 17:45:11.390: 00:27:10:ce:38:e8 apfMsRunStateDec
*apfMsConnTask_2: Mar 26 17:45:11.390: 00:27:10:ce:38:e8 apfMs1xStateDec
*apfMsConnTask_2: Mar 26 17:45:11.390: 00:27:10:ce:38:e8 192.168.3.206 RUN (20) Change state to START (0) last state RUN (20)
*apfMsConnTask_2: Mar 26 17:45:11.390: 00:27:10:ce:38:e8 pemApfAddMobileStation2: APF_MS_PEM_WAIT_L2_AUTH_COMPLETE = 0.
*apfMsConnTask_2: Mar 26 17:45:11.390: 00:27:10:ce:38:e8 192.168.3.206 START (0) Initializing policy
*apfMsConnTask_2: Mar 26 17:45:11.390: 00:27:10:ce:38:e8 192.168.3.206 START (0) Change state to AUTHCHECK (2) last state START (0)
*apfMsConnTask_2: Mar 26 17:45:11.390: 00:27:10:ce:38:e8 192.168.3.206 AUTHCHECK (2) Change state to 8021X_REQD (3) last state AUTHCHECK (2)
*apfMsConnTask_2: Mar 26 17:45:11.391: 00:27:10:ce:38:e8 Not Using WMM Compliance code qosCap 00
*apfMsConnTask_2: Mar 26 17:45:11.391: 00:27:10:ce:38:e8 192.168.3.206 8021X_REQD (3) Plumbed mobile LWAPP rule on AP a4:18:75:03:e0:c0 vapId 2 apVapId 2 flex-acl-name:
*apfMsConnTask_2: Mar 26 17:45:11.391: 00:27:10:ce:38:e8 apfPemAddUser2 (apf_policy.c:273) Changing state for mobile 00:27:10:ce:38:e8 on AP a4:18:75:03:e0:c0 from Associated to Associated
*apfMsConnTask_2: Mar 26 17:45:11.391: 00:27:10:ce:38:e8 Scheduling deletion of Mobile Station: (callerId: 49) in 1800 seconds
*apfMsConnTask_2: Mar 26 17:45:11.391: 00:27:10:ce:38:e8 Func: apfPemAddUser2, Ms Timeout = 1800, Session Timeout = 1800
*apfMsConnTask_2: Mar 26 17:45:11.391: 00:27:10:ce:38:e8 Sending Assoc Response to station on BSSID a4:18:75:03:e0:c0 (status 0) ApVapId 2 Slot 1
*apfMsConnTask_2: Mar 26 17:45:11.391: 00:27:10:ce:38:e8 apfProcessAssocReq (apf_80211.c:6719) Changing state for mobile 00:27:10:ce:38:e8 on AP a4:18:75:03:e0:c0 from Associated to Associated
*pemReceiveTask: Mar 26 17:45:11.393: 00:27:10:ce:38:e8 192.168.3.206 Removed NPU entry.
*dot1xMsgTask: Mar 26 17:45:11.394: 00:27:10:ce:38:e8 Creating a PKC PMKID Cache entry for station 00:27:10:ce:38:e8 (RSN 2)
*dot1xMsgTask: Mar 26 17:45:11.394: 00:27:10:ce:38:e8 Resetting MSCB PMK Cache Entry 0 for station 00:27:10:ce:38:e8
*dot1xMsgTask: Mar 26 17:45:11.394: 00:27:10:ce:38:e8 Setting active key cache index 8 ---> 8
*dot1xMsgTask: Mar 26 17:45:11.394: 00:27:10:ce:38:e8 Setting active key cache index 8 ---> 0
*dot1xMsgTask: Mar 26 17:45:11.394: 00:27:10:ce:38:e8 Adding BSSID a4:18:75:03:e0:ce to PMKID cache at index 0 for station 00:27:10:ce:38:e8
*dot1xMsgTask: Mar 26 17:45:11.394: New PMKID: (16)
*dot1xMsgTask: Mar 26 17:45:11.394: [0000] 61 96 e0 14 b9 0c c9 ca b2 e0 b7 0a 63 83 15 0d
*dot1xMsgTask: Mar 26 17:45:11.394: 00:27:10:ce:38:e8 Initiating RSN PSK to mobile 00:27:10:ce:38:e8
*dot1xMsgTask: Mar 26 17:45:11.394: 00:27:10:ce:38:e8 dot1x - moving mobile 00:27:10:ce:38:e8 into Force Auth state
*dot1xMsgTask: Mar 26 17:45:11.394: 00:27:10:ce:38:e8 Skipping EAP-Success to mobile 00:27:10:ce:38:e8
*dot1xMsgTask: Mar 26 17:45:11.394: 00:27:10:ce:38:e8 Found an cache entry for BSSID a4:18:75:03:e0:ce in PMKID cache at index 0 of station 00:27:10:ce:38:e8
*dot1xMsgTask: Mar 26 17:45:11.394: 00:27:10:ce:38:e8 Found an cache entry for BSSID a4:18:75:03:e0:ce in PMKID cache at index 0 of station 00:27:10:ce:38:e8
*dot1xMsgTask: Mar 26 17:45:11.394: Including PMKID in M1 (16)
*dot1xMsgTask: Mar 26 17:45:11.394: [0000] 61 96 e0 14 b9 0c c9 ca b2 e0 b7 0a 63 83 15 0d
*dot1xMsgTask: Mar 26 17:45:11.394: 00:27:10:ce:38:e8 Starting key exchange to mobile 00:27:10:ce:38:e8, data packets will be dropped
*dot1xMsgTask: Mar 26 17:45:11.394: 00:27:10:ce:38:e8 Sending EAPOL-Key Message to mobile 00:27:10:ce:38:e8
state INITPMK (message 1), replay counter 00.00.00.00.00.00.00.00
*Dot1x_NW_MsgTask_0: Mar 26 17:45:11.396: 00:27:10:ce:38:e8 Received EAPOL-Key from mobile 00:27:10:ce:38:e8
*Dot1x_NW_MsgTask_0: Mar 26 17:45:11.396: 00:27:10:ce:38:e8 Ignoring invalid EAPOL version (1) in EAPOL-key message from mobile 00:27:10:ce:38:e8
*Dot1x_NW_MsgTask_0: Mar 26 17:45:11.397: 00:27:10:ce:38:e8 Received EAPOL-key in PTK_START state (message 2) from mobile 00:27:10:ce:38:e8
*Dot1x_NW_MsgTask_0: Mar 26 17:45:11.397: 00:27:10:ce:38:e8 Stopping retransmission timer for mobile 00:27:10:ce:38:e8
*Dot1x_NW_MsgTask_0: Mar 26 17:45:11.397: 00:27:10:ce:38:e8 Sending EAPOL-Key Message to mobile 00:27:10:ce:38:e8
state PTKINITNEGOTIATING (message 3), replay counter 00.00.00.00.00.00.00.01
*Dot1x_NW_MsgTask_0: Mar 26 17:45:11.399: 00:27:10:ce:38:e8 Received EAPOL-Key from mobile 00:27:10:ce:38:e8
*Dot1x_NW_MsgTask_0: Mar 26 17:45:11.399: 00:27:10:ce:38:e8 Ignoring invalid EAPOL version (1) in EAPOL-key message from mobile 00:27:10:ce:38:e8
*Dot1x_NW_MsgTask_0: Mar 26 17:45:11.399: 00:27:10:ce:38:e8 Received EAPOL-key in PTKINITNEGOTIATING state (message 4) from mobile 00:27:10:ce:38:e8
*Dot1x_NW_MsgTask_0: Mar 26 17:45:11.399: 00:27:10:ce:38:e8 Stopping retransmission timer for mobile 00:27:10:ce:38:e8
*Dot1x_NW_MsgTask_0: Mar 26 17:45:11.399: 00:27:10:ce:38:e8 apfMs1xStateInc
*Dot1x_NW_MsgTask_0: Mar 26 17:45:11.400: 00:27:10:ce:38:e8 192.168.3.206 8021X_REQD (3) Change state to L2AUTHCOMPLETE (4) last state 8021X_REQD (3)
*Dot1x_NW_MsgTask_0: Mar 26 17:45:11.400: 00:27:10:ce:38:e8 Not Using WMM Compliance code qosCap 00
*Dot1x_NW_MsgTask_0: Mar 26 17:45:11.400: 00:27:10:ce:38:e8 192.168.3.206 L2AUTHCOMPLETE (4) Plumbed mobile LWAPP rule on AP a4:18:75:03:e0:c0 vapId 2 apVapId 2 flex-acl-name:
*Dot1x_NW_MsgTask_0: Mar 26 17:45:11.400: 00:27:10:ce:38:e8 apfMsRunStateInc
*Dot1x_NW_MsgTask_0: Mar 26 17:45:11.400: 00:27:10:ce:38:e8 192.168.3.206 L2AUTHCOMPLETE (4) Change state to RUN (20) last state L2AUTHCOMPLETE (4)
*Dot1x_NW_MsgTask_0: Mar 26 17:45:11.400: 00:27:10:ce:38:e8 192.168.3.206 RUN (20) Reached PLUMBFASTPATH: from line 5982
*Dot1x_NW_MsgTask_0: Mar 26 17:45:11.400: 00:27:10:ce:38:e8 192.168.3.206 RUN (20) Adding Fast Path rule
type = Airespace AP Client
on AP a4:18:75:03:e0:c0, slot 1, interface = 1, QOS = 0
IPv4 ACL ID = 255, IPv6 ACL ID =
*Dot1x_NW_MsgTask_0: Mar 26 17:45:11.400: 00:27:10:ce:38:e8 192.168.3.206 RUN (20) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 15206 Local Bridging Vlan = 10, Local Bridging intf id = 12
*Dot1x_NW_MsgTask_0: Mar 26 17:45:11.400: 00:27:10:ce:38:e8 192.168.3.206 RUN (20) Successfully plumbed mobile rule (IPv4 ACL ID 255, IPv6 ACL ID 255)
*pemReceiveTask: Mar 26 17:45:11.400: 00:27:10:ce:38:e8 192.168.3.206 Added NPU entry of type 1, dtlFlags 0x0
*pemReceiveTask: Mar 26 17:45:11.401: 00:27:10:ce:38:e8 Pushing IPv6: fe80:0000:0000:0000: 893c:4ed3:f9a0:b90f , and MAC: 00:27:10:CE:38:E8 , Binding to Data Plane. SUCCESS !!
*DHCP Socket Task: Mar 26 17:45:11.445: 00:27:10:ce:38:e8 DHCP received op BOOTREQUEST (1) (len 331,vlan 0, port 1, encap 0xec03)
*DHCP Socket Task: Mar 26 17:45:11.445: 00:27:10:ce:38:e8 DHCP selecting relay 1 - control block settings:
dhcpServer: 0.0.0.0, dhcpNetmask: 0.0.0.0,
dhcpGateway: 0.0.0.0, dhcpRelay: 200.x.x..195 VLAN: 10
*DHCP Socket Task: Mar 26 17:45:11.445: 00:27:10:ce:38:e8 DHCP selected relay 1 - 192.168.3.119 (local address 200.x.x.195, gateway 200.x.x.193, VLAN 10, port 1)
*DHCP Socket Task: Mar 26 17:45:11.445: 00:27:10:ce:38:e8 DHCP transmitting DHCP REQUEST (3)
*DHCP Socket Task: Mar 26 17:45:11.445: 00:27:10:ce:38:e8 DHCP op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 1
*DHCP Socket Task: Mar 26 17:45:11.445: 00:27:10:ce:38:e8 DHCP xid: 0x464542f7 (1178944247), secs: 0, flags: 8000
*DHCP Socket Task: Mar 26 17:45:11.445: 00:27:10:ce:38:e8 DHCP chaddr: 00:27:10:ce:38:e8
*DHCP Socket Task: Mar 26 17:45:11.445: 00:27:10:ce:38:e8 DHCP ciaddr: 0.0.0.0, yiaddr: 0.0.0.0
*DHCP Socket Task: Mar 26 17:45:11.445: 00:27:10:ce:38:e8 DHCP siaddr: 0.0.0.0, giaddr: 200.x.x.195
*DHCP Socket Task: Mar 26 17:45:11.445: 00:27:10:ce:38:e8 DHCP requested ip: 192.168.3.206
*DHCP Socket Task: Mar 26 17:45:11.445: 00:27:10:ce:38:e8 DHCP selecting relay 2 - control block settings:
dhcpServer: 0.0.0.0, dhcpNetmask: 0.0.0.0,
dhcpGateway: 0.0.0.0, dhcpRelay: 200.x.x.195 VLAN: 10
*DHCP Socket Task: Mar 26 17:45:11.445: 00:27:10:ce:38:e8 DHCP selected relay 2 - NONE
*DHCP Socket Task: Mar 26 17:45:14.647: 00:27:10:ce:38:e8 DHCP received op BOOTREQUEST (1) (len 331,vlan 0, port 1, encap 0xec03)
*DHCP Socket Task: Mar 26 17:45:14.647: 00:27:10:ce:38:e8 DHCP selecting relay 1 - control block settings:
dhcpServer: 0.0.0.0, dhcpNetmask: 0.0.0.0,
dhcpGateway: 0.0.0.0, dhcpRelay: 200.x.x.195 VLAN: 10
*DHCP Socket Task: Mar 26 17:45:14.647: 00:27:10:ce:38:e8 DHCP selected relay 1 - 192.168.3.119 (local address 200.x.x.195, gateway 200.x.x.193, VLAN 10, port 1)
*DHCP Socket Task: Mar 26 17:45:14.647: 00:27:10:ce:38:e8 DHCP transmitting DHCP REQUEST (3)
*DHCP Socket Task: Mar 26 17:45:14.647: 00:27:10:ce:38:e8 DHCP op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 1
*DHCP Socket Task: Mar 26 17:45:14.647: 00:27:10:ce:38:e8 DHCP xid: 0x464542f7 (1178944247), secs: 768, flags: 8000
*DHCP Socket Task: Mar 26 17:45:14.647: 00:27:10:ce:38:e8 DHCP chaddr: 00:27:10:ce:38:e8
*DHCP Socket Task: Mar 26 17:45:14.647: 00:27:10:ce:38:e8 DHCP ciaddr: 0.0.0.0, yiaddr: 0.0.0.0
*DHCP Socket Task: Mar 26 17:45:14.647: 00:27:10:ce:38:e8 DHCP siaddr: 0.0.0.0, giaddr: 200.x.x.195
*DHCP Socket Task: Mar 26 17:45:14.647: 00:27:10:ce:38:e8 DHCP requested ip: 192.168.3.206
*DHCP Socket Task: Mar 26 17:45:14.647: 00:27:10:ce:38:e8 DHCP selecting relay 2 - control block settings:
dhcpServer: 0.0.0.0, dhcpNetmask: 0.0.0.0,
dhcpGateway: 0.0.0.0, dhcpRelay: 200.x.x.195 VLAN: 10
*DHCP Socket Task: Mar 26 17:45:14.647: 00:27:10:ce:38:e8 DHCP selected relay 2 - NONE
*DHCP Socket Task: Mar 26 17:45:23.590: 00:27:10:ce:38:e8 DHCP received op BOOTREQUEST (1) (len 331,vlan 0, port 1, encap 0xec03)
*DHCP Socket Task: Mar 26 17:45:23.590: 00:27:10:ce:38:e8 DHCP selecting relay 1 - control block settings:
dhcpServer: 0.0.0.0, dhcpNetmask: 0.0.0.0,
dhcpGateway: 0.0.0.0, dhcpRelay: 200.x.x.195 VLAN: 10
*DHCP Socket Task: Mar 26 17:45:23.590: 00:27:10:ce:38:e8 DHCP selected relay 1 - 192.168.3.119 (local address 200.x.x.195, gateway 200.x.x.193, VLAN 10, port 1)
*DHCP Socket Task: Mar 26 17:45:23.590: 00:27:10:ce:38:e8 DHCP transmitting DHCP REQUEST (3)
*DHCP Socket Task: Mar 26 17:45:23.590: 00:27:10:ce:38:e8 DHCP op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 1
*DHCP Socket Task: Mar 26 17:45:23.590: 00:27:10:ce:38:e8 DHCP xid: 0x464542f7 (1178944247), secs: 3072, flags: 8000
*DHCP Socket Task: Mar 26 17:45:23.590: 00:27:10:ce:38:e8 DHCP chaddr: 00:27:10:ce:38:e8
*DHCP Socket Task: Mar 26 17:45:23.590: 00:27:10:ce:38:e8 DHCP ciaddr: 0.0.0.0, yiaddr: 0.0.0.0
*DHCP Socket Task: Mar 26 17:45:23.590: 00:27:10:ce:38:e8 DHCP siaddr: 0.0.0.0, giaddr: 200.x.x.195
*DHCP Socket Task: Mar 26 17:45:23.590: 00:27:10:ce:38:e8 DHCP requested ip: 192.168.3.206
*DHCP Socket Task: Mar 26 17:45:23.590: 00:27:10:ce:38:e8 DHCP selecting relay 2 - control block settings:
dhcpServer: 0.0.0.0, dhcpNetmask: 0.0.0.0,
dhcpGateway: 0.0.0.0, dhcpRelay: 200.x.x.195 VLAN: 10
*DHCP Socket Task: Mar 26 17:45:23.590: 00:27:10:ce:38:e8 DHCP selected relay 2 - NONE
(Cisco Controller) >
What can be wrong?
Thank you in advance.
Hi Plinio,
I see your device connected twice. it connected to the first SSID successfully and I can see it got IP 192.168.3.206.
Then it tries to get an ip from the other scope!! (while as the debugs show it is already connected and in RUN state).
That is strange!!
a question: do you have DHCP required enabled under your WLAN?
Rating useful replies is more useful than saying "Thank you" -
WLC 5508 Internal DHCP server issues
Hi,
I am hoping to get your feedback around the dhcp issues I am facing with Two Centrally Switched Wireless LANs. I have tried to explain the setup and the problems below and would appreciate it if anyone can suggest a solution for the problems I am facing:
The setup is as follows:
- I have a WLC 5508 which has been configured with 4 SSIDs, out of which 2 are using Central Authentication and Switching.
- I have an LWAP connected to the WLC in HREAP mode.
- WLC is configured as the DHCP server for clients connecting to the SSID 'Guest'. For the rest, I am using external dhcp server.
- Only one scope for Guest Interface is setup on the WLC.
Problems:
1. As far as I know, for WLC to act as internal dhcp server, it is mandatory to have the proxy enabled, but the clients connecting to SSID 'Internet' are unable to get an IP address from the external dhcp server if dhcp proxy is enabled on the WLC. If I disable the proxy, it all works fine.
2. DHCP does not release the ip addresses assigned to clients even after they are logged out.
3. If a machine which was earlier connected to 'Guest' SSID connects to the 'Internet' SSID, it requests the same ip it was assigned by the WLC which it was assigned under 'Guest', but gets tagged with the Vlan configured on the management interface.
************Output from the Controller********************
(Cisco Controller) >show sysinfo
Manufacturer's Name.............................. Cisco Systems Inc.
Product Name..................................... Cisco Controller
Product Version.................................. 7.0.116.0
Bootloader Version............................... 1.0.1
Field Recovery Image Version..................... 6.0.182.0
Firmware Version................................. FPGA 1.3, Env 1.6, USB console 1.27
Build Type....................................... DATA + WPS + LDPE
(Cisco Controller) >show interface summary
Interface Name Port Vlan Id IP Address Type Ap Mgr Guest
guest 1 301 10.255.255.30 Dynamic No No
management 1 100 172.17.1.30 Static Yes No
service-port N/A N/A 192.168.0.1 Static No No
virtual N/A N/A 10.0.0.1 Static No No
(Cisco Controller) >show wlan summary
Number of WLANs.................................. 4
WLAN ID WLAN Profile Name / SSID Status Interface Name
1 LAN Enabled management
2 Internet Enabled management
3 Managment Assets Enabled management
4 Guest Enabled guest
(Cisco Controller) >show dhcp detailed guest
Scope: guest
Enabled.......................................... Yes
Lease Time....................................... 86400 (1 day )
Pool Start....................................... 10.255.255.31
Pool End......................................... 10.255.255.254
Network.......................................... 10.255.255.0
Netmask.......................................... 255.255.255.0
Default Routers.................................. 10.255.255.1 0.0.0.0 0.0.0.0
DNS Domain.......................................
DNS.............................................. 8.8.8.8 8.8.4.4 0.0.0.0
Netbios Name Servers............................. 0.0.0.0 0.0.0.0 0.0.0.0
(Cisco Controller) >show interface detailed management
Interface Name................................... management
MAC Address...................................... e8:b7:48:9b:84:20
IP Address....................................... 172.17.1.30
IP Netmask....................................... 255.255.255.0
IP Gateway....................................... 172.17.1.1
External NAT IP State............................ Disabled
External NAT IP Address.......................... 0.0.0.0
VLAN............................................. 100
Quarantine-vlan.................................. 0
Active Physical Port............................. 1
Primary Physical Port............................ 1
Backup Physical Port............................. Unconfigured
Primary DHCP Server.............................. 172.30.50.1
Secondary DHCP Server............................ Unconfigured
DHCP Option 82................................... Disabled
ACL.............................................. Unconfigured
AP Manager....................................... Yes
Guest Interface.................................. No
L2 Multicast..................................... Enabled
(Cisco Controller) >show interface detailed guest
Interface Name................................... guest
MAC Address...................................... e8:b7:48:9b:84:24
IP Address....................................... 10.255.255.30
IP Netmask....................................... 255.255.255.0
IP Gateway....................................... 10.255.255.1
External NAT IP State............................ Disabled
External NAT IP Address.......................... 0.0.0.0
VLAN............................................. 301
Quarantine-vlan.................................. 0
Active Physical Port............................. 1
Primary Physical Port............................ 1
Backup Physical Port............................. Unconfigured
Primary DHCP Server.............................. Unconfigured
Secondary DHCP Server............................ Unconfigured
DHCP Option 82................................... Disabled
ACL.............................................. Unconfigured
AP Manager....................................... No
Guest Interface.................................. No
L2 Multicast..................................... Enabled
(Cisco Controller) >show dhcp leases
MAC IP Lease Time Remaining
00:21:6a:9c:03:04 10.255.255.46 23 hours 52 minutes 42 seconds <<<<<<< lease remains even when the client is disconnected.
*********Example of Client connected to the right Vlan with an ip address from the incorrect interface. *************
(Cisco Controller) >show client detail 00:21:6a:9c:03:04
Client MAC Address............................... 00:21:6a:9c:03:04
Client Username ................................. N/A
AP MAC Address................................... a0:cf:5b:00:49:c0
AP Name.......................................... mel
Client State..................................... Associated
Client NAC OOB State............................. Access
Wireless LAN Id.................................. 2 <<<<<<<< 'Internet' SSID
BSSID............................................ a0:cf:5b:00:49:ce
Connected For ................................... 319 secs
Channel.......................................... 36
IP Address....................................... 10.255.255.46 <<<<<<< IP address assigned from the 'Guest' Interface or dhcp scope on the WLC
Association Id................................... 1
Authentication Algorithm......................... Open System
Reason Code...................................... 1
Status Code...................................... 0
Session Timeout.................................. 1800
Client CCX version............................... 4
Client E2E version............................... 1
QoS Level........................................ Silver
802.1P Priority Tag.............................. disabled
WMM Support...................................... Enabled
Power Save....................................... OFF
Mobility State................................... Local
Mobility Move Count.............................. 0
Security Policy Completed........................ Yes
Policy Manager State............................. RUN
Policy Manager Rule Created...................... Yes
ACL Name......................................... none
ACL Applied Status............................... Unavailable
Policy Type...................................... N/A
Encryption Cipher................................ None
Management Frame Protection...................... No
EAP Type......................................... Unknown
H-REAP Data Switching............................ Central <<<<<<<<<
H-REAP Authentication............................ Central <<<<<<<<<<
Interface........................................ management
VLAN............................................. 100 <<<<<<<<<<< right Vlan
Quarantine VLAN.................................. 0
Access VLAN...................................... 100
Hi All,
I have a similar issue where wireless clients are not receiving automatic addressing from an internal DHCP server. I have multiple interfaces configured on the WLC which are connected to separate VLANs. The manually specified DHCP primary server entry is the same on all interfaces. Some clients are able to authenticate and receive automatic IP configuration but some clients are failing the address assignment process. I have checked connectivity between the WLC and DHCP server; this is confirmed as working. When I carry out a "debug dhcp packet enable", I get the following output, which seems as if the DHCP discover request from the client is skipped. Your thoughts and input on this are appreciated.
DHCP Socket Task: Nov 07 11:16:09.174: 00:22:fb:7b:37:32 DHCP option len (including the magic cookie) 76
*DHCP Socket Task: Nov 07 11:16:09.174: 00:22:fb:7b:37:32 DHCP option: message type = DHCP DISCOVER
*DHCP Socket Task: Nov 07 11:16:09.174: 00:22:fb:7b:37:32 DHCP option: 116 (len 1) - skipping
*DHCP Socket Task: Nov 07 11:16:09.174: 00:22:fb:7b:37:32 DHCP option: 61 (len 7) - skipping
*DHCP Socket Task: Nov 07 11:16:09.174: 00:22:fb:7b:37:32 DHCP option: requested ip = 169.254.223.5
*DHCP Socket Task: Nov 07 11:16:09.174: 00:22:fb:7b:37:32 DHCP option: 12 (len 13) - skipping
*DHCP Socket Task: Nov 07 11:16:09.174: 00:22:fb:7b:37:32 DHCP option: vendor class id = MSFT 5.0 (len 8)
*DHCP Socket Task: Nov 07 11:16:09.174: 00:22:fb:7b:37:32 DHCP option: 55 (len 11) - skipping
*DHCP Socket Task: Nov 07 11:16:09.174: 00:22:fb:7b:37:32 DHCP option: 43 (len 2) - skipping
*DHCP Socket Task: Nov 07 11:16:09.174: 00:22:fb:7b:37:32 DHCP options end, len 76, actual 68
*DHCP Socket Task: Nov 07 11:16:09.174: 00:22:fb:7b:37:32 DHCP Forwarding DHCP packet (332 octets) packet DHCP Socket Task: Nov 07 11:16:09.174: 00:22:fb:7b:37:32 DHCP option len (including the magic cookie) 76
Thanks,
Raj Sandhu
-
Server version: Windows Server 2008 R2 Ent.
Structure of DHCP scopes: Two DHCP servers, 50% to 50% allocation per scope.
Question: Sometimes the DHCP server allocates IP addresses at the same time to a strange MAC address per IP address, the type is "DHCP/BOOTP", and it causes the DHCP scopes to run out of space at some point in time. We need to clear them up manually.
I found that the strange MAC address in hex is the IP address which the server allocated.
Has someone met this issue before? Is there any solution for this?
Thanks!
Hi,
According to your description, this may be caused by a virus or a malicious client.
Please try to perform a network capture on your DHCP server. Then find the device which sends these malicious discover messages.
To download Network Monitor, please click the link below,
http://www.microsoft.com/en-hk/download/details.aspx?id=4865
To prevent this issue, you may implement NAP Enforcement for DHCP.
Here is a checklist of configuring NAP Enforcement for DHCP,
Checklist: Configure NAP Enforcement for DHCP
http://technet.microsoft.com/en-us/library/cc772356(v=WS.10).aspx
Hope this helps.
Steven Lee
TechNet Community Support
-
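The pattern described in the question above (a lease whose unique ID, read as hex, is the leased IP address itself) can be checked mechanically across an exported lease list. This is an added example, not code from the thread; the CSV column names, the constructed sample rows (documentation address ranges), the /24 grouping and all function names are assumptions.

```python
"""Audit a DHCP lease export for client IDs that are the leased IP in ASCII."""
import csv
import io
import ipaddress
from collections import Counter


def classify_unique_id(leased_ip, unique_id_hex):
    """Return 'ip-as-id', 'hardware' or 'other' for one lease row."""
    try:
        raw = bytes.fromhex(unique_id_hex.strip())
    except ValueError:
        return "other"
    # Pattern from the question: the dotted-quad text of the leased address,
    # NUL-terminated, sitting where a hardware address belongs.
    text = raw.rstrip(b"\x00")
    if raw.endswith(b"\x00") and text.isascii():
        try:
            claimed = ipaddress.IPv4Address(text.decode("ascii"))
            if claimed == ipaddress.IPv4Address(leased_ip):
                return "ip-as-id"
        except ValueError:
            pass  # not an IPv4 string, fall through to the other checks
    # Plain 6-byte MAC, or the option 61 form: type 0x01 (Ethernet) + MAC.
    if len(raw) == 6 or (len(raw) == 7 and raw[0] == 0x01):
        return "hardware"
    return "other"


def audit_leases(csv_text, burst_threshold=3):
    """Summarise ip-as-id leases: which addresses, expiry bursts, per-/24 count."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    suspicious = [
        r for r in rows
        if classify_unique_id(r["Client IP Address"], r["Unique ID"]) == "ip-as-id"
    ]
    # With a fixed lease duration, identical expiry times mean the leases
    # were granted in the same minute, i.e. one burst of requests.
    by_expiry = Counter(r["Lease Expiration"] for r in suspicious)
    bursts = {when: n for when, n in by_expiry.items() if n >= burst_threshold}
    # Assumption: /24 scopes, to show how much of each pool is consumed.
    by_net = Counter(
        str(ipaddress.ip_network(r["Client IP Address"] + "/24", strict=False))
        for r in suspicious
    )
    return {
        "total": len(rows),
        "suspicious": [r["Client IP Address"] for r in suspicious],
        "bursts": bursts,
        "by_net": dict(by_net),
    }


def ascii_ip_id(ip):
    """Sample-data helper: ASCII IP + NUL, hex-encoded (constructed values)."""
    return (ip.encode("ascii") + b"\x00").hex()


# Constructed sample export; none of these rows come from the thread.
SAMPLE_CSV = "\n".join(
    [
        "Client IP Address,Name,Lease Expiration,Type,Unique ID",
        "192.0.2.21,pc-021.example.test,2024/1/19 08:12,DHCP,02005e000021",
        "192.0.2.22,pc-022.example.test,2024/1/19 09:40,DHCP,0102005e000022",
    ]
    + [
        f"{ip},{ip},2024/1/15 10:07,DHCP/BOOTP,{ascii_ip_id(ip)}"
        for ip in ("192.0.2.46", "192.0.2.59", "192.0.2.69", "198.51.100.1")
    ]
    + ["192.0.2.90,printer.example.test,2024/1/19 11:00,DHCP,70726e742d3930"]
)

if __name__ == "__main__":
    report = audit_leases(SAMPLE_CSV)
    print(f"{len(report['suspicious'])} of {report['total']} leases use the IP as ID")
    for when, n in report["bursts"].items():
        print(f"burst: {n} such leases expire at {when}")
    for net, n in report["by_net"].items():
        print(f"{net}: {n} addresses held")
```

Run against a real export, the burst timestamps narrow the window to look at in a capture taken on the DHCP server, as the reply suggests.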
DHCP server + IP multipath
Hi,
I have configured a Solaris 10 box that runs a DHCP server with HA networking using multipathing:
ifconfig dmfe0 thehostname netmask + broadcast + group mygroup -failover deprecated up
ifconfig dmfe0 addif hahostname + broadcast + failover up
ifconfig dmfe1 otherhostname netmask + broadcast + group mygroup -failover deprecated up
The networking is working fine, and setting the failover period to 2500 in /etc/default/mpathd works great - unplug the cable from dmfe0 and the host is still available.
Before using hahostname as a virtual interface, it was bound to dmfe0, and running dhcp was all fine. Now that the IP is on the virtual interface, the DHCP server address that clients see is the IP of "thehostname" (from /etc/hosts). 1st question: is it possible to get the DHCP server to show its IP address as the IP of HAHOSTNAME instead of THEHOSTNAME? I have added "INTERFACES=dmfe0,dmfe1" to /etc/inet/dhcpsrv.conf; I am not able to bind to virtual interfaces, but would like to if possible.
In addition to that, since implementing this networking config, dhcp is not running as well. The clients on the network all received dhcp addresses with no problems prior to the HA configuration changes, after changing to this config and restarting (either restarting the dhcp-server service with svcadm or even after a server reboot), some clients are not getting IP addresses. The clients are Windows XP clients, and I had to disable my network card and re-enable it to get it to get an IP address. I get the following error in event viewer (event ID 1001):
"The semaphore timeout period has expired. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server."
After getting an IP, I can renew my IP and there are no problems, but in the event of the primary NIC failing (tested by unplugging the network cable), I cannot get DHCP addresses again.
The first thing that jumps to mind is it might be an ARP issue - should I be binding the same MAC address to all cards perhaps? I have set local-mac-address?=true with eeprom.
Ideas?
You may want to ask this under Firewall section of this forum.
Regards,
Sawan Gupta
-
PiX501 firewall as DHCP Server
VSAT Modem ==> Pix 501 as DHCPServer ==> WRT54GS Linksys wireless Router ==> Clients
I am trying to implement the above setup for my wireless network but unfortunately my Linksys router is not able to access the internet through the PIX 501. Please advise the solution.
HI, [PLS RATE if HELPS]
I agree to Spremkumar comments.
Basic DHCP Services Config in PIX:
Configure the PIX such that users on the inside network that are configured for DHCP receive an IP address, WINS, DNS and default gateway.
PIX1(config)#dhcpd address 192.168.1.100-192.168.1.200
PIX1(config)#dhcpd dns
PIX1(config)#dhcpd domain
PIX1(config)#dhcpd wins
PIX1(config)#dhcpd enable inside
1. Connect a PC/Laptop to the inside Interface via which the IP Address is leased.
2. Why do you need a Router between the PIX (as DHCP Server) and Clients?
3. At last, can you check whether the Outside Interface is connected to VSAT Modem and Inside Interface to Wireless Router (if must) or a Client (for testing)?
Please refer sample configuration above for your help and provide more information on your requirement.
PLS RATE if HELPS
Best Regards,
Guru Prasad R
-
OS X server, DHCP Server and random blocked IPs
Hello !
I use a Mac Mini as a DHCP server for my wireless network. It is connected to internet through a wired modem and gives an IP (through Airport) to the computers that ask for it.
Everything works quite fine... Unless, sometimes, clients obtain an address but cannot browse the web nor connect to the local network. The IP is just "blocked".
If I try to use it on another computer (manually), it just doesn't work.
So, I must change the IP, by changing the DHCP Name of the computer (otherwise, the server always gives the same address), to fix the problem.
What is strange is that a short time after, the incriminated IP works anew! Until it is down again...
My bootpd config file is the following:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>NetBoot</key>
<dict/>
<key>Subnets</key>
<array>
<dict>
<key>allocate</key>
<true/>
<key>dhcpdomainname</key>
<string>antoine.maille.priv</string>
<key>dhcpdomain_nameserver</key>
<array>
<string>81.253.149.1</string>
<string>80.10.246.3</string>
<string>10.0.0.1</string>
</array>
<key>dhcpldapurl</key>
<array>
<string>ldaps://Mac Mini/</string>
</array>
<key>dhcp_router</key>
<string>10.0.0.1</string>
<key>lease_max</key>
<integer>604800</integer>
<key>leasetimesecs</key>
<string>86400</string>
<key>name</key>
<string>DHCP WiFi</string>
<key>net_address</key>
<string>10.0.0.0</string>
<key>net_mask</key>
<string>255.255.255.0</string>
<key>net_range</key>
<array>
<string>10.0.0.10</string>
<string>10.0.0.100</string>
</array>
<key>selectedportname</key>
<string>en1</string>
<key>uuid</key>
<string>FEB30FD5-3749-480E-9FEB-BD2C20206431</string>
</dict>
</array>
<key>allow</key>
<array/>
<key>bootp_enabled</key>
<true/>
<key>deny</key>
<array/>
<key>detectother_dhcpserver</key>
<true/>
<key>dhcp_enabled</key>
<true/>
<key>oldnetbootenabled</key>
<false/>
<key>relay_enabled</key>
<true/>
<key>relayiplist</key>
<array/>
<key>timeServiceStarted</key>
<string>2008-11-26 22:59:19 +0100</string>
</dict>
</plist>
Do you have any idea of what I should do to fix that problem?
Thanks!
alex
Brandon Macinnis wrote:
Dnar,
Thanks for the follow up bit about using the smbutil statshares command. I used that and could confirm that I am also able to force it to connect with smb2. Oddly though, in the stat share info it still says "AUTO_NEGOTIATE"
SMB_NEGOTIATE AUTO_NEGOTIATE
SMB_VERSION SMB_2.1
But maybe that just means something else and not the fact that it did not auto negotiate to SMB. I guess for now this will be what I have to do to use smb2.
I think in this case the AUTO_NEGOTIATE merely means it will auto negotiate a connection between SMB1, SMB2, and (from your data) also SMB2.1. This would have nothing to do with auto negotiating between SMB2 and AFP, which from this thread appears broken.
I also would like to thank Brandon for the tip about smbutil statshares, I had been looking for a simple way to tell what version of SMB was being used to test my NAS.
For everyone's benefit, it would appear from the above that whilst Apple advertise Mavericks as using SMB2 they have gone as far as implementing SMB2.1 and merely list it only as SMB2 for simplicity and due to the fact there is not a huge difference between SMB2 and SMB2.1.
See http://en.wikipedia.org/wiki/Server_Message_Block#SMB_2_and_3
-
NAC Implementation with LanDesk
Hi.
First of all, excuse me for not putting this question in the correct category, because none of the other categories are working for me... the page is not loading.
So here is my problem.
We currently have Cisco NAC implemented in our Enterprise. We want to deploy LanDesk as well.
The problem is when the PC boots the first time, NAC assigns an Authentication IP and at the same time the LanDesk Agent tries to connect to the LanDesk Server, which of course it cannot, as with this authentication IP the client cannot communicate with anything other than the NAC Server.
So how to? Can anyone please???
Thanks in advance
You can set a delay on the services by running a script found here and then you can execute the service or make the call that will fire up the landesk services. Here is an example of the script that I am talking about....
http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/48/cas/s_adsso.html#wp1173302
Also here is one of the articles I found on how to use scripting to start services,
http://www.computerperformance.co.uk/vbscript/wmi_services.htm
I had a customer use this method to map their network drives and were able to get this to work successfully.
Also, one more method is you can create a check that you can always set to fail and then set a launch services requirement that will always attempt to start the services for the landesk service. Here is the config guide that will guide you through this:
http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/48/cam/m_agntd.html#wp1354681
Thanks,
Tarik