WLC 2006 INTERNAL DHCP FOR GUESTS CLIENTS

I would like to use the internal DHCP server to issue IP addresses to the guest wireless clients.
However, when I set up the WLC internal DHCP scope and try to connect to the wireless guest VLAN, the WLC DHCP debug reads "...forwarding to 192.168.255.2", which I have listed as the gateway to the PIX.
Any examples on how to do this would be great.
Here is what I have for the DHCP scope:
Dhcp Scope Info
Scope: Guest.Data.DHCP
Enabled.......................................... Yes
Lease Time....................................... 86400 (1 day )
Pool Start....................................... 192.168.255.17
Pool End......................................... 192.168.255.30
Network.......................................... 192.168.255.0
Netmask.......................................... 255.255.255.0
Default Routers.................................. 192.168.255.2 0.0.0.0 0.0.0.0
DNS Domain.......................................
DNS.............................................. 0.0.0.0 0.0.0.0 0.0.0.0
Netbios Name Servers............................. 0.0.0.0 0.0.0.0 0.0.0.0
Here is what I have for the WLAN:
WLAN Identifier.................................. 2
Network Name (SSID).............................. Guest.Data
Status........................................... Disabled
MAC Filtering.................................... Disabled
Broadcast SSID................................... Enabled
AAA Policy Override.............................. Disabled
Number of Active Clients......................... 0
Exclusionlist Timeout............................ 60 seconds
Session Timeout.................................. Infinity
Interface........................................ guest.data
WLAN ACL......................................... unconfigured
DHCP Server...................................... Default
DHCP Address Assignment Required................. Enabled
Quality of Service............................... Silver (best effort)
WMM.............................................. Disabled
CCX - AironetIe Support.......................... Enabled
CCX - Gratuitous ProbeResponse (GPR)............. Disabled
Dot11-Phone Mode (7920).......................... Disabled
Wired Protocol................................... None
IPv6 Support..................................... Disabled
Radio Policy..................................... All
Security
802.11 Authentication:........................ Open System
Static WEP Keys............................... Disabled
802.1X........................................ Disabled
Wi-Fi Protected Access (WPA/WPA2)............. Disabled
CKIP ......................................... Disabled
IP Security Passthru.......................... Disabled
Web Based Authentication...................... Disabled
Web-Passthrough............................... Disabled
Auto Anchor................................... Disabled
H-REAP Local Switching........................ Disabled
Management Frame Protection................... E

When I try to associate the DHCP scope with the wireless.guest.data interface using 192.168.255.1, which is the IP of that interface, it will not let me. I would have thought that since I was using the internal DHCP, the .1 address would be the DHCP scope address also. I can assign 192.168.255.0 or 192.168.255.2 (gateway); if I use .0 or .2, the DHCP request (discovery) process starts and then forwards to .2 (gateway) and never assigns an address. The only thing that happens is that the client wireless interface gets 255.255.255.255 for a few seconds and then it goes away.
What I am trying to accomplish is to connect WLC port 2 directly to a PIX 506, which goes to the internet, so the guest traffic is not on our VLAN.
Any other suggestions on guest VLANs would be appreciated....
Tom
Interface Name................................... wireless.guest.data
IP Address....................................... 192.168.255.1
IP Netmask....................................... 255.255.255.0
IP Gateway....................................... 192.168.255.2
VLAN............................................. 150
Quarantine-vlan.................................. no
Physical Port.................................... 2
Primary DHCP Server.............................. Unconfigured
Secondary DHCP Server............................ Unconfigured
DHCP Option 82................................... Disabled
ACL.............................................. Unconfigured
AP Manager....................................... No
Scope: wireless.guest.data.dhcp.server
Enabled.......................................... Yes
Lease Time....................................... 86400 (1 day )
Pool Start....................................... 192.168.255.17
Pool End......................................... 192.168.255.30
Network.......................................... 192.168.255.0
Netmask.......................................... 255.255.255.0
Default Routers.................................. 192.168.255.2 0.0.0.0 0.0.0.0
DNS Domain.......................................
DNS.............................................. 0.0.0.0 0.0.0.0 0.0.0.0
Netbios Name Servers............................. 0.0.0.0 0.0.0.0 0.0.0.0
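A consistency check for the scope and interface dumps above, added here as an example and not part of the original post or of Cisco's tooling: it parses the dotted-leader output into fields and flags the mismatches that stop an internal scope from serving a dynamic interface (pool outside the network, interface or gateway address inside the pool, router mismatch, no DNS, and an unconfigured Primary DHCP Server, which for the WLC internal server must point at the controller's management address). The sample dumps are the poster's values re-typed as constructed test input.

```python
import ipaddress
import re

# Constructed test input: the poster's "show interface detailed" and
# "show dhcp detailed" output from above, trimmed to the fields the check needs.
INTERFACE_DUMP = """\
Interface Name................................... wireless.guest.data
IP Address....................................... 192.168.255.1
IP Netmask....................................... 255.255.255.0
IP Gateway....................................... 192.168.255.2
VLAN............................................. 150
Primary DHCP Server.............................. Unconfigured
Secondary DHCP Server............................ Unconfigured
"""

SCOPE_DUMP = """\
Scope: wireless.guest.data.dhcp.server
Enabled.......................................... Yes
Lease Time....................................... 86400 (1 day )
Pool Start....................................... 192.168.255.17
Pool End......................................... 192.168.255.30
Network.......................................... 192.168.255.0
Netmask.......................................... 255.255.255.0
Default Routers.................................. 192.168.255.2 0.0.0.0 0.0.0.0
DNS.............................................. 0.0.0.0 0.0.0.0 0.0.0.0
"""

# A WLC "show" line is "<key>....... <value>"; the key is everything before the
# first run of three or more dots, so values such as 192.168.255.1 are safe.
LEADER = re.compile(r"^(?P<key>.*?)\.{3,}\s*(?P<val>.*)$")


def parse_dump(text):
    """Turn dotted-leader output into a dict; a 'Scope: name' line becomes 'Scope'."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LEADER.match(line)
        if m:
            fields[m.group("key").rstrip(": ").strip()] = m.group("val").strip()
        elif ":" in line:
            key, val = line.split(":", 1)
            fields[key.strip()] = val.strip()
    return fields


def check_guest_dhcp(iface, scope):
    """Return a list of findings that would stop this scope serving this interface."""
    findings = []
    net = ipaddress.ip_network(f"{scope['Network']}/{scope['Netmask']}", strict=False)
    pool_start = ipaddress.ip_address(scope["Pool Start"])
    pool_end = ipaddress.ip_address(scope["Pool End"])
    if_ip = ipaddress.ip_address(iface["IP Address"])
    if_gw = ipaddress.ip_address(iface["IP Gateway"])
    routers = [r for r in scope.get("Default Routers", "").split() if r != "0.0.0.0"]
    dns = [d for d in scope.get("DNS", "").split() if d != "0.0.0.0"]

    if scope.get("Enabled") != "Yes":
        findings.append("scope is disabled")
    if pool_start > pool_end:
        findings.append("pool start is after pool end")
    for label, addr in (("pool start", pool_start), ("pool end", pool_end)):
        if addr not in net:
            findings.append(f"{label} {addr} lies outside scope network {net}")
    if if_ip not in net:
        findings.append(f"interface address {if_ip} is not in scope network {net}")
    for label, addr in (("interface address", if_ip), ("gateway", if_gw)):
        if pool_start <= addr <= pool_end:
            findings.append(f"{label} {addr} sits inside the lease pool")
    if not routers:
        findings.append("scope advertises no default router")
    elif ipaddress.ip_address(routers[0]) != if_gw:
        findings.append(f"scope default router {routers[0]} differs from interface gateway {if_gw}")
    if not dns:
        findings.append("scope hands out no DNS servers")
    # The WLC internal server is reached through the controller's management IP:
    # a dynamic interface left Unconfigured here has nowhere to send the DISCOVER.
    if iface.get("Primary DHCP Server", "Unconfigured") == "Unconfigured":
        findings.append("interface has no Primary DHCP Server (set it to the WLC management address)")
    return findings


if __name__ == "__main__":
    for finding in check_guest_dhcp(parse_dump(INTERFACE_DUMP), parse_dump(SCOPE_DUMP)):
        print("FINDING:", finding)
```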

Similar Messages

  • WLC 5508 Internal DHCP server issues

    Hi,
    I am hoping to get your feedback around the dhcp issues I am facing with Two Centrally Switched Wireless LANs. I have tried to explain the setup and the problems below and would appreciate it if anyone can suggest a solution for the problems I am facing:
    The setup is as follows:
    - I have a WLC 5508 which has been configured with 4 SSIDs, out of which 2 are using Central Authentication and Switching.
    - I have an LWAP connected to the WLC in HREAP mode.
    - WLC is configured as the DHCP server for clients connecting to the SSID 'Guest'. For the rest, I am using external dhcp server.
    - Only one scope for Guest Interface is setup on the WLC. 
    Problems:
    1. As far as I know, for WLC to act as internal dhcp server, it is mandatory to have the proxy enabled, but the Clients connecting to SSID 'Internet' are
    unable to get an ip address from the external dhcp server, if dhcp proxy is enabled on the WLC. If i disable the proxy, it all works fine.
    2. DHCP does not release the ip addresses assigned to clients even after they are logged out.
    3. If a machine which was earlier connected to the 'Guest' SSID connects to the 'Internet' SSID, it requests the same IP it was assigned by the WLC under 'Guest', but gets tagged with the VLAN configured on the management interface.
    ************Output from the Controller********************
    (Cisco Controller) >show sysinfo
    Manufacturer's Name.............................. Cisco Systems Inc.
    Product Name..................................... Cisco Controller
    Product Version.................................. 7.0.116.0
    Bootloader Version............................... 1.0.1
    Field Recovery Image Version..................... 6.0.182.0
    Firmware Version................................. FPGA 1.3, Env 1.6, USB console 1.27
    Build Type....................................... DATA + WPS + LDPE
    (Cisco Controller) >show interface summary
    Interface Name    Port  Vlan Id  IP Address      Type     Ap Mgr  Guest
    guest             1     301      10.255.255.30   Dynamic  No      No
    management        1     100      172.17.1.30     Static   Yes     No
    service-port      N/A   N/A      192.168.0.1     Static   No      No
    virtual           N/A   N/A      10.0.0.1        Static   No      No
    (Cisco Controller) >show wlan summary
    Number of WLANs.................................. 4
    WLAN ID  WLAN Profile Name / SSID               Status    Interface Name
    1        LAN                                    Enabled   management
    2        Internet                               Enabled   management
    3        Managment Assets          Enabled   management
    4        Guest                                  Enabled   guest
    (Cisco Controller) >show dhcp detailed guest
    Scope: guest
    Enabled.......................................... Yes
    Lease Time....................................... 86400 (1 day )
    Pool Start....................................... 10.255.255.31
    Pool End......................................... 10.255.255.254
    Network.......................................... 10.255.255.0
    Netmask.......................................... 255.255.255.0
    Default Routers.................................. 10.255.255.1  0.0.0.0  0.0.0.0
    DNS Domain.......................................
    DNS.............................................. 8.8.8.8  8.8.4.4  0.0.0.0
    Netbios Name Servers............................. 0.0.0.0  0.0.0.0  0.0.0.0
    (Cisco Controller) >show interface detailed management
    Interface Name................................... management
    MAC Address...................................... e8:b7:48:9b:84:20
    IP Address....................................... 172.17.1.30
    IP Netmask....................................... 255.255.255.0
    IP Gateway....................................... 172.17.1.1
    External NAT IP State............................ Disabled
    External NAT IP Address.......................... 0.0.0.0
    VLAN............................................. 100
    Quarantine-vlan.................................. 0
    Active Physical Port............................. 1
    Primary Physical Port............................ 1
    Backup Physical Port............................. Unconfigured
    Primary DHCP Server.............................. 172.30.50.1
    Secondary DHCP Server............................ Unconfigured
    DHCP Option 82................................... Disabled
    ACL.............................................. Unconfigured
    AP Manager....................................... Yes
    Guest Interface.................................. No
    L2 Multicast..................................... Enabled
    (Cisco Controller) >show interface detailed guest
    Interface Name................................... guest
    MAC Address...................................... e8:b7:48:9b:84:24
    IP Address....................................... 10.255.255.30
    IP Netmask....................................... 255.255.255.0
    IP Gateway....................................... 10.255.255.1
    External NAT IP State............................ Disabled
    External NAT IP Address.......................... 0.0.0.0
    VLAN............................................. 301
    Quarantine-vlan.................................. 0
    Active Physical Port............................. 1
    Primary Physical Port............................ 1
    Backup Physical Port............................. Unconfigured
    Primary DHCP Server.............................. Unconfigured
    Secondary DHCP Server............................ Unconfigured
    DHCP Option 82................................... Disabled
    ACL.............................................. Unconfigured
    AP Manager....................................... No
    Guest Interface.................................. No
    L2 Multicast..................................... Enabled
    (Cisco Controller) >show dhcp leases
           MAC                IP         Lease Time Remaining
    00:21:6a:9c:03:04    10.255.255.46    23 hours 52 minutes 42 seconds        <<<<<<< lease remains even when the client is disconnected.
    *********Example of Client connected to the right Vlan with an ip address from the incorrect interface. *************
    (Cisco Controller) >show client detail 00:21:6a:9c:03:04
    Client MAC Address............................... 00:21:6a:9c:03:04
    Client Username ................................. N/A
    AP MAC Address................................... a0:cf:5b:00:49:c0
    AP Name.......................................... mel
    Client State..................................... Associated
    Client NAC OOB State............................. Access
    Wireless LAN Id.................................. 2                 <<<<<<<<   'Internet' SSID
    BSSID............................................ a0:cf:5b:00:49:ce
    Connected For ................................... 319 secs
    Channel.......................................... 36
    IP Address....................................... 10.255.255.46      <<<<<<< IP address assigned from the 'Guest' Interface or dhcp scope on the WLC
    Association Id................................... 1
    Authentication Algorithm......................... Open System
    Reason Code...................................... 1
    Status Code...................................... 0
    Session Timeout.................................. 1800
    Client CCX version............................... 4
    Client E2E version............................... 1
    QoS Level........................................ Silver
    802.1P Priority Tag.............................. disabled
    WMM Support...................................... Enabled
    Power Save....................................... OFF
    Mobility State................................... Local
    Mobility Move Count.............................. 0
    Security Policy Completed........................ Yes
    Policy Manager State............................. RUN
    Policy Manager Rule Created...................... Yes
    ACL Name......................................... none
    ACL Applied Status............................... Unavailable
    Policy Type...................................... N/A
    Encryption Cipher................................ None
    Management Frame Protection...................... No
    EAP Type......................................... Unknown
    H-REAP Data Switching............................ Central       <<<<<<<<<
    H-REAP Authentication............................ Central       <<<<<<<<<<
    Interface........................................ management
    VLAN............................................. 100           <<<<<<<<<<< right Vlan
    Quarantine VLAN.................................. 0
    Access VLAN...................................... 100

    Hi All,
    I have a similar issue where wireless clients are not receiving automatic addressing from an internal DHCP server. I have multiple interfaces configured on the WLC which are connected to separate VLANs. The manually specified DHCP primary server entry is the same on all interfaces. Some clients are able to authenticate and receive automatic IP configuration, but some clients are failing the address assignment process. I have checked connectivity between the WLC and DHCP server; this is confirmed as working. When I carry out a "debug dhcp packet enable", I get the following output, which seems as if the DHCP discover request from the client is skipped. Your thoughts and inputs on this are appreciated.
    DHCP Socket Task: Nov 07 11:16:09.174: 00:22:fb:7b:37:32 DHCP option len (including the magic cookie) 76
    *DHCP Socket Task: Nov 07 11:16:09.174: 00:22:fb:7b:37:32 DHCP option: message type = DHCP DISCOVER
    *DHCP Socket Task: Nov 07 11:16:09.174: 00:22:fb:7b:37:32 DHCP option: 116 (len 1) - skipping
    *DHCP Socket Task: Nov 07 11:16:09.174: 00:22:fb:7b:37:32 DHCP option: 61 (len 7) - skipping
    *DHCP Socket Task: Nov 07 11:16:09.174: 00:22:fb:7b:37:32 DHCP option: requested ip = 169.254.223.5
    *DHCP Socket Task: Nov 07 11:16:09.174: 00:22:fb:7b:37:32 DHCP option: 12 (len 13) - skipping
    *DHCP Socket Task: Nov 07 11:16:09.174: 00:22:fb:7b:37:32 DHCP option: vendor class id = MSFT 5.0 (len 8)
    *DHCP Socket Task: Nov 07 11:16:09.174: 00:22:fb:7b:37:32 DHCP option: 55 (len 11) - skipping
    *DHCP Socket Task: Nov 07 11:16:09.174: 00:22:fb:7b:37:32 DHCP option: 43 (len 2) - skipping
    *DHCP Socket Task: Nov 07 11:16:09.174: 00:22:fb:7b:37:32 DHCP options end, len 76, actual 68
    *DHCP Socket Task: Nov 07 11:16:09.174: 00:22:fb:7b:37:32 DHCP Forwarding DHCP packet (332 octets) packet
    DHCP Socket Task: Nov 07 11:16:09.174: 00:22:fb:7b:37:32 DHCP option len (including the magic cookie) 76
    Thanks,
    Raj Sandhu

  • 2504 WLC on edge network for guest wifi

    I have a 2504 WLC with a 1042 AP and I have it placed on my edge Cisco 3750 switch.
    I have the management interface of the WLC set on my WAN IP 71.x.x.x subnet range, and I have the WLC doing DHCP duties with a DHCP scope of 192.168.X.0. I have my DNS servers set on external DNS servers out on the Internet.
    I have two Cisco 3845 Routers on my edge network - one for each ISP with BGP protocol.
    Since my native VLAN is 71.x.x.x, I added a sub interface on my main core router and gave it a 192.168.x.1 255.255.255.0 address for the gateway. Also, I added ip prefix-list iBGP seq 10 permit 192.168.x.0/24 le 32 to my main core router. On my secondary ISP router I added
    ip prefix-list iBGP seq 10 permit 192.168.X.0/24 le 32, and ip prefix-list OUT seq 10 permit 192.168.x.0/24 statements.
    I added VLAN 10 to my edge switch and gave it IP 192.168.x.2 255.255.255.0, and the switchports that my core router and my WLC are connected to the edge switch, are in trunk mode with encapsulation dot1q 10. The switchport on my edge switch that the AP is connected to is in switchport access mode.
    I can connect to the wifi with a 192.168.x.x IP address on my laptop, but I cannot get any Internet access.
    Is it possible to have the DHCP scope be in a different subnet than my WAN IP subnet, and allow guests to get to the external Internet only? Do I need to put the WLC somewhere internal on my network i.e. the DMZ and then tunnel the traffic out to the Internet with no Internal network access?
    Thanks for any help you can provide.

    Right, and how does a 'normal/current' user access the internet? Somewhere going to your ISP there should be some sort of NAT statement when you send interwebs traffic.
    if your ISP is taking care of all of that for you, you probably need to let them know you added the subnet so they can do the NAT.
    HTH,
    Steve
    Please remember to rate useful posts, and mark questions as answered

  • WLC to ISE authentication for Guest

    Hi Experts,
    Hope if you could guide me with our setup for Guest users. Below is what we are doing
    a)     Guest connects to SSID
    b)     WLC is being used to redirect Guest HTTP to WLC internal Portal
    c)     WLC forwards guest authentication details to cisco ISE [ISE and WLC radius]
    The guest connects to the SSID and does get the WLC portal for authentication; when the username and password are entered, on Cisco ISE I see the error message
    'User Identity not found in any of Identity Store', though it is going through the correct store and the guest name is certainly configured on Cisco ISE. ISE version is 1.2 and WLC is 7.4; please let me know if I am missing anything here.
    Appreciate your help

    The first method is local web authentication. In this case, the WLC redirects the HTTP traffic to an internal or external server where the user is prompted to authenticate. The WLC then fetches the credentials (sent back via an HTTP GET request in the case of external server) and makes a RADIUS authentication. In the case of a guest user, an external server (such as Identity Services Engine (ISE) or NAC Guest Server (NGS)) is required as the portal provides features such as device registering and self-provisioning. The flow includes these steps:
    Please follow below guide for step by step configuration:
    http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080bead09.shtml

  • Configuring autonomous 1141 to do DHCP for Guest WiFi

    I have an existing setup consisting of:
    Windows Server - doing DHCP for private wired/wireless
    Cisco 1141 Autonomous WAP with only private wireless access.
    ASA 5505 (with very basic licensing)
    HP switch
    The customer wants to have guest WiFi.
    The guest WiFi is going out to the internet via a separate VLAN/interface on the ASA.
    Can the 1141 do DHCP for the guest WiFi?   Or do I need to do it via the ASA?

    It could but you would have to relay it from the ASA. So might as well just use the ASA for the scope.
    Steve
    Sent from Cisco Technical Support iPhone App

  • ISE 1.3 - internal CA for EAP client

    Hi Experts,
    Could you please give me the right way and steps to configure the ISE 1.3 built-in CA for EAP client auth. I'm trying to complete my dual SSIDs procedure. My configuration may have some missing config in the Certificate section. That makes clients unable to get through device enrollment & provisioning, but auth and authorise are fine.
    It's hard to configure 100% correctly without a detailed guide. I know by fundamental setup the config must comprise a subordinate CA, OCSP, and endpoint RA, but I cannot figure out those steps myself.
    The steps or a complete document are welcome. The official document does not help me get through.
    Thank you in advance,
    Nipat CCIE#29422

    I would like to see something similar if anyone has anything with a little more detail then what the Admin Guide has.

  • WLC in a DMZ for guest access

    I have one internal 4400 and one in a DMZ. I want to configure the DMZ WLC to provide guest Internet access. I am unable to find much information on doing this. I have a WLAN called Guest defined on both controllers, and both controllers are defined as mobility anchors. What I don't understand is how to configure the interfaces. Do both interfaces for the WLAN Guest need to be in the same VLAN and subnet? Example:
    On the internal WLC, WLAN Guest is tied to an interface named Guest with an IP address of 172.26.254.5/24. What does the interface need to look like on the DMZ WLC?

    This should get you on the right track:
    http://www.cisco.com/en/US/products/ps6366/prod_technical_reference09186a0080706f5f.html
    Brad

  • How to save a form for intern use for a client?

    Hi,
    I can only choose between using FormsCentral, email or a server (to which I can't get access). My client needs the form for internal use ONLY, like a simple PDF doc that eventually collects their data. I used to make such forms in previous versions …
    Anna

    I have a very simple form, made from my own template (InDesign > PDF).
    When distributing I have to choose between Adobe FormsCentral, Email or a specific internal server. I can't, because my client needs to define it for themselves later. What can I do? I used to send them a simple form file.
    Anna

  • WLC 4400 series OID for Current Clients

    Can someone advise what is the OID for the number of current clients for the WLC 4400 series appliance.
    Thanks.

    Based on the results of your walk, I would say it reports all of the instances on that particular controller...and I say this because only one instance is reported. I would think that if you have multiple WLANs on that WLC, you would get multiple instances reported back, so (maybe, like you) I'm confused by the description in the MIB object where it states:
    "No of Mobile Stations currently associated with the WLAN."
    which to me looks like "the WLAN" is used in the singular.
    At this point, I think the best thing to do would be to open a TAC case with all of this info, and we can get with our developers for confirmation.
    Hope this has been somewhat helpful, and please rate these posts.
    Thanks,
    -Joe

  • WLC 2504 - French characters for guest web login page

    Good day,
    I have recently installed a WLC 2504 and I have the following issue:
    When I modify the text for the web login page (under Security/Web Auth/Web Auth page), if I use French characters such as (é, è, à, etc...) in the message body, it does not show up correctly on users' computers. As we're a bilingual country, I must put a bilingual text message. Are there any settings or workarounds out there to rectify this?
    We're on version 7.2.103.0
    Thanks,
    Eric

    Thanks Scott, I'll have a look at the documentation.
    Right after sending this post, I tried typing the actual HTML code for the character instead and it seems to be working. I'm curious about custom webauth page, we may be able to customize it more than we thought we could do.
    Cheers,
    Eric

  • 5508 WLC - need MIB/OIDs for current client associations

    We installed 5508 controllers in multiple locations. We have an existing SNMP management system and syslog that will work fine with these 5508s. We are having issues figuring out an OID that reports current "unique" client associations (with a timestamp/MAC address/IP address/AP name/protocol and 802.11 state).
    We tried using the NCS reports (every 60 seconds) but that only gives a historical view of client associations (and 60 individual emails in an hour). We would like to have a better reporting technique to show live data with a refresh of 60 seconds of currently associated "unique" clients and what AP they are connected to. Parsing out historical data in a .CSV format is really painful and inefficient.
    Has anyone attempted anything like this? Would anyone know a good MIB/OID to use for something like this?
    Thanks,
    Nick

  • WAP321 - DHCP for wifi clients not working

    My WAP321 is connected to an office switch A.
    WAP321 wifi clients are unable to get DHCP.
    Clients wired to switch A can receive DHCP.
    Using firmware version 1.0.2.3.
    I'm perplexed still.

    Due to an earlier print issue I've reset the WAP321 and uploaded the latest firmware, which seems to have fixed the printer issues but not fixed my DHCP request issue.
    Been doing some more digging and drilled it down a little further.
    What I have is an unmanaged switch (no VLAN) which is connected to the WAP321 (with static IP).
    I'm able to connect to the wifi SSID OK with the OSX laptop, i.e. the DHCP request works.
    Now I'm running a VM on this laptop (VirtualBox running FreeBSD).
    The VM/FreeBSD boots but is unable to get DHCP requests answered.
    If I connect the laptop to another wifi AP, the same VirtualBox VM/FreeBSD is able to get DHCP requests answered
    (note: AP of a different make & connected to the same unmanaged switch).
    Seems to suggest the WAP321 could still be the issue.
    Although (VirtualBox + FreeBSD VM) could also be an issue, which is beyond this forum.

  • 5508 internal DHCP server

    Hi,
    A client wants us to use the internal DHCP server on a 5508 instead of Windows DHCP. They will have 15 APs initially and up to 25 later. The docs on the 7.2 WLC make it sound like this is discouraged:
    Internal DHCP Server: The controllers contain an internal DHCP server. This server is typically used in branch offices that do not already have a DHCP server. The wireless network generally contains 10 access points or fewer, with the access points on the same IP subnet as the controller.
    In this case, the APs will not be in the same subnet as the Management interface.
    Is it a mistake to use the internal DHCP with up to 25 APs (3 WLANs)?
    Thanks.

    #DHCP proxy needs to be enabled to use internal DHCP on the WLC. The WLC uses the virtual IP for DHCP and the packets are unicast. So keeping the AP on L3 doesn't work with internal DHCP. DHCP for wireless clients works because the packets are sent to the WLC via CAPWAP.
    #The DHCP required state can cause traffic to not be forwarded properly if a client is deauthenticated or removed. To overcome this problem, ensure that the DHCP required state is always disabled.
    Ans: it is expected behavior irrespective of DHCP being internal or external; it is a feature and not a disadvantage.
    Cons:
    #Can't have DHCP reservations.
    #Can't have option 43 or any other DHCP options.
    #DHCP service can't be restarted; a WLC reboot is required if needed to do so.
    #If multiple WLCs are used, need to create non-overlapping scopes on the other WLCs as well.
    #Wired clients cannot get an IP from internal DHCP. So need to maintain a separate network & DHCP server for the wired network, and this requires routing.
    #From the WLC GUI, can't remove the client; need to use the CLI.
    #WLC reboot may clear the DHCP leases, though not 100% sure.

  • Internal dhcp with anchor and foreign

    Greetings,
    Trying to get DHCP going for guest clients.
    I can see DHCP requests coming through and getting dropped at the foreign controller.
    *DHCP Socket Task: Aug 10 16:19:54.075: 58:94:6b:1d:xx:yy DHCP received op BOOTREQUEST (1) (len 308,vlan 0, port 13, encap 0xec03)
    *DHCP Socket Task: Aug 10 16:19:54.075: 58:94:6b:1d:xx:yy DHCP dropping packet
    Could someone tell me:
    1. Why would the DHCP requests be processed by the foreign controller instead of the anchor?
    2. Do I need to configure the DHCP server under the guest WLAN interface on the foreign?
    I thought all L3 and security stuff is forwarded over EoIP to the anchor and therefore there is no need to configure the DHCP server on the foreign.
    I'm trying to utilise the internal DHCP server (firmware 7.0.220) but so far it's not going well.
    Thanks,
    silva

    Hi All,
    Steve, you got me thinking, and thanks to the debugs you provided, I managed to fix the issue. The problem was caused by a local EoIP tunnel that was configured on the foreign and thus traffic was not getting forwarded. Strange thing, I can't remember configuring that as it was not required. Anyway, after I removed it, all worked as expected. I'm using internal DHCP and so far it is working fine as well.
    With the ACLs for the guest WLAN, do we need to configure them on both foreign and anchors so that the WLAN configs are identical?
    It does not make any sense to me to configure the ACLs on the foreign, but can someone confirm?
    Silva

  • Server 2012 NPS NAP DHCP for VPN

    I have set up a server with DHCP and NPS and configured NAP DHCP.
    DHCP has 1 scope and the default scope options 003 Router, 005 DNS Server and 015 Domain Name (domain.com).
    Further, in DHCP I created a DHCP policy so it assigns a different 005 DNS Server and 015 Domain Name (restricted.domain.com) to non-compliant clients. NPS/NAP DHCP is working (all is set up: health, SHV, GPO etc.; the Health Validator is only checking if the firewall
    is running), so when I connect a client with the firewall on I get a normal IP from the scope with the scope options and domain suffix domain.com. When I disable the firewall I get an IP from the DHCP scope, no gateway, subnet 255.255.255.255 and domain suffix restricted.domain.com,
    so all works well and as NAP DHCP should work.
    Now I have a separate RRAS server configured as VPN server and configured my DHCP/NPS server as a RADIUS Authentication Provider. Also a DHCP relay agent is configured in RRAS.
    On my DHCP/NPS server I configured my RRAS server as a RADIUS Client (NAP-capable).
    My questions:
    Q1. Can I use NAP DHCP for VPN clients, as VPN clients get an IP address from my DHCP server? I know there is a NAP VPN option but I want to use NAP DHCP because NAP DHCP and NAP VPN don't work together and I want NAP DHCP for internal clients.
    My problem:
    P1. With the setup above I cannot set up a VPN connection from an external client; I get the error "Error 812: The connection was prevented because of a policy configured on your RAS/VPN server. Specifically, the authentication method used by the server to verify
    your username and password may not match the authentication method configured in your connection profile. Please contact the Administrator of the RAS server and notify them of this error."
    I can resolve my problem P1 by running "Configure VPN for Dial-Up" with the option "RADIUS server for Dial-Up or VPN connections." This creates 1 Connection Request Policy and 1 Network Policy; in the policy I set authorized to the Windows
    group Domain Admins.
    But then I have an issue with NAP DHCP...
    When I have a non-domain-joined external client, where I have enabled the NAP client in services.msc and DHCP Enforcement in local policy, I can set up a VPN connection, and from the DHCP server I get an IP address from the subnet/scope and domain suffix domain.com,
    so this is working OK. But when I disconnect the VPN client, disable and stop the firewall and connect the VPN again, it's not getting restricted: running ipconfig /all shows it's not restricted and also "netsh nap client show state" shows it's not restricted,
    BUT it SHOULD be restricted as the firewall is off.
    What could be wrong?

    Hi,
    After discussing this with so many people, I think this will not work.
    First we need to know how DHCP enforcement works.
    1. The DHCP client sends a DHCP request message to the DHCP server. If the DHCP client has an SoH, the DHCP request message includes it. The SoH contains information about the health of the client. The DHCP server passes the SoH to the NPS server. The NPS server communicates with the policy server to determine whether the SoH is valid.
    2. If the SoH is valid, the DHCP server assigns the DHCP client a complete IP address configuration. The DHCP client has unlimited access to the network, as defined by policy.
    3. If the SoH is not valid, the DHCP server limits the access of the DHCP client to the restricted network and assigns it a limited access subnet mask and static routes, as defined by policy.
    But VPN clients get IPs in a different way. It uses the IP Control Protocol (IPCP) as part of the Point-to-Point Protocol (PPP) connection setup. Everything is done in the VPN tunnel.
    Hope this helps.
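The restricted lease the question describes (no gateway, subnet 255.255.255.255, the restricted.domain.com suffix) and the limited subnet mask plus static routes the answer mentions are all carried as ordinary DHCP options in the server's ACK. The following is an added example, not code from either poster or from Microsoft: it parses a raw DHCP reply, decodes options 1, 3, 6, 15 and 121 (RFC 3442 classless static routes), and reports whether the lease looks like a NAP quarantine configuration. The two packets are constructed inline; the addresses, domain names and the build_reply helper are assumptions, and the heuristic assumes the normal scope hands out option 3 (router), as this poster's scope does.

```python
"""Inspect a DHCP OFFER/ACK and tell a full lease from a NAP-restricted one.

Added example with constructed packets; nothing here was captured from the
poster's network.
"""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MAGIC_COOKIE = b"\x63\x82\x53\x63"
HEADER_FMT = "!BBBBIHH4s4s4s4s16s64s128s"      # fixed BOOTP header, 236 bytes
OPT_SUBNET_MASK, OPT_ROUTER, OPT_DNS, OPT_DOMAIN = 1, 3, 6, 15
OPT_MSG_TYPE, OPT_CLASSLESS_ROUTE, OPT_END = 53, 121, 255
HOST_MASK = "255.255.255.255"


def ipv4(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def ip_bytes(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def ip_list(raw: bytes) -> List[str]:
    """Split a multi-address option value into dotted-quad strings."""
    return [ipv4(raw[i:i + 4]) for i in range(0, len(raw), 4) if len(raw[i:i + 4]) == 4]


def parse_options(payload: bytes) -> Dict[int, bytes]:
    """Parse the options field (starting at the magic cookie) into code -> value.
    Pad (0) is skipped, End (255) stops parsing, repeated codes are concatenated
    as RFC 3396 requires, and a truncated option raises instead of being guessed."""
    if not payload.startswith(MAGIC_COOKIE):
        raise ValueError("missing DHCP magic cookie")
    opts: Dict[int, bytes] = {}
    i = 4
    while i < len(payload):
        code = payload[i]
        if code == 0:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = opts.get(code, b"") + value
        i += 2 + length
    return opts


def parse_classless_routes(value: bytes) -> List[str]:
    """Decode RFC 3442 option 121: <prefix len><significant dest octets><router>."""
    routes, i = [], 0
    while i < len(value):
        prefix = value[i]
        n = (prefix + 7) // 8                   # only significant destination octets are sent
        dest = value[i + 1:i + 1 + n].ljust(4, b"\x00")
        gw = value[i + 1 + n:i + 5 + n]
        if prefix > 32 or len(gw) != 4:
            raise ValueError("malformed classless static route")
        routes.append(f"{ipv4(dest)}/{prefix} via {ipv4(gw)}")
        i += 5 + n
    return routes


@dataclass
class LeaseSummary:
    address: str
    subnet_mask: Optional[str]
    routers: List[str]
    dns_servers: List[str]
    domain_name: Optional[str]
    static_routes: List[str]
    restricted: bool
    reasons: List[str]


def summarize_ack(packet: bytes) -> LeaseSummary:
    """Classify a DHCPOFFER/DHCPACK as a full or quarantine-style lease."""
    if len(packet) < 240:
        raise ValueError("packet shorter than BOOTP header plus magic cookie")
    fields = struct.unpack(HEADER_FMT, packet[:236])
    if fields[0] != 2:                          # op must be BOOTREPLY
        raise ValueError("not a BOOTREPLY")
    yiaddr = ipv4(fields[8])                    # 'your' address offered to the client
    opts = parse_options(packet[236:])
    if opts.get(OPT_MSG_TYPE, b"") not in (b"\x02", b"\x05"):   # OFFER or ACK
        raise ValueError("not a DHCPOFFER/DHCPACK")
    mask = ipv4(opts[OPT_SUBNET_MASK]) if OPT_SUBNET_MASK in opts else None
    routers = ip_list(opts.get(OPT_ROUTER, b""))
    dns = ip_list(opts.get(OPT_DNS, b""))
    domain = opts[OPT_DOMAIN].rstrip(b"\x00").decode("ascii", "replace") if OPT_DOMAIN in opts else None
    routes = parse_classless_routes(opts.get(OPT_CLASSLESS_ROUTE, b""))
    # NAP DHCP enforcement signature: host-only mask, no default router, remediation routes.
    reasons = []
    if mask == HOST_MASK:
        reasons.append("host-only subnet mask (255.255.255.255)")
    if not routers:                             # assumes the normal scope hands out option 3
        reasons.append("no default router (option 3)")
    if routes:
        reasons.append(f"{len(routes)} static route(s) to remediation hosts (option 121)")
    return LeaseSummary(yiaddr, mask, routers, dns, domain, routes, bool(reasons), reasons)


def build_reply(yiaddr: str, options: List[Tuple[int, bytes]]) -> bytes:
    """Assumed helper: build a minimal DHCPACK for offline testing (dummy xid/chaddr)."""
    header = struct.pack(HEADER_FMT, 2, 1, 6, 0, 0x3903F326, 0, 0,
                         b"\x00" * 4, ip_bytes(yiaddr), b"\x00" * 4, b"\x00" * 4,
                         b"\x00" * 16, b"\x00" * 64, b"\x00" * 128)
    body = b"".join(bytes([code, len(val)]) + val for code, val in options)
    return header + MAGIC_COOKIE + body + bytes([OPT_END])


# Constructed sample: the full lease a compliant client receives (addresses are assumptions).
SAMPLE_FULL_ACK = build_reply("10.0.0.50", [
    (OPT_MSG_TYPE, b"\x05"),
    (OPT_SUBNET_MASK, ip_bytes("255.255.255.0")),
    (OPT_ROUTER, ip_bytes("10.0.0.1")),
    (OPT_DNS, ip_bytes("10.0.0.10")),
    (OPT_DOMAIN, b"domain.com"),
])

# Constructed sample: restricted lease, host mask, no router, remediation DNS and a /32 route to it.
SAMPLE_RESTRICTED_ACK = build_reply("10.0.0.51", [
    (OPT_MSG_TYPE, b"\x05"),
    (OPT_SUBNET_MASK, ip_bytes("255.255.255.255")),
    (OPT_DNS, ip_bytes("10.0.0.20")),
    (OPT_DOMAIN, b"restricted.domain.com"),
    (OPT_CLASSLESS_ROUTE, bytes([32]) + ip_bytes("10.0.0.20") + ip_bytes("10.0.0.1")),
])

if __name__ == "__main__":
    for label, pkt in (("compliant", SAMPLE_FULL_ACK), ("non-compliant", SAMPLE_RESTRICTED_ACK)):
        s = summarize_ack(pkt)
        print(f"{label}: {s.address} mask={s.subnet_mask} routers={s.routers} "
              f"domain={s.domain_name} restricted={s.restricted} reasons={s.reasons}")
```

Feeding summarize_ack the UDP payload of a DHCPACK captured on the client gives the same verdict the poster was reading off ipconfig /all, but from the wire: if the ACK already lacks the host mask and routes, the enforcement was never applied by the DHCP server, which matches the answer's point that a VPN client's address arrives over IPCP rather than through this DHCP exchange.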
