WLC 2006 INTERNAL DHCP FOR GUESTS CLIENTS
I would like to use the internal DHCP to issue ipaddress to the guest wireless clients.
However; when i setup the wlc internal DCHP scope and try to connect to the wireless guest vlan the WLC debug DHCP reads ...forwarding to 192.168.255.2 which i have listed as the gateway to the pix
any examples on how to do this would be great.
here is what i have for the dhcp scope:
Dhcp Scope Info
Scope: Guest.Data.DHCP
Enabled.......................................... Yes
Lease Time....................................... 86400 (1 day )
Pool Start....................................... 192.168.255.17
Pool End......................................... 192.168.255.30
Network.......................................... 192.168.255.0
Netmask.......................................... 255.255.255.0
Default Routers.................................. 192.168.255.2 0.0.0.0 0.0.0.0
DNS Domain.......................................
DNS.............................................. 0.0.0.0 0.0.0.0 0.0.0.0
Netbios Name Servers............................. 0.0.0.0 0.0.0.0 0.0.0.0
Here is what i have for the wlan
WLAN Identifier.................................. 2
Network Name (SSID).............................. Guest.Data
Status........................................... Disabled
MAC Filtering.................................... Disabled
Broadcast SSID................................... Enabled
AAA Policy Override.............................. Disabled
Number of Active Clients......................... 0
Exclusionlist Timeout............................ 60 seconds
Session Timeout.................................. Infinity
Interface........................................ guest.data
WLAN ACL......................................... unconfigured
DHCP Server...................................... Default
DHCP Address Assignment Required................. Enabled
Quality of Service............................... Silver (best effort)
WMM.............................................. Disabled
CCX - AironetIe Support.......................... Enabled
CCX - Gratuitous ProbeResponse (GPR)............. Disabled
Dot11-Phone Mode (7920).......................... Disabled
Wired Protocol................................... None
IPv6 Support..................................... Disabled
--More-- or (q)uit
Radio Policy..................................... All
Security
802.11 Authentication:........................ Open System
Static WEP Keys............................... Disabled
802.1X........................................ Disabled
Wi-Fi Protected Access (WPA/WPA2)............. Disabled
CKIP ......................................... Disabled
IP Security Passthru.......................... Disabled
Web Based Authentication...................... Disabled
Web-Passthrough............................... Disabled
Auto Anchor................................... Disabled
H-REAP Local Switching........................ Disabled
Management Frame Protection................... E
when i try to assocate the dhcp scope to wireless.guest.data interface using 192.168.255.1 which is the ip of the that interface it will not let me. I would have thought since i was using the interal dhcp that the .1 address would be the dhcp scope address also. i can assign 192.168.255.0 or 192.168.255.2(gateway)if i use .0 or .2 the dhcp request (discovery) process starts and then will forward to .2 (gateway) and never assign an address. the only thing that happens is that the client wireless interface will get 255.255.255.255 for a few seconds then go away.
what i am trying to accomplish is to connect the wlc port 2 directly to a pix 506 which goes to the internet so the guest traffice is not on our vlan.
any other suggestions on guest vlans would be appricated....
Tom
Interface Name................................... wireless.guest.data
IP Address....................................... 192.168.255.1
IP Netmask....................................... 255.255.255.0
IP Gateway....................................... 192.168.255.2
VLAN............................................. 150
Quarantine-vlan.................................. no
Physical Port.................................... 2
Primary DHCP Server.............................. Unconfigured
Secondary DHCP Server............................ Unconfigured
DHCP Option 82................................... Disabled
ACL.............................................. Unconfigured
AP Manager....................................... No
Scope: wireless.guest.data.dhcp.server
Enabled.......................................... Yes
Lease Time....................................... 86400 (1 day )
Pool Start....................................... 192.168.255.17
Pool End......................................... 192.168.255.30
Network.......................................... 192.168.255.0
Netmask.......................................... 255.255.255.0
Default Routers.................................. 192.168.255.2 0.0.0.0 0.0.0.0
DNS Domain.......................................
DNS.............................................. 0.0.0.0 0.0.0.0 0.0.0.0
Netbios Name Servers............................. 0.0.0.0 0.0.0.0 0.0.0.0
Similar Messages
-
WLC 5508 Internal DHCP server issues
Hi,
I am hoping to get your feedback around the dhcp issues I am facing with Two Centrally Switched Wireless LANs. I have tried to explain the setup and the problems below and would appreciate it if anyone can suggest a solution for the problems I am facing:
The setup is as follows:
- I have a WLC 5508 which has been configured with 4 SSIDs, out of which 2 are using Central Authentication and Switching.
- I have an LWAP connected to the WLC in HREAP mode.
- WLC is configured as the DHCP server for clients connecting to the SSID 'Guest'. For the rest, I am using external dhcp server.
- Only one scope for Guest Interface is setup on the WLC.
Problems:
1. As far as I know, for WLC to act as internal dhcp server, it is mandatory to have the proxy enabled, but the Clients connecting to SSID 'Internet' are
unable to get an ip address from the external dhcp server, if dhcp proxy is enabled on the WLC. If i disable the proxy, it all works fine.
2. DHCP does not release the ip addresses assigned to clients even after they are logged out.
3. If a machine which was earlier connected to 'Guest' SSID connects to the 'Internet' SSID, it requests the same ip it was assigned by the WLC which it was assigned under 'Guest', but gets tagged with the Vlan configured on the management interface.
************Output from the Controller********************
(Cisco Controller) >show sysinfo
Manufacturer's Name.............................. Cisco Systems Inc.
Product Name..................................... Cisco Controller
Product Version.................................. 7.0.116.0
Bootloader Version............................... 1.0.1
Field Recovery Image Version..................... 6.0.182.0
Firmware Version................................. FPGA 1.3, Env 1.6, USB console 1.27
Build Type....................................... DATA + WPS + LDPE
(Cisco Controller) >show interface summary
Interface Name Port Vlan Id IP Address Type Ap Mgr Gu
est
guest 1 301 10.255.255.30 Dynamic No No
management 1 100 172.17.1.30 Static Yes No
service-port N/A N/A 192.168.0.1 Static No No
virtual N/A N/A 10.0.0.1 Static No No
(Cisco Controller) >show wlan summary
Number of WLANs.................................. 4
WLAN ID WLAN Profile Name / SSID Status Interface Name
1 LAN Enabled management
2 Internet Enabled management
3 Managment Assets Enabled management
4 Guest Enabled guest
(Cisco Controller) >show dhcp detailed guest
Scope: guest
Enabled.......................................... Yes
Lease Time....................................... 86400 (1 day )
Pool Start....................................... 10.255.255.31
Pool End......................................... 10.255.255.254
Network.......................................... 10.255.255.0
Netmask.......................................... 255.255.255.0
Default Routers.................................. 10.255.255.1 0.0.0.0 0.0.0.0
DNS Domain.......................................
DNS.............................................. 8.8.8.8 8.8.4.4 0.0.0.0
Netbios Name Servers............................. 0.0.0.0 0.0.0.0 0.0.0.0
(Cisco Controller) >show interface detailed management
Interface Name................................... management
MAC Address...................................... e8:b7:48:9b:84:20
IP Address....................................... 172.17.1.30
IP Netmask....................................... 255.255.255.0
IP Gateway....................................... 172.17.1.1
External NAT IP State............................ Disabled
External NAT IP Address.......................... 0.0.0.0
VLAN............................................. 100
Quarantine-vlan.................................. 0
Active Physical Port............................. 1
Primary Physical Port............................ 1
Backup Physical Port............................. Unconfigured
Primary DHCP Server.............................. 172.30.50.1
Secondary DHCP Server............................ Unconfigured
DHCP Option 82................................... Disabled
ACL.............................................. Unconfigured
AP Manager....................................... Yes
Guest Interface.................................. No
L2 Multicast..................................... Enabled
(Cisco Controller) >show interface detailed guest
Interface Name................................... guest
MAC Address...................................... e8:b7:48:9b:84:24
IP Address....................................... 10.255.255.30
IP Netmask....................................... 255.255.255.0
IP Gateway....................................... 10.255.255.1
External NAT IP State............................ Disabled
External NAT IP Address.......................... 0.0.0.0
VLAN............................................. 301
Quarantine-vlan.................................. 0
Active Physical Port............................. 1
Primary Physical Port............................ 1
Backup Physical Port............................. Unconfigured
Primary DHCP Server.............................. Unconfigured
Secondary DHCP Server............................ Unconfigured
DHCP Option 82................................... Disabled
ACL.............................................. Unconfigured
AP Manager....................................... No
Guest Interface.................................. No
L2 Multicast..................................... Enabled
(Cisco Controller) >show dhcp leases
MAC IP Lease Time Remaining
00:21:6a:9c:03:04 10.255.255.46 23 hours 52 minutes 42 seconds <<<<<<< lease remains even when the client is disconnected.
*********Example of Client connected to the right Vlan with an ip address from the incorrect interface. *************
(Cisco Controller) >show client detail 00:21:6a:9c:03:04
Client MAC Address............................... 00:21:6a:9c:03:04
Client Username ................................. N/A
AP MAC Address................................... a0:cf:5b:00:49:c0
AP Name.......................................... mel
Client State..................................... Associated
Client NAC OOB State............................. Access
Wireless LAN Id.................................. 2 <<<<<<<< 'Internet' SSID
BSSID............................................ a0:cf:5b:00:49:ce
Connected For ................................... 319 secs
Channel.......................................... 36
IP Address....................................... 10.255.255.46 <<<<<<< IP address assigned from the 'Guest' Interface or dhcp scope on the WLC
Association Id................................... 1
Authentication Algorithm......................... Open System
Reason Code...................................... 1
Status Code...................................... 0
Session Timeout.................................. 1800
Client CCX version............................... 4
Client E2E version............................... 1
QoS Level........................................ Silver
802.1P Priority Tag.............................. disabled
WMM Support...................................... Enabled
Power Save....................................... OFF
Mobility State................................... Local
Mobility Move Count.............................. 0
Security Policy Completed........................ Yes
Policy Manager State............................. RUN
Policy Manager Rule Created...................... Yes
ACL Name......................................... none
ACL Applied Status............................... Unavailable
Policy Type...................................... N/A
Encryption Cipher................................ None
Management Frame Protection...................... No
EAP Type......................................... Unknown
H-REAP Data Switching............................ Central <<<<<<<<<
H-REAP Authentication............................ Central <<<<<<<<<<
Interface........................................ management
VLAN............................................. 100 <<<<<<<<<<< right Vlan
Quarantine VLAN.................................. 0
Access VLAN...................................... 100Hi All,
I have a similar issue where Wireless clients are not receiving automatic addressing from an internal DHCP server. I have multiple interfaces configured on the WLC which are connected to separate VLANS. The manually specified DHCP primary server entry is the same on all interfaces. Some clients are able to authenticate and receive automatic IP configuration but some clients are failing the address assignment process. I have checked connectivity between the WLC and DHCP server, this is confirmed as working. When I carry out a "debug dhcp packet enable", I get the following outputs which seems as if the DHCP discover request from the client is skipped. Your thoughts and inputs on this are appreciated.
DHCP Socket Task: Nov 07 11:16:09.174: 00:22:fb:7b:37:32 DHCP option len (including the magic cookie) 76
*DHCP Socket Task: Nov 07 11:16:09.174: 00:22:fb:7b:37:32 DHCP option: message type = DHCP DISCOVER
*DHCP Socket Task: Nov 07 11:16:09.174: 00:22:fb:7b:37:32 DHCP option: 116 (len 1) - skipping
*DHCP Socket Task: Nov 07 11:16:09.174: 00:22:fb:7b:37:32 DHCP option: 61 (len 7) - skipping
*DHCP Socket Task: Nov 07 11:16:09.174: 00:22:fb:7b:37:32 DHCP option: requested ip = 169.254.223.5
*DHCP Socket Task: Nov 07 11:16:09.174: 00:22:fb:7b:37:32 DHCP option: 12 (len 13) - skipping
*DHCP Socket Task: Nov 07 11:16:09.174: 00:22:fb:7b:37:32 DHCP option: vendor class id = MSFT 5.0 (len 8)
*DHCP Socket Task: Nov 07 11:16:09.174: 00:22:fb:7b:37:32 DHCP option: 55 (len 11) - skipping
*DHCP Socket Task: Nov 07 11:16:09.174: 00:22:fb:7b:37:32 DHCP option: 43 (len 2) - skipping
*DHCP Socket Task: Nov 07 11:16:09.174: 00:22:fb:7b:37:32 DHCP options end, len 76, actual 68
*DHCP Socket Task: Nov 07 11:16:09.174: 00:22:fb:7b:37:32 DHCP Forwarding DHCP packet (332 octets) packet DHCP Socket Task: Nov 07 11:16:09.174: 00:22:fb:7b:37:32 DHCP option len (including the magic cookie) 76
Thanks,
Raj Sandhu -
2504 WLC on edge network for guest wifi
I have a 2504 WLC with a 1042 AP and I have it placed on my edge Cisco 3750 switch.
I have the management interface of the WLC set on my WAN IP 71.x.x.x subnet range, and I have the WLC doing DHCP duties with a DHCP scope of 192.168.X.0. I have my DNS servers set on external DNS servers out on the Internet.
I have two Cisco 3845 Routers on my edge network - one for each ISP with BGP protocol.
Since my native VLAN is 71.x.x.x, I added a sub interface on my main core router and gave it a 192.168.x.1 255.255.255.0 address for the gateway. Also, I added ip prefix-list iBGP seq 10 permit 192.168.x.0/24 le 32 to my main core router. On my secondary ISP router I added
ip prefix-list iBGP seq 10 permit 192.168.X.0/24 le 32, and ip prefix-list OUT seq 10 permit 192.168.x.0/24 statements.
I added VLAN 10 to my edge switch and gave it IP 192.168.x.2 255.255.255.0, and the switchports that my core router and my WLC are connected to the edge switch, are in trunk mode with encapsulation dot1q 10. The switchport on my edge switch that the AP is connected to is in switchport access mode.
I can connect to the wifi with a 192.168.x.x IP address on my laptop, but I cannot get any Internet access.
Is it possible to have the DHCP scope be in a different subnet than my WAN IP subnet, and allow guests to get to the external Internet only? Do I need to put the WLC somewhere internal on my network i.e. the DMZ and then tunnel the traffic out to the Internet with no Internal network access?
Thanks for any help you can provide.right, and how does a 'normal/current' user access the internet? Somwhere going to your ISP there should be some sort of NAT statement when you send interwebs traffic.
if your ISP is taking care of all of that for you, you probably need to let them know you added the subnet so they can do the NAT.
HTH,
Steve
Please remember to rate useful posts, and mark questions as answered -
WLC to ISE authentication for Guest
Hi Experts,
Hope if you could guide me with our setup for Guest users. Below is what we are doing
a) Guest connects to SSID
b) WLC is being used to redirect Guest HTTP to WLC internal Portal
c) WLC forwards guest authentication details to cisco ISE [ISE and WLC radius]
The guest connects to SSID and does get WLC portal for authentication, when the username and password entered on Cisco ISE i see error message as
'User Identity not found in any of Identity Store' though it is going through correct Store and the Guest name is certainly configured on Cisco ISE. ISE version is 1.2 and WLC is 7.4, please let me know if i am missing anything here.
Appreciate your helpThe first method is local web authentication. In this case, the WLC redirects the HTTP traffic to an internal or external server where the user is prompted to authenticate. The WLC then fetches the credentials (sent back via an HTTP GET request in the case of external server) and makes a RADIUS authentication. In the case of a guest user, an external server (such as Identity Services Engine (ISE) or NAC Guest Server (NGS)) is required as the portal provides features such as device registering and self-provisioning. The flow includes these steps:
Please follow below guide for step by step configuration:
http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080bead09.shtml -
Configuring autonomous 1141 to do DHCP for Guest WiFi
I have an existing setup consisting of:
Windows Server - doing DHCP for private wired/wireless
Cisco 1141 Autonomous WAP with only private wireless access.
ASA 5505 (with very basic licensing)
HP switch
The customer wants to have guest WiFi.
The guest WiFi is going out to the internet via a seperate VLAN/interface on the ASA.
Can the 1141 do DHCP for the guest WiFi? Or do I need to do it via the ASA?It could but you would have to relay it from the ASA. So might as well just use the ASA for the scope.
Steve
Sent from Cisco Technical Support iPhone App -
ISE 1.3 - internal CA for EAP client
Hi Experts,
Could you please give me the right way and step to configure ISE 1.3 built in CA for EAP client auth. I'm trying to complete my dual SSIDs procedure. My configure may has some missing config on Certificate section. That make client can not get through device enrollment & provisioning but auth, authorise are fine.
It s hard to config 100% correctly with out detailed guide. I know by fundamental setup the config must comprise of subordinate CA, OCSP, endpoint RA which I can not figure out those steps myself.
The steps or complete document are welcome. Official document does not help me get through.
Thank you in advance,
Nipat CCIE#29422I would like to see something similar if anyone has anything with a little more detail then what the Admin Guide has.
-
I have one internal 4400 and one in a DMZ. I want to configure the DMZ WLC to provide Guest Internet access. I am unable to find much information on doing this. I have a WLAN called Guest defined on both controllers. And both controllers are defined in as mobility anchors. What I don't under stand is how to configure the interfaces. Do both interfaces for the WLAN Guest need to be in the same VLAN and subnet? Example:
On the internal WLC WLAN Guest to tied to an interface named Guest with an IP address of 172.26.254.5/24 What does the interface need to look like on the DMZ WLC?This should get you on the right track:
http://www.cisco.com/en/US/products/ps6366/prod_technical_reference09186a0080706f5f.html
Brad -
How to save a form for intern use for a client?
Hi,
I can only choose between using the FormCentral, email or a server (of which I can't get access). My client needs the form for ONLY intern use - like a simple PDF-doc that eventually collects their data. I used to make such forms in previous versions …
AnnaI have a very simple form, made fro my own template (Indesign > PDF)
When distributing I have to choose between Adobe Form Central, Email or a specific internal server. I can’t - because my client needs to define it for themselves later. What ca I do? I used to send them a simple form-file.
Anna -
WLC 4400 series OID for Current Clients
Can someone advise what is the OID for the number of current clients for the WLC 4400 series appliance.
Thanks.Based on the results of your walk, I would say it's reports all of the instances on that particular controller...and I say this because only one instance is reported. I would think that if you have multiple WLANS on that WLC, you would get multiple instances reported back, so, (maybe, like you) I'm confused by the description in the MIB object where it states:
"No of Mobile Stations currently associated with the WLAN."
which to me looks like "the WLAN" is used in the singular.
At this point, I think the best thing to do would be to open a TAC case with all of this info, and we can get with our developers for confirmation.
Hope this has been somewhat helpful, and please rate these posts.
Thanks,
-Joe -
WLC 2504 - French characters for guest web login page
Good day,
I have recently installed a WLC 2504 and I have the following issue:
When I modify the text for the web login page (Under security/Web Auth/Web Auth page), if I use french caracters such as (é, è, à, etc...) in the message body, it does not show up correctly on users computers. As we're a bilingual country, I must put a bilingual text message. Are there any settings or workaround out there to rectify this?
We're on version 7.2.103.0
Thanks,
EricThanks Scott, I'll have a look at the documentation.
Right after sending this post, I tried typing the actual HTML code for the character instead and it seems to be working. I'm curious about custom webauth page, we may be able to customize it more than we thought we could do.
Cheers,
Eric -
5508 WLC - need MIB/OIDs for current client associations
We installed 5508 controllers in multiple locations. We have an existing SNMP mangement system and syslog that will work fine with these 5508's. We are having issues figuring out an OID that reports current "unique" client associations (with a timestamp/MAC address/IP Address/AP Name/Protocol and 802.11 state).
We tried using the NCS reports (every 60 seconds) but, that only gives a historical view of client assocations (and 60 individual emails in an hour). We would like to have a better reporting technique to show live data with a refresh of 60 seconds of current associated "unique" clinets and what AP they are connected too. Parsing out historical data in a .CSV format is really painful and inefficient
Has anyone attempted anything like this? Would anyone know a good MIB/OID to use for something like this?
Thanks,
NickWe installed 5508 controllers in multiple locations. We have an existing SNMP mangement system and syslog that will work fine with these 5508's. We are having issues figuring out an OID that reports current "unique" client associations (with a timestamp/MAC address/IP Address/AP Name/Protocol and 802.11 state).
We tried using the NCS reports (every 60 seconds) but, that only gives a historical view of client assocations (and 60 individual emails in an hour). We would like to have a better reporting technique to show live data with a refresh of 60 seconds of current associated "unique" clinets and what AP they are connected too. Parsing out historical data in a .CSV format is really painful and inefficient
Has anyone attempted anything like this? Would anyone know a good MIB/OID to use for something like this?
Thanks,
Nick -
WAP321 - DHCP for wifi clients not working
My WAP321 connected to a office switch A.
WAP321 wifi clients unable to get DHCP
Clients wired to switch A can recieve DHCP.
Using firmware vesion 1.0.2.3
I'm perplexed still.Due to a earlier print issue I've reset the WAP321 and uploaded the latest firmware. Which seems to have fix the printer issues but not fix my DHCP request issue.
Been doing some more digging and drilled it down a little further.
What I have is unmanage switch(no vlan) which is connected to WAP321(with static IP).
I'm able to wifi SSID connect ok with the OSX laptop i.e. request DHCP work.
Now i'm running a VM on this laptop ( Virtual Box running FreeBSD )
VM/FreeBSD boots but is unable to get DHCP requests.
If i connect the laptop to another wifi AP point the same virtual box VM/FreeBSD - i'm able to get DHCP requests
(note: AP different make & connected to same unmanage switch)
Seems to surgest WAP321 could still be the issue.
Although (Virtual Box + FreeBSD VM) could also be an issue - which is beyond this forum. -
Hi,
A client wants us to use the internal DHCP server on a 5508 instead of Windows DHCP. They will have 15 APs initially and upto 25 later. The docs on the 7.2 WLC make it sound like this is discouraged:
Internal DHCP ServerThe controllers contain an internal DHCP server. This server is typically used in branch offices that do not already have a DHCP server. The wireless network generally contains 10 access points or fewer, with the access points on the same IP subnet as the controller.
In this case, the APs will not be in the same subnet as the Managment Internet.
Is it a mistake to use the internal DHCP with upto 25 APs (3 WLANs)?
Thanks.#DHCP proxy needs to be enabled to use internal dhcp on WLC. WLC uses virtual ip for dhcp and they're unicast. So keeping the AP on L3 doesn't work with internal dhcp. dhcp for wireless client works due to the packets are sent to WLC via capwap.
#The DHCP required state can cause traffic to not be forwarded properly if a client is deauthenticated or removed. To overcome this problem, ensure that the DHCP required state is always disabled.
Ans: it is expected behavior irrespective of dhcp being internal or external, it is a feature and not disadvantage.
Cons:-
#can't have dhcp reservations.
#can't have option 43 or any other dhcp options.
#DHCP service can't be restarted, WLC reboot is required if needed to so.
#If Multiple WLCs used, need to create non overlapping scope on other WLCs as well.
#Wired clients cannot get ip from internal dhcp. So need to maintain separate network & dhcp server for wired network, and this require routing.
#From WLC GUI, Can't remove the client, need to use cli.
#WLC reboot may clear the dhcp lease, though not sure 100% -
Internal dhcp with anchor and foreign
Greetings,
trying to get dhcp going for guest clients.
I can see dhcp requests coming through and getting dropped at the foreign controller.
*DHCP Socket Task: Aug 10 16:19:54.075: 58:94:6b:1d:xx:yy DHCP received op BOOTREQUEST (1) (len 308,vlan 0, port 13, encap 0xec03)
*DHCP Socket Task: Aug 10 16:19:54.075: 58:94:6b:1d:xx:yy DHCP dropping packet
Could someone tell me;
1. why would the DHCP requests processed by the foreign controller instead of the anchor ?
2. do i need to configure dhcp server under the guest WLAN interface on foreign?
I thought all L3 and security stuff is forwarded over eoip to anchor and therefore no need to configure the DHCP server under foreign.
I'm trying to utilise the internal DHCP server (firmware 7.0.220) but so far its not going well.
Thanks,
silvaHi All,
Steve you got me thinking and thanks to the debugs you provided, I managed to fix the issue.The problem was caused by local EoIP tunnel that was configured on the foreign and thus traffic was not getting forwarded.Strange thing I can't remember configuring that as it was not required.Anyway after I removed it, all worked as expected. I'm using internal DHCP and so far it is is working fine as well.
With the ACLs, for guest WLAN, do we neded to configure for both foreign and anchors so that the WLAN configs are identical?
Does not make any sense to me to configure the ACLS on the foreign but can someone confirm?
Silva -
Server 2012 NPS NAP DHCP for VPN
I have setup a server with DHCP and NPS and configured NAP DHCP.
DHCP has 1 scope and the default scope options 003 router, 005 DNS server and 015 Domain Name (domain.com).
Further In DHCP i created a DHCP policy so it assigns a different 005 DNS server and 015 Domain Name (restricted.domain.com) to non-compliant clients. NPS/NAP DHCP is working (all is setup health, shv, gpo etc.. Health Validator is only checking if firewall
is runnning) so when i connect a client with firewall i get a normal IP from the scopt with the scope options and domain suffix domain.com. When i disable the firewall i get an IP from the DHCP scope, no gateway, subnet 255.255.255.255 and domain suffix restricted.domain.com
so all works well and as NAP DHCP should work.
Now i have an seperate RRAS server configured as VPN server and configured my DHCP/NPS server as an Radius Authentication Provider. Also a DHCP relay agent is configured in RRAS
On my DHCP/NPS server i configured my RRAS server as a Radius Client (nap-capable).
My questions:
Q1. can i use NAP DHCP for vpn clients, as VPN clients get IP address from my DHCP server? i know there is a NAP VPN option but i want to use NAP DHCP cause NAP DHCP and NAP VPN don;t work together and i want NAP DHCP for internal clients.
My problem:
P1. with setup above i cannot setup a VPN connection from an external client i get an error "Error 812:The connection was prevented because of a policy configured on your RAS/VPN server.specfically ,the authentication method used by the server to verify
your usename and password may not match the auithentication method configured in your connection profile .Please contact the Administrator of the RAS server and notify them of this error"
I can resolve my problem P1 by running "configure VPN for Dial-Up" with the option "Radius server for Dial-Up or VPN connections." This creates 1 Connection Request Policy and 1 Network Policy, in the policy i set authtorized to windows
group domain admins
But then I have an issue with NAP DHCP...
When i have a non-domain joined external client, where i have enabled NAP client in services.msc and DHCP Enforcement in local policy i can setup a VPN connection but from the DHCP server i get an IP addres from the subnet/scope and domain suffix domain.com,
so this is working OK. But when i disconnnect the VPN client and disable and stopthe firewall and connect the VPN again its not getting restricted running ipconfig /all shows its not restricted and also Netsh nap client show state > shows its not restricted
BUT it SHOULD be restricted as the firewall is off.
What could be wrong?Hi,
After discussed with so many people, I think this will not work.
First we need know how DHCP enforcement works.
1. The DHCP client sends a DHCP request message to the DHCP server.
If the DHCP client has an SoH, the DHCP request message includes it. The SoH contains information about the health of the client. The DHCP server passes the SoH to
the NPS server. The NPS server communicates with the policy server to determine whether the SoH is valid.
2. If the SoH is valid, the DHCP server assigns the DHCP client a complete IP address configuration. The DHCP client has unlimited access to the network, as defined
by policy.
3. If the SoH is not valid, the DHCP server limits the access of the DHCP client to the restricted network and assigns it a limited access subnet mask and static
routes, as defined by policy.
But VPN clients get IPs in a different way. It uses the IP Control Protocol (IPCP) as part of the Point-to-Point Protocol (PPP) connection setup. Everything is done
in VPN tunnel.
Hope this helps.
Maybe you are looking for
-
I need to open a column of web sites from a spreadsheet at one time. How can I do this?
I have a spreadsheet of web sites. I am looking for a way to open them in Firefox. I want to open 15-30 of them at a time to see what is English and what is safe for work.
-
DMS: Objectlink to more than 50 inspection methods(QMBDOC) gives dump
Dear All, I have a requirement of attaching more than 50 objectlink for inspection methods to one document info records. So when i attach 40 to 50 inspection methds by BDC program or manualy & then i again try to attach one more inpection method obje
-
Return to Parent retaining Cache
Hello, I have a requirement, when i click on link it will open new page by keeping current page as it is.( I have done it using "Target Frame =_blank"). In second page i am querying and getting one value, this is always single value. This is similar
-
Itunes upgrade = File size 8.8 Gb to 69.7Gb!
Hiya New to this forum but something baffled me yesterday. I upgraded to the new version of iTunes, but my 1974 songs that were a mere 8.8Gb now show as 69.7Gb. How has this happened when the number of songs have remained the same. There are no dupli
-
HT204074 Manage Devices missing?
Hello, I read this article: http://support.apple.com/kb/HT4627 I would like to remove an associated device from an Apple ID I am using iTunes 11.0.2.26 I can't find the option "Manage Devices" Please advice. Thanks. Regarde, Sethide