Wednesday, July 10, 2019

Client Authenticates - Yet no connectivity

Today I had an issue with a new set of client devices, some wireless EKG devices, that was escalated to me to work.  These devices were onboarded and appeared in PRIME to be working okay.

1. Devices authenticated
2. NAC state went to RUN
3. Learned the IP address and mapped it to an L2 interface

Still, I could not ping the devices from across the network or even from the directly connected router.  The MAC address was showing on the correct VLAN.

When I ran a debug on the wireless controller and removed the client so I could see the full set of messages, at first it appeared to me that all looked good... until I looked closer at the detail towards the end.

In the debug it was showing that the "Client learned IP from Orphan Packet".

This statement tells you that the controller is mapping this IP to this client's MAC address for its L2-to-L3 mapping.  After this statement, the gateway and netmask are displayed, and they do not agree with the subnet of the client address assigned.

For some reason this device is not being placed on the subnet for this client.

Since the controller is learning the IP from a packet sent by the client (an orphan packet), this tells me the client is not configured for DHCP.  In this case someone in the field, in their troubleshooting, decided to take matters into their own hands and configure the IP locally on the device.
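As an added illustration (not part of the original post or any Cisco tool), here is a small Python script that runs the same check over "debug client" style output: it looks for the "learned IP from Orphan Packet" message, pairs it with the gateway and netmask the controller reports for that client afterwards, and flags clients whose learned address falls outside that subnet. The sample lines are constructed and only loosely modelled on the messages quoted above; the exact text a controller prints may differ, so the regular expressions are assumptions you would adjust to your own debug output.

```python
import ipaddress
import re

# Constructed sample of "debug client" style output. These lines are modelled
# loosely on the messages quoted in the post and are NOT a verbatim WLC capture;
# the exact text the controller prints may differ, so adjust the patterns below.
SAMPLE_DEBUG = """\
*apfReceiveTask: Jul 10 10:01:02.110: 00:11:22:33:44:55 Client learned IP from Orphan Packet 10.20.30.40
*apfReceiveTask: Jul 10 10:01:02.112: 00:11:22:33:44:55 Gateway 10.10.10.1, Netmask 255.255.255.0
*apfReceiveTask: Jul 10 10:02:05.200: 66:77:88:99:aa:bb Client learned IP via DHCP 10.10.10.57
*apfReceiveTask: Jul 10 10:02:05.201: 66:77:88:99:aa:bb Gateway 10.10.10.1, Netmask 255.255.255.0
"""

# Assumed message shapes (see note above); each pattern captures the client MAC first.
MAC = r"([0-9a-f]{2}(?::[0-9a-f]{2}){5})"
IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
ORPHAN_RE = re.compile(MAC + r" Client learned IP from Orphan Packet " + IPV4, re.I)
DHCP_RE = re.compile(MAC + r" Client learned IP via DHCP " + IPV4, re.I)
GATEWAY_RE = re.compile(MAC + r" Gateway " + IPV4 + r", Netmask " + IPV4, re.I)


def parse_debug(text):
    """Collect, per client MAC, how its IP was learned and the gateway/netmask
    the controller reported for it afterwards."""
    clients = {}
    for line in text.splitlines():
        if m := ORPHAN_RE.search(line):
            clients.setdefault(m.group(1).lower(), {}).update(ip=m.group(2), source="orphan")
        elif m := DHCP_RE.search(line):
            clients.setdefault(m.group(1).lower(), {}).update(ip=m.group(2), source="dhcp")
        elif m := GATEWAY_RE.search(line):
            clients.setdefault(m.group(1).lower(), {}).update(
                gateway=m.group(2), netmask=m.group(3)
            )
    return clients


def audit(text):
    """Return {mac: [issue, ...]}.

    ORPHAN_PACKET: the address was learned from the client's own traffic, so no
    DHCP exchange was seen (a statically configured client is the usual cause).
    IP_OUTSIDE_SUBNET: that address is not in the interface subnet the controller
    reported, so nothing can route to it even though the client shows as RUN.
    """
    findings = {}
    for mac, info in parse_debug(text).items():
        issues = []
        if info.get("source") == "orphan":
            issues.append("ORPHAN_PACKET")
        if "ip" in info and "gateway" in info and "netmask" in info:
            subnet = ipaddress.ip_network(
                f"{info['gateway']}/{info['netmask']}", strict=False
            )
            if ipaddress.ip_address(info["ip"]) not in subnet:
                issues.append("IP_OUTSIDE_SUBNET")
        findings[mac] = issues
    return findings


if __name__ == "__main__":
    for mac, issues in audit(SAMPLE_DEBUG).items():
        print(mac, issues or "ok")
```

In the constructed sample the first client is reported twice: once because its address came from an orphan packet rather than DHCP, and again because 10.20.30.40 is not in the 10.10.10.0/24 subnet the controller shows for it, which is exactly the mismatch the post describes; the second client, which obtained 10.10.10.57 via DHCP, produces no findings.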

The other question I had was why the controller was allowing this client behavior.

Looking at the WLAN configuration I found the other side of this issue.
DHCP required


In order to enforce the use of DHCP addressing and not allow a client to override your address assignment, DHCP Required needs to be enabled on the VLAN so you can maintain control of your addressing.