802.1X Dynamic VLAN assignment. Client device caching old IP address and not getting assigned a new one.

  • Question
  • Updated 3 years ago
I'm running into an issue regarding Windows wireless clients. Dynamic VLAN assignment is working correctly. But it seems my Windows wireless clients are holding onto the IP address of the last user who logged into the device. So, say, if a student logged into a laptop via wireless they would get 10.1.1.2, and if a teacher logged in they would get 10.1.2.2. Now this works flawlessly after a restart. But if one of the users logs out and the other logs in, they try to keep the last user's IP address. When I look at the client monitor I see the device is sending out DHCP requests instead of DHCP broadcasts for a new address.

I know in a perfect world it's 1 user to 1 device, but currently that is not going to happen for me.
I've tried most of the ideas in a similar issue in the link here: https://community.aerohive.com/aerohive/topics/vlan_steering_does_not_get_new_vlan_ip_address?topic-...

Some things to Note:

- Not using a superscope.
- Windows 2008 server with NPS for RADIUS auth
- Windows environment
- All domain devices

Austen Ewald


Posted 3 years ago


Nick Lowe, Official Rep

Prima facie, this sounds like a supplicant issue.

What do you have configured in group policy?

Have you checked things like the Authentication Mode?

And the SSO settings, so that the supplicant knows a different VLAN is used with machine and user credentials?

Austen Ewald

That GPO is almost exactly what I am using. It still tries to keep the same IP. It seems to ignore the Wi-Fi if the credentials are cached. I'm seeing this on the client monitor:

(577)Send message to RADIUS Server(10.XXX.XXX.XXX): code=1 (Access-Request) identifier=128 length=322,  User-Name=XXXXXXXX\user NAS-IP-Address=10.XXX.XXX.5 Called-Station-Id=XX-XX-XX-XX-XX-XX:MYSSID Calling-Station-Id=XX-XX-XX-XX-XX-XX
(578)Receive message from RADIUS Server: code=2 (Access-Accept) identifier=128 length=329  RADIUS_ATTR_TUNNEL_MEDIUM_TYPE:0=1 RADIUS_ATTR_TUNNEL_PRIVATE_GROUP_ID:0=320 RADIUS_ATTR_TUNNEL_TYPE:0=10
(579)Sending 1/4 msg of 4-Way Handshake (at if=wifi1.2)
(580)Received 2/4 msg of 4-Way Handshake (at if=wifi1.2)
(581)Sending 3/4 msg of 4-Way Handshake (at if=wifi1.2)
(582)Received 4/4 msg of 4-Way Handshake (at if=wifi1.2)
(583)PTK is set (at if=wifi1.2)
(584)Authentication is successfully finished (at if=wifi1.2)
(585)station sent out DHCP REQUEST message
(586)Authentication is successfully finished (at if=wifi1.2)
(587)IP 10.XXX.XXX.18 detected in ARP packets for station
(588)ARP packets detected from/to station, IP 10.XXX.XXX.18 assigned for station
(589)IP 10.XXX.XXX.18 assigned for station
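The client-monitor excerpt above shows the symptom in three places: the RADIUS Access-Accept carries Tunnel-Private-Group-ID 320, the station then sends a DHCP REQUEST (a renew of its old lease) rather than a DISCOVER, and the AP learns the station's IP from ARP rather than from a DHCP ACK. As an added diagnostic example (not code from the thread or from Aerohive), the following Python checker reads that output and flags those signs of a stale lease surviving a VLAN change. The VLAN-to-subnet map and the sample IP are constructed assumptions for the demonstration.

```python
import ipaddress
import re

# Constructed excerpt of the Aerohive client-monitor lines quoted in the thread;
# the masked IP from the post is replaced with a sample address.
SAMPLE_LOG = """\
(578)Receive message from RADIUS Server: code=2 (Access-Accept) identifier=128 length=329  RADIUS_ATTR_TUNNEL_MEDIUM_TYPE:0=1 RADIUS_ATTR_TUNNEL_PRIVATE_GROUP_ID:0=320 RADIUS_ATTR_TUNNEL_TYPE:0=10
(584)Authentication is successfully finished (at if=wifi1.2)
(585)station sent out DHCP REQUEST message
(587)IP 10.1.1.18 detected in ARP packets for station
(588)ARP packets detected from/to station, IP 10.1.1.18 assigned for station
(589)IP 10.1.1.18 assigned for station
"""

# Assumed mapping of RADIUS-assigned VLAN id to the subnet its DHCP scope serves
# (the poster's example: students on 10.1.1.0/24, teachers on 10.1.2.0/24).
VLAN_SUBNETS = {
    310: ipaddress.ip_network("10.1.1.0/24"),  # hypothetical student VLAN
    320: ipaddress.ip_network("10.1.2.0/24"),  # hypothetical teacher VLAN
}

VLAN_RE = re.compile(r"RADIUS_ATTR_TUNNEL_PRIVATE_GROUP_ID:0=(\d+)")
DHCP_RE = re.compile(r"station sent out DHCP (\w+) message")
IP_RE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+) (?:detected|assigned)")


def analyse_session(log_text, vlan_subnets=VLAN_SUBNETS):
    """Return a list of findings for one association; [] means it looks healthy."""
    vlan = dhcp_msg = ip = None
    ip_from_arp = False
    for line in log_text.splitlines():
        if m := VLAN_RE.search(line):
            vlan = int(m.group(1))
        if m := DHCP_RE.search(line):
            dhcp_msg = m.group(1)
        if m := IP_RE.search(line):
            ip = ipaddress.ip_address(m.group(1))
            ip_from_arp = ip_from_arp or "ARP" in line  # learned passively, not via DHCP ACK
    findings = []
    if vlan is not None and dhcp_msg == "REQUEST":
        findings.append(f"client renewed with DHCP REQUEST instead of DISCOVER after VLAN {vlan} was assigned")
    if ip is not None and ip_from_arp:
        findings.append(f"IP {ip} learned from ARP, not from a DHCP ACK")
    if vlan in vlan_subnets and ip is not None and ip not in vlan_subnets[vlan]:
        findings.append(f"IP {ip} is outside VLAN {vlan} subnet {vlan_subnets[vlan]}")
    return findings


if __name__ == "__main__":
    for f in analyse_session(SAMPLE_LOG):
        print("WARN:", f)
```

The third check is the decisive one for this thread: an address from the previous user's subnet sitting on the newly assigned VLAN is exactly what a relay that answers from snooped client hints produces.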

Nick Lowe, Official Rep

Which version of Windows is in use on the clients?

Austen Ewald

Windows 7 on all domain clients.

Dianne Dunlap

I personally have not had this problem, but have you maybe tried doing an AD login script with dhcp /release and /renew commands in it?

Austen Ewald

I can see that causing some issues. It would probably work, but I believe there is something going wrong somewhere in my setup, as I know people who have near-identical setups to mine that are working flawlessly. Also, if a new user logged in it wouldn't connect to the DC, so I would get the "No logon servers are available" message.

Dianne Dunlap

I would think that after the IP layer came up with a renew, AD would be reachable, but if you want, this shows the NPS debug log as well as a sniffer trace where it's worked for me in the past:
https://docs.google.com/document/d/1H4pPF52FziGVAOUpHeF3QGbGs576B0EIFx7_2S8F9T0/edit?usp=sharing

Nick Lowe, Official Rep

I think that you need to break your problem down to isolate its cause better.

Things like:

Get a packet capture on the DHCP server and on the RADIUS server and review these.

Get a packet capture of the client if you can and review this.

Perform tracing on the Windows client and review the logs. Enable with:

netsh dhcp client trace enable
netsh ras set tracing * enabled

and disable again afterwards with:

netsh dhcp client trace disable
netsh ras set tracing * disabled

Austen Ewald

I have tracked down the issue further; it seems it's an issue with my relay agent on my Juniper switch, as it is working fine on my Cisco gear on a different campus. The issue seems to be that the relay agent is caching the MAC of the client device and not updating which VLAN it is assigned to when the VLAN changes. If anyone has any input on that, that would be awesome.

Austen Ewald

I have fixed the issue! It was a problem with my dhcp-relay on my Juniper switch. The DHCP relay was picking up DHCP hints from the client, so I had to add some overrides to make it behave properly. I am running the most current version as of the day of this posting. Here is what I did to fix the issue; notice the overrides in the config:

show forwarding-options
storm-control-profiles default {
    all;
}
dhcp-relay {
    server-group {
        DHCP {
            <IP Address of DHCP Server>;
        }
    }
    group Wired {
        active-server-group DHCP;
        interface irb.1;
        interface irb.2;
        interface irb.3;
        interface irb.etc...;

    }
    group Wireless {
        active-server-group DHCP;
        overrides {
            no-allow-snooped-clients;
            no-bind-on-request;
            proxy-mode;
        }
        interface irb.4;
        interface irb.5;
        interface irb.6;
        interface irb.etc...;
    }
}