802.1x over GRE Tunnel, can't get DHCP assignment

  • Question
  • Updated 2 years ago
When using 802.1x authentication, the client cannot get DHCP addressing.

In the process of setting up a "guest" setup using authentication for a special group. We had been using WPA2, but they kept sharing the key, defeating the whole point...

Changing to use AD answers it --- share info --- get potentially terminated!

That said --- I have this working just fine on non-GRE connections.

However, when it comes to those on the other side of a tunnel, I can connect, authenticate, but they cannot get a DHCP assignment.

I would ideally like to use the DHCP relay, and it's set up, but it has no effect. I can set up a small segment of the normal scope and do it that way as an alternative, but I'd really rather it use the normal method of address assignment.

I am working on this with support as well --- thought I would pose it to the masses and see if perhaps this has happened and there's that one little thing I've missed in config that would make it work...

Bryan Tetlow

Posted 3 years ago

Dianne Dunlap
Does Wireshark on the DHCP server show DHCP requests incoming? If you point to a default gateway such as an HP or Cisco switch DHCP server and run debugs (debug ip dhcp server events|packets with 'term mon' on Cisco), do you see incoming DHCP requests?
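Dianne's check, whether DHCP requests ever reach the server, is the one step in this thread a worked example helps with. The Python below is an added example, not code from the thread or from Aerohive: it decodes raw BOOTP/DHCP payloads the way a sniffer on the server would show them, then summarises per client MAC which DORA steps were seen and whether the request arrived through a relay (giaddr set). The capture it runs on is constructed, with addresses from the 192.0.2.0/24 documentation range, and it assumes a 6-byte hardware address.

```python
import struct
from collections import defaultdict

MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}
MAGIC = b"\x63\x82\x53\x63"                                   # DHCP magic cookie
VERDICTS = (("ACK", "lease assigned"), ("NAK", "server refused"),
            ("OFFER", "offered but never confirmed"))

def build_dhcp(op, mac, msg_type, giaddr="0.0.0.0", yiaddr="0.0.0.0"):
    """Minimal BOOTP/DHCP payload; constructed test data, no real hosts."""
    ip = lambda s: bytes(int(o) for o in s.split("."))
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", op, 1, 6, 0, 0x1234, 0, 0x8000,
                      ip("0.0.0.0"), ip(yiaddr), ip("0.0.0.0"), ip(giaddr),
                      bytes.fromhex(mac.replace(":", "")).ljust(16, b"\0"),
                      b"\0" * 64, b"\0" * 128)
    return hdr + MAGIC + bytes([53, 1, msg_type, 255])        # option 53, then End

def parse_dhcp(pkt):
    """Return (message type, client MAC, giaddr), or None if this is not DHCP."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC:
        return None
    mac = ":".join(f"{b:02x}" for b in pkt[28:34])            # chaddr (hlen = 6)
    giaddr = ".".join(str(b) for b in pkt[24:28])             # relay agent address
    i, mtype = 240, "UNKNOWN"
    while i < len(pkt) and pkt[i] != 255:                     # walk TLV options
        if pkt[i] == 0:                                       # pad option, no length
            i += 1
            continue
        if pkt[i] == 53:
            mtype = MSG_TYPES.get(pkt[i + 2], "UNKNOWN")
        i += 2 + pkt[i + 1]
    return mtype, mac, giaddr

def dora_status(packets):
    """Per client MAC: DORA steps seen, relay address used, and a verdict."""
    seen, relay = defaultdict(set), {}
    for mtype, mac, giaddr in filter(None, map(parse_dhcp, packets)):
        seen[mac].add(mtype)
        if giaddr != "0.0.0.0":                               # request came via a relay
            relay[mac] = giaddr
    return {mac: {"steps": sorted(steps), "relay": relay.get(mac),
                  "verdict": next((v for k, v in VERDICTS if k in steps), "no server reply")}
            for mac, steps in seen.items()}

def sample_capture():
    """Constructed: one client completes DORA; the other only sends relayed DISCOVERs."""
    ok, stuck = "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"
    return [build_dhcp(1, ok, 1), build_dhcp(2, ok, 2, yiaddr="192.0.2.10"),
            build_dhcp(1, ok, 3), build_dhcp(2, ok, 5, yiaddr="192.0.2.10")] + \
           [build_dhcp(1, stuck, 1, giaddr="192.0.2.1")] * 2   # retries, never answered
```

A client with verdict "no server reply" but a relay address set shows the relay did forward the DISCOVER and the server chose not to answer (scope or giaddr mismatch is the usual reason); a client that never appears at all is being dropped before the server.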

Vernon Montford
I agree with Dianne on checking to see if DHCP is going through. This may not have anything to do with GRE or 802.1x.

Is the device where the GRE tunnel terminates able to use the VLAN you want it to? Is the switch where the GRE tunnel terminates set up with the correct VLAN as well?

To make troubleshooting simpler, you could start by setting up an SSID with a GRE tunnel as an open SSID with no password. This will let you focus on the GRE tunnel and your DHCP/switch configuration. Once that works, add 802.1x on the SSID.

Bryan Tetlow
I have to coordinate with our network admin for his part... so I can further troubleshoot this...

But, we have several "traditional" wireless configurations already at these sites (WPA/2 vs 802.1x), and they traverse as expected. All expected VLANs are reachable, and all these types of configurations work as expected.

I don't think 802.1x itself is at fault --- we're getting authentication... We're not getting a DHCP answer... and that's what I've been working on getting confirmation of.

It just seems odd that a client connection using a WPA/WPA2 SSID works perfectly, but change it to 802.1x, and DHCP fails.

I am also going to test adding a local DHCP server at the site.

Finally, there is no AH switch involved -- these are mostly connected to HP CORE switches, and the wireless VLAN is (NOT) available directly, which is why we're using GRE tunneling.

I don't want to muddy the water unnecessarily --- in the current setup, WPA/WPA2 SSID client connections work. Client connections using 802.1x authenticate but cannot get a DHCP assignment.
So -- getting a reply from DHCP, or learning why we're not, is the goal...

I'll report more once I can get diagnostics in place to trace DHCP request/response.

Vernon Montford
When you said "It just seems odd that a client connection using WPA/WPA2 SSID works perfectly, but change it to 802.1x, and DHCP fails", do you mean that a GRE tunnel SSID using WPA works from the remote sites?

If your GRE tunnel is terminating on an Aerohive AP, you could check in HiveManager from Tools->Vlan Probe on the GRE termination point AP to see if the VLAN you are trying to use is available and what DHCP is set to for it.

Bryan Tetlow
That is correct....

On the remote sites, unless I'm on a client (as opposed to an AP) I cannot get the VLAN probe to show... Yet, the WPA/WPA2 client is indeed on the correct VLAN and is also getting a DHCP address correctly for that VLAN.

In talking to support, they advised that this is normal because the tunnels are built and torn down accordingly -- so until a tunnel is established, there can be no VLAN assigned that would work.

This is confirmed by doing the VLAN probe on a VLAN that is not part of the GRE tunnel configuration. "It" always works as expected... it's the management VLAN. Clients don't use that VLAN, and it's the wrong VLAN for them to use if they could. Guest users are isolated.

Vernon Montford
Oh OK, so WPA with a GRE remote VLAN does not work.

What GRE device are your remote site APs doing their GRE connections with? If it is an internal Aerohive AP, that is the device I was curious about doing the VLAN probe on.

Bryan Tetlow
Perhaps I stated it wrong --- WPA with GRE works 100%... it's when I use 802.1x that it (DHCP) breaks.

I have 2 APs (redundant for fail-over) in the main campus that are the GRE devices. With THOSE, the VLAN probe works properly. This is because they effectively are sitting on both sides of the tunnel.

If the VLAN probe is done from the AP (at the client end of the tunnel) then it fails --- which is expected since there's no tunnel active that way.

Dianne Dunlap
Make sure your RADIUS logs, Aerohive debugs, or sniffer trace show an access-accept on 802.1x. If you don't see that, your issue is not DHCP.

Bryan Tetlow
Previous debugs do show that 802.1x gets an access-accept... Authentication by all counts appears to be working as intended.

Vernon Montford
Does the client show up in Monitor->Clients->Active Clients as connected, but with no IP address? Or does the client not show up in the Active Clients list at all? If the client connection comes up and only DHCP doesn't work, I am curious whether putting a static IP address on the remote Wi-Fi client will allow communication.

I assume you've done a RADIUS test from Tools->Server Access Tests->Radius Test using the remote site AP as the Aerohive Radius Client?

Bryan Tetlow
I have not seen the client appear as active with no IP.  They don't seem to get far enough --- either that, or we're not hanging around long enough for it to get populated to HMOL.

On RADIUS tests -- yes, these test and work as expected.

I'll have to become the client myself as the user's not knowledgeable enough to know how to enter static IP address.  I'll have to do that at another time since they're across town.... :)

Arison Mercado
Hi Bryan,

I'm having the exact same issue here: WPA2 and our open guest Wi-Fi get DHCP perfectly, but when connected to our 802.1x authentication, DHCP breaks and the only fix is to reboot the AP. Did you by any chance solve this issue?

Bryan Tetlow
Alas, I have yet to resolve the issue.

In-house --- NO problems making it work....

Once it goes through the GRE tunnel, it connects to the AP, authenticates properly, but never... ever... gets an IP assignment. It keeps trying, but is never answered.

I've tried all the variants of where to have DHCP served from, including a localized one -- which was just an attempt at making anything work.