01-24-2014 05:57 PM
MSM765 controller LAN port oddity
Noticed something strange today. I set up my MSM765 a while back with what I thought was a pretty standard config.
LAN port on one of my private internal LANs. 10.10.0.0/16 addressing
Inet port on a general Inet VLAN we use for guest Inet access in conference rooms, etc. 192.168.100.x/24 addressing
The above 2 segments cannot route to each other in any way.
2 VSCs set up. Default "HP" VSC is still on the unit, as I think I remembered reading somewhere it's best to leave the default HP VSC on the unit. The "HP" VSC is not bound to ANY AP groups at all.
"SECURE" VSC: Authentication enabled, requires 802.1x authentication against our AD domain. Once authenticated successfully, the user's machine is put on the primary LAN VLAN and gets a 10.10.x.x address. Effectively on my production network as much as any wired machine is.
"GUEST" VSC: Authentication and Access Control enabled. This VSC tunnels the traffic back to the controller and the user's machine grabs a 192.168.100.x IP via DHCP. Users are then presented with an HTTP login page; once authenticated, the user's traffic is allowed to go past the 765 and on to the Internet directly.
This all has been working perfectly for a good while now.
Today one of my engineers noticed something odd and brought it to my attention.
He had a new network appliance device that he needed to configure and was doing the work on the 10.10.x.x LAN segment. The device he was working on booted up with a default IP address of 192.168.1.1/24, so he just statically changed his laptop's address to match that new device's temporary subnet so he could web into it and reconfigure it for the correct segment. Normal stuff.
The problem was when he tried to surf to 192.168.1.1 (after statically assigning his laptop a matching IP from that range) he was presented with the "wireless.hp.internal" login page. On the LAN segment. The only place that authentication page is enabled is over on the GUEST VSC. As soon as the IP address of the laptop is changed back to the real IP of that LAN segment (10.10.x.x), you no longer get that login page and all seems normal.
Note that 192.168.1.x is not in the config of the MSM765 AT ALL, it does not match anything in the MSM765.
I threw together a test machine with Wireshark on it and decided to take a look a bit deeper. If I take ANY device, put it on the 10.10.x.x LAN (where the LAN port of the 765 lives) but statically assign it ANY address that does not match that subnet (I did this with 192.168.1.x, 12.12.12.x, 100.100.100.x, I suspect that any range will exhibit this behavior), then Wireshark and an "arp -a" show that the MSM765's LAN port is answering and intercepting all traffic and trying to redirect the client machine to "wireless.hp.internal".
I'm stumped. I have no idea why this would be happening or how to resolve it. MAYBE this has something to do with the default "HP" VSC merely existing on the MSM765 (even though it's not bound to anything at all, I assumed the controller would just ignore it).
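One way to check saved `arp -a` output for the behaviour described in the post above: a single MAC answering ARP for addresses in several ranges outside the 10.10.0.0/16 LAN. This is an added example, not part of the original thread; the sample output, MAC addresses and function names are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

LAN = ipaddress.ip_network("10.10.0.0/16")  # production LAN named in the post

# Constructed sample: Windows "arp -a" output saved from four test runs on the
# same wired port. MACs are from the RFC 7042 documentation range, not real.
SAMPLE = """\
Interface: 192.168.1.50 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-00-5e-00-53-01     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
Interface: 12.12.12.50 --- 0xb
  Internet Address      Physical Address      Type
  12.12.12.1            00-00-5e-00-53-01     dynamic
Interface: 100.100.100.50 --- 0xb
  Internet Address      Physical Address      Type
  100.100.100.1         00-00-5e-00-53-01     dynamic
Interface: 10.10.4.20 --- 0xb
  Internet Address      Physical Address      Type
  10.10.0.1             00-00-5e-00-53-aa     dynamic
  10.10.0.5             00-00-5e-00-53-01     dynamic
  224.0.0.22            01-00-5e-00-00-16     static
"""

ROW = re.compile(r"^\s*(\d+(?:\.\d+){3})\s+((?:[0-9a-f]{2}-){5}[0-9a-f]{2})\s+(\w+)", re.I)

def arp_rows(text):
    """Yield (ip, mac) for learned (dynamic) entries; skip static/multicast rows."""
    for line in text.splitlines():
        m = ROW.match(line)
        if m and m.group(3).lower() == "dynamic":
            yield ipaddress.ip_address(m.group(1)), m.group(2).lower()

def find_interceptors(text, lan=LAN, min_ranges=2):
    """Return MACs that answered ARP for addresses in >= min_ranges off-LAN /24s."""
    on_lan, off_lan = defaultdict(set), defaultdict(set)
    for ip, mac in arp_rows(text):
        (on_lan if ip in lan else off_lan)[mac].add(str(ip))
    report = {}
    for mac, ips in off_lan.items():
        ranges = {ipaddress.ip_network(f"{ip}/24", strict=False) for ip in ips}
        if len(ranges) >= min_ranges:
            report[mac] = {"lan_ips": sorted(on_lan[mac]), "off_lan": sorted(ips)}
    return report

if __name__ == "__main__":
    for mac, info in find_interceptors(SAMPLE).items():
        print(mac, "LAN:", info["lan_ips"], "also answers for:", info["off_lan"])
```

The `lan_ips` field ties the flagged MAC back to its legitimate address on the LAN, which identifies the device doing the answering.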
01-29-2014 09:36 AM
Re: MSM765 controller LAN port oddity
Source One Technology, Inc.
MSM 5.7.x deployment guide: