Re: MSM730 dhcp server problem

Cfabio · ‎03-03-2010

Hi

I would want to use my MSM730 controller in dhcp server mode on internet port (WAN).

For network architecture reasons (I can't insert a router in the network) I can't use the LAN port so I have connected the APs and the gateway to internet on the WAN port.

If I try to configure the dhcp server in address allocation section I obtain an error.
I do something wrong or it is simply impossible this configuration with this controller?

Have you some suggests to solve the problem?

Regards

P.S. This thread has been moved from Communications, Wireless (Legacy ITRC forum) to MSM Series. -HP Forum Moderator

kianwei · ‎03-04-2010

There is normal to use WAN port to do deployment. LAN DHCP server on controller will assign the IP address to the client that connect to the VSC in access control mode. Any error message you get?

Fred! · ‎03-04-2010

Is the product complaining that the subnet your are trying to define in the DHCP server is not the same as the LAN port? (or something like this, I don't remember the exact label)

Cfabio · ‎03-04-2010

Hi

The wan interface address is 147.xxx.xxx.2

I configure the dhcp server section with:
start address 147.xxx.xxx.3
stop address 147.xxx.xxx.100
gateway 147.xxx.xxx.1

The LAN port have address 192.xxx.xxx.xxx but anything is connect to this port.

I obtain error: DHCP RANGE IS INVALID

I thinked that is caused by the impossibility to configure the wan port in dhcp server mode. It isn't true? I wrong something in my configuration?

Regards

Fred! · ‎03-04-2010

Yes, that was my guess, your configuration is invalid.

To answer your original question, there is no DHCP server that sits on the WAN port.

The DHCP server resides on the LAN port only. What you see on the address allocation page is really the settings for DHCP server or DHCP relay that sits and is only active on top of the LAN port.

However, there is a way to make it work in your scenario but it is really to provide DHCP addresses to your clients and not the APs.

If that's what you want to do you can make it work. If you want to be able to give IPs to anyone on the WAN port (including APs or wired stations) then I'm afraid that will be difficult with the product.

If you want to give IPs to your clients you will have to configure the Address Allocation > DHCP Server page in a private subnet that happens to be within the same subnet as your disconnected LAN port. Basically you will have to configure the LAN port with an address (let's say 192.168.1.1) and the DHCP to give away addresses in that subnet (192.168.1.x for example).Then in the VSC make sure you force the client traffic inside the tunnel (always tunnel client traffic) and in the DHCP server that you enable the checkbox "listen for client data tunnel request". That way a client will connect to the VSC, will get tunneled to the MSM controller and reach the DHCP server. The client will get a 192.168.1.x address.

Not sure that's what you want to do, but that's kind of the only way you can do it and use the internal DHCP server of the product when only connected with the WAN port.

kianwei · ‎03-05-2010

Fred is correct. The DHCP server range in MSM Controller only can assign the IP range in LAN port.For your case 192.xxx.xxx.xxx. You don't have to connect anything in your LAN port but the DHCP server will assign 192.xxx.xxx.xxx to your wireless access control user once they connected to SSID. Actually, you may assign different IP address range to every VSC as long as the VSC is a access control VSC (check access control in VSC page). You must define the dns, gateway and range for every VSC. After perform this, a virtual gateway will create in the controller for every single VSC.

Cfabio · ‎03-05-2010

Hi

I have understand your suggest but this doesn't resolve my problem.

I want to assign public IP addresses to clients and these IP addresses must be in the same subnet of the WAN port. In my scenario I can't use nat.

My original problem is that I use EAP-TTLS authentication of the clients and for this I use an external radius server. At the moment I use an external dchp server. I enable accounting for my VSC but in the account start message I don't receive the IP address of the client (the public IP address that the external DHCP has assigned to the client just after authentication). I receive the IP address only in the account stop message (in the Framed-IP-Address field).

I tried to put the Frame-IP-Address field in the access-accept message with the public IP address for the client just authenticated but it doesn't work. The MSM730 controller don't accept this attribute in access-accept message.

So I thought to use the controller in dhcp server mode because in this way I was thinking that assigning it the IP address it would put the IP address in the account start message. (Is it true?).

However I suppose, as I said above, that I can't use the controller in dhcp server mode.

Have you a solution?

Cfabio · ‎03-08-2010

Anyone?

Fred!? kianwei?

Have you understand my problem? or I wasn't clear....

Fred! · ‎03-10-2010

Well, if you cannot use NAT, you will have no choice but to do a VSC that does not involve the controller.

If you make sure that the "use this MSC for: authentication, access-control" checkboxes are unchecked, then the traffic will flow from your client through the AP and directly on the network. Not to mention that the RADIUS authentication will also go straight from the AP to the controller.

You will be able to assign a public IP address using an external DHCP server. In your case you won't be able to use the MSC internal DHCP server for that task.

I'm afraid that's the only solution I see. There are other solution involving the controller but it will have to NAT your addresses if you are just connecting the WAN port or to be connected through the LAN port. So both don't apply in your case.

Cfabio · ‎03-11-2010

Hi

Sorry but I'm not sure I've understand what you suggested me.

I have checked in my VSC profile the options "use service controller for authentication" and " use service controller for access control". (I don't find in the configuration interface "use this MSC for: authentication, access-control"...)

I don't use NAT but the traffic go through the service controller and after on the network. The authentication also works correctly. Controller is in dhcp relay mode.

My problem is that I don't receive in the Accounting-Request start message the IP of the client (using 802.1X authentication).
I receive the IP (in Framed-IP-Address field) only in the Accounting-Request stop message. Instead everything, about the accounting, works fine if I use "HTML-based user logins authentication" in the same configuration conditions.

In your opinion this problem is due to the absence of NAS? and there aren't solutions?

Thanks
Regards

Fred! · ‎03-12-2010

Yes, "use service controller for authentication" is what I meant. MSC is the old name for the MSM service controller.

Anyway looking at your last post, I can see that your problem has shifted from the original post/topic.

But now, I understand that you have a difference in terms of behavior for the accounting request.

Looking at the manual p.232: http://cdn.procurve.com/training/Manuals/r531/MSM7xx-MCG-May09-5992-5929.pdf

The accounting request is supposed to include the framed-ip-address of the user's computer. It looks like a potential bug with the product if it is not repoorted in your case.

Maybe you should contact support or upgrade to one of the latest release to see if it fixes the issue, but from the manual it seems that this should be supported.

Cfabio · ‎03-12-2010

Yes, I did looked this page of the manual.

I thought that my problem was due to the external dhcp (maybe the controller didn't know the ip address send to the client from the dhcp when it send the accounting request start)...so I tried to use the controller in dhcp mode..........

Maybe it's really a bug of the product.
Now I'll try to contact the support...

Thanks for the support

Fred! · ‎03-12-2010

Well as I mentioned earlier, if "use service controller for authentication and access control" are both unchecked, then the controller is not involved at all (so it should not matter whether you are using an internal DHCP or not).

If the checkboxes are unchecked, the authentication request would go directly from the AP to your RADIUS and in that case, only the AP is responsible to catch and fill-up the information in the Access and Accounting requests to the RADIUS server (all by itself and without involving the controller)

Cfabio · ‎03-12-2010

Hi

Now I totally understand what you meant.

It's a good idea for solve my problem. I'll try.....

Cfabio · ‎03-12-2010

Hi

I unchecked "use service controller for authentication and access control" and I don't modify the remaining configuration.

It don't work. My radius (configured on the controller under RADIUS-profiles page) don't receive the request of authentication from the access point....and so the client can't authenticate itself.

Should I modify others parameters in configuration?

Fred! · ‎03-12-2010

You need to remember that in that case, the AP will contact the RADIUS directly. Therefore, the IP address of the RADIUS needs to be reachable by the AP. Also, the AP will be the NAS in this case, so your RADIUS server needs to be configured to accept the AP as a potential source of authentication.

Beside that there shouldn't be much parameters to touch on the MSM controller. So it is a matter of looking a traces at the AP or syslogs at the AP to understand if the authentication request goes out or not.

Cfabio · ‎03-16-2010

Now it works. There was an error in my radius configuration, so the radius didn't log and didn't reply to the access point.

Now the authentication works but accounting problem is the same.
The AP (or the controller) doesn't put in the Accounting Start Message the Framed-Ip-Address field with the IP address assigned to the client.....

Fred! · ‎03-16-2010

OK, then I'm afraid it is a bug that needs to be taken to support, as the specification/documentation says that this attribute is supported in the accounting request and it appears that it is not in your case, there is not much we can do if the product do not insert the data in the radius packet :(

Cfabio · ‎03-16-2010

Ok...thanks. Unfortunately the HP suppot service for my controller is now expired, so I can't contact it.

I will have to renounce....

Bye

Categories

Company

Local Language

Forums

Discussions

Forums

Discussions

Forums

Discussions

Forums

Discussions

Forums

Discussions

Discussions

Forums

Forums

Discussions

Forums

Discussions

Forums

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Community

Resources

Other HPE Sites

Discussions

Forums

Blogs

Re: MSM730 dhcp server problem

MSM730 dhcp server problem