More details:
The customer's site uses RADIUS to authenticate wireless clients. It's an Aerohive environment with APs across a number of sites, and this particular site is the only one showing this issue.
There are 3 SSIDs:
- Corporate
- Staff
- Guest
The staff and guest SSIDs authenticate with a pre-shared key and live on vlan 98 and 99 respecitvely. Corporate authenticates with radius (which is working, no issue there) on vlan 97.
What I'm seeing is any client connecting to corporate is able to auth via radius and issue a DHCP discover to the onsite router. The router adds a binding to its DHCP config and responds with an offer, as seen by both the router debug, the switchport mirror AND the access point's packet sniffer. However, the client never receives the DHCP offer.
The curious thing here is the AP's own debug log showing it is forwarding a DHCP offer to the client.
Has anyone come across a similar scenario? I'm not sure if it's isolated to Aerohive specifically or something else, but the fault happens on the two ThinkPads and Lumia mobile phone we've connected so far, and it's exactly the same problem. I suspect there may be some kind of security policy on the AP which is preventing it from actually forwarding the DHCP offer, but haven't been able to find anything in the AP's config.
Another noteworthy mention is that this is only happening on one site. The exact same setup is used across a number of other sites with the same model of AP, and these work just fine.
