AP7632 config DHCP question

AmirA
New Contributor
Hello!

Dear experts, please kindly help me with my AP7632i configuration issue.
I'm administering a small network and our core firewall/router is a Juniper SRX 210H, which acts as the DHCP server.
As the Wi-Fi AP we use a WiNG AP7632i access point in local bridge mode.
My idea is to use it in transparent mode, so that wireless clients receive IP addresses from my core Juniper SRX.
DHCP on the wired LAN works well, but something is going wrong in the wireless segment.
DHCP does not work through my AP.
If I configure a STATIC IP on my cell phone, it connects to Wi-Fi and works well.
If I configure DHCP on my cell phone, it does not connect to Wi-Fi and does not work.
Next...
If I configure a STATIC IP on my LAPTOP, it does not connect to Wi-Fi and does not work.
If I configure DHCP on my LAPTOP, it does not connect to Wi-Fi and does not work.

My AP config:
AP-01.361*#sho run
!
! Configuration of AP7632 version 7.7.0.0-018R
!
!
version 2.7
!
!
client-identity-group default
load default-fingerprints
!
ip access-list ACL-MGMT-IN
permit icmp 192.168.163.0/24 any rule-precedence 1
permit tcp 192.168.163.0/24 any eq ssh log rule-precedence 2
permit tcp 192.168.163.0/24 any eq https log rule-precedence 3
deny ip any any rule-precedence 5
!
ip access-list ACL-TRFC-IN
permit ip 192.168.163.0/24 any rule-precedence 1
deny ip any any rule-precedence 4
!
ip access-list ACL-TRFC-OUT
permit ip any any rule-precedence 1
deny ip any any rule-precedence 2
!
ip access-list BROADCAST-MULTICAST-CONTROL
permit tcp any any rule-precedence 10 rule-description "permit all TCP traffic"
permit udp any eq 67 any eq dhcpc rule-precedence 11 rule-description "permit DHCP replies"
deny udp any range 137 138 any range 137 138 rule-precedence 20 rule-description "deny windows netbios"
deny ip any 224.0.0.0/4 rule-precedence 21 rule-description "deny IP multicast"
deny ip any host 255.255.255.255 rule-precedence 22 rule-description "deny IP local broadcast"
permit ip any any rule-precedence 100 rule-description "permit all IP traffic"
!
mac access-list PERMIT-ARP-AND-IPv4
permit any any type ip rule-precedence 10 rule-description "permit all IPv4 traffic"
permit any any type arp rule-precedence 20 rule-description "permit all ARP traffic"
!
ip snmp-access-list default
permit any
!
firewall-policy default
ip dos tcp-post-syn log-and-drop log-level warnings
ip dos tcp-bad-sequence log-and-drop log-level warnings
ip dos tcp-sequence-past-window log-and-drop log-level warnings
no stateful-packet-inspection-l2
ip tcp adjust-mss 1400
!
!
mint-policy global-default
!
meshpoint-qos-policy default
!
wlan-qos-policy default
qos trust dscp
qos trust wmm
!
radio-qos-policy default
!
wlan wlan1
ssid AP-01.361
vlan 1
bridging-mode local
encryption-type tkip-ccmp
authentication-type none
no multi-band-operation
no protected-mgmt-frames
wpa-wpa2 psk 0 xxxxxxxxxxxxxxxxx
use ip-access-list in ACL-TRFC-IN
use ip-access-list out ACL-TRFC-OUT
relay-agent dhcp-option82
!
smart-rf-policy default-smartrf
no select-shutdown
!
wips-policy default
event excessive eap-flood threshold-client 15 threshold-radio 40 filter-ageout 600
event client-anomaly dos-broadcast-deauth filter-ageout 0
event ap-anomaly ad-hoc-violation
event client-anomaly fuzzing-invalid-mgmt-frames filter-ageout 0
event client-anomaly non-conforming-data filter-ageout 0
event ap-anomaly transmitting-device-using-invalid-mac
event client-anomaly crackable-wep-iv-key-used filter-ageout 0
event ap-anomaly wireless-bridge
event excessive auth-server-failures threshold-client 5 threshold-radio 20 filter-ageout 600
event client-anomaly fuzzing-invalid-seq-num filter-ageout 0
event ap-anomaly null-probe-response
event client-anomaly fuzzing-all-zero-macs filter-ageout 0
event excessive frames-from-unassoc-station threshold-client 2 threshold-radio 0 filter-ageout 600
event ap-anomaly asleap
event excessive eap-nak-flood threshold-client 10 threshold-radio 20 filter-ageout 600
event client-anomaly wellenreiter filter-ageout 0
event ap-anomaly unencrypted-wired-leakage
event excessive 80211-replay-check-failure threshold-client 10 threshold-radio 25 filter-ageout 600
event excessive dos-eapol-start-storm threshold-client 10 threshold-radio 20 filter-ageout 600
event client-anomaly tkip-mic-counter-measures filter-ageout 0
event client-anomaly invalid-8021x-frames filter-ageout 0
event client-anomaly identical-src-and-dest-addr filter-ageout 0
event client-anomaly non-changing-wep-iv filter-ageout 0
event excessive dos-assoc-or-auth-flood threshold-client 25 threshold-radio 45 filter-ageout 600
event client-anomaly fuzzing-invalid-frame-type filter-ageout 0
event ap-anomaly ap-ssid-broadcast-in-beacon
event excessive dos-unicast-deauth-or-disassoc threshold-client 25 threshold-radio 45 filter-ageout 600
event excessive aggressive-scanning threshold-client 30 threshold-radio 200 filter-ageout 600
event client-anomaly netstumbler-generic filter-ageout 0
event ap-anomaly airjack
event excessive decryption-failures threshold-client 25 threshold-radio 75 filter-ageout 600
event ap-anomaly impersonation-attack
ap-detection
ap-detection air-termination
ap-detection air-termination mode auto
ap-detection air-termination allow-channel-switch
!
!
management-policy default
no telnet
no http server
https server
no rest-server
ssh
user admin password 1 xxxxx role superuser access all
no snmp-server manager v3
snmp-server community 0 private rw
snmp-server community 0 public ro
snmp-server user snmptrap v3 encrypted des auth md5 0 admin123
snmp-server user snmpmanager v3 encrypted des auth md5 0 admin123
restrict-access ip-access-list ACL-MGMT-IN
!
event-system-policy default
!
nsight-policy default
!
profile ap7632 361
ip name-server 192.168.163.1
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip domain-name 361
ip default-gateway 192.168.163.1
autoinstall configuration
autoinstall firmware
crypto ikev1 policy ikev1-default
isakmp-proposal default encryption aes-256 group 2 hash sha
crypto ikev2 policy ikev2-default
isakmp-proposal default encryption aes-256 group 2 hash sha
crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
crypto ikev1 remote-vpn
crypto ikev2 remote-vpn
crypto auto-ipsec-secure
crypto load-management
crypto remote-vpn-client
interface radio1
wlan wlan1 bss 1 primary
antenna-mode 2x2
interface radio2
wlan wlan1 bss 1 primary
antenna-mode 2x2
interface bluetooth1
shutdown
mode le-sensor
interface ge1
spanning-tree force-version 0
interface vlan1
ip address dhcp
ip address zeroconf secondary
ip dhcp client request options all
use ip-access-list in ACL-TRFC-IN
interface pppoe1
use firewall-policy default
ntp server ntp1.stratum1.ru prefer
ntp server ntp1.stratum2.ru
use client-identity-group default
logging on
service pm sys-restart
router ospf
adoption-mode controller
!
rf-domain default
location "Moscow"
contact "ADMIN"
timezone Europe/Moscow
country-code ru
use smart-rf-policy default-smartrf
use wips-policy default
ad-wips-wireless-mitigation disable
ad-wips-wired-mitigation disable
use nsight-policy default
channel-list dynamic
!
ap7632 B4-2D-56-8A-88-90
use profile 361
use rf-domain default
hostname AP-01.361
channel-list dynamic
no mint mlcp vlan
no mint mlcp ip
ip igmp snooping
area "Moscow"
floor 7
interface vlan1
description "Virtual Interface for LAN by Wizard"
ip address 192.168.163.3/24
ip address zeroconf secondary
no ip dhcp client request options all
no virtual-controller
no rf-domain-manager capable
no adoption-mode
!
!
end
AP-01.361*#
1 ACCEPTED SOLUTION

Angelo_Cargnel
New Contributor III

Hi Andrey,

your IP access list "ACL-TRFC-IN" is blocking the DHCP requests from your mobile clients.
Please add to the ACL:

permit udp any eq 68 any eq 67 rule-precedence 2 rule-description "permit DHCP requests"

and DHCP should work.

Best regards,
Angelo


4 REPLIES 4

AmirA
New Contributor
Oh, thanks again!)) That's clever!

Angelo_Cargnel
New Contributor III

Hi Andrey,

you have not permitted all IP traffic in your inbound IP ACL.
You have only permitted traffic from devices with a source IP address in the range 192.168.163.0/24.
But your devices don't have any IP address when they make the DHCP request (that's why they are doing DHCP 🙂).
In the DHCP request the source IP address is 0.0.0.0.
So the IP ACL was doing what it should do!

Regards,
Angelo
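To make the ACL behaviour in this thread reproducible offline, here is a small evaluator for WiNG-style IP access lists. It is an added example and is not code from WiNG, from the page, or from either poster. It parses the ACL-TRFC-IN lines quoted above, evaluates a constructed DHCP DISCOVER (source 0.0.0.0, UDP 68 to 67) against them, and shows the verdict flip once the rule from the accepted answer is added. It assumes, since the page does not state it, that rules are tried in ascending rule-precedence order with first match winning, that a list with no matching rule denies, and that the service names ssh/https/dhcpc resolve to their IANA port numbers. The packets are constructed for the example.

```python
"""Toy evaluator for WiNG-style IP access lists (added example, not WiNG code).

Assumptions not stated on the page: ascending rule-precedence, first match
wins; no match means deny; ssh/https/dhcps/dhcpc map to IANA ports.
"""
import ipaddress
import shlex
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PORT_NAMES = {"ssh": 22, "https": 443, "dhcps": 67, "dhcpc": 68}

PortRange = Optional[Tuple[int, int]]   # None means "any port"
Net = Optional[ipaddress.IPv4Network]   # None means "any"


@dataclass
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass
class Rule:
    action: str         # "permit" or "deny"
    proto: str          # "ip" matches every protocol
    src_net: Net
    src_ports: PortRange
    dst_net: Net
    dst_ports: PortRange
    precedence: int

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if self.src_net and ipaddress.ip_address(p.src) not in self.src_net:
            return False
        if self.dst_net and ipaddress.ip_address(p.dst) not in self.dst_net:
            return False
        for want, have in ((self.src_ports, p.sport), (self.dst_ports, p.dport)):
            if want and (have is None or not want[0] <= have <= want[1]):
                return False
        return True


def _port(tok: str) -> int:
    return int(tok) if tok.isdigit() else PORT_NAMES[tok]


def _take_endpoint(tokens: List[str]) -> Tuple[Net, PortRange]:
    """Consume '<any | host A | A/len> [eq P | range P Q]' from the token list."""
    t = tokens.pop(0)
    if t == "any":
        net = None
    elif t == "host":
        net = ipaddress.ip_network(tokens.pop(0) + "/32")
    else:
        net = ipaddress.ip_network(t, strict=False)
    ports: PortRange = None
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        p = _port(tokens.pop(0))
        ports = (p, p)
    elif tokens and tokens[0] == "range":
        tokens.pop(0)
        ports = (_port(tokens.pop(0)), _port(tokens.pop(0)))
    return net, ports


def parse_rule(line: str) -> Rule:
    tokens = shlex.split(line)          # handles the quoted rule-description
    action, proto, rest = tokens[0], tokens[1], tokens[2:]
    src_net, src_ports = _take_endpoint(rest)
    dst_net, dst_ports = _take_endpoint(rest)
    precedence = int(rest[rest.index("rule-precedence") + 1])
    return Rule(action, proto, src_net, src_ports, dst_net, dst_ports, precedence)


def parse_acl(text: str) -> List[Rule]:
    rules = [parse_rule(l.strip()) for l in text.strip().splitlines()
             if l.strip().startswith(("permit", "deny"))]
    return sorted(rules, key=lambda r: r.precedence)


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    for r in rules:                     # sorted, so first match wins
        if r.matches(pkt):
            return r.action
    return "deny"                       # implicit deny (assumption)


# The inbound WLAN ACL exactly as posted in the thread.
ACL_TRFC_IN = """
ip access-list ACL-TRFC-IN
permit ip 192.168.163.0/24 any rule-precedence 1
deny ip any any rule-precedence 4
"""

# The same list with the rule from the accepted answer added.
ACL_TRFC_IN_FIXED = ACL_TRFC_IN + (
    'permit udp any eq 68 any eq 67 rule-precedence 2 rule-description "permit DHCP requests"\n'
)

# Constructed packets: a DHCP DISCOVER from a client with no address yet, a
# unicast renewal from a client that already holds a lease (what the
# statically addressed phone looked like to the ACL), and ordinary traffic.
DHCP_DISCOVER = Packet("udp", "0.0.0.0", "255.255.255.255", 68, 67)
DHCP_RENEW = Packet("udp", "192.168.163.50", "192.168.163.1", 68, 67)
CLIENT_HTTPS = Packet("tcp", "192.168.163.50", "8.8.8.8", 51515, 443)


def verdicts() -> Dict[str, str]:
    orig, fixed = parse_acl(ACL_TRFC_IN), parse_acl(ACL_TRFC_IN_FIXED)
    return {
        "discover_original": evaluate(orig, DHCP_DISCOVER),
        "discover_fixed": evaluate(fixed, DHCP_DISCOVER),
        "renew_original": evaluate(orig, DHCP_RENEW),
        "https_original": evaluate(orig, CLIENT_HTTPS),
    }


if __name__ == "__main__":
    for name, verdict in verdicts().items():
        print(f"{name:20s} {verdict}")
```

Running it shows the DISCOVER denied by the original list and permitted by the fixed one, while the renewal and the HTTPS flow from an already-addressed client pass either way, which is exactly the symptom pattern in the first post. The same parser accepts the other lists on the page (ACL-MGMT-IN, BROADCAST-MULTICAST-CONTROL), so it can be used to check a candidate rule before committing it on the AP.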

AmirA
New Contributor
Hello! Angelo, you are right! Thank you very much, now it works!
Anyway, I'm surprised by this..
I had supposed that I'd permitted all IP protocol traffic and that this would automatically permit UDP..
