CORP SSID Is Not Getting An IP Address In OEAP Mode

matthew wolf · ‎08-07-2024

I have a 9800-CL that is port forwarding CAPWAP ports (finally got this working in OEAP mode) with a 3802I. The site where the 9800-CL is located has 2 vlans (vlan 2 - 192.168.2.0/24 and a 99 - 192.168.99.0/24). Both vlan's have a dhcp server setup on the router and no dhcp is setup on the controller. This is a little new to me so I'm not sure how to get the 3802I to recognize the vlan 99 and pull a dhcp address from the server or should it get a local address from the router at the home location and recognize the split tunnel ACL that's setup to access traffic across the DTLS connection?

Layout

Non-AD Laptop < 3802i (personal and corp SSID) < Home Router > < Edge Router > 9800-CL

Rasika Nayanajith · ‎08-07-2024

corp SSID : Traffic is tunnel back to your 9800 WLC, in that way it should get IP address from your corp DHCP server

personal SSID : Traffic is locally switch to your home router, so they will get IP from your home network.

HTH
Rasika
*** Pls rate all useful responses ***

matthew wolf · ‎08-07-2024

The personal SSID is working with a 10.0.0.0 network going through the home router but I just can't figure out the corp SSID side. No matter what I can't get it to pull a dhcp from the 192.168.99.0/24 network.. I can route and ping from the 192.168.99.10 interface which is NAT'd for public discovery for the OEAP APs. Also added a show-tech export

marce1000 · ‎08-07-2024

>...Also added a show-tech export
- You may want to replace that with a show tech wireless and feed the output from that into Wireless Config Analyzer
(as stated, do not use a simple show tech as input for this procedure). This to have the controller's configuration
evaluated

That being said : OEAP is a little bit outdated these days, you could consider a flexconnect based setup
with local switching to bring the corporate SSID to the home (office) too.

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

matthew wolf · ‎08-08-2024

Thanks for that. Are there any guides on how to setup a remote access point in flexconnect without a corporate router/switch at the end users house? Either a full tunnel or split tunnel configuration when accessing corporate data on the corp ssid?

marce1000 · ‎08-08-2024

- Check if this can help : https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-3/config-guide/b_wl_17_3_cg/m_vewlc_flex_connect.html#spilt-tunneling-for-flex

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

matthew wolf · ‎08-08-2024

Interesting. This was the article I followed and it referenced flexconnect and OEAP still https://www.cisco.com/c/dam/en/us/td/docs/wireless/controller/9800/17-3/deployment-guide/remote-workforce-solution-wireless.pdf

Rich R · ‎08-12-2024

Like Marce says OEAP is not used much anymore. The key points which distinguish OEAP:
- Mandatory CAPWAP data tunnel encryption. For companies that don't think VPN, TLS etc is enough to protect their user data. This substantially increases CPU load on the AP (and the WLC) thus limiting the throughput of the AP so performance/throughput is always worse than a similar standard AP setup.
- The AP provides a very rudimentary page for the user to setup their own local SSID. This page is not well maintained at all, looked like something out of ancient history last time I looked at it but maybe it's been updated since then.

Very few companies require that encrypted CAPWAP data these days. With zero trust networks the assumption is that all underlying transport is untrusted so the device must ensure end to end security/encryption without relying on the WiFi or network to be encrypted. This is necessary anyway if the device is allowed to access public hotspots.

Most home broadband routers provide the user with a home SSID with a much more modern and flexible GUI to manage it so the AP local SSID is usually not needed at all.

So the simple solution is:
- AP in flexconnect mode
- Corporate SSID with central authentication, central switching, central DHCP which is tunnelled back to the WLC
- Local user SSID (only if required) with local authentication, local switching, local DHCP which breaks out on the local switch port, never going anywhere near the WLC.
- The AP gets its IP address from the home broadband router just like any other client on the home network or you assign it a static IP from the reserved part of the home IP range.
- I would stay away from using split tunnels at all - corporate SSID should be corporate only and local SSID should be local only. The only use-case I've come across for split tunnel is user wanting to print to local home printer but frankly it's easier to tell the user to connect to their home SSID if they want to print.

But in fact very few companies would extend a corporate SSID to a user's home these days because Google/Microsoft 365 apps require direct cloud access - nobody wants all that traffic traversing their corporate network anymore. So in most cases users simply connect to their own home SSID and then a VPN on the client is used to route the corporate traffic to the company network over VPN while the Google/Microsoft cloud traffic routes directly to the local internet connection. That also simplifies user access to a printer on the local home network. The split tunnelling is done in the VPN client.

ps: if you desperately want to you can still enable CAPWAP data encryption for the AP even without using OEAP but remember the performance impact it will have. I've also noticed a number of bugs that have popped up over the years related to CAPWAP data encryption being enabled because it simply isn't used or tested as much as unencrypted CAPWAP data on the AP.

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390