Tuesday, November 19, 2019

Aruba IAP leaking IPv6 RAs across VLANs when using 802.1x

Our campus-wide (offices, factory, warehouse) WiFi is provided by (primarily) IAP105 access points.

We recently enabled 802.1x authentication, consolidating separate SSIDs into a single SSID with dynamic VLANs. RADIUS authentication is handled by a Windows Server 2019 machine using NPS.

Since doing so, we're seeing IPv6 Router Advertisements leaking across VLANs: clients that are dynamically allocated into VLAN 3115 receive RAs from VLAN 3116. The client then uses SLAAC to configure an IPv6 address based on that RA. It also receives the RA from VLAN 3115 (as it should) and configures an address for that subnet.

So the client ends up with IPv6 addresses for both VLANs. They cannot actually talk in VLAN 3116, so they can't reach the router they think they can based on the RA. This causes timeouts when the client selects an address in the 3116 VLAN for a connection.

  • We do not see the same with the VLANs reversed (i.e., clients in the 3116 VLAN do not receive RAs from VLAN 3115).
  • It only applies to clients using WiFi. Wired clients on the same VLAN don't see the wrong RAs.
  • We did not see the same in our previous configuration with multiple SSIDs statically assigned to VLANs.
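To confirm what the post describes from the client side, it helps to decode the RAs a wireless client actually receives and flag any Prefix Information option that does not belong on the client's own VLAN. The script below is an added example, not part of the original post or any Aruba tooling: it parses ICMPv6 Router Advertisements per RFC 4861, reports each advertised prefix with its on-link (L) and autonomous (A) flags, and lists prefixes outside an expected set together with the advertising router's link-layer address. The two sample RAs, their MAC addresses and the 2001:db8:3115::/64 and 2001:db8:3116::/64 prefixes (documentation range) are constructed for the example and are not the site's real addressing.

```python
"""Detect IPv6 Router Advertisements carrying prefixes that do not belong on
this VLAN. Added example; the sample packets below are constructed."""
import ipaddress
import struct

ICMPV6_ROUTER_ADVERTISEMENT = 134
OPT_SOURCE_LINK_LAYER = 1
OPT_PREFIX_INFORMATION = 3


def parse_ra(payload: bytes) -> dict:
    """Decode an ICMPv6 Router Advertisement payload (RFC 4861 section 4.2).

    Returns the router lifetime, the Prefix Information options (with the
    L/on-link and A/autonomous flags SLAAC acts on) and the router's MAC if a
    Source Link-Layer Address option is present.
    """
    if len(payload) < 16:
        raise ValueError("RA payload too short")
    (icmp_type, code, _csum, hop_limit, flags,
     router_lifetime, _reachable, _retrans) = struct.unpack("!BBHBBHII", payload[:16])
    if icmp_type != ICMPV6_ROUTER_ADVERTISEMENT or code != 0:
        raise ValueError(f"not a Router Advertisement (type {icmp_type}, code {code})")
    ra = {"hop_limit": hop_limit, "router_lifetime": router_lifetime,
          "managed": bool(flags & 0x80), "other_config": bool(flags & 0x40),
          "prefixes": [], "router_mac": None}
    off = 16
    while off + 2 <= len(payload):
        opt_type, opt_len = payload[off], payload[off + 1]
        if opt_len == 0:
            raise ValueError("zero-length option")     # RFC 4861 says discard the packet
        opt = payload[off:off + opt_len * 8]           # option length is in units of 8 bytes
        if len(opt) != opt_len * 8:
            raise ValueError("truncated option")
        if opt_type == OPT_PREFIX_INFORMATION and opt_len == 4:
            plen, pflags, valid, preferred = struct.unpack("!BBII", opt[2:12])
            prefix = ipaddress.IPv6Network((opt[16:32], plen), strict=False)
            ra["prefixes"].append({"prefix": prefix,
                                   "on_link": bool(pflags & 0x80),
                                   "autonomous": bool(pflags & 0x40),
                                   "valid_lifetime": valid,
                                   "preferred_lifetime": preferred})
        elif opt_type == OPT_SOURCE_LINK_LAYER and opt_len == 1:
            ra["router_mac"] = ":".join(f"{b:02x}" for b in opt[2:8])
        off += opt_len * 8
    return ra


def find_leaked_prefixes(ras, expected_prefixes):
    """Return advertised prefixes that fall outside expected_prefixes.

    A leak with the A flag set gives the client a stray SLAAC address; a
    non-zero router lifetime also makes the client install that router as a
    default route it cannot reach."""
    expected = [ipaddress.IPv6Network(p) for p in expected_prefixes]
    leaks = []
    for ra in ras:
        for pi in ra["prefixes"]:
            if not any(pi["prefix"].subnet_of(e) for e in expected):
                leaks.append({"prefix": str(pi["prefix"]),
                              "router_mac": ra["router_mac"],
                              "slaac": pi["autonomous"],
                              "default_route": ra["router_lifetime"] > 0})
    return leaks


def build_ra(router_lifetime, router_mac, prefix, autonomous=True):
    """Construct an RA payload for testing (checksum left zero; fine for parsing)."""
    net = ipaddress.IPv6Network(prefix)
    hdr = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0, 64, 0,
                      router_lifetime, 0, 0)
    sll = struct.pack("!BB", OPT_SOURCE_LINK_LAYER, 1) + bytes.fromhex(router_mac.replace(":", ""))
    pflags = 0x80 | (0x40 if autonomous else 0)    # L always set, A optional
    pio = struct.pack("!BBBBIII", OPT_PREFIX_INFORMATION, 4, net.prefixlen, pflags,
                      2592000, 604800, 0) + net.network_address.packed
    return hdr + sll + pio


# Constructed samples: the RA a VLAN 3115 client should see, plus a second RA
# (different router MAC) carrying a prefix that belongs on another VLAN.
# Prefixes are from the 2001:db8::/32 documentation range, not real addressing.
SAMPLE_RAS = [
    build_ra(1800, "00:11:22:33:44:01", "2001:db8:3115::/64"),
    build_ra(1800, "00:11:22:33:44:02", "2001:db8:3116::/64"),
]
EXPECTED_ON_THIS_VLAN = ["2001:db8:3115::/64"]


def report(raw_ras=SAMPLE_RAS, expected=EXPECTED_ON_THIS_VLAN):
    """Parse the RAs, print the leaks with their consequences, return them."""
    leaks = find_leaked_prefixes([parse_ra(p) for p in raw_ras], expected)
    for leak in leaks:
        why = []
        if leak["slaac"]:
            why.append("client will SLAAC an address from it")
        if leak["default_route"]:
            why.append("client will install an unreachable default route")
        print(f"leaked prefix {leak['prefix']} from router {leak['router_mac']}: "
              + "; ".join(why))
    return leaks


if __name__ == "__main__":
    report()
```

On a real client, capture the RAs on the wireless interface with something like `tcpdump -i wlan0 -w ra.pcap 'icmp6 and ip6[40] == 134'` and feed the ICMPv6 payload (the bytes after the 40-byte IPv6 header, for packets with no extension headers) to `parse_ra`. The Source Link-Layer Address, or failing that the Ethernet source MAC in the capture, tells you which VLAN's gateway the stray RA came from, which is the evidence to hand to the vendor.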

Has anyone seen this before, or have any ideas? We have a support case open with Aruba/HP, but their team don't seem to understand IPv6 very well (I had to explain what an RA packet is, IPv6 multicast, etc.).


