Equipements connected on the APs are getting IP addresses but no Internet 2

Maybe the DHCP is handing out DNS settings, and the APs hand out the DNS settings acquired by DHCP to their clients?

i called the HP support and the y could not find the solution. Im just wondered the other equipement in the network the work good and the surf ( the computers on the pool of the DHCP which are not connected to the access point) but the computers which are connected to the network trough the APs they can not surf.

You mention controller. I'm assuming you are talking about an HP wireless controller? If so, do you have the access points "access controlled"? Is your DHCP server a Windows server or are you using the controller as your DHCP server?

yes Im talking about the HP wireless Controller. I think i have something on the VSC profil what is activated Authentication and Access Control. my DHCP server is an extern DHCP ( windows ).

Ok, so here's the thing, when you have the VSC access controlled, the traffic off the AP will be solely be directed out the Internet port on the Controller. I personally use that, but only for my Public VSC. I have that Internet port configured in a DMZ and my DHCP for those clients are handled by the controller. In regards to my Secure VSC, that VSC is not access controlled, so the traffic does not go through the controller at all and operates like any other client. The only thing the controller does is provide config info to the APs.

Do you have the Colubris DHCP options being handed out to the APs from your Windows DHCP server?

Hi cajuntank,

thank you really for your help. I dunno whats Colubris DHCP. but I know that my computer when its connected to the AP, it get all parameter ( IP @, DG, DNS ...). today i saw that on my VSC Profil, i have the Access Control and authentication activated. so i think i have just to deactivate them.

our costumer have one subnet and into this it there is the servers and the router. the Wireless connection should be for the worker of this costumer and for the visitor. Im using on the my wireless controller just the LAN port. the only solution what i find to separate the visitor access from the worker access is to create another subnet for the visitor it mean on the switch another VLAN and on the controller another VSC and another VLAN and the costumer should make another ADSL line. but i just want to ask did the wireless controller make web filtering? i should secure the internet from the bad users. or i dunno may be u have better idea, Im still new with wireless controller and i need help. thank you again for ur help

HP bought out Colubris Networks which is where the current HP MSM product platform comes from. The best practice for the APs to associate with the controller is to have some DHCP options created for them to use. Look for the MSM Implementation Guide on this page and it will outline several configuration examples as well as the DHCP options to set.
As far as the VSC, you don't have to disable Authentication, just Access Control. Again, this will allow the traffic to flow through your network withouth having to go through the controller. In regards to the Public VSC, the controller itself does have firewall capabilities, but I turned that off in lieu of using the firewall capabilities of my Sonicwall which does have web filtering and IPS features.

So here's my setup as an example. My Secure VSC is WPA2 Enterprise secured using Radius, certificate, etc... (again, go through guide as there are examples of configuration on this). My Public VSC is Access Controlled and the only security I have is HTML-based authenticaion. I created a user on the controller and when someone needs Public access (visitors, etc...), we offer them the username and password when they hit the html login page that they get redirected to, to get Internet access. Also make sure that always "tunnel client traffic" is checked for this VSC. Enable DHCP server on the controller (again, since the Secure VSC is not Access Controlled, then it will not use this DHCP server). The Internet port is a IP address in one of my DMZs (so for example 172.16.1.2), but on your Public VSC toward the bottom of the configuration page, there will be a DHCP Server option to check. Check this and enter a scope to use. YOU CANNOT USE THE SAME NETWORK as your Internet port's subnet. So for example, 172.16.2.2-172.16.2.254 with 172.16.2.1 being the DNS and the Gateway IP address. It looks a little odd, but what you are doing is creating this subnet for your public users to use and the controller is your everything in that matter. It cannot share the same network with your Internet port, so it has to be on a different subnet. So the way traffic flows using that Public VSC is their traffic never touches your LAN. It backhauls all the way to the controller and exits out the Internet port (in fact, it does not touch the LAN port at all). Like I mentioned, you could very well plug that Internet port directly to your public Internet and turn on the firewall, but it's basic at best; that's why I opted for it to go through my Sonicwall where I did have those filtering and security features I could apply to that zone.

Hope that makes sense. The configuration on this thing can seem daunting at first, but after you read through the guide once or twice, you can extrapolate from it's examples whatever fits your needs.

hi cajuntank,

thank you so much for ur help. i got more ideas how to use the controller and i know right now how to resolve some issues.