03-26-2014 02:24 PM
I have two 7210 running 18.104.22.168 for SOHO access. On the controller I have enabled a configuration to download the whitelist from activate
The controller is retrieving the list from Activate, but after downloading the details, most of them, or in some cases all of the RAPs, are rebooted by the controller:
22:08:46 fpcli: USER:email@example.com COMMAND:<activate-service-whitelist > -- command executed successfully
Mar 26 22:09:02 fpcli: USER:firstname.lastname@example.org COMMAND:<activate-service-whitelist interval 1 > -- command executed successfully
Mar 26 22:09:09 fpcli: USER:email@example.com COMMAND:<activate-service-whitelist whitelist-enable > -- command executed successfully
Mar 26 22:09:23 fpcli: USER:firstname.lastname@example.org COMMAND:<write memory > -- command executed successfully
Mar 26 22:09:44 nanny: <303022> <WARN> |AP xx:xx:xx:xx:xx:email@example.com nanny| Reboot Reason: AP rebooted Wed Mar 26 22:08:17 CET 2014; SAPD: Reboot requested by controller
Mar 26 22:09:44 nanny: <303022> <WARN> |APxx:xx:xx:xx:xx:firstname.lastname@example.org nanny| Reboot Reason: AP rebooted Wed Mar 26 22:08:17 CET 2014; SAPD: Reboot requested by controller
Mar 26 22:09:44 nanny: <303022> <WARN> |AP xx:xx:xx:xx:xx:email@example.com nanny| Reboot Reason: AP rebooted Wed Mar 26 22:08:17 CET 2014; SAPD: Reboot requested by controller
Mar 26 22:09:44 nanny: <303022> <WARN> |AP xx:xx:xx:xx:xx:firstname.lastname@example.org nanny| Reboot Reason: AP rebooted Wed Mar 26 22:08:17 CET 2014; SAPD: Reboot requested by controller
This is causing a reset for all teleworkers and is especially annoying for the ones using IP phones.
Anyone facing the same problem? Could it be a software bug?
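The log excerpt above shows the pattern this thread is about: a whitelist-sync command on the controller followed half a minute later by a burst of "Reboot requested by controller" events. The following is an added example, not from the original post or from Aruba: it parses constructed syslog lines shaped like the ones quoted (MAC addresses and IPs are made up, and the year is assumed to be 2014 because syslog lines carry none) and flags any activate-service-whitelist command that is followed by controller-requested reboots of several APs within a short window.

```python
"""Correlate controller whitelist-sync commands with AP reboot bursts."""
import re
from datetime import datetime

# Constructed sample lines modelled on the thread; AP identifiers are fake.
SAMPLE_LOG = """\
Mar 26 22:09:09 fpcli: USER:admin COMMAND:<activate-service-whitelist whitelist-enable > -- command executed successfully
Mar 26 22:09:23 fpcli: USER:admin COMMAND:<write memory > -- command executed successfully
Mar 26 22:09:44 nanny: <303022> <WARN> |AP aa:bb:cc:dd:ee:01@10.0.0.1 nanny| Reboot Reason: AP rebooted Wed Mar 26 22:08:17 CET 2014; SAPD: Reboot requested by controller
Mar 26 22:09:44 nanny: <303022> <WARN> |AP aa:bb:cc:dd:ee:02@10.0.0.2 nanny| Reboot Reason: AP rebooted Wed Mar 26 22:08:17 CET 2014; SAPD: Reboot requested by controller
Mar 26 22:09:44 nanny: <303022> <WARN> |AP aa:bb:cc:dd:ee:03@10.0.0.3 nanny| Reboot Reason: AP rebooted Wed Mar 26 22:08:17 CET 2014; SAPD: Reboot requested by controller
Mar 27 08:00:00 nanny: <303022> <WARN> |AP aa:bb:cc:dd:ee:04@10.0.0.4 nanny| Reboot Reason: AP rebooted Thu Mar 27 07:59:00 CET 2014; SAPD: Reboot requested by controller
"""

ASSUMED_YEAR = 2014  # syslog timestamps have no year; assumed for the sample

TS = r"(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2})"
# CLI audit line for any activate-service-whitelist sub-command
CMD_RE = re.compile(TS + r" fpcli: .*COMMAND:<(?P<cmd>activate-service-whitelist[^>]*)>")
# nanny reboot record whose reason says the controller asked for the reboot
REBOOT_RE = re.compile(
    TS + r" nanny: .*\|AP (?P<ap>\S+) nanny\| Reboot Reason: .*Reboot requested by controller"
)


def parse_ts(m):
    """Build a datetime from the syslog month/day/time groups."""
    stamp = f"{m.group('mon')} {m.group('day')} {m.group('time')} {ASSUMED_YEAR}"
    return datetime.strptime(stamp, "%b %d %H:%M:%S %Y")


def find_reboot_bursts(log_text, window_s=120, min_aps=2):
    """Return one finding per whitelist command followed by >= min_aps
    controller-requested AP reboots within window_s seconds."""
    commands, reboots = [], []
    for line in log_text.splitlines():
        if m := CMD_RE.search(line):
            commands.append((parse_ts(m), m.group("cmd").strip()))
        elif m := REBOOT_RE.search(line):
            reboots.append((parse_ts(m), m.group("ap")))
    findings = []
    for cmd_ts, cmd in commands:
        aps = sorted({ap for ts, ap in reboots
                      if 0 <= (ts - cmd_ts).total_seconds() <= window_s})
        if len(aps) >= min_aps:
            findings.append({"command": cmd, "at": cmd_ts.isoformat(), "rebooted_aps": aps})
    return findings


if __name__ == "__main__":
    for f in find_reboot_bursts(SAMPLE_LOG):
        print(f"{f['at']} {f['command']!r} -> {len(f['rebooted_aps'])} APs rebooted")
```

The Mar 27 reboot in the sample is deliberately outside the window, so it is not attributed to the sync command; on a real controller the same check would run over the output of the controller's logging commands.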
03-27-2014 02:26 AM
The whitelist synchronization in the controller is only meant for IAPs at this time. If you use the whitelist synchronization in the controller for RAPs, it will download the ap-group as "default" and cause any of your RAPs that have a different ap-group to reboot. Please disable this synchronization...
Aruba Customer Engineering
03-27-2014 09:43 AM
As Colin has indicated, the whitelist sync feature on the controller was meant for IAP. However, Zero Touch RAP deployment can be supported with Clearpass which will account for AP-Group and AP-Name.
1. At a high level, Clearpass will synchronize with Activate and maintain the "global" whitelist.
2. When RAP attempts to authenticate, instead of performing a local lookup, it will authenticate against Clearpass.
03-27-2014 10:11 AM
We did a session at Airheads on configuring this service. Please refer to this link for the slides: http://community.arubanetworks.com/t5/Americas-Air
03-27-2014 10:25 AM
Thanks all for the answers.
I have two problems with this scenario:
1) On ClearPass 6.3 the active connection doesn't work. The Endpoint Database is not updated at all. Only restarting "Async network services" under Service Control on the Publisher of the cluster will trigger the retrieval from the Activate service; otherwise the database is not being updated. Also, even though I have the Activate connection under Endpoint Context Server with a device filter to retrieve only RAP devices, CPPM is getting a lot more devices than I want, so there is definitely an issue here.
2) I might be doing something wrong, but the AP needs to terminate the IPsec tunnel to the controller at the initial provisioning; otherwise the AP won't be able to connect and the IPsec session won't be completed.
03-27-2014 08:57 PM
1) Clearpass will sync the whitelist every 60 minutes by default. If the Endpoint db is not getting updated, I would suggest opening a case to investigate further. Can you elaborate more on what is a lot more? When Activate service is enabled in Clearpass, there is some basic filtering to pick up RAP*,IAP*. Even without the filter, if you are getting more devices, it is okay, Clearpass is designed to handle many entries.
2) I missed out one piece of info that may be important. The controller needs to be running AOS 6.3.1 or better. The termination should work.
03-28-2014 03:10 AM
I already have a case with TAC, as this is very important to elaborate the zero-touch scenario. What I mean by a lot more is that for testing I have 20 RAPs, and even with the filter to retrieve just RAP* units, CPPM is receiving about 800 more.
My pair of controllers are running 22.214.171.124
03-31-2014 02:30 PM
Issue is fixed now.
Basically a missing configuration on the controller, based on the assumption that a RAP didn't need any IAP configuration.
When the AP boots from factory it boots as an IAP, so in order to be authorized I needed the entry below as well:
aaa authentication vpn "default-iap"
Thanks all for your support and feedback.