ArubaOS 6.1.2.3 Problems?

Hi All,

Noticed 2 problems so far with AOS 6.1.2.3 in our environment and was wondering if anyone else is having the same problems as we are. Already created TAC cases for the below but so far didn't get a solution.

1. Attempted to use DNS based ACLs to resolve the iPad2 problem when it tries to access www.apple.com by following Colin's instructions found in thread http://airheads.arubanetworks.com/vBulletin/showthread.php?t=4085

Controller locks every 1-2 minutes, becoming unresponsive from WebUI as well as CLI, and I get "Authentication Module is busy.." when I try to save the configuration. I've sent crash info and logs to Aruba for analysis. Controller works fine if I disable DNS lookup (no ip domain lookup) and reboot. The DNS servers and domain that I entered are valid.

2. Clients are getting thrown back to the logon role after successfully authenticating. Problem is experienced with users on different operating systems and using different browsers in different locations. Here is some debug info that I collected.

Oct 21 12:02:17 authmgr username=stafftest MAC=00:23:14:80:ea:dc IP=10.2.5.32 Authentication result=Authentication Successful method=Web server=(Auth server name here)
Oct 21 12:02:17 authmgr MAC=00:23:14:80:ea:dc IP=?? Derived role 'staff' from server rules: server-group=(server group here), authentication=Web
Oct 21 12:02:17 authmgr MAC=00:23:14:80:ea:dc,IP=10.2.5.32 User role updated, existing Role=logon/logon, new Role=logon/staff, reason=User authenticated with auth type:1role derivation:2 l3 assigned role:None
Oct 21 12:02:17 authmgr MAC=00:23:14:80:ea:dc,IP=10.2.5.32 User data downloaded to datapath, new Role=staff/49, bw Contract=0/0,reason=Download driven by user role setting
Oct 21 12:02:17 authmgr User Authentication Successful: username=stafftest MAC=00:23:14:80:ea:dc IP=10.2.5.32 role=staff VLAN=125 AP=(AP name here) SSID=(SSID name here) AAA profile=(AAAprof name here) auth method=Web auth server=(Auth server name here)
Oct 21 12:02:19 authmgr MAC=00:23:14:80:ea:dc IP=10.2.5.32 User entry deleted: reason=essid change
Oct 21 12:02:19 authmgr MAC=00:23:14:80:ea:dc,IP=0.0.0.0 User data downloaded to datapath, new Role= logon/47, bw Contract=0/0,reason=Station resetting role
Oct 21 12:02:19 authmgr MAC=00:23:14:80:ea:dc IP=10.2.5.32 User miss: ingress=0x11d6, VLAN=125
Oct 21 12:02:19 authmgr MAC=00:23:14:80:ea:dc,IP=0.0.0.0 User role updated, existing Role= logon/staff, new Role=logon/logon, reason=First IP user created
Oct 21 12:02:19 authmgr MAC=00:23:14:80:ea:dc IP=10.2.5.32 User entry added: reason=Sibtye
Oct 21 12:02:19 authmgr User Authentication Successful: username=stafftest MAC=00:23:14:80:ea:dc IP=10.2.5.32 role=logon VLAN=125 AP=(AP name here) SSID=(SSID name here) AAA profile=(SSID name here) auth method=Web auth server=(Auth server name here)
Oct 21 12:02:19 authmgr MAC=00:23:14:80:ea:dc,IP=10.2.5.32 User data downloaded to datapath, new Role=logon/47, bw Contract=0/0,reason=New user IP processing

Controllers were running 6.0.1.3 before the upgrade, which I had to contact Aruba TAC to perform as there apparently was a bug with that too. They had to backdoor into the controllers and enter a couple of commands for the image upload to go through.

Re: ArubaOS 6.1.2.3 Problems?

Hi Peter,

We're seeing something similar in 6.1.2.1 and 6.1.2.3 with our MAC address authentication. We use our Internal DB to assign roles for our student game consoles and other non-802.1X devices. We've had issues getting Xbox 360s onto our network via MAC authentication. The Xbox will be placed correctly in the database, have the right role, and the role will not be assigned correctly. Then, a few days later, it will start to work.

We, too, currently have a case open with TAC to try and get to the bottom of it. Unfortunately, it is so random that it is hard to pin down an exact occurrence of the event for TAC.

-Mike

Re: ArubaOS 6.1.2.3 Problems?

Peter,

I also tried enabling the DNS ACLs on our backup controller and it hosed my authentication as well. I'll have to go over there by hand and disable that via the console - boo.

-Mike

Re: ArubaOS 6.1.2.3 Problems?

Just wanted to post that I am having the exact same "logon role" issue as the OP. When on 6.1.1.0, this problem never occurred. It is now occurring on 6.1.2.3.

The symptoms are the user will log in and RADIUS will note what role they are in and return the aruba-user-role value (and the number). The controller will understand this transaction and place them in the proper role. Within a matter of seconds, the user gets deauthenticated and placed back in the logon role.

Here is the relevant output of this issue occurring. I have blocked out some of the information with ****:


Nov 2 14:40:13 :522038: |authmgr| username=ajtirdil MAC=44:2a:60:f1:b9:** IP=**** Authentication result=Authentication Successful method=Web server=nps01
Nov 2 14:40:13 :522016: |authmgr| MAC=44:2a:60:f1:b9:** IP=?? Derived role '3' from Aruba VSA
Nov 2 14:40:13 :522017: |authmgr| MAC=44:2a:60:f1:b9:** IP=?? Derived role 'FacStaff' from server rules: server-group=radius, authentication=Web
Nov 2 14:40:13 :522049: |authmgr| MAC=44:2a:60:f1:b9:**,IP=**** User role updated, existing Role=logon/logon, new Role=logon/FacStaff, reason=User authenticated with auth type:1role derivation:2 l3 assigned role:None
Nov 2 14:40:13 :522050: |authmgr| MAC=44:2a:60:f1:b9:**,IP=**** User data downloaded to datapath, new Role=FacStaff/58, bw Contract=0/0,reason=Download driven by user role setting
Nov 2 14:40:13 :522008: |authmgr| User Authentication Successful: username=ajtirdil MAC=44:2a:60:f1:b9:** IP=**** role=FacStaff VLAN=197 AP=B1-113-OLD-CK.4N SSID=SU_Laptop AAA profile=AAA_Laptop auth method=Web auth server=nps01
Nov 2 14:40:13 :522038: |authmgr| username=ajtirdil MAC=44:2a:60:f1:b9:** IP=**** Authentication result=Authentication Successful method=radius-accounting server=nps01
Nov 2 14:40:16 :522005: |authmgr| MAC=44:2a:60:f1:b9:** IP=**** User entry deleted: reason=unknown
Nov 2 14:40:16 :522050: |authmgr| MAC=44:2a:60:f1:b9:**,IP=0.0.0.0 User data downloaded to datapath, new Role=logon/1, bw Contract=0/0,reason=Station resetting role




You can see within 3 seconds, the user entry gets deleted for "unknown" reason and I am put back in the logon role.
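
An added example, not part of the original posts: a Python script that scans authmgr lines in the two formats posted in this thread and flags a user entry deleted within a few seconds of a successful authentication into a non-logon role. The sample lines, their MAC/IP/username values, the 10-second window and the placeholder year are constructed assumptions.

```python
import re
from datetime import datetime

ASSUMED_YEAR = 2000      # syslog lines carry no year; placeholder used for parsing only
INITIAL_ROLE = "logon"   # pre-authentication role named in the thread
WINDOW_SECONDS = 10      # assumed threshold for "a matter of seconds"

# Matches both "Oct 21 12:02:17 authmgr ..." and "Nov 2 14:40:13 :522038: |authmgr| ..."
LINE = re.compile(r"^(\w{3}\s+\d+\s+[\d:]{8})\s+(?::\d+:\s+)?\|?authmgr\|?\s+(.*)$")
AUTH_OK = re.compile(r"User Authentication Successful: username=(\S+) MAC=(\S+) .*?\brole=(\S+)")
DELETED = re.compile(r"MAC=([^\s,]+)[ ,]IP=\S+ User entry deleted: reason=(.+)$")

def find_role_reverts(lines, window=WINDOW_SECONDS):
    """Return (mac, username, role, seconds, reason) for each user entry
    deleted within `window` seconds of a successful non-logon authentication."""
    last_auth = {}   # MAC -> (timestamp, username, role)
    findings = []
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue   # not an authmgr line in either format
        ts = datetime.strptime(f"{ASSUMED_YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S")
        body = m.group(2)
        if (a := AUTH_OK.search(body)):
            user, mac, role = a.groups()
            if role != INITIAL_ROLE:   # ignore the re-auth that lands back in logon
                last_auth[mac] = (ts, user, role)
            continue
        if (d := DELETED.search(body)) and d.group(1) in last_auth:
            auth_ts, user, role = last_auth.pop(d.group(1))
            gap = (ts - auth_ts).total_seconds()
            if 0 <= gap <= window:
                findings.append((d.group(1), user, role, int(gap), d.group(2).strip()))
    return findings

SAMPLE = [  # constructed lines modelled on the two formats posted in the thread
    "Oct 21 12:02:17 authmgr User Authentication Successful: username=user1 MAC=00:00:5e:00:53:01 IP=192.0.2.10 role=staff VLAN=125 auth method=Web",
    "Oct 21 12:02:19 authmgr MAC=00:00:5e:00:53:01 IP=192.0.2.10 User entry deleted: reason=essid change",
    "Nov 2 14:40:13 :522008: |authmgr| User Authentication Successful: username=user2 MAC=00:00:5e:00:53:02 IP=192.0.2.11 role=FacStaff VLAN=197 auth method=Web",
    "Nov 2 14:40:16 :522005: |authmgr| MAC=00:00:5e:00:53:02 IP=192.0.2.11 User entry deleted: reason=unknown",
    "Nov 2 15:00:00 :522008: |authmgr| User Authentication Successful: username=user3 MAC=00:00:5e:00:53:03 IP=192.0.2.12 role=FacStaff VLAN=197 auth method=Web",
    "Nov 2 15:45:00 :522005: |authmgr| MAC=00:00:5e:00:53:03 IP=192.0.2.12 User entry deleted: reason=essid change",
]

if __name__ == "__main__":
    for finding in find_role_reverts(SAMPLE):
        print(finding)
```
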

Re: ArubaOS 6.1.2.3 Problems?


Just wanted to post that I am having the exact same "logon role" issue as the OP. When on 6.1.1.0, this problem never occurred. It is now occurring on 6.1.2.3.

The symptoms are the user will login and radius will note what role they are in and return the aruba-user-role value (and the number). The controller will understand this transaction and place them in the proper role. Within a matter of seconds, the user gets deauthenticated and placed back in the logon role.

Here is the relevant output of this issue occurring. I have blocked out some of the information with ****:



You can see within 3 seconds, the user entry gets deleted for "unknown" reason and I am put back in the logon role.




That is fixed in 6.1.2.4. Please upgrade.


Colin Joseph
Aruba Customer Engineering
