ArubaOS and Controllers

Reply
Occasional Contributor II
Posts: 35
Registered: ‎08-03-2009

Authentication problem

When i replace the AC 3400 with 2 AC 3200,and i copy the 3400's default.cfg to AC 3200.
When the client reconnected to the network,it just can't pass the authentication.
When i enter the commands test aaa-server mschap xxxx xxxx xxxx, it turned out aaa server timeout.After that i reenter the radius's key it turned out Bad or unknown response from AAA server.Was my key wrong?
But the 3400 can pass the test,So what's wrong with my situation.
Any help or suggestion will be appreciated.
Guru Elite
Posts: 20,566
Registered: ‎03-29-2007

Re: Authentication problem

You need to add a radius client on the radius server for the ip address of the new controller. Even though the new controller has the same configuration, the authentication request comes from a different ip address, and you have to add the new controller as a radius client, with the same preshared key in the radius server.


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor II
Posts: 35
Registered: ‎08-03-2009

Re: Authentication problem

The 2 AC 3200 is running the vrrp,and the vrrp's virtual ip address is 3400's ip address, the 3400 is replaced by the 2 AC 3200.
Guru Elite
Posts: 20,566
Registered: ‎03-29-2007

Re: Authentication problem

VRRP is only used for incoming, NOT outgoing traffic. The outgoing radius traffic from a controller is still the source address of the controller, NOT the VRRP.


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor II
Posts: 35
Registered: ‎08-03-2009

Re: Authentication problem

yeah, i've considered that so i cancled the vrrp's configuration.
And i changed the virtual address to the interface vlan,however it still can't pass the test
by the way, if i want the 2 ac 3200 run the redundance how to handle the radius authentication?
Thanks for your prompt reply
Guru Elite
Posts: 20,566
Registered: ‎03-29-2007

Re: Authentication problem


yeah, i've considered that so i cancled the vrrp's configuration.
And i changed the virtual address to the interface vlan,however it still can't pass the test
by the way, if i want the 2 ac 3200 run the redundance how to handle the radius authentication?
Thanks for your prompt reply




You can still have the VRRP. That is not the problem.

When a controller sends a request to the radius server, the source IP is not the VRRP. It is normally the management interface of the controller. You need to enter both management interface ip addresses into the radius server, as radius clients for this to work. When your test times out, go to the event viewer on the radius server to see what ip address the request came from. Enter that ip address as a radius client in the radius server, both with the same shared key. Bad or unknown response means that your controller exists as a radius client, but the shared key is wrong.


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor II
Posts: 35
Registered: ‎08-03-2009

Re: Authentication problem

Thanks for your reply.That's very helpful to me.
Search Airheads
Showing results for 
Search instead for 
Did you mean: