ArubaOS and Controllers

Occasional Contributor II
Posts: 41
Registered: ‎04-01-2009

RAP-2wg with 800 series controller problem

I must be missing something simple, but I am trying to provision a RAP-2wg with my 800 series controller (duh) running 5.0.2.0, but for some reason it won't reconnect to the controller after provisioning the AP. I have the DHCP pool set for IPSEC and I have the IKE shared secret set the same. I statically set the controller IP in the AP provisioning profile.

I can ping the AP's IP address from the controller so I know it can communicate with the controller.

I do have a debug log for the AP that outputs the following, not really sure what to make of it.

Dec 31 16:10:27 dnsmasq: read /etc/hosts - 1 addresses
Dec 31 16:10:27 dnsmasq: failed to load names from /etc/ld_ppp_hosts: No such file or directory
Dec 31 16:10:27 dnsmasq: read /etc/ld_eth_hosts - 1 addresses
Dec 31 16:10:32 dnsmasq: read /etc/hosts - 1 addresses
Dec 31 16:10:32 dnsmasq: failed to load names from /etc/ld_ppp_hosts: No such file or directory
Dec 31 16:10:32 dnsmasq: read /etc/ld_eth_hosts - 1 addresses
Dec 31 16:10:37 dnsmasq: read /etc/hosts - 1 addresses
Dec 31 16:10:37 dnsmasq: failed to load names from /etc/ld_ppp_hosts: No such file or directory
Dec 31 16:10:37 dnsmasq: read /etc/ld_eth_hosts - 1 addresses

I also attached screen shots from the config of the RAP and the IPSEC.

Thoughts? Please help!
Occasional Contributor II
Posts: 41
Registered: ‎04-01-2009

answered my own ?

Ok, after spending a bit more time digging into what I suspected was an auth error, I was able to resolve my issue. I knew my RAPs at work use certs and are 3400 series controllers. Unfortunately my 800 series doesn't have the ability to use certs; I believe this is a physical module I need or at least a license (someone from Aruba please feel free to correct me). However, I had thought I had used username/password combos in the past and didn't remember having to do much with them outside setting up the IKE shared password and generating a user/pass combo when provisioning the RAP.

So I ran the following debugs:

(Megatron) (config) #logging level debugging security process crypto subcat ike
(Megatron) (config) #logging level debugging security process crypto subcat vpn

Which gave me the following output:

(Megatron) #show log errorlog 30

Nov 24 23:06:25 |ike| IKE XAuth failed for 0u_1290660149282
Nov 24 23:06:30 |localdb| User 0u_1290660149282 was not found in the database
Nov 24 23:06:30 |localdb| User 0u_1290660149282 Failed Authentication
Nov 24 23:06:30 |ike| IKE XAuth failed for 0u_1290660149282
Nov 24 23:06:35 |localdb| User 0u_1290660149282 was not found in the database
Nov 24 23:06:35 |localdb| User 0u_1290660149282 Failed Authentication
Nov 24 23:06:35 |ike| IKE XAuth failed for 0u_1290660149282

This confirmed my suspicion that the RAP wasn't getting authenticated. Also I don't think I actually needed the crypto debugs to clearly see the not found in database and failed authentication errors.

Next I created an account for my RAP in the controller's localDB and when I provisioned the RAP I used the same username.

WOW then it worked! AP connected in RAP mode!
Now I just need to set it up to use my internet route-able address and test it outside my network. I'll have to go back and do some testing with my 3400 at work to see if this works the same because I don't recall creating anything in the localDB.
Additionally the 5.0 User Guide doesn't explicitly say anything about having to add anything to the internalDB or copying the randomly generated username and password into the localDB.

Hopefully this helps others! If not, at least it helped me.... :)
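
A triage sketch for the errorlog output in the post above, added here as an example and not part of the original thread: it groups `|ike|` and `|localdb|` events by XAuth username and flags usernames the local DB does not know. The sample lines are constructed in the post's log format, `rap-lab-01` is a made-up username, and the diagnosis given when no "not found" line is present is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the `show log errorlog` output quoted above.
SAMPLE_LOG = """\
Nov 24 23:06:25 |ike| IKE XAuth failed for 0u_1290660149282
Nov 24 23:06:30 |localdb| User 0u_1290660149282 was not found in the database
Nov 24 23:06:30 |localdb| User 0u_1290660149282 Failed Authentication
Nov 24 23:06:30 |ike| IKE XAuth failed for 0u_1290660149282
Nov 24 23:07:02 |localdb| User rap-lab-01 Failed Authentication
Nov 24 23:07:02 |ike| IKE XAuth failed for rap-lab-01
"""

# "<Mon DD HH:MM:SS> |process| message"
LINE = re.compile(r"^(?P<ts>\w{3}\s+\d+\s+[\d:]{8})\s+\|(?P<proc>\w+)\|\s+(?P<msg>.*)$")
PATTERNS = {
    "xauth_failed": re.compile(r"^IKE XAuth failed for (?P<user>\S+)$"),
    "not_found": re.compile(r"^User (?P<user>\S+) was not found in the database$"),
    "auth_failed": re.compile(r"^User (?P<user>\S+) Failed Authentication$"),
}

def triage(log_text):
    """Group errorlog events by XAuth username and attach a likely cause."""
    users = defaultdict(lambda: {"xauth_failed": 0, "not_found": 0,
                                 "auth_failed": 0, "first": None, "last": None})
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # unrelated or malformed line
        for kind, pattern in PATTERNS.items():
            hit = pattern.match(m["msg"])
            if hit:
                rec = users[hit["user"]]
                rec[kind] += 1
                rec["first"] = rec["first"] or m["ts"]
                rec["last"] = m["ts"]
                break
    for rec in users.values():
        if rec["not_found"]:
            rec["diagnosis"] = "no local DB account for this XAuth username"
        elif rec["auth_failed"]:
            # Assumption: the account exists and the password did not match.
            rec["diagnosis"] = "account exists, credentials rejected"
        else:
            rec["diagnosis"] = "XAuth failure with no localdb event logged"
    return dict(users)

if __name__ == "__main__":
    for user, rec in triage(SAMPLE_LOG).items():
        print(f"{user}: {rec['xauth_failed']} XAuth failures, {rec['diagnosis']}")
```
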
Guru Elite
Posts: 20,002
Registered: ‎03-29-2007

Re: RAP-2wg with 800 series controller problem

When provisioning any RAPs to legacy (200, 800, 2400, sup-1 and sup2) controllers, you must supply an IKE preshared Key, username and password for connectivity.

Zero-Touch provisioning (RAP Whitelist) is only available on 600-series, 3000-series and M3 controllers.
Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Validated Reference Design Guides : http://community.arubanetworks.com/t5/Validated-Reference-Design/tkb-p/Aruba-VRDs
Regular Contributor I
Posts: 185
Registered: ‎04-27-2009

Re: RAP-2wg with 800 series controller problem



> Additionally the 5.0 User Guide doesn't explicitly say anything about having to add anything to the internalDB or copying the randomly generated username and password into the localDB.
>
> Hopefully this helps others! If not, at least it helped me.... :)

There's no need to manually copy the randomly generated user/pw to the localDB; it gets auto-copied/generated when doing the provisioning in the "AP-installation" area.

Well, you "can" use your own user/pw in the internal_DB, but I think people wanted to have a sort of auto-generating and so Aruba implemented this in the provisioning area.

regards