ArubaOS and Controllers

Occasional Contributor II
Posts: 15
Registered: ‎03-02-2011

RAP issue with 802.1X auth?

So here is the deal:

Our controller is at our HQ in Dallas. We've deployed some APs to our NY office. We've put them in bridged mode on their own SSID. If we do WPA2-PSK it works fine. They get an IP address from our NY subnet and work fine. However, if we do WPA2-AES and have them authenticate back to the Radius server in Dallas, they never get an IP address. They just get a 169.254 address. I've looked at the Radius logs and don't see anything.

We do have firewalls between the 2 sites, but we've allowed full access from the NY office to the controller and the radius server.

I see the following on the controller:

Mar 2 09:22:14 station-down * 00:21:6a:02:6f:9a 00:24:6c:b0:c5:f8 - -
Mar 2 09:22:15 station-up * 00:21:6a:02:6f:9a 00:24:6c:b0:c5:f0 - - wpa2 aes
Mar 2 09:22:15 eap-id-req <- 00:21:6a:02:6f:9a 00:24:6c:b0:c5:f0 1 5
Mar 2 09:22:15 eap-start -> 00:21:6a:02:6f:9a 00:24:6c:b0:c5:f0 - -
Mar 2 09:22:15 eap-id-req <- 00:21:6a:02:6f:9a 00:24:6c:b0:c5:f0 1 5
Mar 2 09:22:44 eap-id-req <- 00:21:6a:02:6f:9a 00:24:6c:b0:c5:f0 1 5



Mar 2 09:17:44 :132030: |authmgr| Dropping EAPOL packet sent by Station 00:21:6a:02:6f:9a 00:24:6c:b0:c5:f8
Mar 2 09:22:14 :132197: |authmgr| Maximum number of retries was attempted for station 00:21:6a:02:6f:9a 00:24:6c:b0:c5:f8, deauthenticating the station
Guru Elite
Posts: 20,422
Registered: ‎03-29-2007

Re: RAP issue with 802.1X auth?

What is the latency between the access point and the controller? Some clients do not work with more than 100ms latency.....


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor II
Posts: 15
Registered: ‎03-02-2011

Re: RAP issue with 802.1X auth?

Average is about 60-65ms. I just realized CPSec is not enabled. Is that required? I want them to utilize local resources for Internet, file serving, print, etc. That would be bridged, correct? Not split tunnel?
Guru Elite
Posts: 20,422
Registered: ‎03-29-2007

Re: RAP issue with 802.1X auth?

If they get a 169 address, do they show up in the user table? If they show up, find out the role they end up in and do a "show rights " on the command line and see if DHCP is being allowed in that role.


Colin Joseph
Aruba Customer Engineering


Occasional Contributor II
Posts: 15
Registered: ‎03-02-2011

Re: RAP issue with 802.1X auth?

0.0.0.0 00:21:6a:02:6f:9a logon 00:00:01 Associated(Remote) Narnia-NYC/00:24:6c:b0:c5:f0/g Narnia-NYC-aaa_prof bridge


Derived Role = 'logon'
Up BW:No Limit Down BW:No Limit
L2TP Pool = default-l2tp-pool
PPTP Pool = default-pptp-pool
Periodic reauthentication: Disabled
ACL Number = 1/0
Max Sessions = 65535

Captive Portal profile = default

access-list List
----------------
Position Name Location
-------- ---- --------
1 control
2 captiveportal
3 vpnlogon

control
-------
Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan
-------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ -------
1 user any udp 68 deny Low
2 any any svc-dns permit Low
3 any any svc-papi permit Low
4 any any svc-adp permit Low
5 any any svc-tftp permit Low
6 any any svc-dhcp permit Low
7 any any svc-natt permit Low
8 any any svc-sec-papi permit Low
captiveportal
-------------
Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan
-------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ -------
1 user mswitch svc-https dst-nat 8081 Low
2 user any svc-http dst-nat 8080 Low
3 user any svc-https dst-nat 8081 Low
vpnlogon
--------
Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan
-------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ -------
1 any any svc-ike permit Low
2 any any svc-esp permit Low
3 any any svc-l2tp permit Low
4 any any svc-pptp permit Low
5 any any svc-gre permit Low

Expired Policies (due to time constraints) = 0
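A scripted version of the check Colin asked for, added here as an example and not part of the original thread: it parses the "control" policy section of the `show rights` output posted above and evaluates a client's DHCP Discover (source "user", UDP destination port 67) against the rules in order, the way a first-match ACL does. The sample text is copied from the post; the mapping of `svc-dhcp` to UDP 67-68 is an assumption about the built-in service alias, and the rule regex only covers the column shapes that appear in this output.

```python
import re

# Constructed sample: the "control" policy from the `show rights` output in
# the post above (trailing columns are empty there, so only Queue follows Action).
SHOW_RIGHTS_CONTROL = """\
control
-------
Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan
-------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ -------
1 user any udp 68 deny Low
2 any any svc-dns permit Low
3 any any svc-papi permit Low
4 any any svc-adp permit Low
5 any any svc-tftp permit Low
6 any any svc-dhcp permit Low
7 any any svc-natt permit Low
8 any any svc-sec-papi permit Low
"""

# One ACL row: priority, source, destination, service (alias or proto+port[s]), action.
RULE_RE = re.compile(
    r"^(?P<prio>\d+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+"
    r"(?P<service>svc-\S+|(?:tcp|udp)\s+\d+(?:\s+\d+)?|any)\s+"
    r"(?P<action>permit|deny|dst-nat(?:\s+\d+)?|src-nat)\b"
)


def parse_rules(text):
    """Return the rule rows of a policy listing as dicts, in listed order."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules.append({k: " ".join(v.split()) for k, v in m.groupdict().items()})
    return rules


def dst_ports(service):
    """UDP destination ports a service token covers; None if not UDP-related."""
    if service == "any":
        return range(0, 65536)
    if service == "svc-dhcp":  # assumed built-in alias for "udp 67 68"
        return range(67, 69)
    parts = service.split()
    if parts[0] == "udp":
        lo = int(parts[1])
        hi = int(parts[2]) if len(parts) > 2 else lo
        return range(lo, hi + 1)
    return None


def dhcp_disposition(rules):
    """First-match result for a client DHCP Discover: user -> any, UDP dst 67.

    Returns (action, priority) of the matching rule, or ('implicit-deny', None)
    when no rule matches, since an ArubaOS policy ends in an implicit deny.
    """
    for r in rules:
        if r["src"] not in ("user", "any"):
            continue
        ports = dst_ports(r["service"])
        if ports is not None and 67 in ports:
            return r["action"], int(r["prio"])
    return "implicit-deny", None


if __name__ == "__main__":
    rules = parse_rules(SHOW_RIGHTS_CONTROL)
    action, prio = dhcp_disposition(rules)
    print(f"DHCP Discover from a 'logon' user: {action} (rule {prio})")
```

On the posted output this returns `permit` at rule 6: rule 1 only blocks traffic *to* UDP 68 (a client answering as a DHCP server), not the client's own request to port 67, so the role's ACL is not what is starving the client of an address, which is why the thread moves on to the VLAN.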
Guru Elite
Posts: 20,422
Registered: ‎03-29-2007

Re: RAP issue with 802.1X auth?

type show user-table verbose and send the line with that user.


Colin Joseph
Aruba Customer Engineering


Occasional Contributor II
Posts: 15
Registered: ‎03-02-2011

Re: RAP issue with 802.1X auth?

IP MAC Name Role Age(d:h:m) Auth VPN link AP name Roaming Essid/Bssid/Phy Profile Forward mode Server Vlan Bwm

0.0.0.0 00:21:6a:02:6f:9a logon 00:00:01 Associated(Remote) Narnia-NYC/00:24:6c:b0:c1:90/g Narnia-NYC-aaa_prof bridge 167 (167)
Guru Elite
Posts: 20,422
Registered: ‎03-29-2007

Re: RAP issue with 802.1X auth?

Is VLAN 167 where you want that user? That is where it is placing him. Is there DHCP on VLAN 167?


Colin Joseph
Aruba Customer Engineering


Occasional Contributor II
Posts: 15
Registered: ‎03-02-2011

Re: RAP issue with 802.1X auth?

Yes to all.
Guru Elite
Posts: 20,422
Registered: ‎03-29-2007

Re: RAP issue with 802.1X auth?

Okay. When bridging traffic, VLANs are a little different. If you have users getting placed on VLAN 167, that RAP expects to be placed on a trunk port and it is tagging all of the user traffic on that port with VLAN 167. What you need to do is edit that AP-Group, expand AP system profile and edit the Native VLAN for that System Profile and make it 167 so that the AP does NOT send tagged packets out of that port.


Colin Joseph
Aruba Customer Engineering
