ArubaOS and Controllers

Occasional Contributor II

RAP issue with 802.1X auth?

So here is the deal:

Our controller is at our HQ in Dallas. We've deployed some APs to our NY office. We've put them in bridged mode on their own SSID. If we do WPA2-PSK it works fine. They get an IP address from our NY subnet and work fine. However, if we do WPA2-AES and have them authenticate back to the Radius server in Dallas, they never get an IP address. They just get a 169.254 address. I've looked at the Radius logs and don't see anything.

We do have firewalls between the 2 sites, but we've allowed full access from the NY office to the controller and the radius server.

I see the following on the controller:

Mar 2 09:22:14 station-down * 00:21:6a:02:6f:9a 00:24:6c:b0:c5:f8 - -
Mar 2 09:22:15 station-up * 00:21:6a:02:6f:9a 00:24:6c:b0:c5:f0 - - wpa2 aes
Mar 2 09:22:15 eap-id-req <- 00:21:6a:02:6f:9a 00:24:6c:b0:c5:f0 1 5
Mar 2 09:22:15 eap-start -> 00:21:6a:02:6f:9a 00:24:6c:b0:c5:f0 - -
Mar 2 09:22:15 eap-id-req <- 00:21:6a:02:6f:9a 00:24:6c:b0:c5:f0 1 5
Mar 2 09:22:44 eap-id-req <- 00:21:6a:02:6f:9a 00:24:6c:b0:c5:f0 1 5

Mar 2 09:17:44 :132030: |authmgr| Dropping EAPOL packet sent by Station 00:21:6a:02:6f:9a 00:24:6c:b0:c5:f8
Mar 2 09:22:14 :132197: |authmgr| Maximum number of retries was attempted for station 00:21:6a:02:6f:9a 00:24:6c:b0:c5:f8, deauthenticating the station
Guru Elite

Re: RAP issue with 802.1X auth?

What is the latency between the access point and the controller? Some clients do not work with more than 100ms latency.....

********************************************

Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.
******************
Occasional Contributor II

Re: RAP issue with 802.1X auth?

Average is about 60-65ms. I just realized CPSec is not enabled. Is that required? I want them to utilize local resources for Internet, file serving, print, etc. That would be bridged, correct? Not split tunnel?
Guru Elite

Re: RAP issue with 802.1X auth?

If they get a 169 address, do they show up in the user table? If they show up, find out the role they end up in, do a "show rights" for that role on the command line, and see if DHCP is being allowed in that role.

Occasional Contributor II

Re: RAP issue with 802.1X auth?

0.0.0.0 00:21:6a:02:6f:9a logon 00:00:01 Associated(Remote) Narnia-NYC/00:24:6c:b0:c5:f0/g Narnia-NYC-aaa_prof bridge

Derived Role = 'logon'
Up BW:No Limit Down BW:No Limit
L2TP Pool = default-l2tp-pool
PPTP Pool = default-pptp-pool
Periodic reauthentication: Disabled
ACL Number = 1/0
Max Sessions = 65535

Captive Portal profile = default

access-list List
----------------
Position Name Location
-------- ---- --------
1 control
2 captiveportal
3 vpnlogon

control
-------
Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan
-------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ -------
1 user any udp 68 deny Low
2 any any svc-dns permit Low
3 any any svc-papi permit Low
4 any any svc-adp permit Low
5 any any svc-tftp permit Low
6 any any svc-dhcp permit Low
7 any any svc-natt permit Low
8 any any svc-sec-papi permit Low
captiveportal
-------------
Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan
-------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ -------
1 user mswitch svc-https dst-nat 8081 Low
2 user any svc-http dst-nat 8080 Low
3 user any svc-https dst-nat 8081 Low
vpnlogon
--------
Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan
-------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ -------
1 any any svc-ike permit Low
2 any any svc-esp permit Low
3 any any svc-l2tp permit Low
4 any any svc-pptp permit Low
5 any any svc-gre permit Low

Expired Policies (due to time constraints) = 0
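The check suggested earlier in the thread (find the station's role, run "show rights" for it, and see whether DHCP is allowed) can be scripted. The following is an added Python example, not code from this thread or from Aruba: it parses the "control" policy exactly as rendered above and evaluates a DHCP client packet against it the way ArubaOS role ACLs are applied, top down with the first match winning. Assumptions: the built-in svc-dhcp alias covers UDP 67 and 68, and a bare "udp 68" service matches on destination port 68.

```python
import re

# Constructed sample: the "control" policy from the thread's "show rights logon"
# output, with the column whitespace collapsed the way the forum rendered it.
CONTROL_ACL = """\
1 user any udp 68 deny Low
2 any any svc-dns permit Low
3 any any svc-papi permit Low
4 any any svc-adp permit Low
5 any any svc-tftp permit Low
6 any any svc-dhcp permit Low
7 any any svc-natt permit Low
8 any any svc-sec-papi permit Low
"""

# Assumption: ArubaOS's built-in svc-dhcp alias is UDP 67 and 68.
SERVICE_PORTS = {"svc-dhcp": ("udp", {67, 68})}

# priority, source, destination, service ("svc-x" or "udp 68"), action, queue
RULE_RE = re.compile(
    r"^(\d+)\s+(\S+)\s+(\S+)\s+(.+?)\s+(permit|deny|dst-nat(?:\s+\d+)?)\s+\S+$")


def parse_rules(acl_text):
    rules = []
    for line in acl_text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:  # header and separator lines do not match and are skipped
            rules.append({"pri": int(m[1]), "src": m[2], "dst": m[3],
                          "svc": m[4], "action": m[5].split()[0]})
    return rules


def service_matches(svc, proto, dport):
    if svc == "any":
        return True
    if svc in SERVICE_PORTS:
        p, ports = SERVICE_PORTS[svc]
        return p == proto and dport in ports
    parts = svc.split()  # explicit "udp 68" style: protocol + destination port
    return len(parts) == 2 and parts[0] == proto and parts[1] == str(dport)


def first_match(rules, src, proto, dport):
    """ArubaOS evaluates a role's ACLs top down; the first matching rule wins."""
    for r in rules:
        if r["src"] in ("any", src) and service_matches(r["svc"], proto, dport):
            return r
    return None


def dhcp_client_allowed(acl_text):
    """Is a DHCP DISCOVER from the station (UDP to port 67) permitted? -> (bool, rule)."""
    r = first_match(parse_rules(acl_text), "user", "udp", 67)
    return (r is not None and r["action"] == "permit", r["pri"] if r else None)
```

For the logon role shown above this returns (True, 6): rule 6 permits the client's DHCP request, and rule 1 only stops the station from answering as a DHCP server (UDP to port 68), so the role ACL is not what is withholding the address.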
Guru Elite

Re: RAP issue with 802.1X auth?

Type "show user-table verbose" and send the line with that user.

Occasional Contributor II

Re: RAP issue with 802.1X auth?

IP MAC Name Role Age(d:h:m) Auth VPN link AP name Roaming Essid/Bssid/Phy Profile Forward mode Server Vlan Bwm

0.0.0.0 00:21:6a:02:6f:9a logon 00:00:01 Associated(Remote) Narnia-NYC/00:24:6c:b0:c1:90/g Narnia-NYC-aaa_prof bridge 167 (167)
Guru Elite

Re: RAP issue with 802.1X auth?

Is VLAN 167 where you want that user? That is where it is placing him. Is there DHCP on VLAN 167?

Occasional Contributor II

Re: RAP issue with 802.1X auth?

Yes to all.
Guru Elite

Re: RAP issue with 802.1X auth?

Okay. When bridging traffic, VLANs are a little different. If you have users getting placed on VLAN 167, that RAP expects to be placed on a trunk port and it is tagging all of the user traffic on that port with VLAN 167. What you need to do is edit that AP-Group, expand the AP system profile, and edit the Native VLAN for that System Profile to make it 167 so that the AP does NOT send tagged packets out of that port.
