ArubaOS and Controllers

Reply
Occasional Contributor II
Posts: 77
Registered: ‎07-10-2009

Switch port 802.1x authentication on Aruba APs

We enabled dynamic VLANs on our switches using MAC based radius authentication.
When we applied it on the switch ports where our aruba APs were connected we experienced different kind of problems.
On one hand the APs using the radius authenticated ports accepted wireless clients but none of them had connectivity (no IP). On the controller this APs were shown as UP but without any client.
On the other hand the APs that were not in the radius authenticated switch ports had a erratic behavior. For instance on our nokia e52 phones used to make internal sip calls. There was some handsets that could not initiate calls. Others that correctly initiate the call but then only had voice on one direction.

Finally when we realized what was the problem, we disabled the radius on the aruba AP ports and reboot the controller. After that all went well again.

Does anybody had a similar experience?
Guru Elite
Posts: 21,269
Registered: ‎03-29-2007

Re: Switch port 802.1x authentication on Aruba APs

It sounds like you have multiple issues, even without the dynamic ports. You might want to open a support case to get to the bottom of this, if it is urgent. Otherwise, you should type "show log system 50" on the commandline to see if the access points are reporting any erratic behavior. You should also type "show ap debug counters" to see if the access points are bootstrapping all the time. Make sure that the ports negotiate to the correct duplex and speed, as well, on the switches.


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor II
Posts: 77
Registered: ‎07-10-2009

Re: Switch port 802.1x authentication on Aruba APs

Thanks for the help, at the moment the problem is not happening because we disabled the MAC authentication on that ports. But if the problem arises I will use that useful information you shared.
Thanks alot.
Occasional Contributor II
Posts: 77
Registered: ‎07-10-2009

Re: Switch port 802.1x authentication on Aruba APs

This is suspicious,

Show ap debug counters resets when you reboot the controller?
Because i have an AP that has 161 configs sent.

AP Counters
-----------
Name Group IP Address Configs Sent Configs Acked AP Boots Sent AP Boots Acked Bootstraps Reboots
---- ----- ---------- ------------ ------------- ------------- -------------- ---------- -------
AP01-ACB default 10.50.50.1 14 14 0 0 1 0
AP02-P0-C50 monitors 10.50.50.2 2 2 0 0 1 0
AP03-P0-CA default 10.50.50.3 8 8 0 0 1 0
AP04-P0-L12 default 10.50.50.4 2 2 0 0 1 0
AP05-P0-OF27 default 10.50.50.5 4 4 0 0 1 0
AP06-P0-OF14 default 10.50.50.6 2 2 0 0 1 1
AP07-P1-OF22 default 10.50.50.7 2 2 0 0 1 0
AP10-P2-OF27 default 10.50.50.10 3 3 0 0 1 1
AP12-Linac default 10.50.50.12 2 2 0 0 1 0
AP13-PS-G3 monitors 10.50.50.13 2 2 0 0 1 0
AP16-PS-G2 default 10.50.50.16 8 8 0 0 1 0
AP17-T0-T15 default 10.50.50.17 2 2 0 0 1 1
AP18-T0-T13 default 10.50.50.18 2 2 0 0 1 0
AP19-T0-T11 default 10.50.50.19 2 2 0 0 1 0
AP20-T0-T6 default 10.50.50.20 2 2 0 0 1 1
AP22-PS-T7 default 10.50.50.22 2 2 0 0 1 1
AP23-PS-T7 default 10.50.50.23 2 2 0 0 1 0
AP24-PS-C7 default 10.50.50.24 10 10 0 0 1 0
AP25 default 10.50.50.25 6 6 0 0 1 1
AP26-P0-COL06SA default 10.50.50.26 4 4 0 0 1 1
AP27-P0-COL48SA default 10.50.50.27 3 3 0 0 1 0
AP28-P1-COL57EA default 10.50.50.28 2 2 0 0 1 0
AP29-P1-COL42EA default 10.50.50.29 2 2 0 0 1 1
AP30-P1-COL28EA default 10.50.50.30 2 2 0 0 1 1
AP31-P1-COL18EA default 10.50.50.31 2 2 0 0 1 0
AP32-W0-COL18 default 10.50.50.32 2 2 0 0 1 1
AP33-W0-COL8 default 10.50.50.33 3 3 0 0 1 0
AP35 default 10.50.50.35 2 2 0 0 1 1
AP37 default 10.50.50.37 2 2 0 0 1 1
AP40 default 10.50.50.40 6 6 0 0 1 1
AP41 default 10.50.50.41 4 4 0 0 1 1
AP47 default 10.50.50.47 9 9 0 0 1 1


AP Counters
-----------
Name Group IP Address Configs Sent Configs Acked AP Boots Sent AP Boots Acked Bootstraps Reboots
---- ----- ---------- ------------ ------------- ------------- -------------- ---------- -------
AP48 default 10.50.50.48 7 7 0 0 1 0
AP49 default 10.50.50.49 8 8 0 0 1 0
AP50 default 10.50.50.50 5 5 0 0 1 1
AP51 default 10.50.50.51 8 8 0 0 1 1
AP52 default 10.50.50.52 6 6 0 0 1 0
AP53 default 10.50.50.53 5 5 0 0 1 0
AP59 default 10.50.50.59 161 161 0 0 1 0
AP60 default 10.50.50.60 4 4 0 0 1 1
AP61 default 10.50.50.61 3 3 0 0 1 1
AP62 default 10.50.50.62 3 3 0 0 1 1
AP63 default 10.50.50.63 5 5 0 0 1 0
AP64 default 10.50.50.64 7 7 0 0 1 0
AP65 default 10.50.50.65 5 5 0 0 1 0
Total APs :45

But the show log system 50 is very short and only talks about the firt 5 minutes after the reset.
Sep 13 12:36:54 :311002: |AP AP20-T0-T6@10.50.50.20 sapd| Rebooting: SAPD: Unable to contact switch. Called by sapd_hello_cb:4
Sep 13 12:36:54 :303086: |AP AP20-T0-T6@10.50.50.20 nanny| Process Manager (nanny) shutting down - AP will reboot!
Sep 13 12:37:00 :311002: |AP AP62@10.50.50.62 sapd| Rebooting: SAPD: Unable to contact switch. Called by sapd_hello_cb:4
Sep 13 12:37:00 :303086: |AP AP62@10.50.50.62 nanny| Process Manager (nanny) shutting down - AP will reboot!
Sep 13 12:37:00 :311002: |AP AP37@10.50.50.37 sapd| Rebooting: SAPD: Unable to contact switch. Called by sapd_hello_cb:4
Sep 13 12:37:00 :303086: |AP AP37@10.50.50.37 nanny| Process Manager (nanny) shutting down - AP will reboot!
Sep 13 12:37:00 :311002: |AP AP61@10.50.50.61 sapd| Rebooting: SAPD: Unable to contact switch. Called by sapd_hello_cb:4
Sep 13 12:37:00 :303086: |AP AP61@10.50.50.61 nanny| Process Manager (nanny) shutting down - AP will reboot!
Sep 13 12:37:01 :311002: |AP AP47@10.50.50.47 sapd| Rebooting: SAPD: Unable to contact switch. Called by sapd_hello_cb:4
Sep 13 12:37:01 :303086: |AP AP47@10.50.50.47 nanny| Process Manager (nanny) shutting down - AP will reboot!
Sep 13 12:37:01 :311002: |AP AP17-T0-T15@10.50.50.17 sapd| Rebooting: SAPD: Unable to contact switch. Called by sapd_hello_cb:4
Sep 13 12:37:01 :311002: |AP AP40@10.50.50.40 sapd| Rebooting: SAPD: Unable to contact switch. Called by sapd_hello_cb:4
Sep 13 12:37:01 :303086: |AP AP40@10.50.50.40 nanny| Process Manager (nanny) shutting down - AP will reboot!
Sep 13 12:37:01 :303086: |AP AP17-T0-T15@10.50.50.17 nanny| Process Manager (nanny) shutting down - AP will reboot!
Sep 13 12:37:03 :311002: |AP AP51@10.50.50.51 sapd| Rebooting: SAPD: Unable to contact switch. Called by sapd_hello_cb:4
Sep 13 12:37:03 :303086: |AP AP51@10.50.50.51 nanny| Process Manager (nanny) shutting down - AP will reboot!
Sep 13 12:37:03 :311002: |AP AP30-P1-COL28EA@10.50.50.30 sapd| Rebooting: SAPD: Unable to contact switch. Called by sapd_hello_cb:4
Sep 13 12:37:04 :303086: |AP AP30-P1-COL28EA@10.50.50.30 nanny| Process Manager (nanny) shutting down - AP will reboot!
Sep 13 12:37:06 :311002: |AP AP26-P0-COL06SA@10.50.50.26 sapd| Rebooting: SAPD: Unable to contact switch. Called by sapd_hello_cb:4
Sep 13 12:37:06 :303086: |AP AP26-P0-COL06SA@10.50.50.26 nanny| Process Manager (nanny) shutting down - AP will reboot!
Sep 13 12:37:07 :311002: |AP AP06-P0-OF14@10.50.50.6 sapd| Rebooting: SAPD: Unable to contact switch. Called by sapd_hello_cb:4
Sep 13 12:37:08 :303086: |AP AP06-P0-OF14@10.50.50.6 nanny| Process Manager (nanny) shutting down - AP will reboot!
Sep 13 12:37:11 :311002: |AP AP25@10.50.50.25 sapd| Rebooting: SAPD: Unable to contact switch. Called by sapd_hello_cb:4
Sep 13 12:37:11 :303086: |AP AP25@10.50.50.25 nanny| Process Manager (nanny) shutting down - AP will reboot!
Sep 13 12:37:11 :311002: |AP AP22-PS-T7@10.50.50.22 sapd| Rebooting: SAPD: Unable to contact switch. Called by sapd_hello_cb:4
Sep 13 12:37:11 :303086: |AP AP22-PS-T7@10.50.50.22 nanny| Process Manager (nanny) shutting down - AP will reboot!
Sep 13 12:37:12 :311002: |AP AP60@10.50.50.60 sapd| Rebooting: SAPD: Unable to contact switch. Called by sapd_hello_cb:4
Sep 13 12:37:12 :303086: |AP AP60@10.50.50.60 nanny| Process Manager (nanny) shutting down - AP will reboot!
Sep 13 12:37:13 :311002: |AP AP41@10.50.50.41 sapd| Rebooting: SAPD: Unable to contact switch. Called by sapd_hello_cb:4
Sep 13 12:37:13 :303086: |AP AP41@10.50.50.41 nanny| Process Manager (nanny) shutting down - AP will reboot!
Sep 13 12:37:24 :303022: |AP AP50@10.50.50.50 nanny| Reboot Reason: AP rebooted Tue Sep 13 12:36:45 CET 2011: SAPD: Unable to contact switch. Called by sapd_hello_cb:4
Sep 13 12:37:42 :303022: |AP AP51@10.50.50.51 nanny| Reboot Reason: AP rebooted Tue Sep 13 12:37:02 CET 2011: SAPD: Unable to contact switch. Called by sapd_hello_cb:4
Sep 13 12:37:42 :303022: |AP AP47@10.50.50.47 nanny| Reboot Reason: AP rebooted Tue Sep 13 12:37:00 CET 2011: SAPD: Unable to contact switch. Called by sapd_hello_cb:4
Sep 13 12:37:55 :303022: |AP AP62@10.50.50.62 nanny| Reboot Reason: AP rebooted Tue Sep 13 12:36:57 CET 2011: SAPD: Unable to contact switch. Called by sapd_hello_cb:4
Sep 13 12:37:56 :303022: |AP AP61@10.50.50.61 nanny| Reboot Reason: AP rebooted Tue Sep 13 12:37:00 CET 2011: SAPD: Unable to contact switch. Called by sapd_hello_cb:4
Sep 13 12:37:58 :303022: |AP AP40@10.50.50.40 nanny| Reboot Reason: AP rebooted Tue Sep 13 12:37:01 CET 2011: SAPD: Unable to contact switch. Called by sapd_hello_cb:4
Sep 13 12:38:07 :303022: |AP AP60@10.50.50.60 nanny| Reboot Reason: AP rebooted Tue Sep 13 12:37:11 CET 2011: SAPD: Unable to contact switch. Called by sapd_hello_cb:4
Sep 13 12:38:09 :303022: |AP AP41@10.50.50.41 nanny| Reboot Reason: AP rebooted Tue Sep 13 12:37:13 CET 2011: SAPD: Unable to contact switch. Called by sapd_hello_cb:4
Sep 13 12:38:39 :303022: |AP AP32-W0-COL18@10.50.50.32 nanny| Reboot Reason: AP rebooted Tue Sep 13 12:36:43 CET 2011; SAPD: Unable to contact switch. Called by sapd_hello_cb:4
Sep 13 12:38:41 :303022: |AP AP10-P2-OF27@10.50.50.10 nanny| Reboot Reason: AP rebooted Tue Sep 13 12:36:49 CET 2011; SAPD: Unable to contact switch. Called by sapd_hello_cb:4
Sep 13 12:38:42 :303022: |AP AP35@10.50.50.35 nanny| Reboot Reason: AP rebooted Tue Sep 13 12:36:51 CET 2011; SAPD: Unable to contact switch. Called by sapd_hello_cb:4
Sep 13 12:38:45 :303022: |AP AP29-P1-COL42EA@10.50.50.29 nanny| Reboot Reason: AP rebooted Tue Sep 13 12:36:53 CET 2011; SAPD: Unable to contact switch. Called by sapd_hello_cb:4
Sep 13 12:38:45 :303022: |AP AP20-T0-T6@10.50.50.20 nanny| Reboot Reason: AP rebooted Tue Sep 13 12:36:54 CET 2011; SAPD: Unable to contact switch. Called by sapd_hello_cb:4
Sep 13 12:38:51 :303022: |AP AP37@10.50.50.37 nanny| Reboot Reason: AP rebooted Tue Sep 13 12:37:00 CET 2011; SAPD: Unable to contact switch. Called by sapd_hello_cb:4
Sep 13 12:38:53 :303022: |AP AP17-T0-T15@10.50.50.17 nanny| Reboot Reason: AP rebooted Tue Sep 13 12:37:01 CET 2011; SAPD: Unable to contact switch. Called by sapd_hello_cb:4
Sep 13 12:38:55 :303022: |AP AP30-P1-COL28EA@10.50.50.30 nanny| Reboot Reason: AP rebooted Tue Sep 13 12:37:03 CET 2011; SAPD: Unable to contact switch. Called by sapd_hello_cb:4
Sep 13 12:38:57 :303022: |AP AP26-P0-COL06SA@10.50.50.26 nanny| Reboot Reason: AP rebooted Tue Sep 13 12:37:05 CET 2011; SAPD: Unable to contact switch. Called by sapd_hello_cb:4
Sep 13 12:38:59 :303022: |AP AP06-P0-OF14@10.50.50.6 nanny| Reboot Reason: AP rebooted Tue Sep 13 12:37:07 CET 2011; SAPD: Unable to contact switch. Called by sapd_hello_cb:4
Sep 13 12:39:02 :303022: |AP AP25@10.50.50.25 nanny| Reboot Reason: AP rebooted Tue Sep 13 12:37:11 CET 2011; SAPD: Unable to contact switch. Called by sapd_hello_cb:4
Sep 13 12:39:05 :303022: |AP AP22-PS-T7@10.50.50.22 nanny| Reboot Reason: AP rebooted Tue Sep 13 12:37:11 CET 2011; SAPD: Unable to contact switch. Called by sapd_hello_cb:4
Guru Elite
Posts: 21,269
Registered: ‎03-29-2007

Re: Switch port 802.1x authentication on Aruba APs

The counters, as well as the logs reset after you reboot the controller. The column you should be interested in is the bootstraps and reboots, which would indicate a connectivity issue.

the "show log system " would also have messges from access points having connectivity issues when they come back up.


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor II
Posts: 77
Registered: ‎07-10-2009

Re: Switch port 802.1x authentication on Aruba APs

Ok, i was worried about this ap59 having but 160 configs sent (during 20 hours).
But it has only one reboot.

Regards
Occasional Contributor II
Posts: 77
Registered: ‎07-10-2009

Re: Switch port 802.1x authentication on Aruba APs

After a while it seems that the reboots of the AP are growing.

AP Counters
-----------
Name Group IP Address Configs Sent Configs Acked AP Boots Sent AP Boots Acked Bootstraps Reboots
---- ----- ---------- ------------ ------------- ------------- -------------- ---------- -------
AP50 default 10.50.50.50 35 35 0 0 2 1
AP51 default 10.50.50.51 47 47 0 0 3 1
AP52 default 10.50.50.52 32 32 0 0 2 0
AP53 default 10.50.50.53 40 40 0 0 3 0
AP54 default 10.50.50.54 42 42 0 0 1 1
AP55 default 10.50.50.55 16 16 0 0 3 3
AP59 default 10.50.50.59 1424 1424 0 0 3 0
AP60 default 10.50.50.60 40 40 0 0 8 6
AP61 default 10.50.50.61 18 18 0 0 3 1
AP62 default 10.50.50.62 155 155 0 0 2 1
AP63 default 10.50.50.63 4 4 0 0 4 1
AP64 default 10.50.50.64 11 11 0 0 2 0
AP65 default 10.50.50.65 155 155 0 0 3 0

I exchanged AP60 with AP61 the last time to see if it was an AP problem or a network problem. This numbers makes me think about a network problem.

The AP59 1424 configs sent are not suspicious?
Guru Elite
Posts: 21,269
Registered: ‎03-29-2007

Re: Switch port 802.1x authentication on Aruba APs

Please open a TAC case. There is no telling whether or not dynamic authentication with that switch was tested to work with our access points.


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor II
Posts: 77
Registered: ‎07-10-2009

Re: Switch port 802.1x authentication on Aruba APs

Sorry for the confusion, I had to put this in a new thread because we desisted to use port authentication.
My intention was to discard any ethernet network problem prior to start a TAC.
Also i will try to upgrade to a new aruba OS release because I have 5.0.2.1 and
it seems pretty old. Then if the problem persists i will contact my vendor to learn the procedure to create a TAC. I think here in Spain is different than in USA.

Thanks for the information
Search Airheads
Showing results for 
Search instead for 
Did you mean: