How to re-authenticate RAP before ISAKMP/IPSEC timer expiry?

MVP
MVP
Requirement:

By default, Aruba Remote AP re-authenticates every time when the ISAKMP/IPSEC timer expires. The default timer for ISAKMP is 8 hours and IPSEC is 2 hours. When these timer expires, Remote AP with establish a new SPI index to the controller. These values are hard-coded into the controller, and are not configurable. However in some use cases, there is a need to re-authenticate the RAP before these timer expires. 



Solution:

After Re-authentication interval kicked-in:

 

(Aruba-Master) #show crypto isakmp sa peer 10.17.168.174

 

 Initiator IP: 10.17.168.174

 Responder IP: 10.17.168.178

 Initiator: No

 Initiator cookie:1818fa09f4791dd3 Responder cookie:75c3c753255dd168

 SA Creation Date: Wed Jan 17 04:25:29 2018

 Life secs: 28800

 Initiator Phase1 ID: CN=CM0617084::84:d4:7e:c3:d9:02

 Responder Phase1 ID: CN=CG0002010::00:0b:86:9a:50:77 L=SW

 Exchange Type: IKE_SA (IKEV2) 

 Phase1 Transform:EncrAlg:AES256 HashAlg:HMAC_SHA1_96 DHGroup:2 

 Authentication Method: RSA Digital Signature 2048-bits

 CFG Inner-IP 1.1.1.3

 IPSEC SA Rekey Number: 0

 Aruba AP

 

 

(Aruba-Master) #show crypto ipsec sa peer 10.17.168.174 

 

 Initiator IP: 10.17.168.174

 Responder IP: 10.17.168.178

 Initiator: No

 SA Creation Date: Wed Jan 17 04:25:29 2018

 Life secs: 7200

 Exchange Type: IKE_SA (IKEV2) 

 Phase2 Transform:Encryption Alg: AES 256 Authentication Alg: SHA1 

 Encapsulation Mode Tunnel

 IP Compression Disabled

 PFS: no

 IN SPI: FA4A0400, OUT SPI: DBC8BB00

 CFG Inner-IP 1.1.1.3

 Responder IP: 10.17.168.178

 

 

(Aruba-Master) #show ap bss-table ap-name 84:d4:7e:c3:d9:02

 

fm (forward mode): T-Tunnel, S-Split, D-Decrypt Tunnel, B-Bridge (s-standard, p-persistent, b-backup, a-always), n-anyspot

 

Aruba AP BSS Table

------------------

bss                ess       port  ip       phy    type  ch/EIRP/max-EIRP  cur-cl  ap name            in-t(s)  tot-t  mtu   acl-state  acl  fm

---                ---       ----  --       ---    ----  ----------------  ------  -------            -------  -----  ---   ---------  ---  --

84:d4:7e:bd:90:20  aruba-ap  N/A   1.1.1.3  g-HT   ap    11/15/0           0       84:d4:7e:c3:d9:02  0        28s    1200  -          2    T

84:d4:7e:bd:90:30  aruba-ap  N/A   1.1.1.3  a-VHT  ap    60E/24/0          0       84:d4:7e:c3:d9:02  0        28s    1200  -          2    T

 

Channel followed by "*" indicates channel selected due to unsupported configured channel.

"Spectrum" followed by "^" indicates Local Spectrum Override in effect.

 

Num APs:2

Num Associations:0

 

NOTE: Although, the Remote AP re-authenticates at the time of timer expiry, it will turn off it's RADIO hence knocking off the clients. However when the Remote AP re-authenticates during the default timer expiry, it will not knock off the clients and RADIOS will not reset. 



Configuration:

Configuring Re-authentication interval from webUI:

 

Configuring Re-authentication interval from CLI:

(Hunter68st2) # show rights ap-role                       

 

Valid = 'Yes'

CleanedUp = 'No'

Derived Role = 'ap-role'

 Up BW:No Limit   Down BW:No Limit  

 L2TP Pool = default-l2tp-pool

 PPTP Pool = default-pptp-pool

 Number of users referencing it = 0

 Periodic reauthentication: Enabled, Interval = 2 minutes

 DPI Classification: Enabled

 Youtube education: Disabled

 Web Content Classification: Enabled

 ACL Number = 6/0

 Max Sessions = 65535

 

Configuring re-authentication interval from webUI:

 

 



Verification

Before re-authentication interval:

 

(Aruba-Master) #show crypto isakmp sa peer 10.17.168.174

 

 Initiator IP: 10.17.168.174

 Responder IP: 10.17.168.178

 Initiator: No

 Initiator cookie:ab8ce372b6a2c775 Responder cookie:b19517ad9e85e486

 SA Creation Date: Wed Jan 17 04:23:24 2018

 Life secs: 28800

 Initiator Phase1 ID: CN=CM0617084::84:d4:7e:c3:d9:02

 Responder Phase1 ID: CN=CG0002010::00:0b:86:9a:50:77 L=SW

 Exchange Type: IKE_SA (IKEV2) 

 Phase1 Transform:EncrAlg:AES256 HashAlg:HMAC_SHA1_96 DHGroup:2 

 Authentication Method: RSA Digital Signature 2048-bits

 CFG Inner-IP 1.1.1.2

 IPSEC SA Rekey Number: 0

 Aruba AP

 

 

(Aruba-Master) #show crypto ipsec sa peer 10.17.168.174

 

 Initiator IP: 10.17.168.174

 Responder IP: 10.17.168.178

 Initiator: No

 SA Creation Date: Wed Jan 17 04:25:29 2018

 Life secs: 7200

 Exchange Type: IKE_SA (IKEV2) 

 Phase2 Transform:Encryption Alg: AES 256 Authentication Alg: SHA1 

 Encapsulation Mode Tunnel

 IP Compression Disabled

 PFS: no

 IN SPI: FA4A0400, OUT SPI: DBC8BB00

 CFG Inner-IP 1.1.1.3

 Responder IP: 10.17.168.178

 

(Aruba-Master) #show ap bss-table ap-name 84:d4:7e:c3:d9:02

 

fm (forward mode): T-Tunnel, S-Split, D-Decrypt Tunnel, B-Bridge (s-standard, p-persistent, b-backup, a-always), n-anyspot

 

Aruba AP BSS Table

------------------

bss                ess       port  ip       phy    type  ch/EIRP/max-EIRP  cur-cl  ap name            in-t(s)  tot-t   mtu   acl-state  acl  fm

---                ---       ----  --       ---    ----  ----------------  ------  -------            -------  -----   ---   ---------  ---  --

84:d4:7e:bd:90:20  aruba-ap  N/A   1.1.1.2  g-HT   ap    11/12/21          0       84:d4:7e:c3:d9:02  0        1m:34s  1200  -          2    T

84:d4:7e:bd:90:30  aruba-ap  N/A   1.1.1.2  a-VHT  ap    60E/22/22         0       84:d4:7e:c3:d9:02  0        1m:34s  1200  -          2    T

 

Channel followed by "*" indicates channel selected due to unsupported configured channel.

"Spectrum" followed by "^" indicates Local Spectrum Override in effect.

 

Num APs:2

Num Associations:0

Version history
Revision #:
2 of 2
Last update:
‎02-28-2018 01:40 AM
Updated by:
 
Labels (1)
Contributors
Search Airheads
cancel
Showing results for 
Search instead for 
Did you mean: