Can we configure the controller to send out traps for missing whitelist entries for IAPs?
When an IAP forms an IPsec tunnel to the controller, the Aruba TPM certificates in the IAP and in the controller are used for IPsec authentication. After authenticating the IAP, the controller authorizes it by comparing the CN in the IAP's certificate (the CN is the MAC address of the IAP) against the MAC addresses in the RAP whitelist. If the MAC address is not present in the RAP whitelist, the IAP is not allowed to terminate its IPsec tunnel on the controller. The rejection is logged as an authentication failure against the controller's internal database, so the WLAN admin can enable the corresponding trap, receive a notification for each IAP that fails, and add the IAP to the RAP whitelist after validating that the MAC address belongs to an IAP the organization actually deployed. That validation step matters: whitelisting a MAC authorizes whatever device presents a certificate with that CN to terminate a tunnel on the controller.
- Ensure the trap below (wlsxNUserAuthenticationFailed) is enabled on the Mobility Controller:

    (Aruba3400) # show snmp trap-list | include Authentication
    wlsxNUserAuthenticationFailed    Yes    Enabled
- Below are the events logged by the Mobility Controller when a MAC address is found missing from the RAP whitelist database. The localdb entry is the internal database rejecting the certificate CN; the authmgr entry carries the details. Note servername=Internal, the MAC address appearing as both username and usermac, apname=N/A and an all-zero bssid: this is how an IAP whitelist miss can be told apart from an ordinary wireless client failing authentication, since the same trap is raised for any user authentication failure.

    (Aruba3400) #show log errorlog 2
    Jul 7 10:56:55 <localdb 133006> <ERRS> |localdb| User 18:64:72:c8:20:a0 Failed Authentication
    Jul 7 10:56:55 <authmgr 522275> <ERRS> |authmgr| User Authentication failed. username=18:64:72:c8:20:a0 userip=192.168.1.251 usermac=18:64:72:c8:20:a0 servername=Internal serverip=172.16.0.253 apname=N/A bssid=00:00:00:00:00:00
- Trap sent out by the controller to the AirWave server. The trap text carries the same fields as the errorlog entry, in a slightly different order (bssid before apname), and the same MAC address is reported again on each failed attempt:

    (Aruba3400) #show snmp trap-queue | include "Authentication failed"
    2015-07-07 09:56:00 User Authentication failed for user 18:64:72:c8:20:a0 userip 192.168.1.251 usermac 18:64:72:c8:20:a0 servername Internal serverip 172.16.0.253 bssid 00:00:00:00:00:00 apname N/A
    2015-07-07 09:56:54 User Authentication failed for user 18:64:72:c8:20:a0 userip 192.168.1.251 usermac 18:64:72:c8:20:a0 servername Internal serverip 172.16.0.253 bssid 00:00:00:00:00:00 apname N/A
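The trap fires for every user authentication failure, not only for IAPs missing from the RAP whitelist, so whoever receives it (AirWave, a syslog collector, a script) has to filter. The following is an added example, not part of the original article or of Aruba's tooling: it parses both message formats shown above (the authmgr errorlog line and the trap-queue text), keeps only the failures that look like an IAP whitelist miss (servername=Internal, MAC address as the username, apname=N/A, all-zero bssid, a heuristic taken from the sample output on this page), drops MACs already on the admin's whitelist, and produces a list of candidates to validate before adding. The log lines in SAMPLE_LOG are constructed in the format of the page's output; the whitelist and the second IAP MAC are invented for illustration.

```python
import re

# Regex for the authmgr line in "show log errorlog" (format as in the page's sample).
ERRORLOG_RE = re.compile(
    r"User Authentication failed\. "
    r"username=(?P<username>\S+) userip=(?P<userip>\S+) usermac=(?P<usermac>\S+) "
    r"servername=(?P<servername>\S+) serverip=(?P<serverip>\S+) "
    r"apname=(?P<apname>\S+) bssid=(?P<bssid>\S+)"
)
# Regex for the trap text in "show snmp trap-queue" (field order differs:
# bssid comes before apname, and fields are space- not '='-separated).
TRAPQUEUE_RE = re.compile(
    r"User Authentication failed for user (?P<username>\S+) userip (?P<userip>\S+) "
    r"usermac (?P<usermac>\S+) servername (?P<servername>\S+) "
    r"serverip (?P<serverip>\S+) bssid (?P<bssid>\S+) apname (?P<apname>\S+)"
)
MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$", re.IGNORECASE)


def parse_authfail(line):
    """Return the fields of an authentication-failure line in either format, or None."""
    for rx in (ERRORLOG_RE, TRAPQUEUE_RE):
        m = rx.search(line)
        if m:
            return m.groupdict()
    return None


def is_iap_whitelist_miss(ev):
    """Heuristic from the page's sample: an IAP rejected by the RAP whitelist fails
    against servername=Internal with its own MAC as the username, no AP name and
    an all-zero BSSID (no wireless client is involved)."""
    return (
        ev["servername"] == "Internal"
        and MAC_RE.match(ev["username"]) is not None
        and ev["username"].lower() == ev["usermac"].lower()
        and ev["apname"] == "N/A"
        and ev["bssid"] == "00:00:00:00:00:00"
    )


def missing_whitelist_macs(lines, whitelist):
    """Return {mac: {"count": n, "userip": ip}} for IAP MACs that failed
    authentication and are not already in the admin's whitelist."""
    known = {m.lower() for m in whitelist}
    found = {}
    for line in lines:
        ev = parse_authfail(line)
        if ev is None or not is_iap_whitelist_miss(ev):
            continue
        mac = ev["usermac"].lower()
        if mac in known:
            continue
        entry = found.setdefault(mac, {"count": 0, "userip": ev["userip"]})
        entry["count"] += 1
        entry["userip"] = ev["userip"]  # keep the most recently seen address
    return found


# Constructed sample input in the format of the page's errorlog and trap-queue output.
SAMPLE_LOG = [
    "Jul 7 10:56:55 <authmgr 522275> <ERRS> |authmgr| User Authentication failed. "
    "username=18:64:72:c8:20:a0 userip=192.168.1.251 usermac=18:64:72:c8:20:a0 "
    "servername=Internal serverip=172.16.0.253 apname=N/A bssid=00:00:00:00:00:00",
    "Jul 7 10:57:10 <authmgr 522275> <ERRS> |authmgr| User Authentication failed. "
    "username=18:64:72:c8:20:a0 userip=192.168.1.251 usermac=18:64:72:c8:20:a0 "
    "servername=Internal serverip=172.16.0.253 apname=N/A bssid=00:00:00:00:00:00",
    # A wireless client failing 802.1X against an external RADIUS server: must be ignored.
    "Jul 7 10:58:02 <authmgr 522275> <ERRS> |authmgr| User Authentication failed. "
    "username=jdoe userip=10.1.1.20 usermac=a4:5e:60:11:22:33 "
    "servername=corp-radius serverip=10.0.0.5 apname=ap-lobby-1 bssid=00:1a:1e:aa:bb:c0",
    # An IAP MAC (invented) the admin has already added since the log was captured.
    "Jul 7 10:59:30 <authmgr 522275> <ERRS> |authmgr| User Authentication failed. "
    "username=18:64:72:c8:ff:01 userip=192.168.1.252 usermac=18:64:72:c8:ff:01 "
    "servername=Internal serverip=172.16.0.253 apname=N/A bssid=00:00:00:00:00:00",
    # The same IAP miss as seen in the trap-queue format.
    "2015-07-07 09:56:54 User Authentication failed for user 18:64:72:c8:20:a0 "
    "userip 192.168.1.251 usermac 18:64:72:c8:20:a0 servername Internal "
    "serverip 172.16.0.253 bssid 00:00:00:00:00:00 apname N/A",
    # The localdb line carries no fields and is skipped.
    "Jul 7 11:00:00 <localdb 133006> <ERRS> |localdb| User 18:64:72:c8:20:a0 Failed Authentication",
]
KNOWN_WHITELIST = ["18:64:72:C8:FF:01"]  # invented: MACs the admin has already validated


def report():
    return missing_whitelist_macs(SAMPLE_LOG, KNOWN_WHITELIST)


if __name__ == "__main__":
    for mac, info in report().items():
        print(f"{mac}  failures={info['count']}  last-ip={info['userip']}  -> validate before whitelisting")
```

The output is a candidate list, not an action: each MAC still has to be checked against the IAPs that were actually shipped and installed before it is added to the RAP whitelist, since the whitelist is the controller's authorization decision for the tunnel.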