Controller Based WLANs

What does the error message "WPA policy violated by AP" mean?

Aruba Employee

Product and Software: This article applies to all Aruba controllers and ArubaOS 3.1.x and later. 

If you receive a log message similar to one of the following two messages in a wireless log: 

 

Apr 19 18:59:30 :404009:  <ERRS> |AP 1.1.3@192.168.0.234 sapd|  AM 00:0b:86:31:8e:a0: Privacy policy violated by AP with SSID Guest and BSSID 00:0b:86:47:b9:41 

Apr 19 18:59:30 :404010:  <ERRS> |AP 1.1.3@192.168.0.234 sapd|  AM 00:0b:86:31:8e:a0: WPA policy violated by AP with SSID Guest and BSSID 00:0b:86:47:b9:41 

And if you check management frames, you can see: 

# show ap debug mgmt-frames 
Traced 802.11 Management Frames 
------------------------------- 
Timestamp        stype         SA                 DA                 BSS                signal  Misc 
---------        -----         --                 --                 ---                ------  ---- 
Apr 19 18:28:37  deauth        00:19:d2:c5:5d:4c  00:0b:86:31:8e:a1  00:0b:86:31:8e:a1  0       STA has left and is deauthenticated 
Apr 19 18:28:37  assoc-resp    00:0b:86:31:8e:a1  00:19:d2:c5:5d:4c  00:0b:86:31:8e:a1  15      Success 
Apr 19 18:28:37  assoc-req     00:19:d2:c5:5d:4c  00:0b:86:31:8e:a1  00:0b:86:31:8e:a1  0       - 
Apr 19 18:28:36  deauth        00:19:d2:c5:5d:4c  00:0b:86:31:8e:a1  00:0b:86:31:8e:a1  0       STA has left and is deauthenticated 
Apr 19 18:28:36  assoc-resp    00:0b:86:31:8e:a1  00:19:d2:c5:5d:4c  00:0b:86:31:8e:a1  15      Success 
Apr 19 18:28:36  assoc-req     00:19:d2:c5:5d:4c  00:0b:86:31:8e:a1  00:0b:86:31:8e:a1  0       - 

 

 

Here, 00:19:d2:c5:5d:4c is a station trying to connect to a valid open or WEP SSID, and 00:0b:86:31:8e:a1 is an Aruba AP or AM. The station is deauthenticated immediately after each successful association.

If you see any of these symptoms, it is because “privacy”, “require-wpa” and “protect-misconfigured-ap” are enabled under the “ids unauthorized-device-profile”. With these settings enabled, the system keeps disconnecting wireless users connected to either:

•     A WEP SSID, if “require-wpa” is enabled
•     An open SSID, if either “require-wpa” or “privacy” is enabled

You should not enable “require-wpa” if you have a virtual AP using OPENSYSTEM or WEP. Also, you should not enable “privacy” if you are running a guest SSID with OPENSYSTEM.
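To find which of your own SSIDs are being hit, the two log messages above can be grouped by SSID and BSSID. The following Python script is an added example, not Aruba code: it parses the message layout shown in this article, and the pairing of "Privacy" with “privacy” and "WPA" with “require-wpa” is an assumption inferred from the message wording.

```python
import re
from collections import defaultdict

# Policy word in the message -> setting under "ids unauthorized-device-profile".
# The pairing is an assumption inferred from the message wording.
SETTING_FOR = {"privacy": "privacy", "wpa": "require-wpa"}

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]{8})\s+:(?P<msgid>\d+):\s+<(?P<level>\w+)>\s+"
    r"\|AP (?P<ap>\S+)@(?P<ap_ip>\S+) sapd\|\s+AM (?P<am>[0-9a-f:]{17}): "
    r"(?P<policy>Privacy|WPA) policy violated by AP "
    r"with SSID (?P<ssid>.+?) and BSSID (?P<bssid>[0-9a-f:]{17})\s*$",
    re.IGNORECASE,
)

def parse_line(line):
    """Return the fields of one policy-violation line, or None for other lines."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["setting"] = SETTING_FOR[rec["policy"].lower()]
    return rec

def summarize(lines):
    """Group violations by (SSID, BSSID): hit count and the settings to review."""
    out = defaultdict(lambda: {"count": 0, "settings": set(), "monitors": set()})
    for rec in filter(None, map(parse_line, lines)):
        entry = out[(rec["ssid"], rec["bssid"].lower())]
        entry["count"] += 1
        entry["settings"].add(rec["setting"])
        entry["monitors"].add(rec["am"].lower())
    return dict(out)

# First two lines are the article's samples; the last two are constructed.
SAMPLE_LOG = """\
Apr 19 18:59:30 :404009:  <ERRS> |AP 1.1.3@192.168.0.234 sapd|  AM 00:0b:86:31:8e:a0: Privacy policy violated by AP with SSID Guest and BSSID 00:0b:86:47:b9:41
Apr 19 18:59:30 :404010:  <ERRS> |AP 1.1.3@192.168.0.234 sapd|  AM 00:0b:86:31:8e:a0: WPA policy violated by AP with SSID Guest and BSSID 00:0b:86:47:b9:41
Apr 19 19:01:02 :404010:  <ERRS> |AP 1.1.4@192.168.0.235 sapd|  AM 00:0b:86:31:8e:b0: WPA policy violated by AP with SSID Lab WEP and BSSID 00:0b:86:47:b9:52
Apr 19 19:01:05 :000000:  <INFO> |AP 1.1.4@192.168.0.235 sapd|  unrelated constructed line
"""

if __name__ == "__main__":
    for (ssid, bssid), e in sorted(summarize(SAMPLE_LOG.splitlines()).items()):
        print(f"SSID {ssid!r} BSSID {bssid}: {e['count']} hit(s), "
              f"review {', '.join(sorted(e['settings']))}; seen by {sorted(e['monitors'])}")
```

An SSID that appears in the summary and is one of your own open or WEP virtual APs is a candidate for the misconfiguration described above.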

 

Version history
Revision #: 1 of 1
Last update: 07-09-2014 02:58 PM