What does the error message "WPA policy violated by AP" mean?

Posted on 07-09-2014 02:58 PM

Product and Software: This article applies to all Aruba controllers and ArubaOS 3.1.x and later. 

If you receive a log message similar to one of the following two messages in a wireless log: 

Apr 19 18:59:30 :404009:  <ERRS> |AP 1.1.3@192.168.0.234 sapd|  AM 00:0b:86:31:8e:a0: Privacy policy violated by AP with SSID Guest and BSSID 00:0b:86:47:b9:41 

Apr 19 18:59:30 :404010:  <ERRS> |AP 1.1.3@192.168.0.234 sapd|  AM 00:0b:86:31:8e:a0: WPA policy violated by AP with SSID Guest and BSSID 00:0b:86:47:b9:41 

And if you check management frames, you can see: 

# show ap debug mgmt-frames 
Traced 802.11 Management Frames 
------------------------------- 
Timestamp        stype         SA                 DA                 BSS                signal  Misc 
---------        -----         --                 --                 ---                ------  ---- 
Apr 19 18:28:37  deauth        00:19:d2:c5:5d:4c  00:0b:86:31:8e:a1  00:0b:86:31:8e:a1  0       STA has left and is deauthenticated 
Apr 19 18:28:37  assoc-resp    00:0b:86:31:8e:a1  00:19:d2:c5:5d:4c  00:0b:86:31:8e:a1  15      Success 
Apr 19 18:28:37  assoc-req     00:19:d2:c5:5d:4c  00:0b:86:31:8e:a1  00:0b:86:31:8e:a1  0       - 
Apr 19 18:28:36  deauth        00:19:d2:c5:5d:4c  00:0b:86:31:8e:a1  00:0b:86:31:8e:a1  0       STA has left and is deauthenticated 
Apr 19 18:28:36  assoc-resp    00:0b:86:31:8e:a1  00:19:d2:c5:5d:4c  00:0b:86:31:8e:a1  15      Success 
Apr 19 18:28:36  assoc-req     00:19:d2:c5:5d:4c  00:0b:86:31:8e:a1  00:0b:86:31:8e:a1  0       - 

Where 00:19:d2:c5:5d:4c is a station trying to connect to a valid open or WEP SSID, and 00:0b:86:31:8e:a1 is an Aruba AP or AM. 

If you see any of these symptoms, it is because “privacy”, “require-wpa” and “protect-misconfigured-ap” are enabled under the “ids unauthorized-device-profile”, and they keep disconnecting wireless users connected to either:

•     A WEP SSID, if “require-wpa” is enabled
•     An open SSID, if either “require-wpa” or “privacy” is enabled

You should not enable “require-wpa” if you have a virtual AP using OPENSYSTEM or WEP. Also, you should not enable “privacy” if you are running a guest SSID with OPENSYSTEM.
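
The following Python sketch is an added example, not part of the original article or of Aruba's tooling. It parses the two log messages and the management-frame trace shown above to report which SSID/BSSID tripped which setting and which stations are stuck in an associate/deauthenticate loop. The mapping from message text to setting name and the function names are assumptions made for illustration; the sample input is copied from this page.

```python
import re

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
# Message text as shown in the article; setting names are inferred from its wording.
VIOLATION = re.compile(
    rf":(?:404009|404010):.*\bAM {MAC}: (Privacy|WPA) policy violated by AP "
    rf"with SSID (.+) and BSSID ({MAC})\s*$", re.I)
SETTING = {"privacy": "privacy", "wpa": "require-wpa"}
# One row of "show ap debug mgmt-frames": timestamp, stype, SA, DA, BSS.
FRAME = re.compile(rf"^\w{{3}}\s+\d+\s+[\d:]{{8}}\s+(\S+)\s+({MAC})\s+({MAC})\s+({MAC})\s", re.I)

# Sample input: the log lines and trace rows quoted in this article.
SAMPLE_LOG = """\
Apr 19 18:59:30 :404009:  <ERRS> |AP 1.1.3@192.168.0.234 sapd|  AM 00:0b:86:31:8e:a0: Privacy policy violated by AP with SSID Guest and BSSID 00:0b:86:47:b9:41
Apr 19 18:59:30 :404010:  <ERRS> |AP 1.1.3@192.168.0.234 sapd|  AM 00:0b:86:31:8e:a0: WPA policy violated by AP with SSID Guest and BSSID 00:0b:86:47:b9:41
"""
SAMPLE_TRACE = """\
Apr 19 18:28:37  deauth        00:19:d2:c5:5d:4c  00:0b:86:31:8e:a1  00:0b:86:31:8e:a1  0       STA has left and is deauthenticated
Apr 19 18:28:37  assoc-resp    00:0b:86:31:8e:a1  00:19:d2:c5:5d:4c  00:0b:86:31:8e:a1  15      Success
Apr 19 18:28:37  assoc-req     00:19:d2:c5:5d:4c  00:0b:86:31:8e:a1  00:0b:86:31:8e:a1  0       -
Apr 19 18:28:36  deauth        00:19:d2:c5:5d:4c  00:0b:86:31:8e:a1  00:0b:86:31:8e:a1  0       STA has left and is deauthenticated
Apr 19 18:28:36  assoc-resp    00:0b:86:31:8e:a1  00:19:d2:c5:5d:4c  00:0b:86:31:8e:a1  15      Success
Apr 19 18:28:36  assoc-req     00:19:d2:c5:5d:4c  00:0b:86:31:8e:a1  00:0b:86:31:8e:a1  0       -
"""

def violations(log):
    """Map (SSID, BSSID) -> set of IDS settings that flagged it."""
    hits = {}
    for line in log.splitlines():
        m = VIOLATION.search(line)
        if m:
            hits.setdefault((m[2], m[3].lower()), set()).add(SETTING[m[1].lower()])
    return hits

def reconnect_loops(trace, min_cycles=2):
    """Map (station, BSS) -> number of assoc-req/assoc-resp/deauth cycles."""
    seq = {}
    for line in reversed(trace.splitlines()):   # trace lists newest frame first
        m = FRAME.match(line)
        if m:
            stype, sa, da, bss = m.groups()
            sta = sa if sa != bss else da       # the address that is not the BSS
            seq.setdefault((sta.lower(), bss.lower()), []).append(stype)
    cycles = {k: " ".join(v).count("assoc-req assoc-resp deauth") for k, v in seq.items()}
    return {k: n for k, n in cycles.items() if n >= min_cycles}

if __name__ == "__main__":
    print(violations(SAMPLE_LOG))
    print(reconnect_loops(SAMPLE_TRACE))
```

An SSID that appears in the first result and is meant to be open or WEP points at the profile settings named above, not at a rogue AP.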
