Controller-less WLANs

Network Topology : General configuration and troubleshooting

Configuring & Troubleshooting – EAP-PEAP

1. How it works
   1. While configuring a WLAN network for EAP-PEAP authentication, the vlan assignment can be either VC assigned or Network assigned, similar to all other types of authentication.
   2. The dynamic keys can be WPA/WPA2, Mixed or Dynamic WEP with 802.1x
   3. EAP - Termination can be optionally enabled on the IAP, by default ‘Disabled’.
   4. It is possible to upload a customized certificate for 802.1x authentication on the IAP.
   5. We can use the auth server as RADIUS when EAP Termination is disabled and we can additionally use LDAP as an option when EAP termination is enabled on the AP.

1. How to configure
   1.  On Aruba Central UI, Go to Configuration > Networks and select ‘Create New’

1. On the basic info screen, Configure the ESSID and select the Primary usage as ‘Employee’

1. In the following screen, select whether the VLAN assignment needs to be VC Assigned or Network assigned.

1. Set the security level to ‘Enterprise’ and also select the necessary Key mgmt option i.e., WPA/WPA2.

1. Select whether the EAP termination should be enabled or disabled, as per the requirement.

1. In this example, we have enabled EAP – Termination, In the following step, we need to configure an authentication server. Select ‘New’ and it opens up the auth server config screen.

1.  In the following dialogue box, the options such as Auth server name, IP address, Shared Key and Auth/Accnt ports have to be configured. Once it is completed, select ‘Save Server’

1. Additionally, we can enable options such as ‘Reauth Interval’, Auth priority, etc in the following screen.

1. Select the role assignment method and click on Finish.

1. To verify whether the SSID has been successfully created or not, navigate to Configuration > Networks – Here we would be able to see the name of the SSID as indicated.

1. Troubleshooting EAP-PEAP issues

1. Check whether the users are able to view the BSSID broadcasted by the AP, if not –

the command ‘show ap bss-table’ can be run from individual AP’s that have issues
00:24:6c:cb:a5:3f# show ap bss-table
 
Aruba AP BSS Table
------------------
bss                ess       port  ip           phy   type  ch/EIRP/max-EIRP  cur-cl  ap name            in-t(s)  tot-t
---                ---       ----  --           ---   ----  ----------------  ------  -------            -------  -----
00:24:6c:3a:53:f3  eap_peap  ?/?   10.20.24.43  a-HT  ap    161-/19/24        0       00:24:6c:cb:a5:3f  0        1m:59s
 
Channel followed by "*" indicates channel selected due to unsupported configured channel.
"Spectrum" followed by "^" indicates Local Spectrum Override in effect.
 
From the Cluster-Master CLI, the below command can be used from the support console:

1. If the pre-configured 802.1x supplicant/client is unable to authenticate with the eap_peap ssid, the following command can be used from the AP support UI

The above screen shot shows the number of EAP attempts, Failures, whether the failure is due to key exchange or EAP messages and includes the exact client/AP mac which were trying to authenticate.

1. In order to check the Authentication frames between the termination server and the supplicant, we can use the below command ‘AP Authentication Frames’