Controllerless Networks

3 x Aruba 105 APs running 3 SSID, one corporate WPA2-Enterprise and 2 WPA2-Personal one for Mobiles other for Guest.

AP Version: 6.4.2.6-4.1.1.8_50989 (There is a new version available but I don't want to update for the sake of one device incase of other client issues)

We are using Radius Server for Authentication, the magority of other Laptop devices are authenticating well, there is the occassional connection issue but usually they resolve themselves or require minimal intervention. However a HP ProBook 430 G2 Laptop Win7 64 Prof is not wanting to connect/ reconnect to the network. "Windows was unable to connect to this network".

It has previously connected to the corp network, but after returning from the holidays it is playing up and has lost connection and will not reconnect for love nor money despite trying basic troubleshooting, resetting NIC, windows troubleshooter, removing managed network and adding profile manually, updating NIC driver, restarting device, removing the user from the Aruba AD Security Group and re-adding them.

The Aruba AP shows the client in the client table and you can see the correct MAC address for the wireless NIC of the client, but it has no name next to the IP address just '--', or another time there is no IP address either 0.0.0.0. I am trying to clear this entry from the table using the 'disconnect now' button from the Aruba WUI, but it will not remove the entry. (or it will remove it only to reappear shortly after, when I try to reconnect the client, but with the same IP or no IP).

Is there away in the Aruba CLI for me to manually clear/delete this clients MAC and IP from the client table?, just completely flush the AP of this clients information and try and reconnect?

(There is an Alert which appears occasionally also: The AP cannot receive data from this client because the integrity check of the received message (MIC) has failed. Recommend checking the encryptionsetting on the client and on the AP.)

Any questions let me now.

Appreciate any advice.

Hi, 

You can clear the client table entries using the disconnect-user command. 

IAP# disconnect-user ?
<addr> addr
all
mac
network Network 

See if a static IP or TKIP encryption helps. Maybe you can configure a separate SSID for testing. 

Thanks, 

Rajaguru Vincent 

---

@rvincent wrote:

Hi, 

 

You can clear the client table entries using the disconnect-user command. 

 

IAP# disconnect-user ?
<addr> addr
all
mac
network Network 

 

 

See if a static IP or TKIP encryption helps. Maybe you can configure a separate SSID for testing. 

 

Thanks, 

Rajaguru Vincent 

---

Hi Rajaguru

Thanks for the reply.

So I have tried the suggested command.

AP1# disconnect-user mac (mac address here)

There is no idication that this is successful just drops to next prompt line AP1#.

It is also still visible from the WUI cllient Table.

Am I missing something from the command here?

In response to your other suggestions, the Static IP address sounds like a good shout and I will try this out, but TKIP is not considered secure encryption so don't want to do this one.

Is there a debug report I can run that will give me some further insight into client authentication issues?

Thanks NS

with disconnect and such you just end the current connection. but if the client is setup as such it will probably to connect again directly. with show ap association you can see if the association time was reset.

the other things rvincent suggest are mainly to start from somewhere and then try to focus on the issue.

you might have some luck with: show ap debug auth-trace-buf

---

@boneyard wrote:

with disconnect and such you just end the current connection. but if the client is setup as such it will probably to connect again directly. with show ap association you can see if the association time was reset.

 

the other things rvincent suggest are mainly to start from somewhere and then try to focus on the issue.

 

you might have some luck with: show ap debug auth-trace-buf

---

Hi Boneyard

Apologies for the delayed response. Appreciate the comments.

I have run the aforementioned show ap debug auth-trace-buf and I see alot of mic failure, which I assume is the same as the alert message on the WUI, for message integrity check failure. Example below.

Jan 14 14:12:10  wpa2-key1             <-  54:88:0e:32:6X:XX ac:a3:1e:63:4X:XX  -  117  
Jan 14 14:12:10  wpa2-key2             ->  54:88:0e:32:6X:XX  ac:a3:1e:63:4X:XX  -  117  mic failure

What I find a little confusing is that the MAC starting ac: I assumed is the AP, but when I check the MACs of each of the 3 APs none match this MAC address?

We are currently trying static IP (DHCP Reservation) for those having issues to see if the connection drops. It only seems to be effecting Lenovo Thinkpads at the moment, so also checking WLAN drivers.

latest drivers is always a good idea.

which MAC did you exactly check? the wired ones won't be the ones used wirelessly and the wireless ones will be different per BSSID. there are some cli commands which will show the MACs per BSSID, if you do a full tech support and look for the the MAC you probably find it.

---

@niceswitches wrote:

---

@boneyard wrote:

with disconnect and such you just end the current connection. but if the client is setup as such it will probably to connect again directly. with show ap association you can see if the association time was reset.

 

the other things rvincent suggest are mainly to start from somewhere and then try to focus on the issue.

 

you might have some luck with: show ap debug auth-trace-buf

---

Hi Boneyard

Apologies for the delayed response. Appreciate the comments.

 

I have run the aforementioned show ap debug auth-trace-buf and I see alot of mic failure, which I assume is the same as the alert message on the WUI, for message integrity check failure. Example below.

Jan 14 14:12:10  wpa2-key1             <-  54:88:0e:32:6X:XX ac:a3:1e:63:4X:XX  -  117  
Jan 14 14:12:10  wpa2-key2             ->  54:88:0e:32:6X:XX  ac:a3:1e:63:4X:XX  -  117  mic failure

What I find a little confusing is that the MAC starting ac: I assumed is the AP, but when I check the MACs of each of the 3 APs none match this MAC address?

We are currently trying static IP (DHCP Reservation) for those having issues to see if the connection drops. It only seems to be effecting Lenovo Thinkpads at the moment, so also checking WLAN drivers.

---

The mac address that you see in the auth-tracebuf output is the BSSID of the AP which is the SSID-specific mac, of the AP and not the ethernet mac.  You can type "show ap bss-table | include <mac address> to see what AP this is and what band it is.  If it is the 2.4ghz band, it coudl be congestion. If you are seeing alot of Mic errors, it is either that your drivers are not up to date, like boneyard says, or there is too much congestion or contention.  Look on the Dashboard" screen of your WLAN and take a look a t AP Channel Utilization.  In general you should not have any access points that are above 30% utilization sustained.  If you do, you have to either (1) Remove unused SSIDs (2) Turn Down the max Power on your access points to reduce contention