Controllerless Networks

I have seen a few other postings similar to this but none of the ideas presented have helped (not that there was ever a real solution or fix presented on those posts....just sayin').

I have set up two IAP-105 APs (maybe adding more later if this can be fixed). Only one of the APs will authenticate to Radius (Win 2003 IAS) at a time and that AP has to also be the Master AP which hosts the virtual controller. If the working AP is taken down and the other AP takes over the VC role then it WILL also authenticate properly. However, when both APs are powered on at the same time only the master AP will authenticate. Our guest wireless works fine on both APs at all times. If I try to authenticate near the non-master AP "trying to authenticate" is all I will see (for as long as I remain in the vicinity). If I take that laptop and walk toward the VC hosting master AP the signal will be passed to that AP and the login will be authenticated and the connection completes.

Please help...we have saved no $$$ with this purchase if we take into consideration the amount of lost time trying to get this "easier than toast"  (yeah right!) wifi solution working.

So, allowing each AP to be the master on its own has not solved the problem as stated in several other posts. Any help will be greatly appreciated...

Please Enable Radius Proxy.

Radius Proxy IS and HAS been enabled throughout.

I don't know if this is related but when using telnet with PuTTY to the VC most attempts to "dig around" or generally run commands generate this message: % Parse error

then goes back to the APname#  prompt.

Do you have the latest version of the firmware?

What does the radius server say the source ip address of the messages are?

6.1.2.3-2.0.0.4_32946.

Successful or access denied authentication is logged in event viewer giving the NAS-IP-Address = the internal IP of the virtual contoller. The NAS-Identifier is the IP of the IAP-105 that is hosting the VC.  It appears that ONLY messages from the VC and its hosting AP are showing up in Event Viewer. When the other AP was hosting the VC it would generate messages to the Radius server which makes sense since it worked when it was the only AP on the network. Currently no new messages have been generated by the non-hosting AP since it lost the VC role.

What is your remote access policy rule?  You should be seeing failures, as well as successes in the event viewer, under SYSTEM if this is IAS.  If not, you might want to open a case so that we can get to the bottom of this.

The only messages in system/IAS are generated when the AP and the VC are on the same device. There are messages from both APs but they are only from the times when the particular AP was the VC. It's as though the non-hosting AP is not communicating with the VC.

Should we consider rolling back to the previous firmware? Or reloading the current one?

We have a case open with Aruba support but UNLESS I call them they are slow to respond. They called last night after we had closed. I might have to call them after I return from lunch.

Okay, last question.  Do you have a static ip address configured as the "Virtual Controller address"?

Yes we do and all the APs are staticly assigned also.

BTW, just to be clear the VC has its own IP such as 172.12.3.2 and the APs are addressed such as 172.12.3.3, 172.12.3.4, etc. I have even tested this problem with a previous unopened AP....same results.

..and when you take the current VC offline, the newly elected VC can be reached via the VC address, correct?

Yes. All device and the VC have static IPs.

Sorry, disregard that last IP related post. Yes, when I take down either one of the two IAP-105 access points the other becomes the VC AND the RADIUS authentication works also. It is only when more than one AP is powered on that we see this problem. It also does not matter if we have two or three APs on (we own 5 which we want to deploy one day) only the AP hosting the VC will authenticate to the domain. Also, again, the guest wifi works no matter how many APs are on...as it should.

It would also be help ful to get the output of "show tech-support".  You can do this by clicking the "Support" link on the upper right

of the UI, select "AP Tech Support Dump" from the Command drop-down list, and clicking run.  Then click save results to display the result in a new browser window.  Finally, you can copy and paste the content of this into a new message in Airheads social, for us to debug.

I am uploading the dump file. See attached. Thanks.

Attachment(s)

AP tech support dump.docx   44 KB 1 version

Is this the access point WITH the problem?  Please upload the tech support WITH the auth problem...  This one seems to be working.

I'm coming to this conversation late, but I don't see this point yet:

In RADIUS server setup, be sure to put the "NAS IP Address" as the VC IP address, and

In Advanced tab enable "Dynamic RADIUS Proxy"

I'd had similar issues until I set those both.

msabin,

The Author of this thread says that he has already done both of those things, so we have to take a closer look.

OK, I hadn't seen them both set in the show-tech, but it's hard for the layman to read.

Both are set:

virtual-controller-ip 172.16.9.2

dyanmic radius-proxy

We need to see the tech support from the AP with the problems.  This one seems to be getting responses from the Radius Server from the "auth-tracebuf" output.

The more I read the more it seems that the problem is the cert creation process. In the hodgepodge of documentation we had to try several approaches..let me back up. We have a Windows pki infrastructure set up and working. We initially tried to create and upload certs to the instant (self signed) and created in Linux Centos per docs found at Aruba support. The self signed CAcert uploaded fine but the instantservercert had a format error or RSA decode error (I cannot remember now). I contacted support and eventually they sent a doc on exporting the server cert that is created in windows on our cert server. We did that and the upload worked. Immediately we were able to authenticate and we thought all was well. It was several days before we realized that we could only authenticate from the AP that hosts the virtual controller. 

Could the problem be that the two certs are really from different authorities? Would we, can we, export the rootCA cert from our CA  windows server and then export the web server cert according to the attached instructions, upload them on the IAP-105 and maybe solve this issue. Again we think our basic set up is working since computers and users who are placed into the appropriate GPO's can boot up (after they get the policy) to the wireless, authenticate, and receive appropriate mappings, etc. as long as they are near the virtual controller hosting AP.  So autoenrollment is working.  I am new to certificates so forgive me if i am missing something that will one day seem obvious (after I figure this out!).

Attachment(s)

Aruba Instant Certificate generation and upload edited.pdf   385 KB 1 version

Hi,

Please drop me an email and I will send over a doc that may help.

I don't want to add to your misery in the cert creation process  - but I hope it may explain certain things about the certificate itself.

Thanks,

Shashi

ssastry@arubanetworks.com

BTW..the dump from an AP that is NOT hosting the virtual contoller is attached..

I know this has been stagnant for a while, but I have a similar issue but my internal CA at the customer is 2003 not 2008. Got the CA cert installed no problem, but creating the Server cert for the IAP 105s I am getting the RSA decode error. Any guide on doing it on 2003 CA?

Are you doing EAP-PEAP or EAP-TLS

Where are you applying the certificate?

PEAP, trying to upload the server cert under the maintence>certificates tab.

why not just put a certificate on the radius server instead?

also trying to get rid of the cert error message for the default securelogin.arubanetworks.com cert.

---

@wmorris wrote:

PEAP, trying to upload the server cert under the maintence>certificates tab.

---

What format of cert are you using to upload....?

just created a web server certificate on a server 2003 CA. RSA2048 uploads as PEM.