seb
Occasional Contributor II
Posts: 16
Registered: ‎08-25-2010

Airwave push configuration in monitor only mode ?

Hi,
I just had a very strange error with Airwave. The Airwave server pushed configuration to my controllers while in monitoring mode only!

Here is a little description of my environment:
Main site : 2x7220 controllers in Master-Local mode ArubaOS 6.3.1.11
Branch site : 1x7030 controller in Master mode ArubaOS 6.4.2.12
Same SSID on all sites
Two RADIUS servers (MS NPS2008) per site
One Airwave server version 8.0.4.1
Two different Airwave Groups:
1) Main Site : Manage local configuration on controllers Disable and Monitor only + Firm Upgrades
2) Branch Site : Manage local configuration on controllers Disable and Monitor only + Firm Upgrades

This morning at 06:50, during the AP group maintenance window, Airwave pushed a part of the branch site configuration to the Main site controllers!
The part of the configuration includes the RADIUS server, so Main site clients were unable to authenticate because of the RADIUS mismatch.
I manually changed the mismatched configuration to restore the service.
I deleted the AP group maintenance windows in case of …

Here is an extract of the SSH log on Airwave server
Tue Sep 8 06:50:37 2015:
>> aaa authentication-server radius "RADIUS BRANCH SITE"
>> acctport 1813
>> aaa server-group "SSID_xxx"
>> auth-server "RADIUS BRANCH SITE" position 1
>> no auth-server "RADIUS MAIN SITE"
>> !
>> aaa server-group "default"
>> auth-server "Internal" position 1
>> no auth-server "RADIUS MAIN SITE"
>> !
>> aaa authentication mgmt
>> no enable


Where are my mistakes? What have I done wrong?

Thanks for your help!

Guru Elite
Posts: 7,866
Registered: ‎09-08-2010

Re: Airwave push configuration in monitor only mode ?

If you run show audit-trail, does it confirm that AirWave made the change?

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
seb
Occasional Contributor II
Posts: 16
Registered: ‎08-25-2010

Re: Airwave push configuration in monitor only mode ?

Hi Cappalli,

It's Airwave that made the change. Here is an extract of the "show audit-trail" on the master controller of the Main site. The difference of 5 minutes between the Airwave logs and the controller logs is now corrected (Airwave NTP misconfigured).

Sep 8 06:55:52 fpcli: USER:<user airwave>@<IP Airwave Server> COMMAND:<aaa authentication-server radius "RADIUS BRANCH SITE" > -- command executed successfully
Sep 8 06:55:52 fpcli: USER:<user airwave>@<IP Airwave Server> COMMAND:<aaa authentication-server radius "RADIUS BRANCH SITE" key ****** > -- command executed successfully
Sep 8 06:55:52 fpcli: USER:<user airwave>@<IP Airwave Server> COMMAND:<encrypt disable > -- command executed successfully
Sep 8 06:55:52 fpcli: USER:<user airwave>@<IP Airwave Server> COMMAND:<aaa authentication-server radius "RADIUS BRANCH SITE" acctport 1813 > -- command executed successfully
Sep 8 06:55:52 fpcli: USER:<user airwave>@<IP Airwave Server> COMMAND:<aaa authentication-server radius "RADIUS BRANCH SITE" mac-delimiter none > -- command executed successfully
Sep 8 06:55:52 fpcli: USER:<user airwave>@<IP Airwave Server> COMMAND:<aaa authentication-server radius "RADIUS BRANCH SITE" no service-type-framed-user > -- command executed successfully
Sep 8 06:55:52 fpcli: USER:<user airwave>@<IP Airwave Server> COMMAND:<aaa authentication-server radius "RADIUS BRANCH SITE" retransmit 3 > -- command executed successfully
Sep 8 06:55:52 fpcli: USER:<user airwave>@<IP Airwave Server> COMMAND:<aaa authentication-server radius "RADIUS BRANCH SITE" timeout 5 > -- command executed successfully
Sep 8 06:55:52 fpcli: USER:<user airwave>@<IP Airwave Server> COMMAND:<aaa authentication-server radius "RADIUS BRANCH SITE" host "x.x.x.x" > -- command executed successfully
Sep 8 06:55:52 fpcli: USER:<user airwave>@<IP Airwave Server> COMMAND:<aaa authentication-server radius "RADIUS BRANCH SITE" enable > -- command executed successfully
Sep 8 06:55:52 fpcli: USER:<user airwave>@<IP Airwave Server> COMMAND:<aaa authentication-server radius "RADIUS BRANCH SITE" no enable-ipv6 > -- command executed successfully
Sep 8 06:55:52 fpcli: USER:<user airwave>@<IP Airwave Server> COMMAND:<aaa authentication-server radius "RADIUS BRANCH SITE" authport 1812 > -- command executed successfully
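
Added example, not part of the original thread: a small Python check that parses audit-trail lines in the format shown above and reports successful AAA changes made by an account that is expected to be monitor-only. The account name `airwave`, the addresses and the sample lines are constructed assumptions; the command prefixes come from the logs quoted in this thread.

```python
import re
from collections import defaultdict

# Line layout follows the "show audit-trail" extract quoted in the thread.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+fpcli:\s+"
    r"USER:(?P<user>.+?)@(?P<src>.+?)\s+"
    r"COMMAND:<(?P<cmd>.*?)\s*>\s+--\s+(?P<result>.+)$"
)

# Commands that change authentication behaviour (prefixes seen in the thread's logs).
AAA_PREFIXES = (
    "aaa authentication-server",
    "aaa server-group",
    "aaa authentication mgmt",
)

def parse_line(line):
    """Return the fields of one audit-trail line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def flag_aaa_changes(lines, monitor_only_accounts):
    """Map (user, source) -> [(timestamp, command)] for successful AAA
    changes issued by accounts that should never write configuration."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["user"] not in monitor_only_accounts:
            continue
        if not rec["result"].startswith("command executed successfully"):
            continue
        if rec["cmd"].startswith(AAA_PREFIXES):
            hits[(rec["user"], rec["src"])].append((rec["ts"], rec["cmd"]))
    return dict(hits)

# Constructed sample lines (placeholder account names and documentation IP ranges).
SAMPLE = [
    'Sep 8 06:55:52 fpcli: USER:airwave@192.0.2.10 COMMAND:<aaa authentication-server radius "RADIUS BRANCH SITE" host "198.51.100.7" > -- command executed successfully',
    'Sep 8 06:55:52 fpcli: USER:airwave@192.0.2.10 COMMAND:<encrypt disable > -- command executed successfully',
    'Sep 8 06:55:52 fpcli: USER:airwave@192.0.2.10 COMMAND:<aaa authentication-server radius "RADIUS BRANCH SITE" authport 1812 > -- command executed successfully',
    'Sep 8 07:10:01 fpcli: USER:admin@192.0.2.50 COMMAND:<aaa authentication-server radius "RADIUS MAIN SITE" enable > -- command executed successfully',
]

if __name__ == "__main__":
    for (user, src), changes in flag_aaa_changes(SAMPLE, {"airwave"}).items():
        print(f"{user}@{src}: {len(changes)} AAA change(s)")
        for ts, cmd in changes:
            print(f"  {ts}  {cmd}")
```

Any hit for a monitor-only account is worth an alert, since a RADIUS server or server-group change takes effect on client authentication immediately.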

MVP
Posts: 1,399
Registered: ‎10-25-2011

Re: Airwave push configuration in monitor only mode ?

If you have a maintenance window scheduled in Airwave for your devices, Airwave will push the configuration it has onto your devices regardless of them being in monitor-only mode.
Planned downtime is what you are looking for if you are not managing devices with Airwave.
Pasquale Monardo | Senior Network Solutions Consultant
ACDX #420 | ACMP
[If you found my post helpful, please give kudos!]
seb
Occasional Contributor II
Posts: 16
Registered: ‎08-25-2010

Re: Airwave push configuration in monitor only mode ?

You're right!

I misunderstood this function; I learn every day.
