06-02-2014 01:30 AM
On our Airwave server, I made a number of changes to the configuration of a group of 3 mobility controllers (model 7210 running firmware 22.214.171.124), and applied the changes to the group. The changes included creation of a new campus WLAN and associated settings such as AAA and SSID profiles, as well as a user role, and a firewall policy.
All the settings got pushed out correctly, except that the firewall policy has not been applied to the user role. Both the role and the policy were applied to the controllers, though. Airwave reports that the 3 controllers have mismatched configurations, and show the following when clicking on the "mismatched" link:
| Setting | Current Device Configuration | Desired Configuration |
|---|---|---|
| User Role 'FC-RESIDENTIAL-GUEST_role' Policy '1' Aruba AP Group | (not set) | default |
| User Role 'FC-RESIDENTIAL-GUEST_role' Policy '1' Policy | (not set) | FC-RESIDENTIAL-GUEST_ACL_POLICY |
| User Role 'FC-RESIDENTIAL-GUEST_role' Policy '1' Position | (not set) | 1 |
| User Role 'FC-RESIDENTIAL-GUEST_role' Policy '1' Status | (not set) | Create |
Repairing the configuration does not change the result. I cannot see any errors logged in relation to applying the configuration.
I have not tried changing this directly in the controller GUI and would prefer not to as our policy is to use Airwave. Please advise steps I need to take to get the Airwave to apply the firewall policy.
I have one other (hopefully) simple question: under the virtual AP for the WLAN in question, I have set a VLAN ID. In the AAA profile under the virtual AP profile, the role is the "FC-RESIDENTIAL-GUEST_role" from the table above. However, the role itself does not have a VLAN ID assigned. The WLAN is working fine (except that the firewall policy is not applied) and the traffic is on the right VLAN once it hits the wired network, so I'm assuming that the VLAN ID doesn't need to be applied at the role level too? Or could this be related to the issue above, or be likely to cause any other complications?
Thanks in advance!
06-02-2014 03:40 AM
Do you have PEF licenses installed on your controller?
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
06-02-2014 03:53 AM
Log in to one of the controllers (must be the master) and type "show audit-trail" to see exactly what was pushed and when. You might have to go back some to find out what happened.
Aruba Customer Engineering
06-02-2014 06:10 PM
Thanks for the replies.
Victor, the PEF licences are installed and I have previously applied firewall policies without issue.
Colin, checking the audit trail, all I see is the commands being executed successfully (no errors). I can see that the user role command is executed, followed by the access list policy being created and the rules added. I am not sure if there is supposed to be another command that specifically applies the policy to the role or not...?
When I attempt to repair the configuration from the Airwave, the following is logged:
Jun 3 09:19:19 fpcli: USER:firstname.lastname@example.org COMMAND:<no paging > -- command executed successfully
Jun 3 09:19:19 fpcli: USER:email@example.com COMMAND:<encrypt disable > -- command executed successfully
Jun 3 09:19:58 fpcli: USER:firstname.lastname@example.org COMMAND:<user-role "FC-RESIDENTIAL-GUEST_role" > -- command executed successfully
Jun 3 09:19:59 fpcli: USER:email@example.com COMMAND:<write memory > -- command executed successfully
Jun 3 09:20:12 fpcli: USER:firstname.lastname@example.org COMMAND:<no paging > -- command executed successfully
Jun 3 09:20:12 fpcli: USER:email@example.com COMMAND:<encrypt disable > -- command executed successfully
Something else I've noticed and don't understand is the first line under the mismatched config: "User Role 'FC-RESIDENTIAL-GUEST_role' Policy '1' Aruba AP Group". Current config is "not set" and desired is "default". This matches what is shown by Airwave when clicking on "Controller Config" under the group with the controllers in it: the "default" AP group (which has all APs in it) has "FC-RESIDENTIAL-GUEST_role" as the user role. There are a number of roles on these controllers, so why does Airwave want to assign this role to the AP group? If and when this applies on the controllers, will it affect any other roles? Can I stop Airwave from having this as the desired configuration?
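The audit-trail excerpt above shows the role being entered but no command that binds the ACL to it, which is exactly what the Airwave mismatch table reports. The following script is an added example, not code from the thread or from Aruba/Airwave: it parses fpcli audit-trail lines of the shape quoted above and reports which of the expected push steps for a given role/policy pair are absent. The sample input is the thread's own four lines; the ArubaOS command shapes it looks for (`user-role "<role>"`, `ip access-list session <policy>`, `access-list session <policy>` inside the role) and the second, constructed "complete push" transcript are assumptions made for the example.

```python
import re

# Sample input: the four fpcli audit-trail lines quoted in the thread.
AUDIT_TRAIL = """\
Jun 3 09:19:19 fpcli: USER:firstname.lastname@example.org COMMAND:<no paging > -- command executed successfully
Jun 3 09:19:19 fpcli: USER:email@example.com COMMAND:<encrypt disable > -- command executed successfully
Jun 3 09:19:58 fpcli: USER:firstname.lastname@example.org COMMAND:<user-role "FC-RESIDENTIAL-GUEST_role" > -- command executed successfully
Jun 3 09:19:59 fpcli: USER:email@example.com COMMAND:<write memory > -- command executed successfully
"""

# Constructed transcript of what a complete push would look like (assumed
# ArubaOS CLI shapes; not quoted from the thread).
FULL_PUSH = """\
Jun 3 09:30:00 fpcli: USER:email@example.com COMMAND:<ip access-list session FC-RESIDENTIAL-GUEST_ACL_POLICY > -- command executed successfully
Jun 3 09:30:01 fpcli: USER:email@example.com COMMAND:<user-role "FC-RESIDENTIAL-GUEST_role" > -- command executed successfully
Jun 3 09:30:02 fpcli: USER:email@example.com COMMAND:<access-list session FC-RESIDENTIAL-GUEST_ACL_POLICY position 1 > -- command executed successfully
Jun 3 09:30:03 fpcli: USER:email@example.com COMMAND:<write memory > -- command executed successfully
"""

# One fpcli line: timestamp, user, the command between <...>, and the result text.
LINE_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+fpcli:\s+USER:(?P<user>\S+)\s+'
    r'COMMAND:<(?P<cmd>.*?)\s*>\s+--\s+(?P<result>.*)$'
)


def parse_audit_trail(text):
    """Return one dict (ts, user, cmd, result) per line that matches the fpcli format."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def failed_commands(entries):
    """Commands whose result text is anything other than the success message."""
    return [e["cmd"] for e in entries if e["result"] != "command executed successfully"]


def check_role_policy_push(entries, role, policy):
    """Flag which expected steps for binding `policy` to `role` appear in the trail.

    Steps (assumed command shapes):
      role_entered : user-role "<role>"              (enters role sub-mode)
      acl_created  : ip access-list session <policy> (top-level config)
      acl_bound    : access-list session <policy>    (issued while inside the role)
    """
    seen = {"role_entered": False, "acl_created": False, "acl_bound": False}
    in_role = False  # assumed: any non-role command leaves role sub-mode
    for e in entries:
        cmd = e["cmd"]
        if cmd.startswith("user-role "):
            in_role = role in cmd
            seen["role_entered"] = seen["role_entered"] or in_role
        elif cmd.startswith("access-list session "):
            if in_role and policy in cmd:
                seen["acl_bound"] = True
        else:
            in_role = False
            if cmd.startswith("ip access-list session ") and policy in cmd:
                seen["acl_created"] = True
    return seen


def missing_steps(entries, role, policy):
    """Names of the expected steps that never showed up in the audit trail."""
    return [k for k, v in check_role_policy_push(entries, role, policy).items() if not v]


if __name__ == "__main__":
    role, policy = "FC-RESIDENTIAL-GUEST_role", "FC-RESIDENTIAL-GUEST_ACL_POLICY"
    for label, text in (("thread excerpt", AUDIT_TRAIL), ("constructed full push", FULL_PUSH)):
        entries = parse_audit_trail(text)
        print(label, "-> failed:", failed_commands(entries),
              "missing:", missing_steps(entries, role, policy))
```

Run against the thread's excerpt the check reports no failed commands but two missing steps (the ACL creation and the binding), which is the useful distinction here: "every command succeeded" and "the intended configuration was pushed" are different questions, and only the second one explains the Airwave mismatch.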
06-03-2014 03:25 AM
06-03-2014 08:02 PM
Thanks Colin, the default AP group was set there, and removing it allowed the configuration to be applied without any problems.
To answer my own question in my original post about setting the VLAN ID on the user role to match the virtual AP: this apparently is necessary - clients had no connectivity until this was set.