Remote Networking

Reply
Occasional Contributor II
Posts: 16
Registered: ‎08-31-2010

IKE_XAUTH provisioning error on RAP2 and 5

We have several RAP-2WG and RAP5-WNs. I'm trying to provision them on a M3 controller running 5.0.4.0. According to the docs the setup is dead simple. I have an AP group for them. I have their MACs whitelisted in the RAP Whitelist. But they won't provision.

On booting up they get to the Master Connectivity section and get "RC_ERROR_IKE_XAUTH_AUTHORIZATION_FAILED".

Both 2s and 5 do the same thing.

show datapath session | include 4500
shows traffic from the master to the RAP with the "F" Fast Age flag set only. So I'm sure I have connectivity

show crypto isakmp sa
only shows the two locals talking to the master.

This is on a very busy Master, so dumping the security logs and user table is rather impractical.

Anyone run into this and have a fix?
Guru Elite
Posts: 21,007
Registered: ‎03-29-2007

Re: IKE_XAUTH provisioning error on RAP2 and 5


We have several RAP-2WG and RAP5-WNs. I'm trying to provision them on a M3 controller running 5.0.4.0. According to the docs the setup is dead simple. I have an AP group for them. I have their MACs whitelisted in the RAP Whitelist. But they won't provision.

On booting up they get to the Master Connectivity section and get "RC_ERROR_IKE_XAUTH_AUTHORIZATION_FAILED".

Both 2s and 5 do the same thing.

show datapath session | include 4500
shows traffic from the master to the RAP with the "F" Fast Age flag set only. So I'm sure I have connectivity

show crypto isakmp sa
only shows the two locals talking to the master.

This is on a very busy Master, so dumping the security logs and user table is rather impractical.

Anyone run into this and have a fix?




The solution is most likely located in the security logs. If you cannot look at the security logs, there is little chance we can get to the bottom of this.


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor II
Posts: 16
Registered: ‎08-31-2010

Re: IKE_XAUTH provisioning error on RAP2 and 5

I can look at the security logs, but the there is a huge amount of data there and doubt posting it all the forum would help. How do I narrow down whats wrong in the logs. Is there anything less verbose than

show log security all | include ike

that might help? Or what am I looking for in the ike logs?
Guru Elite
Posts: 21,007
Registered: ‎03-29-2007

Re: IKE_XAUTH provisioning error on RAP2 and 5

I would start with the word "fail", or "Fail"

Last, but not least, I would check the parameter under Configuration> security> authentication>l3 authentication> vpn authentication profile> default-rap. Make sure that the server group is "default". Click on the word "default" and make sure the Internal server is in that, as well.


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor II
Posts: 16
Registered: ‎08-31-2010

Re: IKE_XAUTH provisioning error on RAP2 and 5

That last bit was the key. The Auth server had been set to something other than default for the default-rap group. That showed up in the security logs as "User Authentication Failed" with "auth method=VPN". Setting it back to default got the RAPs working.

Thanks muchly for the pointer.
Search Airheads
Showing results for 
Search instead for 
Did you mean: