Security, WIDS/WIPS and Aruba ECS

Reply
Frequent Contributor I
Posts: 64
Registered: ‎11-10-2009

Adding static WEP SSID breaks WPA Enterprise

We have to support a static WEP SSID for a migration from legacy access points and have configured up an SSID and virtual AP thus:

wlan ssid-profile "UUU-local-wep_ssid"
essid "XXX"
opmode static-wep
wepkey1 YYY
!
wlan virtual-ap "UUU-local-wep_vap"
ssid-profile "UUU-local-wep_ssid"
vlan 472
forward-mode bridge
broadcast-filter all
broadcast-filter arp

This works fine when I add it to an AP group and I can connect using the manual shared WEP key; traffic bridges out at the AP on VLAN 472.

However, when I add our standard WPA/WPA2 Enterprise SSID (eduroam) to the AP group, this SSID doesn't work - you can authenticate fine (and we see the dialogue with the RADIUS server, plus the client device appears to be associated), the client then tries to DHCP but nothing comes out of the controller end of the tunnel - the client traffic is effectively being lost. The WEP one does continue to work, however.

When I remove the WEP virtual AP from the AP group, the WPA/WPA2 Enterprise one springs into life and works fine.

Is there some sort of clash between old WEP (I've tried 40-bit and 128-bit keys) and WPA/WPA2 Enterprise? Or does this sound like a bug?

We're running ArubaOS 3.4.2 on a 6000 with M3 modules. I've tried AP-65s and AP-105s with the same effect. All the APs are configured as remote APs.

Thanks in advance.
Aruba Employee
Posts: 119
Registered: ‎05-16-2007

Re: Adding static WEP SSID breaks WPA Enterprise

Hey Bob....did you get closure to this issue? If so, what was the solution?
Frequent Contributor I
Posts: 64
Registered: ‎11-10-2009

Sort of...

Sort of... the bug was acknowledged by our support provider and there is a fix for 3.1 in 3.1.10 and 5 in 5.0.1.0. However, we're running 3.4 and there isn't a simple fix for this issue without a large upgrade.

We're planning to upgrade to 5.0.1.0 later in the month and have used the problem as an incentive for the site where it was required.
Search Airheads
Showing results for 
Search instead for 
Did you mean: