Wireless Access

Hello All... I have a client who has a 3200 controller and AP105s in the field. We have an issue with only wireless clients... When they try and go to the organizations website (yourname.org) they end up at the Aruba controller... if they try it wired, they go where they are supposed to go. NSLOOKUP in wireless and wired clients reflect a different answer when I lookup the name, and the wireless answer is a Non-Authoritative answer but says it is from the correct DNS server. Where would would this be in the controller? Thanks in advance!

Is the VLAN trusted on port ?

Hi Victor,
  Thanks for you reply.

What do you mean is the VLAN trusted on port?  They are configured on one flat VLAN with wired and wireless is that helps..

If you can take at the controller interface :
interface gigabitethernet 0/0/0
description "GE0/0/0"
trusted
trusted vlan 1,10
switchport mode trunk

Victor,
   Yes, I believe it is -- I'm attaching screenshot of the port settings.

 

Port Config looks good
Can you shared the following :
- show user <user IP address>
- show rights <user-role that the devices are getting>
- show ap licenses-usage

Here is a show user and a sampling of 3 users:

172.19.10.156  70:56:81:8a:6d:95  aimguest          authenticated  00:03:31    802.1x            4th-Tech-01        Wireless  AIM/24:de:c6:45:08:78/a-HT        AIM-8021x      tunnel        OS X

172.19.10.130  2c:be:08:f1:52:f2  bcummings         authenticated  00:00:11    802.1x            1st-Stairwell-01   Wireless  AIM/00:24:6c:b1:89:18/a-HT        AIM-8021x      tunnel        OS X

172.19.10.135  00:23:6c:93:4e:44  sadams            authenticated  00:00:43    802.1x            2nd-201-01         Wireless  AIM/00:24:6c:b1:80:80/g-HT        AIM-8021x      tunnel        OS X

 

Show Rights:

RoleTable

---------

Name              ACL  Bandwidth                  ACL List                                       Type

----              ---  ---------                  --------                                       ----

ap-role           4    Up: No Limit,Dn: No Limit                                                 System

authenticated     22   Up: No Limit,Dn: No Limit  allow-all/                                     User

default-via-role  21   Up: No Limit,Dn: No Limit                                                 User

guest             3    Up: No Limit,Dn: No Limit  guest/                                         User

guest-logon       6    Up: No Limit,Dn: No Limit  captiveportal/,logon-control/,captiveportal6/  User

logon             1    Up: No Limit,Dn: No Limit  captiveportal6/                                User

stateful-dot1x    5    Up: No Limit,Dn: No Limit                                                 System

sys-ap-role       7    Up: No Limit,Dn: No Limit  sys-control/,sys-ap-acl/                       System (not editable)

 

Show AP:

AP Licenses

-----------

Type                      Number

----                      ------

AP Licenses               36

PEF Licenses              32

Overall AP License Limit  32

 

AP Usage

--------

Type            Count

----            -----

CAPs            29

RAPs            0

Tunneled nodes  0

Total APs       29

 

Remaining AP Capacity

---------------------

Type  Number

----  ------

CAPs  3

RAPs  3

 

I thought this was interesting, too -- here's a screenshot of the AP stats in the web interface that shows the controller as being the domain name, instead of aruba-master... or an IP address, which is what I've worked with in the past...  

Seems like maybe where that is set might be the key?

 

bsarte,

 

Did the organization replace the controller's web (SSL) certificate with one that has aimpa.org in the name? 

Hi cjoseph -- looking in the controller I see a certificate for the domain name...  attaching screen shot... 

 

Click on View.  What is the fqdn of the certificate?

 

The only domain name I see in the View screen is the aimpa.org domain name.

I experienced a bug in early 6.3 code (6.3.1.2-4 I think) that resulted in DNS not resolving the name of the controller correctly for any wireless clients.  So if you were a wireless client, you couldn't connect to the controller GUI via FQDN.  Not the same issue you're seeing, but thought I'd mention it in case there's more to this bug than I am aware of. 

Can you tell me what revision the code is on now?  I just took a look, and this 3200 is on 6.1.3.2

 

Thanks!

The certificate should have a fqdn or hostname. The controller would intercept any requests for the hostname and reply with the controller's IP address to facilitate the captive portal process. I have never put a certificate with a domain name instead of he hostname, bit that could be what is happening here. We could find out if that is the case by replacing the certificate with the default server certificate.