Wireless Access

Hello,

I would like to manually configure a 115 AP and I was wondering if you guys had any useful documentation on how to do so?

I found a document on purging APs, but what I'm looking for is a way to set for example the aruba-master IP address manually as well as other entries.

Can you please advise?

Many thanks

H

General Variables:
 setenv ipaddr x.x.x.x
 setenv netmask x.x.x.x
 setenv gatewayip x.x.x.x
 setenv master x.x.x.x
 setenv serverip x.x.x.x
 setenv group xxxxxx

 setenv name xxxxxx

Required without DNS or option 43:

 setenv master
 setenv serverip

Required without DHCP:

 setenv ipaddr 
 setenv netmask
 setenv gatewayip

http://community.arubanetworks.com/t5/Access-Points/printenv-command-on-AP-s/td-p/2420

Many thanks for this.

I have managed to configure the AP as follows:

apboot> printenv
bootdelay=2
baudrate=9600
autoload=n
boardname=Ardbeg
servername=aruba-master
bootcmd=boot ap
autostart=yes
bootfile=mips32.ari
ethaddr=18:64:72:c1:2c:0a
ethact=eth0
ippaddr=192.168.x.x
netmask=255.255.255.128
gatewayip=192.168.x.x
master=10.181.x.x

The AP is located in a remote site connecting to the master controller over a VPN link. Would the configuration above allow the AP to communicate with the aruba-master controller and pull its image from it? The VPN link is established, and devices from the remote site can access resources on our main infrastructure..

Can you please advise in case I missed something else if you don't mind?

Much appreciated!

If the AP is able to reach the controller through PAPI/GRE it should be able to come up

I will create nodes on our firewalls allowing access from the AP (192.168.x.x) to aruba master (10.181.x.x through the VPN link using all services for the testing phase.

I just wanted to confirm that if there is a connection between AP and master controller and allowing all services (Protocols), there is nothing else I'm missing.

Many thanks for your reply.

Will deploy tomorrow .. fingers crossed.

:)

Many thanks for your input and advise....

Will do..

Many thanks!
:)

Hello,

As advised, I've connected the AP onto our WLAN network prior to deployment and it picked up an image. I have then manually changed the settings of the AP to the remote site and setup the IP, GW, master manually.

I'm on site now and the AP can ping the master controller through the VPN. However, ii'm still not getting the 4 lights up and is not advertising the SSID that I set up in the office.

I had a look at the output and noticed that it's changed its IP from the manually setup one of 192.168.x.x

I can also see that it's using ADP to access the master controller.

Can you please have a look at the output and advise if I've missed something or done something wrong you don't mind?

~ #

APBoot 1.4.0.5 (build 38142)
Built: 2013-04-21 at 22:03:44

Model: AP-11x
CPU:   QCA9550 revision: 1.0
Clock: 720 MHz, DDR rate: 600 MHz, Bus clock: 200 MHz
DRAM:  256 MB
POST1: passed
Copy:  done
Flash: 32 MB
Power: 802.3af POE
PCI:   scanning bus 0 ...
       dev fn venID devID class  rev    MBAR0    MBAR1    MBAR2    MBAR3
       00  00  168c  0033 00002   01 00000004 00000000 00000000 00000000
Net:   eth0
Radio: ar9590#0, qca9550#1

Hit <Enter> to stop autoboot:  0
apboot> printenv
bootdelay=2
baudrate=9600
autoload=n
boardname=Ardbeg
bootcmd=boot ap
autostart=yes
bootfile=mips32.ari
ethaddr=18:64:72:c1:2c:0a
num_ipsec_retry=85
name=Pembroke-VPN-Test
group=Pembroke-House
ip6prefix=64
servername=aruba-master
a_antenna=0
g_antenna=0
usb_type=0
uplink_vlan=0
auto_prov_id=0
is_rmp_enable=0
priority_ethernet=0
priority_cellular=0
cellular_nw_preference=1
usb_power_mode=0
cert_cap=0
mesh_role=0
installation=0
mesh_sae=0
ethact=eth0
ip=192.168.x.x
netmask=255.255.255.0
gateway=192.168.x.x
master=10.181.x.x
start_type=warm_start
stdin=serial
stdout=serial
stderr=serial

Environment size: 595/65532 bytes
apboot> boot
Checking image @ 0xbf100000 (bank 1)

Image is signed; verifying checksum... passed
Signer Cert OK
Policy Cert OK
RSA signature verified.
ELF file is 32 bit
Loading .text @ 0x80e00000 (4705672 bytes)
Loading .data @ 0x8127cd90 (32 bytes)
Clearing .bss @ 0x8127cdb0 (16 bytes)
## Starting application at 0x80e00000 ...
Uncompressing............................................


Aruba Networks
ArubaOS Version 6.3.1.3 (build 42233 / label #42233)
Built by p4build@port-royal on 2014-02-11 at 11:29:58 PST (gcc version 4.3.3)
CPU Rev: 1130
955x CPU
flash_size passed from bootloader = 32
arg 1: mem=256M
Flash variant: default
cpu apb ddr apb ath_955x_sys_frequency: cpu 720 ddr 600 ahb 200
Cache parity protection disabled
ath_timer_init: plat time init done
Using 360.000 MHz high precision timer. cycles_per_jiffy=720000
Memory: 251648k/262144k available (1931k kernel code, 10368k reserved, 752k data, 3832k init, 0k highmem)
 available.
detected lzma initramfs
initramfs: LZMA lc=3,lp=0,pb=2,dictSize=8388608,origSize=17670656
LZMA initramfs by Ming-Ching Tiew <mctiew@yahoo.com> ..............................................................................................................................................................................................................................................................................
qca955x_pcibios_init: bus 0
qca955x_pcibios_init(1239): PCI 0 CMD write: 0x356
qca955x_pcibios_init: bus 1
qca955x_pcibios_map_irq: IRQ 75 for bus 0
ATH GPIOC major 0
wdt: registered with refresh
Enabling Watchdog
Talisker RSSI LED initialization
Concatenating MTD devices:
(0): "bank1"
(1): "bank2"
into device "flash"
Creating 1 MTD partitions on "flash":
0x00000000-0x02000000 : "flash"
i2c /dev entries driver
i2c-talisker: using default base 0x18040000
lo: Disabled Privacy Extensions
IPv6 over IPv4 tunneling driver

Starting Kernel SHA1 KAT ...Completed Kernel SHA1 KAT
Starting Kernel HMAC-SHA1 KAT ...Completed Kernel HMAC-SHA1 KAT
Starting Kernel DES KAT ...Completed Kernel DES KAT
Starting Kernel AES KAT ...Completed Kernel AES KAT

Starting Kernel AESGCM KAT ...Completed Kernel AESGCM KAT

Domain Name: arubanetworks.com
No panic info available
qca955x_GMAC: Length per segment 1536
955x_GMAC: qca955x_gmac_attach
955x_GMAC: qca955x_set_gmac_caps
Currently in polling mode unit0
mac:0 Registering S17....
qca955x_GMAC: RX TASKLET - Pkts per Intr:100
qca955x_GMAC: Mac address for unit 0:8078ebc0
qca955x_GMAC: 18:64:72:c1:2c:0a
qca955x_GMAC: Max segments per packet :   1
qca955x_GMAC: Max tx descriptor count :   128
qca955x_GMAC: Max rx descriptor count :   2048
qca955x_GMAC: Mac capability flags    :   2201
_athrs17_mac0_intf done
athrs17_reg_init:done
Phy setup Complete
drvlog_mod: module license 'Proprietary' taints kernel.
AP xml model 72, num_radios 2 (jiffies 3486)
init_asap_mod: installation:0
radio 0: band 1 ant 0 max_ssid 16
radio 1: band 0 ant 0 max_ssid 16
Starting watchdog process...
Getting an IP address...
To set s17 LOOKUP_CTRL_REG registers, flag 0
athr_gmac_ring_alloc Allocated 2048 at 0x80648000
athr_gmac_ring_alloc Allocated 32768 at 0x807d0000
955x_GMAC: eth0 in RGMII MODE
Scorpion -----> S17 PHY
FINAL XMII VAL after RX Calibration - 0x84000101
Error: cannot be initialized twice!
athrs17_reg_init:done
Setting PHY...
Phy setup Complete
To set s17 LOOKUP_CTRL_REG registers, flag 1
ADDRCONF(NETDEV_UP): bond0: link is not ready

Enet:0 port0 up
eth0  RGMII  100Mbps  full duplex
ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
192.168.x.x 255.255.255.0 192.168.x.x
Running ADP...Done. Master is 10.181.x.x
ath_hal: 0.9.17.1 (AR5416, AR9380, REGOPS_FUNC, PRIVATE_DIAG, WRITE_EEPROM, 11D)
ath_rate_atheros: Copyright (c) 2001-2005 Atheros Communications, Inc, All Rights Reserved
ath_rate_atheros: Aruba Networks Rate Control Algorithm
ath_dfs: Version 2.0.0
Copyright (c) 2005-2006 Atheros Communications, Inc. All Rights Reserved
ath_spectrum: Version 2.0.0
Copyright (c) 2005-2006 Atheros Communications, Inc. All Rights Reserved
ath_dev: Copyright (c) 2001-2007 Atheros Communications, Inc, All Rights Reserved
ath_pci: 0.9.4.5 (Atheros/multi-bss)
Restoring Cal data from Flash
Reading from Addr: 0xbffe5000
ath_attach: scn 8dd60280 sc 8dd80000 ah 8ddc0000
wifi0: Base BSSID 18:64:72:92:c0:b0, 16 available BSSID(s)
bond0 address=18:64:72:c1:2c:0a
br0 address=18:64:72:c1:2c:0a
wifi0: AP type AP-115, radio 0, max_bssids 16
wifi0: Atheros 9580: mem=0x10000000, irq=75 hw_base=0xb0000000
ath_ahb: 0.9.4.5 (Atheros/multi-bss)
ath_ahb: init_ath_wmac
Enterprise mode: 0x30000000
Restoring Cal data from Flash
Reading from Addr: 0xbffe1000
ath_attach: scn 8d860280 sc 8d880000 ah 8d8c0000
wifi1: Base BSSID 18:64:72:92:c0:a0, 16 available BSSID(s)
bond0 address=18:64:72:c1:2c:0a
br0 address=18:64:72:c1:2c:0a
wifi1: AP type AP-115, radio 1, max_bssids 16
wifi1: Atheros 955x: mem=0xb8100000, irq=2
shutting down watchdog process (nanny will restart it)...
 
        <<<<<       Welcome to the Access Point     >>>>>
 

I can see on the Controller that it can see the AP and has flagged it with I=Inactive and D=Dirty!

Looking into this at the moment... but thought I share info..

Does the "Pembroke-House" ap-group have an AP system profile that has an LMS-IP?  If yes, remove the LMS-IP

We are using VRRP, but there is an LMS entry in the configuratoin.This is a global and will affect other live APs using the same System Profile.

If I select default as the AP System profile, that should only use the master controller shouldn't it?

I've been trying to change the AP's group from the controller. However, no matter what group I put it in when provisioning AP doesn't seem to be taking the new settings. Doesn't even reboot. I manually reboot it after a while and it's still getting the Pembroke House AP Group even though I've configured it for a different group.

Should I purge and reset the AP?

Mike_Garland,

First things first:  Try to change the access point's ap-group in the RAP whitelist.  Changing it will not overwrite the printenv, but it will override the ap-name and ap-group listed in the printenv.

I would :

- create a separate ap-group

- create a separate ap system profile (without LMS-IP) and assign it to that ap-group

- Change the RAP whitelist so that AP's ap-group is that new group you created

- Let the AP come up.

If an AP shows "dirty" that means that ports from the AP to the controller are blocked, or the AP is no longer pointing to the controller that wants to control it.  Make sure you do not have a firewall between the ap's subnet and the controller and if you do...consult the article here:  https://arubanetworkskb.secure.force.com/pkb/articles/HowTo/R-1557

Thanks for your input.

- Created a seperate group

- used the default AP System Profile. Identical to the one in use but without the LMS IP

- This is not a RAP, it's just an AP that is trying to access the controller from a different network using a VPN connection

When I go to the RAP Whitelist, I only have a purge option and it cannot see any RAPs

Yes, the AP is going through a firewall, but I've allowed all the traffic across for this stage. Once I get it up and runnning, I will then tie the rule base down.

The link you provided is very useful for the next fase. However, I sstill can't get the AP to run at this stage.
:(

I've changed the RAP MTU from 1200 to 1100. the SAP MTU was blank.

Still not getting any luck
:(

Hi Colin,

Changed it but it's still not working.
:(
Would there be any commands that you would like me to run the AP or the controller that will give you a better picture of what/why this is not working?

I don't mind doing so and sending them in private.

Many thanks, your assistance is much appreciated!

Type "show log system 50" to see if there is any information about your access point.

No entries for this AP

In your last "printenv", you need to set the ipaddr variable, not the ip variable for the ip address of the AP.

Thanks for pointing this out. However, the AP still picked up a DHCP address of x.x and was able to ping the controller.

I have rectified this and printenv is showing as follows:

apboot> printenv
bootdelay=2
baudrate=9600
autoload=n
boardname=Ardbeg
bootcmd=boot ap
autostart=yes
bootfile=mips32.ari
ethaddr=18:64:72:c1:2c:0a
num_ipsec_retry=85
name=Pembroke-VPN-Test
group=Pembroke-House
ip6prefix=64
servername=aruba-master
a_antenna=0
g_antenna=0
usb_type=0
uplink_vlan=0
auto_prov_id=0
is_rmp_enable=0
priority_ethernet=0
priority_cellular=0
cellular_nw_preference=1
usb_power_mode=0
cert_cap=0
mesh_role=0
installation=0
mesh_sae=0
ethact=eth0
netmask=255.255.255.0
gateway=192.168.x.x
master=10.181.x.x
start_type=cold_start
stdin=serial
stdout=serial
stderr=serial
ipaddr=192.168.x.x

These are the variables:

setenv ipaddr
setenv netmask
setenv gatewayip

You have gateway, instead of gatewayip.  What's wrong with just using DHCP and DNS so you can avoid manipulating variables?

At the start I thought I limit the devices that can come acroos the VPN. However, I've opened it up for troubleshooting and you're absolutley right.. I have used DHCP and I can see that the DNS entry has also been populated, but it's still showing an ID on the controller.

servername=aruba-master
a_antenna=0
g_antenna=0
usb_type=0
uplink_vlan=0
auto_prov_id=0
is_rmp_enable=0
priority_ethernet=0
priority_cellular=0
cellular_nw_preference=1
usb_power_mode=0
cert_cap=0
mesh_role=0
installation=0
mesh_sae=0
ethact=eth0
master=10.181.x.x
gatewayip=192.168.x.x
netmask=255.255.255.0
ipaddr=192.168.x.x
dnsip=10.181.x.x
start_type=cold_start
stdin=serial
stdout=serial
stderr=serial

Environment size: 622/65532 bytes
apboot> ping aruba-master
Usage:
ping - send ICMP ECHO_REQUEST to network host

apboot> ping 10.181.x.x
eth0 up: 100 Mb/s full duplex
Using eth0 device
host 10.181.x.x is alive
apboot>

Are you sure your firewall is wide open in both directions?

Hi Colin,

Thanks again for your reply. Everything is open on both FW. However, I will need to check the NAT configuration and make sure each device is leaving with its own address rather than the FW interface addresses.

Will feedback once I do the changes.

Many thanks,

Mike

Hi Colin,

All is working now. Many thanks for your assistance as well as Victor and everyone else.

Issue was with NAT. Even though the FW was allowing all traffic, it was leaving with the FW's external IP and not the device itself. Same was for incoming traffic.

Once again many thanks and much appreciated.

Hi, 

I have an 115 AP and I'm trying to connect via console, It boots bou after there is that ~ #, i type but is always the same message "Access denied" 

It's a new access point without any configuration.

How can i fix thios problem?

Thanks.

Hello,

During boot up if you pay attention to the output you will be promted to interupt the boot sequence, then you can purge the AP, save and reboot.

Hi, 

I already purge the device, and it's doing the same. It's not working.

Thanks for your quick answer.

a normal AP, so not an instant AP, has very limited CLI commands active. you in principle control it via the controller. as you already purged it you showed that part is working, what else do you want to do on CLI?