Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

AP125 Cannot get to Internet

  • 1.  AP125 Cannot get to Internet

    Posted Aug 27, 2013 04:51 PM

    Hi,

     

    I have set up an AP125 with a 3200XM controller. I have set up the AP to communicate to the controller successfully. I have a Wifi adapter on my laptop that I am testing the connection to the AP with. This is also successful.

     

    The problem is I am not able to get out to the internet via my laptop. It keeps saying "No Internet Access" although I am getting a valid internal IP from the controller. I am using the tunnel mode as the controller is connected to a switch that can go out to the internet via its default gateway. 

     

    Any ideas of what is wrong? 



  • 2.  RE: AP125 Cannot get to Internet

    EMPLOYEE
    Posted Aug 27, 2013 04:55 PM
    What role is your device in?

    You can run show user-table at the CLI.


  • 3.  RE: AP125 Cannot get to Internet

    EMPLOYEE
    Posted Aug 27, 2013 07:57 PM

    You say internal IP from the controller.  Is this routable or do you need NAT to make this get out to the Internet?  If so, go into the IP interface on the controller and enable Source NAT.



  • 4.  RE: AP125 Cannot get to Internet

    Posted Aug 28, 2013 03:04 AM

    Are you sure that you do have Internet access from your controller?

    Try going to the diagnostics tab and ping something on the Internet like 8.8.8.8.



  • 5.  RE: AP125 Cannot get to Internet

    Posted Aug 28, 2013 09:27 AM

    Actually I am not able to ping 8.8.8.8. In the controller wizard I have put in the correct static default gateway and am able to ping to that.

     

    The role of the client that is connected to the AP is "guest" 



  • 6.  RE: AP125 Cannot get to Internet

    EMPLOYEE
    Posted Aug 28, 2013 09:28 AM
    Does your DG have a route BACK TO the controller?

    Seth R. Fiermonti
    Sr. Systems Engineer
    ACMP, ACCP, ACDX, ACMX
    Mobile: 781.632.6052
    Email: seth@arubanetworks.com
    www.arubanetworks.com


  • 7.  RE: AP125 Cannot get to Internet

    Posted Aug 28, 2013 09:46 AM

    Yes, the controller is on 102.22 and the DG is 102.1. They are both just 1 hop from each other and I am able to get out to the internet via other devices (also on the same switch) through that same DG. 

     

    Edit: I am able to get to 8.8.8.8 from the AP. Tried pinging from the console connection of the AP and it works, but I am not able to get to 8.8.8.8 from the Controller 



  • 8.  RE: AP125 Cannot get to Internet

    EMPLOYEE
    Posted Aug 28, 2013 09:51 AM
    Where does a traceroute fail?

    Seth Fiermonti
    781-632-6052
    Sent from my iPhone


  • 9.  RE: AP125 Cannot get to Internet

    Posted Aug 28, 2013 10:12 AM

    Failing on the 2nd hop after the DG. The problem may be with the IP on the Wifi adapter. I get assigned an IP of 169.254.243.83. That doesn't seem right... where can I specify the IP pool of the AP to give out? 



  • 10.  RE: AP125 Cannot get to Internet

    EMPLOYEE
    Posted Aug 28, 2013 10:18 AM
    Is the controller the gateway for WLAN clients? However, the controller itself cannot ping out. I would focus on that first.

    The second hop...does it know about the controller's network?

    Can you paste a config from the controller?

    Seth Fiermonti
    781-632-6052
    Sent from my iPhone


  • 11.  RE: AP125 Cannot get to Internet

    Posted Aug 28, 2013 10:48 AM

     

    version 6.2
    enable secret "9b4b9a2f014b7bb185ff783ed86d56921d9c526f829651f9de"
    hostname "Aruba3200-US"
    clock timezone IDLW -12
    location "Building1.floor1"
    controller config 83

    ip NAT pool dynamic-srcnat 0.0.0.0 0.0.0.0
    ip access-list eth validuserethacl
    permit any
    !
    netservice svc-pcoip2-tcp tcp 4172
    netservice svc-citrix tcp 2598
    netservice svc-ica tcp 1494
    netservice svc-sec-papi udp 8209
    netservice svc-pcoip-tcp tcp 50002
    netservice svc-pcoip-udp udp 50002
    netservice vnc tcp 5900 5905
    netservice svc-papi udp 8211
    netservice web tcp list "80 443"
    netservice svc-pcoip2-udp udp 4172
    netservice svc-vmware-rdp tcp 3389
    netexthdr default
    !
    time-range Workhours periodic
    weekday 07:30 to 17:30
    !
    ip access-list session validuser
    network 169.254.0.0 255.255.0.0 any any deny
    any any any permit
    ipv6 host fe80:: any any deny
    ipv6 any any any permit
    !
    ip access-list session vmware-acl
    !
    ip access-list session v6-control
    !
    ip access-list session ra-guard
    !
    ip access-list session citrix-acl
    !
    ip access-list session captiveportal6
    !
    ip access-list session v6-ap-acl
    !
    vpn-dialer default-dialer
    ike authentication PRE-SHARE c00356f3cbe592bc98e43927fc4ff9f7c600af47f576f09d
    !
    user-role ap-role
    !
    user-role guest-logon
    !
    user-role guest
    !
    user-role stateful-dot1x
    !
    user-role logon
    !

    controller-ip vlan 1
    interface mgmt
    shutdown
    !

    dialer group evdo_us
    init-string ATQ0V1E0
    dial-string ATDT#777
    !

    dialer group gsm_us
    init-string AT+CGDCONT=1,"IP","ISP.CINGULAR"
    dial-string ATD*99#
    !

    dialer group gsm_asia
    init-string AT+CGDCONT=1,"IP","internet"
    dial-string ATD*99***1#
    !

    dialer group vivo_br
    init-string AT+CGDCONT=1,"IP","zap.vivo.com.br"
    dial-string ATD*99#
    !

     


    vlan-name VLAN_1
    vlan VLAN_1 1
    no spanning-tree

    interface gigabitethernet 1/0
    description "GE1/0"
    trusted
    trusted vlan 1-4094
    !

    interface gigabitethernet 1/1
    description "GE1/1"
    trusted
    trusted vlan 1-4094
    !

    interface gigabitethernet 1/2
    description "GE1/2"
    trusted
    trusted vlan 1-4094
    !

    interface gigabitethernet 1/3
    description "GE1/3"
    trusted
    trusted vlan 1-4094
    !

    interface vlan 1
    ip address 10.102.102.22 255.255.254.0
    !

    ip default-gateway 10.102.102.1
    uplink disable

    ap mesh-recovery-profile cluster RecoveryfZRTEWloNc0Cuz2z wpa-hexkey 124e23a8fef9f0316d6d65f39bdb9d4166df9871c71ea842ce3c6bd1eded987d2cbcc9252abc536a3480aec33082612b36bff82a9013c6984fe43d675c983028f38cc7184ffde4b414a9e02b351c952f
    crypto ipsec transform-set default-boc-bm-transform esp-3des esp-sha-hmac
    crypto ipsec transform-set default-rap-transform esp-aes256 esp-sha-hmac
    crypto isakmp eap-passthrough eap-tls
    crypto isakmp eap-passthrough eap-peap
    crypto isakmp eap-passthrough eap-mschapv2

    ip local pool "Wireless AP Pool" 172.16.0.50 172.16.0.59
    vpdn group l2tp
    !

     


    !

    snmp-server user "testuser" auth-prot sha 9cab4963937fec6259ccaea93f0f93595e11bede3e2e2136 priv-prot des e834bf649b66ad5882bb070c1032381748a4123afbacf249
    vpdn group pptp
    !

    tunneled-node-address 0.0.0.0

    adp discovery enable
    adp igmp-join enable
    adp igmp-vlan 0

    ap ap-blacklist-time 3600


    mgmt-user admin root 12b66d310105891a0bee83f6e1aa755be48e48508441cf3157
    mgmt-user testuser guest-provisioning 5a2831720135cb2537d882c535c7162a379164dbaba7025c9b

     


    no database synchronize
    database synchronize rf-plan-data

    ip mobile domain default
    !

    ip igmp
    !

    ipv6 mld
    !

    firewall attack-rate ping 1
    no firewall attack-rate cp 1024
    ipv6 firewall ext-hdr-parse-len 100

    !

    !
    firewall cp
    packet-capture-defaults tcp disable udp disable interprocess disable sysmsg disable other disable
    !
    ip domain lookup
    !
    country US
    aaa authentication mac "default"
    !
    aaa authentication dot1x "default"
    !
    aaa authentication dot1x "dot1x_prof-ggy41"
    termination enable
    termination eap-type eap-peap
    termination inner-eap-type eap-mschapv2
    !
    aaa authentication dot1x "dot1x_prof-kjj72"
    termination enable
    termination eap-type eap-peap
    termination inner-eap-type eap-mschapv2
    !
    aaa authentication-server radius "10.102.102.31"
    host "10.102.102.31"
    key 08bc2422c246324338511d8a4a194d7ef252fe1481806bb8
    authport 1645
    acctport 1646
    no enable
    !
    aaa authentication-server radius "TestRadius"
    host "10.102.102.31"
    key 20eca3caa76fffe3caf5d4672d924b035aa43abb151226c3
    authport 1645
    acctport 1646
    no enable
    !
    aaa authentication-server ldap "TestServer"
    host 10.102.102.90
    admin-dn "CN=Administrator,CN=Users,DC=outside,DC=traffic,DC=devicelab,DC=local"
    admin-passwd 3f76637ba54dc2f073429bbef6caa820fefdbbcd9b65c501
    allow-cleartext
    base-dn "CN=Users,DC=outside,DC=traffic,DC=devicelab,DC=local"
    !
    aaa server-group "default"
    auth-server TestRadius
    auth-server TestServer
    auth-server Internal
    !
    aaa server-group "devicelab_srvgrp-zpm23"
    auth-server Internal
    !
    aaa server-group "New_WLAN_srvgrp-ysk90"
    auth-server Internal
    !
    aaa server-group "Test"
    auth-server 10.102.102.31
    !
    aaa profile "default"
    !
    aaa profile "devicelab-aaa_prof"
    authentication-dot1x "dot1x_prof-ggy41"
    dot1x-server-group "devicelab_srvgrp-zpm23"
    !
    aaa profile "NoAuthAAAProfile"
    !
    aaa authentication captive-portal "default"
    !
    aaa authentication wispr "default"
    !
    aaa authentication vpn "default"
    !
    aaa authentication mgmt
    !
    aaa authentication stateful-ntlm "default"
    !
    aaa authentication stateful-kerberos "default"
    !
    aaa authentication stateful-dot1x
    server-group "Test"
    !
    aaa authentication wired
    !
    web-server
    !
    guest-access-email
    !
    aaa password-policy mgmt
    enable
    password-not-username
    password-lock-out 3
    !
    control-plane-security
    no cpsec-enable
    auto-cert-prov
    !
    ids management-profile
    !
    ids wms-general-profile
    !
    ids wms-local-system-profile
    !
    ids ap-rule-matching
    !
    valid-network-oui-profile
    !
    qos-profile "default"
    !
    policer-profile "default"
    !
    ap system-profile "default"
    rap-local-network-access
    !
    ap regulatory-domain-profile "default"
    country-code US
    valid-11g-channel 1
    valid-11g-channel 6
    valid-11g-channel 11
    valid-11a-channel 36
    valid-11a-channel 40
    valid-11a-channel 44
    valid-11a-channel 48
    valid-11a-channel 149
    valid-11a-channel 153
    valid-11a-channel 157
    valid-11a-channel 161
    valid-11a-channel 165
    valid-11g-40mhz-channel-pair 1-5
    valid-11g-40mhz-channel-pair 7-11
    valid-11a-40mhz-channel-pair 36-40
    valid-11a-40mhz-channel-pair 44-48
    valid-11a-40mhz-channel-pair 52-56
    valid-11a-40mhz-channel-pair 60-64
    valid-11a-40mhz-channel-pair 100-104
    valid-11a-40mhz-channel-pair 108-112
    valid-11a-40mhz-channel-pair 132-136
    valid-11a-40mhz-channel-pair 149-153
    valid-11a-40mhz-channel-pair 157-161
    !
    ap wired-ap-profile "default"
    wired-ap-enable
    !
    ap enet-link-profile "default"
    !
    ap mesh-ht-ssid-profile "default"
    !
    ap lldp med-network-policy-profile "default"
    !
    ap mesh-cluster-profile "default"
    !
    ap lldp profile "default"
    !
    ap mesh-radio-profile "default"
    !
    ap wired-port-profile "default"
    !
    ids general-profile "default"
    ids-events logs-and-traps
    wired-containment
    !
    ids rate-thresholds-profile "default"
    !
    ids signature-profile "default"
    !
    ids impersonation-profile "default"
    detect-ap-impersonation
    detect-beacon-wrong-channel
    detect-hotspotter
    !
    ids unauthorized-device-profile "default"
    detect-adhoc-network
    detect-invalid-mac-oui
    detect-misconfigured-ap
    protect-misconfigured-ap
    detect-bad-wep
    rogue-containment
    suspect-rogue-containment
    detect-valid-ssid-misuse
    protect-ssid
    detect-wireless-bridge
    !
    ids signature-matching-profile "default"
    signature "Deauth-Broadcast"
    signature "Disassoc-Broadcast"
    !
    ids dos-profile "default"
    detect-ap-flood
    detect-chopchop-attack
    detect-client-flood
    detect-cts-rate-anomaly
    detect-eap-rate-anomaly
    detect-invalid-address-combination
    detect-malformed-association-request
    detect-malformed-auth-frame
    detect-malformed-htie
    detect-overflow-eapol-key
    detect-rate-anomalies
    detect-rts-rate-anomaly
    detect-tkip-replay-attack
    !
    ids profile "default"
    !
    rf arm-profile "default"
    rogue-ap-aware
    active-scan
    !
    rf optimization-profile "default"
    !
    rf event-thresholds-profile "default"
    detect-frame-rate-anomalies
    !
    rf am-scan-profile "default"
    !
    rf dot11a-radio-profile "default"
    !
    rf dot11a-radio-profile "default-radiosOFF"
    no radio-enable
    !
    rf dot11g-radio-profile "default"
    !
    rf dot11g-radio-profile "default-radiosOFF"
    no radio-enable
    !
    wlan handover-trigger-profile "default"
    !
    wlan rrm-ie-profile "default"
    !
    wlan bcn-rpt-req-profile "default"
    !
    wlan tsm-req-profile "default"
    !
    wlan ht-ssid-profile "default"
    !
    wlan ht-ssid-profile "devicelab-htssid_prof"
    !
    wlan dot11k-profile "default"
    !
    wlan ssid-profile "default"
    wmm-vo-dscp "56"
    wmm-vi-dscp "40"
    wmm-be-dscp "24"
    wmm-bk-dscp "8"
    !
    wlan ssid-profile "devicelab-ssid_prof"
    essid "devicelab"
    opmode wpa2-aes
    hide-ssid
    ht-ssid-profile "devicelab-htssid_prof"
    !
    wlan virtual-ap "default"
    !
    wlan virtual-ap "devicelab-vap_prof"
    aaa-profile "devicelab-aaa_prof"
    ssid-profile "devicelab-ssid_prof"
    vlan VLAN_1
    !
    ap provisioning-profile "default"
    !
    rf arm-rf-domain-profile
    arm-rf-domain-key "6bee9e4a95e54ca65c36ea3c9e736232"
    !
    ap spectrum local-override
    !
    ap-group "default"
    virtual-ap "devicelab-vap_prof"
    !
    ap-name "00:1a:1e:c1:81:ec"
    virtual-ap "devicelab-vap_prof"
    ap-system-profile "default"
    ids-profile "default"
    authorization-profile "default"
    !
    logging level informational network
    logging level informational security
    logging level informational system
    logging level informational user
    logging level informational wireless
    logging 10.102.102.83
    logging level informational ap-debug 10.102.102.23 subcat all
    logging level debugging user-debug ec:1a:59:b0:cf:f6

    snmp-server enable trap

    process monitor log
    remote-node config-id 13

    end
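
Added example (not part of the original post and not Aruba code): a simplified first-match model of the `validuser` rules from the config above, applied to the 169.254.243.83 address reported earlier in the thread and to an address from the 172.16.0.x pool. The parser, the function names and the implicit-deny fallback are assumptions made for illustration.

```python
import ipaddress

# Constructed sample: the IPv4 "validuser" rules copied from the posted config.
VALIDUSER_ACL = """\
network 169.254.0.0 255.255.0.0 any any deny
any any any permit
"""

def parse_rule(line):
    """Parse '<source> <dest> <service> <action>' into (source_network, action).

    Only the source forms seen in the posted config are modelled:
    'any', 'host A.B.C.D' and 'network A.B.C.D MASK'.
    """
    tok = line.split()
    if tok[0] == "any":
        src = ipaddress.ip_network("0.0.0.0/0")
    elif tok[0] == "host":
        src = ipaddress.ip_network(tok[1] + "/32")
    elif tok[0] == "network":
        src = ipaddress.ip_network(f"{tok[1]}/{tok[2]}")
    else:
        raise ValueError(f"unsupported source in rule: {line!r}")
    return src, tok[-1]  # the action (permit / deny) is the last token

def evaluate(acl_text, client_ip):
    """Return (action, rule) for the first rule whose source matches client_ip."""
    ip = ipaddress.ip_address(client_ip)
    for line in acl_text.splitlines():
        line = line.strip()
        if not line or line == "!" or line.startswith("ipv6"):
            continue  # separators and IPv6 rules are outside this IPv4 model
        src, action = parse_rule(line)
        if ip in src:
            return action, line
    return "deny", "(implicit deny)"  # assumption: nothing matched, so drop

def diagnose(acl_text, client_ip):
    """Combine the link-local (APIPA) check with the ACL verdict."""
    action, rule = evaluate(acl_text, client_ip)
    link_local = ipaddress.ip_address(client_ip).is_link_local
    return {"link_local": link_local, "action": action, "rule": rule}

if __name__ == "__main__":
    for addr in ("169.254.243.83", "172.16.0.50"):
        print(addr, diagnose(VALIDUSER_ACL, addr))
```

A link-local result means the client received no DHCP lease and assigned itself an address, which is why the fix in this thread is a DHCP pool on the client VLAN rather than a change to the ACL.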



  • 12.  RE: AP125 Cannot get to Internet

    EMPLOYEE
    Posted Aug 28, 2013 10:51 AM
    Your WLAN is set to get an address from the same network as the controller's IP, VLAN 1.

    Seth Fiermonti
    781-632-6052
    Sent from my iPhone


  • 13.  RE: AP125 Cannot get to Internet

    Posted Aug 28, 2013 11:37 AM

    So how should it be correctly set up? A VLAN for all the wireless clients while the controller is on its own VLAN?



  • 14.  RE: AP125 Cannot get to Internet

    Posted Aug 28, 2013 03:47 PM

    After setting up a new VLAN, I was able to successfully connect to the AP, get an IP from the DHCP pool, and connect to the internet. The wifi adapter is connected to my 102.79 server and when it connects to the AP, after a couple seconds,  the wireless connection breaks and so does the management interface on that server (102.79). Is there some kind of IP conflict that could be going on? 

     

    I can connect my phone to the AP and this doesn't happen so I believe it has something to do with 102 network. 

     

    The server and controller are connected to the same switch and the AP is connected to eth1 of the controller. The AP assigns 172.16.x.x addresses to clients (which works correctly). But I believe it still routes back through the AP>controller>102.1>internet to get out. Something in this chain is wrong. 



  • 15.  RE: AP125 Cannot get to Internet

    EMPLOYEE
    Posted Aug 28, 2013 07:14 PM

    I feel that your server is having some client type issues.  I am unsure how you have that configured but I would get a dedicated WLAN laptop test client as you say the phone is working just fine.  



  • 16.  RE: AP125 Cannot get to Internet

    Posted Aug 29, 2013 10:48 AM

    Not sure where the problem lies--AP, wifi adapter, or laptop credentials. 

     

    I am able to maintain a steady connection to the AP but as soon as I do anything on it, e.g. ping the default gateway, the wireless breaks.



  • 17.  RE: AP125 Cannot get to Internet

    EMPLOYEE
    Posted Aug 28, 2013 10:20 AM

    You can configure DHCP pools in the GUI under Configuration > Network > IP > DHCP Server

     

    or via the CLI with the following command: ip dhcp pool <NAME>

     
