Wireless Access

I have a medical network setup that is used for Draeger Infinity M300 device.

They are pretty basic in terms of their wireless functionality.

I have attached a screenshot from the Aruba Controller stating the client is associated and authenticated yet it does not show in the connected clients list.

I wanted to know what would cause that behaviour. At the moment its a case of its not you its us and vice versa.

A client would not show up in the user table if it does not get an ip address.  I would configure debugging for that client:

config t

logging level debugging user-debug <mac address of client>

<associate client to network>

Type "show log user-debug 50" and post the output.

Please see attached the debug output

Attachment(s)

putty.txt   8 KB 1 version

Broaders,

Is the client DHCP or statically addressed?  What provides DHCP for VLAN 8?

The clients are statically assigned addresses.

It would appear the device is reporting 0.0.0.0? I have seen the config of the device and it does have an IP, but these devices are pretty vague.

They are Draeger M300 Inifnity devices. I'm thinking the device is causing the issue but I just wanted proof

What is the output of "show auth-tracebuf mac 00:30:e6:03:ee:3c"

Nov 17 11:37:28 station-up * 00:30:e6:03:ee:3c d8:c7:c8:6a:a5:73 - - static wep
Nov 17 11:37:28 station-data-ready * 00:30:e6:03:ee:3c 00:00:00:00:00:00 8 -
Nov 17 11:37:28 station-data-ready_ack * 00:30:e6:03:ee:3c 00:00:00:00:00:00 8 -

Hmm...  There is not much there.  Can you try doing it with an Open SSID (no encryption),  just to see if it will connect?

Thank for the help so far.

I will come back to you on this soon as I will need to liaise with the medical team to configure the device.

Hi Colin,

Hasn't made a difference

Nov 21 15:22:33 station-up * 00:30:e6:03:ee:3c d8:c7:c8:6a:a5:73 - - open system
Nov 21 15:22:33 station-data-ready * 00:30:e6:03:ee:3c 00:00:00:00:00:00 8 -
Nov 21 15:22:33 station-data-ready_ack * 00:30:e6:03:ee:3c 00:00:00:00:00:00 8 -

New debug log attached, same thing.

Attachment(s)

M300.txt   8 KB 1 version

Okay, try disabling "Wireless Multimedia U-APSD (WMM-UAPSD) Powersave" in the SSID profile under advanced and try again.

It's already disabled (Double checked before posting)

Can we get the output of "show wlan ssid-profile <name of profile>"?

SSID Profile "CTC-M300"
-----------------------
Parameter Value
--------- -----
SSID enable Enabled
ESSID CTCM300
Encryption opensystem
DTIM Interval 1 beacon periods
802.11a Basic Rates
802.11a Transmit Rates 6 9 12 18 24 36 48 54
802.11g Basic Rates 1 2
802.11g Transmit Rates 11 12 18 24 36 48 54
Station Ageout Time 1000 sec
Max Transmit Attempts 8
RTS Threshold 2333 bytes
Short Preamble Enabled
Max Associations 64
Wireless Multimedia (WMM) Enabled
Wireless Multimedia U-APSD (WMM-UAPSD) Powersave Disabled
WMM TSPEC Min Inactivity Interval 0 msec
Override DSCP mappings for WMM clients Disabled
DSCP mapping for WMM voice AC 48
DSCP mapping for WMM video AC N/A
DSCP mapping for WMM best-effort AC N/A
DSCP mapping for WMM background AC N/A
Multiple Tx Replay Counters Disabled
Hide SSID Enabled
Deny_Broadcast Probes Disabled
Local Probe Request Threshold (dB) 0
Disable Probe Retry Enabled
Battery Boost Disabled
WEP Key 1 ********
WEP Key 2 N/A
WEP Key 3 N/A
WEP Key 4 N/A
WEP Transmit Key Index 1
WPA Hexkey N/A
WPA Passphrase ********
Maximum Transmit Failures 0
EDCA Parameters Station profile N/A
EDCA Parameters AP profile N/A
BC/MC Rate Optimization Disabled
Rate Optimization for delivering EAPOL frames Enabled
Strict Spectralink Voice Protocol (SVP) Disabled
High-throughput SSID Profile default
802.11g Beacon Rate default
802.11a Beacon Rate default
Advertise QBSS Load IE Disabled
Advertise Location Info Disabled
Advertise AP Name Disabled
802.11r Profile N/A
Enforce user vlan for open stations Disabled

Did you try with all the g transmit rates enabled, OR did you try with the basic rates of 11,12?

It seems the device wont associate while all basic rates are enabled. 

It associates again when enabling only 1/2

You are really only supposed to enable two basic rates, and they should be a subset of the TX rates, theoretically.

e.g.:

basic 11,12

tx 11,12....54

or 

basic 1,2

tx 1,2,....54

 Is it associating now?

Yes it currently is

I am seeing a similar issue with these exact devices but strangely it is only happening because we have changed the SSID they are connecting to.

I see the following in the auth-tracebuf:

Nov 21 16:29:35 mac-auth-req -> 00:30:e6:06:38:42 00:0b:86:94:63:86 - -
Nov 21 16:29:35 mac-auth-success <- 00:30:e6:06:38:42 00:0b:86:94:63:86 - -
Nov 21 16:29:35 assg-vlan-req * 00:30:e6:06:38:42 00:0b:86:94:63:86 1 71 new vlan: from mac auth for wireless
Nov 21 16:29:35 assg-vlan-resp * 00:30:e6:06:38:42 00:0b:86:94:63:86 - 71
Nov 21 16:29:35 station-up * 00:30:e6:06:38:42 00:0b:86:94:63:86 - - wpa2 psk aes
Nov 21 16:29:35 wpa2-key1 <- 00:30:e6:06:38:42 00:0b:86:94:63:86 - 117
Nov 21 16:29:35 wpa2-key2 -> 00:30:e6:06:38:42 00:0b:86:94:63:86 - 117
Nov 21 16:29:35 wpa2-key3 <- 00:30:e6:06:38:42 00:0b:86:94:63:86 - 175
Nov 21 16:29:35 wpa2-key4 -> 00:30:e6:06:38:42 00:0b:86:94:63:86 - 95

The device is associated and shows in the station-table but it doesn't appear to progress further. The IP address is statically assigned and this has not changed across the SSID move.

We have gone from a WPA2-PSK to another WPA2-PSK just with a different SSID name for consolidation purposes. The same VLAN and IP subnet are used although they are now being allocated via the Aruba VSA. This appears to be working from the auth-tracebuf output.

Anybody have any information on these devices and whether they need to have the network details reset in any way??

The supplier is not being very heplful unfortunately.

It looks like you are using MAC auth to put them into a different VLAN.  Did you want to do that?

Yes, we want the devices to be in VLAN 71 and we are using a MAC authentication rule on Clearpass to set the Aruba-User-Role attribute. The role has VLAN 71 configured.

The question is, did this ever work before mac authentication to put it into a different VLAN? 

No, previously the devices were not completing MAC authentication. They were just given the correct role as long as they entered the correct PSK.

However, the logs on both the Aruba controller and Clearpass show that MAC authentication is passing successfully and the correct user role (with VLAN) is being assigned.

Also the VLAN they are using hasn't changed. Previously VLAN 71 was the default VLAN configured on the Virtual-AP whereas now it is configured on the user-role assigned as part of MAC authentication.

dg27,

To be clear, are you saying that these devices never connected successfully to the network, even in their simplest form without mac authentication or VLAN/Role derivation?

The devices were previously connected and working.

The customer is in the process of migrating a series of PSK SSID's into a consolidated single SSID using Clearpass to do MAC authentication and derive the correct user-role and VLAN.

The original SSID was called 'uhsm-infinity' and was hidden. This was WPA2-PSK but had no MAC authentication and all users were given an allow-all policy and placed in VLAN 71.

The new SSID is called 'uhsm-psk' and is hidden. This is WPA2-PSK and is doing MAC authentication against Clearpass to assign the correct user-role where the VLAN is specified (71). Other devices connect to this SSID and are assigned different user-roles (and VLANs).

Below is a station-table output showing a device associated to the old 'uhsm-infinity' SSID and a device associated to the new 'uhsm-psk' SSID:

Station Entry
-------------
MAC Name Role Age(d:h:m) Auth AP name Essid Phy Remote Profile
------------ ------ ---- ---------- ---- ------- ----- --- ------ -------

00:30:e6:04:fa:a6 uhsm_infinity 01:16:28 No Ward F6 left uhsm-infinity g No uhsm_ infinity_aaa
00:30:e6:04:fc:01 00:30:e6:04:fc:01 uhsm-psk-infinity 00:00:05 Yes Outside Sleep Lab uhsm-psk g No uhsm-psk_ AAA

The device connected to uhsm-infinity is working the device connected to uhsm-psk is not even though both show as associated.

Appreciate the assistance with this.

David,

Thanks for taking the time to explain this.

Okay.  Let's try this:

- Remove the VLAN from the role

- In the ClearPass enforcement profile that you are using to return the role, please try to return the VLAN like this:

I'll make those changes and feed back as to whether this improves anything.

Thanks

David,

Please compare all of the SSID profile settings between the first SSID and the new SSID to make sure everything matches.  There are a few settings like the rates, and Powersave that need to match, according to the user that originally opened this thread...

Thanks Colin.

The AAA, SSID and Virtual-AP profiles are as similar as I can make them.

We just attempted a connection with the Aruba-User-Vlan assigned from Clearpass but get the same. Some outputs below:

auth-tracebuf:

Nov 24 12:55:02 mac-auth-req -> 00:30:e6:04:fc:01 00:1a:1e:01:cf:c6 - -
Nov 24 12:55:02 mac-auth-success <- 00:30:e6:04:fc:01 00:1a:1e:01:cf:c6 - -
Nov 24 12:55:02 assg-vlan-req * 00:30:e6:04:fc:01 00:1a:1e:01:cf:c6 1 71 new vlan: from mac auth for wireless
Nov 24 12:55:02 assg-vlan-resp * 00:30:e6:04:fc:01 00:1a:1e:01:cf:c6 - 71
Nov 24 12:55:02 station-up * 00:30:e6:04:fc:01 00:1a:1e:01:cf:c6 - - wpa2 psk aes
Nov 24 12:55:02 wpa2-key1 <- 00:30:e6:04:fc:01 00:1a:1e:01:cf:c6 - 117
Nov 24 12:55:02 wpa2-key2 -> 00:30:e6:04:fc:01 00:1a:1e:01:cf:c6 - 117
Nov 24 12:55:02 wpa2-key3 <- 00:30:e6:04:fc:01 00:1a:1e:01:cf:c6 - 175
Nov 24 12:55:02 wpa2-key4 -> 00:30:e6:04:fc:01 00:1a:1e:01:cf:c6 - 95

(Aruba-1) # show station-table mac 00:30:e6:04:fc:01

Association Table
-----------------
BSSID AP IP Essid AP name Phy Age
--------------- ------------ ------- ------- --- ---
00:1a:1e:01:cf:c6 192.168.196.239 uhsm-psk FB-1F-Corridor_F3/4 g- 00:00:01

(Aruba-1) #show user mac 00:30:e6:04:fc:01

The phy column shows client's operational capabilities for current association

Flags: A: Active, B: Band Steerable, H: Hotspot(802.11u) client, K: 802.11K client, R: 802.11R client, W: WMM client, w: 802.11w client

PHY Details: HT : High throughput; 20: 20MHz; 40: 40MHz
VHT : Very High throughput; 80: 80MHz; 160: 160MHz; 80p80: 80MHz + 80MHz
<n>ss: <n> spatial streams

Association Table
-----------------
Name bssid mac auth assoc aid l-int essid vlan-id tunnel-id phy assoc. time num assoc Flags Band steer moves (T/S)
---- ----- --- ---- ----- --- ----- ----- ------- --------- --- ----------- --------- ----- ----------------------
FB-1F-Corridor_F3/4 00:1a:1e:01:cf:c6 00:30:e6:04:fc:01 y y 1 16 uhsm-psk 71 0x10506 g 1m:59s 1 A 0/0

00:30:e6:04:fc:01-00:1a:1e:01:cf:c6 Stats
------------------------------------------
Parameter Value
--------- -----
Channel 11
Channel Frame Retry Rate(%) 0
Channel Frame Low Speed Rate(%) 0
Channel Frame Non Unicast Rate(%) 0
Channel Frame Fragmentation Rate(%) 0
Channel Frame Error Rate(%) 4
Channel Bandwidth Rate(kbps) 0
Channel Noise 101
Client Frame Retry Rate(%) 0
Client Frame Low Speed Rate(%) 0
Client Frame Non Unicast Rate(%) 0
Client Frame Fragmentation Rate(%) 0
Client Frame Receive Error Rate(%) 0
Client Bandwidth Rate(kbps) 0
Client Tx Packets 4
Client Rx Packets 3
Client Tx Bytes 320
Client Rx Bytes 422
Client SNR 27

(Aruba-1) # show user-table | include 00:30:e6:04:fc:01

(Aruba-1) #

I've also attached the user-debug log for this association.

Thanks

Attachment(s)

infinity-user-debug-log.txt   8 KB 1 version

David,

The main thing that matters is the SSID profile.  What differs between the two?

The auth-tracebuf looks like it completes the four-way handshake.  How is the auth-tracebuf  different from the old SSID?

Does the device appear in the user table?

I've been through the SSID profiles of both services and they are identical apart from the WMM DSCP mapping values being configured on the old service. However, WMM is not enabled and the override setting is not set.

The device does NOT appear in the user-table.

We have connected a laptop to the SSID and this works without issue with a static IP address configured. It looks like the devices causing the problem.

Same issue as me, reports the IP as 0.0.0.0.

What version of code is the the M300 device running. FYI ours is 8.10

Yes 8.10 this end as well.

The device appears to go in to a boot cycle where the configuration is not accessible. We've been told to get out of this you need to take the device out of range of the wireless. However, we've reconfigured a device from scratch and it won't connect.

I think I will raise the issue with Draeger as I just dont see the issue with the wireless side.

We can associate laptops etc to the network just fine with a static IP.

I have seen this boot loop aswell, although we experienced it when we tried to change to WPA.

I just wonder if there is something not quite right with the 8.10 firmware.

We were dealing with this exact issue.  I'm not sure if anyone tried to ping the M300 after it was connected to the AP, but this will show the client as an active user on the controller.

The real solution here is to have the Draeger Central Station poll the device.  When they did this, the M300 showed up as a client on the controller.  The Central Station may get an minor error at first, but every subsequent poll will be successful.  And these units tend to stay connected.  I did not do a sniffer trace, but my guess is that this device does not look for it's gateway (like a Windows or Apple device does) after it associates with the AP.