MVP

BRIDGE-AP Drop Clients

Hello all,

 

At a few remote sites, I have to bridge APs, and every once in a while these APs drop clients.  All APs listed in the log below (where the username is the AP's mac-address) drop all clients until reboot.  My radius server is CPPM 6.2.6, the controllers are 7220, AOS 6.2.1.3, and the APs are 105s terminated to the controller over L3.  Only the bridging APs are a problem; all other APs on the same controller that are not bridging work fine.

 

The errors in the log are:

(WC01) #show log user 5

May 9 09:12:40 :522048:  <WARN> |authmgr|  AP-Group is not present in the Radius server for username=24:de:c6:c2:5f:12; AP will take the ap-group as provisioned in the AP
May 9 09:13:02 :522048:  <WARN> |authmgr|  AP-Group is not present in the Radius server for username=6c:f3:7f:c6:51:92; AP will take the ap-group as provisioned in the AP
May 9 09:13:07 :522048:  <WARN> |authmgr|  AP-Group is not present in the Radius server for username=00:24:6c:cb:1f:5e; AP will take the ap-group as provisioned in the AP
May 9 09:13:07 :522048:  <WARN> |authmgr|  AP-Group is not present in the Radius server for username=00:24:6c:cb:1f:f2; AP will take the ap-group as provisioned in the AP
May 9 09:13:07 :522048:  <WARN> |authmgr|  AP-Group is not present in the Radius server for username=00:24:6c:c8:ef:69; AP will take the ap-group as provisioned in the AP

 Thank you,

~Trinh Nguyen~
Boys Town

Re: BRIDGE-AP Drop Clients

Not sure if we are using any one of the attributes given below from CPPM to the controller.

 

(Aruba) #show aaa radius-attributes | include Group


Server-Group 313 String
Aruba-AP-Group 10 String Aruba 14823
AP-Group 314 String
Group 1005 String

 

You could also enable packet-capture udp 1812 on the controller and take a pcap on CPPM at the same time during the failure to look at the radius packets and understand the communication. Also, do we see a radius reject from show auth-tracebuf? Please confirm.

 

 

Sriram

MVP

Re: BRIDGE-AP Drop Clients

Sriram,  

I don’t see any radius dropping errors in logs:

(WC01) #show auth-tracebuf | include 24:de:c6:c2:5f:12
(WC01) #show auth-tracebuf | include 6c:f3:7f:c6:51:92

(WC01) #show log errorlog all | include 24:de:c6:c2:5f:12
(WC01) #show log errorlog all | include 6c:f3:7f:c6:51:92

 

  The Radius Attribute:

(WC01) #show aaa radius-attributes | include Group
Aruba-AirGroup-Shared-User      25     String       Aruba      14823
Tunnel-Private-Group-Id         81     String
Aruba-AP-Group                  10     String       Aruba      14823
AP-Group                        314    String
Aruba-AirGroup-User-Name        24     String       Aruba      14823
Aruba-AirGroup-Shared-Role      26     String       Aruba      14823
Server-Group                    313    String
Group-Name                      1030   String
Group                           1005   String
Aruba-AirGroup-Device-Type      27     Integer      Aruba      14823

 

The problem is random, I'll see if I can simulate the problem locally and capture the packet.

Thanks,

~Trinh Nguyen~
Boys Town

Re: BRIDGE-AP Drop Clients

Acknowledged. You can also enable user-debug to collect more info for client behavior.

 

1. From config mode: logging level debugging user-debug <mac address of the ap>

2. packet-capture udp 1812

 

show log user-debug all | include <client mac address>

 

Sriram

 

MVP

Re: BRIDGE-AP Drop Clients

 

Now I know what I am looking for, so I created a syslog alert to e-mail me the message. I found that in the last 12 hours, 30 APs came up with "AP-Group is not present in Radius server".  All errors were from one 7220 controller, different from the other controller.  All APs are campus APs in tunnel mode.

So the problem is random; it can happen to any controller.  Unlike what I said before, the problem is not just with bridge-ap but also with APs in tunnel mode.  It seems like the AP drops clients when it is in bridge mode.

 

So, what is CPPM radius doing with the AP-group, and mac-address username?  I do have one service that requires MAC-AUTH. 

 

Thanks,

 

~Trinh Nguyen~
Boys Town
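
An added example, not part of the original thread and not Aruba code: a small triage script for the 522048 warning discussed above. It parses saved `show log user` output, counts warnings per AP MAC, and groups warnings that arrive within a short window of each other, which separates a single AP recurring from many APs re-authenticating at once. The sample lines are copied from the posts in this thread; the 60-second window, the three-AP threshold, the placeholder year and all function names are assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Warning lines copied from the "show log user" output quoted in this thread.
SAMPLE_LOG = """\
May 9 09:12:40 :522048:  <WARN> |authmgr|  AP-Group is not present in the Radius server for username=24:de:c6:c2:5f:12; AP will take the ap-group as provisioned in the AP
May 9 09:13:02 :522048:  <WARN> |authmgr|  AP-Group is not present in the Radius server for username=6c:f3:7f:c6:51:92; AP will take the ap-group as provisioned in the AP
May 9 09:13:07 :522048:  <WARN> |authmgr|  AP-Group is not present in the Radius server for username=00:24:6c:cb:1f:5e; AP will take the ap-group as provisioned in the AP
May 9 09:13:07 :522048:  <WARN> |authmgr|  AP-Group is not present in the Radius server for username=00:24:6c:cb:1f:f2; AP will take the ap-group as provisioned in the AP
May 9 09:13:07 :522048:  <WARN> |authmgr|  AP-Group is not present in the Radius server for username=00:24:6c:c8:ef:69; AP will take the ap-group as provisioned in the AP
May 10 06:37:57 :522048:  <WARN> |authmgr|  AP-Group is not present in the Radius server for username=24:de:c6:c2:5e:a8; AP will take the ap-group as provisioned in the AP
"""

ASSUMED_YEAR = 2000  # placeholder: the log lines carry no year
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+:522048:\s+<WARN>\s+\|authmgr\|\s+"
    r"AP-Group is not present in the Radius server for "
    r"username=(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2});", re.I)

def parse_events(text):
    """Return sorted (timestamp, ap_mac) tuples for every 522048 warning."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["mac"].lower()))
    return sorted(events)

def find_bursts(events, window=timedelta(seconds=60), min_aps=3):
    """Chain events whose gaps are <= window; keep chains with >= min_aps distinct APs."""
    groups = []
    for ev in events:
        if groups and ev[0] - groups[-1][-1][0] <= window:
            groups[-1].append(ev)
        else:
            groups.append([ev])
    return [g for g in groups if len({mac for _, mac in g}) >= min_aps]

def per_ap_counts(events):
    return Counter(mac for _, mac in events)

if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for burst in find_bursts(evs):
        print(burst[0][0], "->", burst[-1][0], sorted({m for _, m in burst}))
    print(per_ap_counts(evs).most_common())
```

A burst covering many APs points at a controller-side or RADIUS-side event at that time, which is the window to line up with a packet capture on UDP 1812.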
Guru Elite

Re: BRIDGE-AP Drop Clients

ngutri,

 

I would open up a case with support.  There are a number of things that could be happening here, but we simply do not have enough information to make an educated guess. 



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

MVP

Re: BRIDGE-AP Drop Clients

Thanks Colin.  I will open the case, but I want to narrow down the problem.

 

 

I need a favor from the Community.  Can you go to your controller and do:

 

(WC01) #show log user all | include AP-Group

  

If you have a log like the one below, please include whether you are using CPPM (and its version) or something else (like NPS) for your radius.  I’d like to narrow this issue down to whether the problem is with the controller or CPPM.

 

May 10 06:37:57 :522048:  <WARN> |authmgr|  AP-Group is not present in the Radius server for username=24:de:c6:c2:5e:a8; AP will take the ap-group as provisioned in the AP

 

Thanks to all !

~Trinh Nguyen~
Boys Town
Guru Elite

Re: BRIDGE-AP Drop Clients

ngutri,

 

That message would be there if you are authenticating the RAP whitelist against an external radius server.  It has nothing to do specifically with a client issue.  It indicates a RAP coming up and being authenticated against a radius server, but the ap-group not being sent back by the radius server.  This of course indicates another possible issue that you have...

 

EDIT:

 

The specific message is a bug that was seen in 6.2.0.0, but it is cosmetic and it should be fixed in 6.2.1.1 and above.

 



Colin Joseph
Aruba Customer Engineering


MVP

Re: BRIDGE-AP Drop Clients

 

cjoseph wrote:

ngutri,

 

That message would be there if you are authenticating the RAP whitelist against an external radius server.  It has nothing to do specifically with a client issue.  It indicates a RAP coming up and being authenticated against a radius server, but the ap-group not being sent back by the radius server.  This of course indicates another possible issue that you have...

 

EDIT:

 

The specific message is a bug that was seen in 6.2.0.0, but it is cosmetic and it should be fixed in 6.2.1.1 and above.

 


Colin,

 

What triggers the AP-Group bug?  Because it seems to correlate with my Bridge clients issue.  When this message is generated, the client, according to AirWave, has a 0.0.0.0 IP address.

Is the version 6.2.0.0 you mention for the AOS or CPPM?  Both my AOS and CPPM are already above 6.2.11, but I am still seeing this message.

 

Thanks,

 

~Trinh Nguyen~
Boys Town
Guru Elite

Re: BRIDGE-AP Drop Clients

ngutri,

 

There is probably more than that message with regards to your connectivity issue.  Please open a support case in parallel.



Colin Joseph
Aruba Customer Engineering
