Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

BRIDGE-AP Drop Clients

  • 1.  BRIDGE-AP Drop Clients

    Posted May 09, 2014 02:26 PM

    Hello all,

     

    At a few remote sites, I have to bridge APs, and every once in a while these APs drop clients.  All APs listed in the log below (where the username is the AP's MAC address) drop all clients until reboot.  My RADIUS servers are CPPM 6.2.6, the controllers are 7220, AOS 6.2.1.3, and the APs are 105, terminated to the controller over L3.  Only the bridging APs are a problem; all other APs on the same controller that are not bridging work fine.

     

    The errors in the log are:

    (WC01) #show log user 5
    
    May 9 09:12:40 :522048:  <WARN> |authmgr|  AP-Group is not present in the Radius server for username=24:de:c6:c2:5f:12; AP will take the ap-group as provisioned in the AP
    May 9 09:13:02 :522048:  <WARN> |authmgr|  AP-Group is not present in the Radius server for username=6c:f3:7f:c6:51:92; AP will take the ap-group as provisioned in the AP
    May 9 09:13:07 :522048:  <WARN> |authmgr|  AP-Group is not present in the Radius server for username=00:24:6c:cb:1f:5e; AP will take the ap-group as provisioned in the AP
    May 9 09:13:07 :522048:  <WARN> |authmgr|  AP-Group is not present in the Radius server for username=00:24:6c:cb:1f:f2; AP will take the ap-group as provisioned in the AP
    May 9 09:13:07 :522048:  <WARN> |authmgr|  AP-Group is not present in the Radius server for username=00:24:6c:c8:ef:69; AP will take the ap-group as provisioned in the AP

     Thank you,


    #7220


  • 2.  RE: BRIDGE-AP Drop Clients

    Posted May 09, 2014 02:57 PM

    Not sure if we are using any one of the attributes given below from CPPM to the controller.

     

    (Aruba) #show aaa radius-attributes | include Group


    Server-Group 313 String
    Aruba-AP-Group 10 String Aruba 14823
    AP-Group 314 String
    Group 1005 String

     

    You could also enable packet-capture udp 1812 on the controller and take a pcap on CPPM at the same time during the failure to look at the RADIUS packets and understand the communication. Also, do we see a RADIUS reject in show auth-tracebuf? Please confirm.

     

     

    Sriram



  • 3.  RE: BRIDGE-AP Drop Clients

    Posted May 09, 2014 03:15 PM

    Sriram,  

    I don’t see any radius dropping errors in logs:

    (WC01) #show auth-tracebuf | include 24:de:c6:c2:5f:12
    (WC01) #show auth-tracebuf | include 6c:f3:7f:c6:51:92
    
    (WC01) #show log errorlog all | include 24:de:c6:c2:5f:12
    (WC01) #show log errorlog all | include 6c:f3:7f:c6:51:92

     

      The Radius Attribute:

    (WC01) #show aaa radius-attributes | include Group
    Aruba-AirGroup-Shared-User      25     String       Aruba      14823
    Tunnel-Private-Group-Id         81     String
    Aruba-AP-Group                  10     String       Aruba      14823
    AP-Group                        314    String
    Aruba-AirGroup-User-Name        24     String       Aruba      14823
    Aruba-AirGroup-Shared-Role      26     String       Aruba      14823
    Server-Group                    313    String
    Group-Name                      1030   String
    Group                           1005   String
    Aruba-AirGroup-Device-Type      27     Integer      Aruba      14823
    
    

     

    The problem is random, I'll see if I can simulate the problem locally and capture the packet.

    Thanks,



  • 4.  RE: BRIDGE-AP Drop Clients

    Posted May 09, 2014 03:20 PM

    Acknowledged. You can also enable user-debug to collect more info for client behavior.

     

    1. From config mode: logging level debugging user-debug <mac address of the ap>

    2. packet-capture udp 1812

     

    show log user-debug all | include <client mac address>

     

    Sriram

     



  • 5.  RE: BRIDGE-AP Drop Clients

    Posted May 10, 2014 10:17 AM

     

    Now I know what I am looking for, so I created a syslog alert to e-mail me the message. I found that in the last 12 hours, 30 APs came up with "AP-Group is not present in Radius server".  All errors were from one 7220 controller, different from the other controller.  All APs are campus in tunnel mode.

       

    So the problem is random; it can happen to any controller.  Unlike what I said before, the problem is not just with bridge APs but also with APs in tunnel mode.  It seems like the AP drops clients when it is in bridge mode.

     

    So, what is CPPM radius doing with the AP-group, and mac-address username?  I do have one service that requires MAC-AUTH. 

     

    Thanks,

     


    #7220


  • 6.  RE: BRIDGE-AP Drop Clients

    EMPLOYEE
    Posted May 10, 2014 10:39 AM

    ngutri,

     

    I would open up a case with support.  There are a number of things that could be happening here, but we simply do not have enough information to make an educated guess. 



  • 7.  RE: BRIDGE-AP Drop Clients

    Posted May 10, 2014 11:19 AM

    Thanks Colin.  I will open the case, but I want to narrow down the problem.

     

     

    I need a favor from Community.  Can you go to your controller and do:

     

    (WC01) #show log user all | include AP-Group

      

    If you have a log like the one below, please say whether you are using CPPM (and its version) or something else (like NPS) for your RADIUS.  I’d like to narrow this issue down to whether the problem is with the controller or CPPM.

     

    May 10 06:37:57 :522048:  <WARN> |authmgr|  AP-Group is not present in the Radius server for username=24:de:c6:c2:5e:a8; AP will take the ap-group as provisioned in the AP

     

    Thanks to all !



  • 8.  RE: BRIDGE-AP Drop Clients

    EMPLOYEE
    Posted May 10, 2014 11:26 AM

    ngutri,

     

    That message would be there if you are authenticating the RAP whitelist against an external radius server.  It has nothing to do specifically with a client issue.  It indicates a RAP coming up and being authenticated against a radius server, but the ap-group not being sent back by the radius server.  This of course indicates another possible issue that you have...

     

    EDIT:

     

    The specific message is a bug that was seen in 6.2.0.0, but it is cosmetic and it should be fixed in 6.2.1.1 and above.

     



  • 9.  RE: BRIDGE-AP Drop Clients

    Posted May 12, 2014 09:31 AM

     

    @cjoseph wrote:

    ngutri,

     

    That message would be there if you are authenticating the RAP whitelist against an external radius server.  It has nothing to do specifically with a client issue.  It indicates a RAP coming up and being authenticated against a radius server, but the ap-group not being sent back by the radius server.  This of course indicates another possible issue that you have...

     

    EDIT:

     

    The specific message is a bug that was seen in 6.2.0.0, but it is cosmetic and it should be fixed in 6.2.1.1 and above.

     


    Colin,

     

    What triggers the AP-Group bug?  Because it seems to correlate with my bridge clients issue.  When this message is generated, the client, according to AirWave, has a 0.0.0.0 IP address.

    Is the version 6.2.0.0 you mention for AOS or CPPM?  Both my AOS and CPPM are already above 6.2.11, but I am still seeing this message.

     

    Thanks,

     



  • 10.  RE: BRIDGE-AP Drop Clients

    EMPLOYEE
    Posted May 12, 2014 10:23 AM

    ngutri,

     

    There is probably more than that message with regards to your connectivity issue.  Please open a support case in parallel.



  • 11.  RE: BRIDGE-AP Drop Clients

    Posted May 15, 2014 12:25 PM

    Colin,

     

    I think you are correct, the error message is cosmetic.  Today I had one user drop out, and no AP-Group error message.  The user that dropped out has this log:

     

    May 15 09:58:08  authmgr[3473]: <132030> <ERRS> |authmgr|  Dropping EAPOL packet sent by Station 60:67:20:xx:yy:zz 24:de:c6:a5:e3:d9

    My radius authentication is CPPM, EAP-TLS

    I opened a case, but have not heard from TAC.

     



  • 12.  RE: BRIDGE-AP Drop Clients
    Best Answer

    Posted Sep 04, 2014 09:35 PM

    Since upgrading AOS to 6.3.1.8 in July, I have not seen any clients drop out.
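
The thread separates two authmgr messages: the 522048 AP-Group warning, described as cosmetic, and the 132030 EAPOL drop logged for a client that did drop. The Python script below is an added example, not code from any poster or from Aruba. It parses both line formats quoted above, counts the warnings per AP, and marks each EAPOL drop by whether an AP-Group warning preceded it. Assumptions: the 10-minute window, the default year (syslog timestamps carry none), the constructed MAC addresses, and the name `peer` for the second MAC in the drop message, which the thread does not label.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
TS = r"^(\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})"
# 522048: the AP-Group warning the thread concludes is cosmetic.
AP_GROUP = re.compile(rf"{TS}\s+:522048:.*\|authmgr\|.*username=({MAC});", re.I)
# 132030: the EAPOL drop logged for a client that actually fell off.
EAPOL_DROP = re.compile(
    rf"{TS}.*<132030>.*\|authmgr\|\s+Dropping EAPOL packet sent by Station ({MAC}) ({MAC})",
    re.I)

def _when(stamp, year):
    # Syslog timestamps carry no year, so the caller supplies one (assumption).
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")

def triage(lines, year=2014, window=timedelta(minutes=10)):
    """Count AP-Group warnings per AP MAC and list EAPOL drops, flagging whether
    a warning was logged in the window before each drop (window is assumed)."""
    warnings, warn_times, drops = Counter(), [], []
    for line in lines:
        if m := AP_GROUP.search(line.strip()):
            warnings[m.group(2).lower()] += 1
            warn_times.append(_when(m.group(1), year))
        elif m := EAPOL_DROP.search(line.strip()):
            drops.append((_when(m.group(1), year), m.group(2).lower(), m.group(3).lower()))
    report = []
    for when, station, peer in drops:
        near = any(timedelta(0) <= when - w <= window for w in warn_times)
        report.append({"time": when, "station": station, "peer": peer,
                       "ap_group_warning_nearby": near})
    return warnings, report

# Constructed sample lines in the two formats quoted in the thread (MACs are made up).
SAMPLE = """\
May 9 09:13:07 :522048:  <WARN> |authmgr|  AP-Group is not present in the Radius server for username=02:00:00:aa:00:01; AP will take the ap-group as provisioned in the AP
May 9 09:13:07 :522048:  <WARN> |authmgr|  AP-Group is not present in the Radius server for username=02:00:00:aa:00:02; AP will take the ap-group as provisioned in the AP
May 9 09:15:30  authmgr[3473]: <132030> <ERRS> |authmgr|  Dropping EAPOL packet sent by Station 02:00:00:bb:00:01 02:00:00:cc:00:01
May 15 09:58:08  authmgr[3473]: <132030> <ERRS> |authmgr|  Dropping EAPOL packet sent by Station 02:00:00:bb:00:02 02:00:00:cc:00:02
""".splitlines()

if __name__ == "__main__":
    counts, report = triage(SAMPLE)
    print(dict(counts))
    for row in report:
        print(row)
```

Drops reported with `ap_group_warning_nearby` set to False are the ones worth attaching to a support case, since no AP-Group warning accompanies them.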