Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

How to enable the controller management via wireless

  • 1.  How to enable the controller management via wireless

    Posted Mar 15, 2017 11:07 AM

    Hi all,

     

    I am deploying a new Aruba wireless setup with a 7205 controller (HA with ArubaOS 6.5.1.3) and AP305. However, when the PC client connected to the broadcast SSID, the PC client was not able to manage the controller via either Web GUI or SSH. But it is manageable via wired connection through the switch. The PC client can reach the controller IP with ICMP ping via either wireless or wired connection. Is there any way to enable the controller management via wireless?

     

    thanks

    KL 



  • 2.  RE: How to enable the controller management via wireless

    Posted Mar 15, 2017 11:18 AM

    Do you have any acl rules under the user-role that might be blocking this type of access?
    Do you have an access-group defined under the controller physical interface blocking this type of access?
    Any ACL rules on the uplink switch ?
    You can run the following commands from the controller CLI:
    Show datapath session table <wireless client IP> | include <Controller Mgmt IP> - and look for any denied traffic flag with "D"

    Show rights - and take a look at the ACLs

    Show ip access-group - and if there's any ACLs applied under the interface



  • 3.  RE: How to enable the controller management via wireless

    Posted Mar 15, 2017 11:50 AM

    Hi Victor,

    The reply as below in bold. Hereby attached my controller 1 configuration for your reference. It is a very basic wireless setup.

     

    Do you have any acl rules under the user-role that might be blocking this type of access? No.
    Do you have an access-group defined under the controller physical interface blocking this type of access? No.
    Any ACL rules on the uplink switch? No.
    You can run the following commands from the controller CLI:

    Will try later.

     

    thanks!



  • 4.  RE: How to enable the controller management via wireless

    MVP EXPERT
    Posted Mar 15, 2017 11:18 AM

    Hey, do you have any more information in regards to your deployment? There could be a number of reasons why the controller isn't available for management.

     

    - Is there a User Role with an ACL preventing you from accessing the controller?

    - Is there any routing issues between the client and the controller?

    - Is there any ACL's applied to the VLAN or port in which you access the controller from?

    - Do you see any traffic being denied or not reaching the controller with the below command (where xxxx is the controllers  IP)

     

    #show datapath session | include xxx

    - Do you have any inter-vlan routing enable?



  • 5.  RE: How to enable the controller management via wireless

    Posted Mar 15, 2017 11:42 AM

    Hi Zalion,

    The reply is as below in bold. Hereby attached is my controller 1 configuration for your reference. It is just a very basic wireless setup. The controller acts in L2 mode and all L3 inter-vlan routing is at the core switch.

     

    - Is there a User Role with an ACL preventing you from accessing the controller? No.

    - Is there any routing issues between the client and the controller?

       No. The client is able to ping the controller via wireless. The client is able to manage the controller via wired.

    - Is there any ACL's applied to the VLAN or port in which you access the controller from? No.

    - Do you see any traffic being denied or not reaching the controller with the below command (where xxxx is the controllers IP). Will try later.

     

    #show datapath session | include xxx

    - Do you have any inter-vlan routing enable?

      Inter-vlan routing is enabled at the core switch. The controller is in L2 mode.



  • 6.  RE: How to enable the controller management via wireless

    MVP EXPERT
    Posted Mar 15, 2017 11:51 AM

    Hey, did you attach the configuration as I believe it might have been forgotten :)



  • 7.  RE: How to enable the controller management via wireless

    Posted Mar 15, 2017 11:53 AM

    Hi Zalion,

    Re-attached. :)

     

    thanks!

     



  • 8.  RE: How to enable the controller management via wireless

    MVP EXPERT
    Posted Mar 15, 2017 11:57 AM

    Hey, just taking a look now, can you confirm the output of the below for me please as well?

     

    #show controller-ip

    Only reason I ask as VLAN 1 is the default management VLAN and this may not have been changed to VLAN3, so the below ipv6 address may not be valid. 

     

    interface vlan 1
    	ipv6 address 2001::1/64
    !


  • 9.  RE: How to enable the controller management via wireless

    Posted Mar 16, 2017 07:00 AM

    Hi Zalion,

     

    I have removed the vlan 1 ipv6 address. Below is the output of show controller-ip and show datapath session table. IP 172.16.80.4 is the PC client which was not able to manage the controller via wireless.


    (LWEH_ARUBA_WLC1) #show controller-ip

    Switch IP Address: 192.168.189.3

    Switch IP is from Loopback interface

    Switch IPv6 address is not configured.

     

     

    (LWEH_ARUBA_WLC1) #show datapath session table 172.16.80.4 | include 192.168.189.3
    192.168.189.3 172.16.80.4 6 8080 34671 0/0 0 0 1 tunnel 13 1e 0 0 SY
    192.168.189.3 172.16.80.4 6 8080 33530 0/0 0 0 0 tunnel 13 e 0 0 SY
    192.168.189.3 172.16.80.4 6 8080 45435 0/0 0 0 0 tunnel 13 e 0 0 SY
    192.168.189.3 172.16.80.4 6 8080 46004 0/0 0 0 1 tunnel 13 17 0 0 SY
    192.168.189.3 172.16.80.4 6 8081 45466 0/0 0 0 1 tunnel 13 18 0 0 SYI
    172.16.80.4 192.168.189.3 6 41137 443 1/15787 0 0 0 tunnel 13 23 4 240 NYCI
    172.16.80.4 192.168.189.3 6 41138 443 1/15787 0 0 0 tunnel 13 22 4 240 NYCI
    192.168.189.3 172.16.80.4 6 8081 52818 0/0 0 0 0 tunnel 13 3 0 0 SYI
    192.168.189.3 172.16.80.4 6 8081 45023 0/0 0 0 1 tunnel 13 11 0 0 SYI
    192.168.189.3 172.16.80.4 6 8080 59036 0/0 0 0 1 tunnel 13 12 0 0 SY
    192.168.189.3 172.16.80.4 6 8081 41138 0/0 0 0 0 tunnel 13 22 0 0 SYI
    192.168.189.3 172.16.80.4 6 8081 50049 0/0 0 0 1 tunnel 13 29 0 0 SYI
    192.168.189.3 172.16.80.4 6 8081 49166 0/0 0 0 1 tunnel 13 19 0 0 SYI
    192.168.189.3 172.16.80.4 6 8081 54654 0/0 0 0 1 tunnel 13 9 0 0 SYI
    192.168.189.3 172.16.80.4 6 8081 35011 0/0 0 0 1 tunnel 13 12 0 0 SYI
    192.168.189.3 172.16.80.4 6 8081 43550 0/0 0 0 1 tunnel 13 21 0 0 SYI
    192.168.189.3 172.16.80.4 6 8081 45691 0/0 0 0 0 tunnel 13 d 0 0 SYI
    192.168.189.3 172.16.80.4 6 8081 56738 0/0 0 0 0 tunnel 13 8 0 0 SYI
    192.168.189.3 172.16.80.4 6 8081 44495 0/0 0 0 1 tunnel 13 1e 0 0 SYI
    192.168.189.3 172.16.80.4 6 8081 33234 0/0 0 0 1 tunnel 13 22 0 0 SYI
    192.168.189.3 172.16.80.4 6 8081 43580 0/0 0 0 1 tunnel 13 18 0 0 SYI
    192.168.189.3 172.16.80.4 6 8081 45653 0/0 0 0 0 tunnel 13 10 0 0 SYI
    192.168.189.3 172.16.80.4 6 8081 43007 0/0 0 0 0 tunnel 13 0 0 0 SYI
    192.168.189.3 172.16.80.4 6 8081 39105 0/0 0 0 1 tunnel 13 19 0 0 SYI
    192.168.189.3 172.16.80.4 6 8080 40932 0/0 0 0 0 tunnel 13 d 0 0 SY
    192.168.189.3 172.16.80.4 6 8081 41137 0/0 0 0 0 tunnel 13 23 0 0 SYI
    192.168.189.3 172.16.80.4 6 8081 53442 0/0 0 0 0 tunnel 13 1 0 0 SYI

     

    thanks!



  • 10.  RE: How to enable the controller management via wireless

    MVP EXPERT
    Posted Mar 16, 2017 07:51 AM

    Hey, I've noticed a couple of things. Are you able to provide the full output of the CLI? The AAA profiles are missing which don't allow us to determine the User Role assigned to the User and any firewall rules. The ports 8080, 8081, 443 shown in the datapath session are all used as part of the re-direct in the logon role, so I am wondering if you have this assigned to the user as opposed to any allowing ACL?

     

    If you connect a client and run #show user-table you will be able to see the User Role assigned to the client. If you then run #show rights XXXX (where XXX is the User Role name) you will be able to see the ACL assigned to the user.

     

    Looking at the output you provided previously, I can see the NYCI flags.

     

    172.16.80.4 192.168.189.3 6 41137 443 1/15787 0 0 0 tunnel 13 23 4 240 NYCI
    172.16.80.4 192.168.189.3 6 41138 443 1/15787 0 0 0 tunnel 13 22 4 240 NYCI

     

    1) Have you changed the management port from 4343 to 443?

    2) The N flag shows that dest NAT is occurring. Is this configured in the User Role?

     

    FYI the Y flag means the 3-way handshake is occurring, but we kind of know this already :D
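As an added example (not part of any post in this thread): a small Python parser for the `show datapath session table` output above that groups the client-to-controller sessions by destination port and reports the two flags the replies explain, D (deny) and N (dest NAT). The column positions are assumed from the lines posted here, and `parse_sessions` and `triage` are hypothetical helper names.

```python
import ipaddress
from typing import NamedTuple

# Only the flag letters explained in this thread are interpreted; others are ignored.
FLAG_NOTES = {"D": "denied", "N": "destination NAT"}

# Four lines copied from the output posted in this thread.
SAMPLE = """\
192.168.189.3 172.16.80.4 6 8080 34671 0/0 0 0 1 tunnel 13 1e 0 0 SY
192.168.189.3 172.16.80.4 6 8081 45466 0/0 0 0 1 tunnel 13 18 0 0 SYI
172.16.80.4 192.168.189.3 6 41137 443 1/15787 0 0 0 tunnel 13 23 4 240 NYCI
172.16.80.4 192.168.189.3 6 41138 443 1/15787 0 0 0 tunnel 13 22 4 240 NYCI
"""

class Session(NamedTuple):
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    flags: str

def parse_sessions(text):
    """Parse session rows; CLI prompts, headers and malformed lines are skipped."""
    sessions = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 6:
            continue
        try:
            ipaddress.ip_address(tok[0])
            ipaddress.ip_address(tok[1])
            proto, sport, dport = (int(t) for t in tok[2:5])
        except ValueError:
            continue
        # Assumption: flags are the last column and purely alphabetic;
        # a row without flags ends in the numeric byte count instead.
        flags = tok[-1] if tok[-1].isalpha() else ""
        sessions.append(Session(tok[0], tok[1], proto, sport, dport, flags))
    return sessions

def triage(text, client, controller):
    """Group client->controller sessions by destination port, noting D/N flags."""
    report = {}
    for s in parse_sessions(text):
        if (s.src, s.dst) != (client, controller):
            continue
        entry = report.setdefault(s.dport, {"count": 0, "notes": set()})
        entry["count"] += 1
        entry["notes"].update(n for f, n in FLAG_NOTES.items() if f in s.flags)
    return report

if __name__ == "__main__":
    for port, info in sorted(triage(SAMPLE, "172.16.80.4", "192.168.189.3").items()):
        print(port, info["count"], sorted(info["notes"]) or "no D/N flags")
```

On the posted lines this reports two client sessions to port 443, both with destination NAT and none denied, which is the observation that prompts the question about the user role.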



  • 11.  RE: How to enable the controller management via wireless

    Posted Mar 16, 2017 09:06 AM

    Hi Zalion,

    I have attached the show run output. Basically, I have not configured any user role for any users and all is default configuration. Below is the show rights output.

     

    1) Have you changed the management port from 4343 to 443?

       No. All is default.

    2) The N flag shows that dest NAT is occuring. Is this configured in the User Role? NO.

     

    (LWEH_ARUBA_WLC1) #show rights

    RoleTable
    ---------
    Name ACL Bandwidth ACL List Type
    ---- --- --------- -------- ----
    ap-role 7 Up: No Limit,Dn: No Limit ra-guard/,control/,ap-acl/,v6-control/,v6-ap-acl/ System
    authenticated 64 Up: No Limit,Dn: No Limit global-sacl/,apprf-authenticated-sacl/,ra-guard/,allowall/,v6-allowall/ User
    default-iap-user-role 11 Up: No Limit,Dn: No Limit allowall/ User
    default-via-role 61 Up: No Limit,Dn: No Limit global-sacl/,apprf-default-via-role-sacl/,allowall/ User
    default-vpn-role 63 Up: No Limit,Dn: No Limit global-sacl/,apprf-default-vpn-role-sacl/,ra-guard/,allowall/,v6-allowall/ User
    guest 5 Up: No Limit,Dn: No Limit global-sacl/,apprf-guest-sacl/,ra-guard/,http-acl/,https-acl/,dhcp-acl/,icmp-acl/,dns-acl/,v6-http-acl/,v6-https-acl/,v6-dhcp-acl/,v6-icmp-acl/,v6-dns-acl/ User
    guest-logon 10 Up: No Limit,Dn: No Limit ra-guard/,logon-control/,captiveportal/,v6-logon-control/,captiveportal6/ User
    logon 2 Up: No Limit,Dn: No Limit ra-guard/,logon-control/,captiveportal/,vpnlogon/,v6-logon-control/,captiveportal6/ User
    stateful-dot1x 8 Up: No Limit,Dn: No Limit global-sacl/,apprf-stateful-dot1x-sacl/ System
    sys-ap-role 12 Up: No Limit,Dn: No Limit sys-control/,sys-ap-acl/ System
    voice 62 Up: No Limit,Dn: No Limit global-sacl/,apprf-voice-sacl/,ra-guard/,sip-acl/,noe-acl/,svp-acl/,vocera-acl/,skinny-acl/,h323-acl/,dhcp-acl/,tftp-acl/,dns-acl/,icmp-acl/,wificalling-acl/ User

    Total Roles:11

     

    thanks!

     



  • 12.  RE: How to enable the controller management via wireless

    MVP EXPERT
    Posted Mar 16, 2017 09:14 AM

    Hey, we need to know what user role is configured for the client when they connect as this might be causing the issue. So you need to check with #show rights | XXXX (where XXXX is the user role assigned to the end user).

     

    You also don't have an AAA profile configured on your VAP so their User Role won't be assigned.

     

    wlan virtual-ap "LWEH-STAFF-A_VAP"
       ssid-profile "LWEH-STAFF-A"
       vlan 88
       band-steering
    !


  • 13.  RE: How to enable the controller management via wireless

    Posted Mar 16, 2017 09:31 AM

    Hi Zalion,

     

    Yes. I have not assigned a user role for the users. But will it cause this issue?

     

    thanks!

     



  • 14.  RE: How to enable the controller management via wireless

    MVP EXPERT
    Posted Mar 16, 2017 10:48 AM

    As a test, create an AAA profile and assign the "authenticated" role, and can you let me know if you can access the GUI?



  • 15.  RE: How to enable the controller management via wireless
    Best Answer

    Posted Mar 22, 2017 01:37 AM

    Hi zalion,

     

    After putting in the AAA profile and role, it is working now. Thanks for all your assistance.



  • 16.  RE: How to enable the controller management via wireless

    MVP EXPERT
    Posted Mar 22, 2017 03:34 AM

    Hey, that's great! Glad the suggested solution resolved the issue :D