Wireless Access

We have a couple of existing M3 Aruba 6000 controllers in master/local setup which we are ready to replace with 2 x 7220 controllers. We use ClearPass for our .1x  authentication such as eduroam.

I thought the least disruptive way to do this would be to add the 7220's as local controllers to our existing setup and then after testing, promote one of the new 7220's to master and retire the 2 old 6000 series controllers.

However, after adding the new 7220 controllers, I am seeing some weird stuff that makes me think they are not integrated correctly.

JPEG-1 shows the existing master controller (Aruba 6000) with the users and roles listed correctly.

JPEG-2 shows what I am seeing from the new 7220 which has been added as a local controller to our existing set up.

The new local controller seems unable to determine roles and is assigning a default-iap-user role to everyone.

I though that by adding a controller to an existing master/local pair, most of the config apart from network details was taken from the master controller?

The only thing I changed once the controllers had been added a new local controllers was to add a new AP group for new building and set the LMS IP to be one of the new 7220 controllers for testing purposes.

Where do i start to look to troubleshoot this?

Did you add Policy Enforcement Licenses to your 7220s? 

Yes, we generated a trial license for one month, just logged on and checked, we have 5 days left..

 run the "show profile-errors" command on the CLI do you see any issues?

Ok, this gets slightly stranger. we have had our AV contractors in the new building installing kit. They are reporting that the wifi is working. I looked at the time and on one 7220, i could see what I would class as correct info showing an associated user with an eduroam role.

on the other controller, Im still seeing the output posted in JPEG 2 from the first post.

I will run show profile-errors on both new controllers and report back

On the first new local controller

(ldnrpi-wire01) #show profile-errors

Invalid Profiles
----------------
Profile                           Error
-------                           -----
ap wired-port-profile "Apple-TV"  Wired AP profile "Apple-TV" does not exist
ap-group "17-36 LH"               AP system profile "WST0A-Hosted" does not exist
ap-group "AP-135 Apple TV"        AP system profile "WSS0A-Hosted" does not exist
ap-group "default"                AP system profile "WSS0A-Hosted" does not exist
ap-group "default n"              AP system profile "WST0A-Hosted" does not exist
ap-group "HWM"                    AP system profile "WST0A-Hosted" does not exist
ap-group "Lecture Theatres"       AP system profile "WSS0A-Hosted" does not exist
ap-group "Lorne Close"            AP system profile "WST0A-Hosted" does not exist
ap-group "Sainsburys"             Virtual AP profile "tac-test" does not exist
ap-group "Taunton"                AP system profile "WST0A-Hosted" does not exist
ap-group "Test Eduroam"           AP system profile "WST0A-Hosted" does not exist
ap-name "00:0b:86:cf:f3:03"       802.11g radio profile "Spectrum_Mode_G" does not exist

(ldnrpi-wire01) #

One the second new controller

(ldntpi-wire02) #show profile-errors

Invalid Profiles
----------------
Profile  Error
-------  -----

(ldntpi-wire02) #

Does this mean that they did not get the correct config from the master when they were added as local controllers?

It looks like some profiles do not exist on the local either because the config has not syncd properly or dependencies within those profile do not exist on the local.

If you run "show switches" on the master this will tell you the status of the synchronisation. Your looking for "update successful" for each local.

Try checking the problem profiles on the master to see if you are missing any dependencies and try doing a "write mem" on the CLI and immediately after run the "show switches" to check the updates are pushed.

If I run the show switches command I can see the updates are successful

(wss0a) #show switches

All Switches
------------
IP Address     Name           Location          Type    Model      Version        Status  Configuration State  Config Sync Time (sec)  Config ID
----------     ----           --------          ----    -----      -------        ------  -------------------  ----------------------  ---------
163.119.71.6   wss0a          Building1.floor1  master  Aruba6000  6.4.4.9_55980  up      UPDATE SUCCESSFUL    0                       826
163.119.0.231  ldnrpi-wire01  LDNRPI            local   Aruba7220  6.4.4.9_55980  up      UPDATE SUCCESSFUL    3                       826
163.119.0.232  ldntpi-wire02  LDNTPI            local   Aruba7220  6.4.4.9_55980  up      UPDATE SUCCESSFUL    3                       826
163.119.71.7   wst0a          Building1.floor1  local   Aruba6000  6.4.4.9_55980  up      UPDATE SUCCESSFUL    9                       826

Total Switches:4

Yet from the show profile-erros command it appears that the sync hasn't worked correctly?

Looking at the profile errors - I have chosen WST0A-Hosted
 
(ldnrpi-wire01) #show profile-errors
Invalid Profiles
----------------
Profile                           Error
-------                           -----
ap-group "17-36 LH"               AP system profile "WST0A-Hosted" does not exist
 
If I run the show run command, for these profiles I see the following
 
ap system-profile "WST0A-Hosted"
   lms-ip x.x.x.x
   shell-passwd 7d69f30b86a6a0a093169990558bbaece551c669a48547be
   bkup-passwords 3b21307eefe92bb29372c3cf06d4e31e24b1a2cde73803fc
!
 
So they do exist on the switch???