New Contributor
Posts: 3
Registered: ‎09-24-2010

RAP Split-tunnels issues with XP WPA2 Enterprise

I am having problems with my Windows XP clients that use WPA2 Enterprise. This problem seems to be with the split-tunnel mode more than using a tunnel only mode. I need some advice concerning the following:

Is this just a flaky Windows XP issue that I have to live with?

Is there a way to get the sessions to time out and go away in the RAPs?

 

 

I am running ArubaOS (MODEL: Aruba3400S), Version 6.0.1.2, and the Windows XP systems are patched to the latest updates.

I am running WPA2 Enterprise AES with EAP type "Smart Card or certificate". We use both our own computer and user certs.

 

 

This is a more detailed explanation of my network and what I know about the problem.

I have several AP-105s running in RAP mode at 15 remote sites. We use a split-tunnel configuration to terminate connections to the LAN at our remote sites, which are connected via Cisco routers and an MPLS network. The authentication is WPA2 Enterprise. The 3400 controllers are at the Corp data center. The issue seems to be with Windows XP WPA2 Enterprise. We have a mix of XP and Windows 7 clients. The XP clients have intermittent problems establishing a connection. They seem to authenticate and then they hang trying to get a DHCP address. Sometimes it is necessary to reboot the AP to fix this problem or wait a very until the session data times out in the RAP. When the problem occurs, the RAP has the client with ACL #1, which is the "logon" default ACL. When it works, it has the proper ACL that is needed to route the packets.

 

 

show datapath user ap-name ATEST-RAP105-01

****** this is the state when it will not work *******

Note: ACL 0 is not the ACL that will work for my split-tunnel

IP              MAC               ACLs    Contract  Location Age Sessions  Flags Vlan FM
--------------- ----------------- ------- --------- -------- --- --------- ----- ---- --
0.0.0.0         00:1C:BF:17:13:93 1/0     0/0       0        0   0/65535   P     1    S

****** This is the state when it does work *******

Note: the ACL 62 is the proper ACL for the split tunnel

IP              MAC               ACLs    Contract  Location Age Sessions  Flags Vlan FM
--------------- ----------------- ------- --------- -------- --- --------- ----- ---- --
22.1.20.139     00:1C:BF:17:13:93 62/0    0/0       0        47  0/65535         1    S
0.0.0.0         00:1C:BF:17:13:93 62/0    0/0       0        0   2/65535   P     1    S

 

 

show datapath acl 62 ap-name ATEST-RAP105-01

----------------------------------------------------------------
1: any any any PR4 hits 203
2: any any any 46
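
The stuck state described in the post above (a client whose only datapath entry is 0.0.0.0 and which still sits in the logon ACL instead of ACL 62) can be checked for mechanically. This is an added example, not part of the original post and not Aruba tooling; the sample rows are reconstructed from the output quoted in the post, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed samples: rows rebuilt from the "show datapath user" output in the post.
HEADER = (
    "IP              MAC               ACLs    Contract  Location Age Sessions  Flags Vlan FM\n"
    "--------------- ----------------- ------- --------- -------- --- --------- ----- ---- --\n"
)
FAILING = HEADER + (
    "0.0.0.0         00:1C:BF:17:13:93 1/0     0/0       0        0   0/65535   P     1    S\n"
)
WORKING = HEADER + (
    "22.1.20.139     00:1C:BF:17:13:93 62/0    0/0       0        47  0/65535         1    S\n"
    "0.0.0.0         00:1C:BF:17:13:93 62/0    0/0       0        0   2/65535   P     1    S\n"
)

# Only the first three columns are needed; the Flags column can be blank,
# so later columns cannot be split reliably on whitespace.
ROW = re.compile(
    r"^(\d{1,3}(?:\.\d{1,3}){3})\s+"            # IP
    r"((?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\s+"  # MAC
    r"(\d+)/\d+"                                  # first ACL number
)

def parse_datapath_users(text):
    """Return {mac: [(ip, acl), ...]}; header and separator lines are skipped."""
    users = defaultdict(list)
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            users[m.group(2).upper()].append((m.group(1), int(m.group(3))))
    return dict(users)

def stuck_clients(text, expected_acl):
    """Flag MACs that have no IP-bearing entry or are not in expected_acl."""
    stuck = {}
    for mac, entries in parse_datapath_users(text).items():
        has_ip = any(ip != "0.0.0.0" for ip, _ in entries)
        acls = sorted({acl for _, acl in entries})
        if not has_ip or acls != [expected_acl]:
            stuck[mac] = {"has_ip": has_ip, "acls": acls}
    return stuck

if __name__ == "__main__":
    print("failing:", stuck_clients(FAILING, expected_acl=62))
    print("working:", stuck_clients(WORKING, expected_acl=62))
```
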

 

 

 

 

 

 

New Contributor
Posts: 2
Registered: ‎02-01-2012

Re: RAP Split-tunnels issues with XP WPA2 Enterprise

I have kind of the same issue with an XP machine. We have a 620 controller here at HQ and RAP2s at 5 homes, and split tunneling is set up. I use Win 7 with no issues, BUT a co-worker has Win XP and can't pull a DHCP without being wired in. We have rebooted the controller and the PC as well as re-provisioned the RAP2.

New Contributor
Posts: 2
Registered: ‎02-01-2012

Re: RAP Split-tunnels issues with XP WPA2 Enterprise

I fixed the issue that I was having by adding DHCP to my Firewall rule in the Split-Tunneling.

Guru Elite
Posts: 20,985
Registered: ‎03-29-2007

Re: RAP Split-tunnels issues with XP WPA2 Enterprise


badgdl wrote:

I am having problems with my Windows XP clients that use WPA2 Enterprise. This problem seems to be with the split-tunnel mode more than using a tunnel only mode. I need some advice concerning the following:

Is this just a flaky Windows XP issue that I have to live with?

Is there a way to get the sessions to time out and go away in the RAPs?

 

 

I am running ArubaOS (MODEL: Aruba3400S), Version 6.0.1.2, and the Windows XP systems are patched to the latest updates.

I am running WPA2 Enterprise AES with EAP type "Smart Card or certificate". We use both our own computer and user certs.

 

 

This is a more detailed explanation of my network and what I know about the problem.

I have several AP-105s running in RAP mode at 15 remote sites. We use a split-tunnel configuration to terminate connections to the LAN at our remote sites, which are connected via Cisco routers and an MPLS network. The authentication is WPA2 Enterprise. The 3400 controllers are at the Corp data center. The issue seems to be with Windows XP WPA2 Enterprise. We have a mix of XP and Windows 7 clients. The XP clients have intermittent problems establishing a connection. They seem to authenticate and then they hang trying to get a DHCP address. Sometimes it is necessary to reboot the AP to fix this problem or wait a very until the session data times out in the RAP. When the problem occurs, the RAP has the client with ACL #1, which is the "logon" default ACL. When it works, it has the proper ACL that is needed to route the packets.

 

 

show datapath user ap-name ATEST-RAP105-01

****** this is the state when it will not work *******

Note: ACL 0 is not the ACL that will work for my split-tunnel

IP              MAC               ACLs    Contract  Location Age Sessions  Flags Vlan FM
--------------- ----------------- ------- --------- -------- --- --------- ----- ---- --
0.0.0.0         00:1C:BF:17:13:93 1/0     0/0       0        0   0/65535   P     1    S

****** This is the state when it does work *******

Note: the ACL 62 is the proper ACL for the split tunnel

IP              MAC               ACLs    Contract  Location Age Sessions  Flags Vlan FM
--------------- ----------------- ------- --------- -------- --- --------- ----- ---- --
22.1.20.139     00:1C:BF:17:13:93 62/0    0/0       0        47  0/65535         1    S
0.0.0.0         00:1C:BF:17:13:93 62/0    0/0       0        0   2/65535   P     1    S

 

 

show datapath acl 62 ap-name ATEST-RAP105-01

----------------------------------------------------------------
1: any any any PR4 hits 203
2: any any any 46

 

 

 

 

 

 


If you have APs that are connected via your private WAN at remote offices, the forwarding mode for your clients needs to be Bridged, instead of split tunnel.  Your WAN infrastructure at your remote sites can give out addresses, as well as route traffic back using your existing infrastructure.  No need to split tunnel, when your infrastructure already does that.  That will make your deployment more predictable and allow your clients to leverage what you have already built.

 



Colin Joseph
Aruba Customer Engineering
