Wireless Access


./create_group_dump.pl & ./restore_group_dump.pl caused AMP to delete local-userdb-guest accounts?

  • 1.  ./create_group_dump.pl & ./restore_group_dump.pl caused AMP to delete local-userdb-guest accounts?

    Posted Sep 04, 2013 04:07 PM

    *TAC case has been opened*

     

    Here is an interesting one for you all

    I decided today to move a particular Airwave group from 1 AMP to another.

    I used ./create_group_dump.pl to create the dump file on the current AMP

    I then used ./restore_group_dump.pl to re-create that same AMP group on the destination AMP.

     

    That worked no problem. Group was created, devices were moved over. I moved the devices afterwards into specific folders.

     

    I then find out soon after that the following occurred.

    The "new" AMP went ahead and ran the following commands on the controllers:

    Sep  4 10:22:30  fpcli: USER:MANUAirwave@10.204.65.13 COMMAND:<local-userdb-guest del username "sdsdsdsd" > -- command executed successfully
    Sep  4 10:22:30  fpcli: USER:MANUAirwave@10.204.65.13 COMMAND:<local-userdb-guest del username "sdsdss" > -- command executed successfully
    Sep  4 10:22:30  fpcli: USER:MANUAirwave@10.204.65.13 COMMAND:<local-userdb-guest del username "dfdf" > -- command executed successfully
    Sep  4 10:22:30  fpcli: USER:MANUAirwave@10.204.65.13 COMMAND:<local-userdb-guest del username "ÉsdsdfÉ" > -- command executed successfully
    Sep  4 10:22:30  fpcli: USER:MANUAirwave@10.204.65.13 COMMAND:<local-userdb-guest del username "ffsdg" > -- command executed successfully

     I changed the usernames for security reasons

     

    None of the users were then able to authenticate to the network. I manually restored the usernames/passwords to the internal db and all was resolved.

     

    Now the question arises: why would Airwave go ahead and remove these users??

     

    1. On the Original AMP, the devices were set to monitor-mode only

    2. The Destination Airwave already had other groups and devices being monitored in monitor-mode only.

     

    Original AMP: 7.6.2

    Destination AMP: 7.6.4
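
Added example (not part of the original thread, and not Aruba or AirWave code): one way to spot this kind of bulk guest-account deletion in the controller audit trail, using the fpcli line format quoted in the post above. The sample lines, account names, addresses, threshold and window are constructed assumptions, and the year is supplied by the caller because the log lines carry none.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Line layout follows the fpcli audit-trail entries quoted in the post.
AUDIT_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+fpcli:\s+'
    r'USER:(?P<user>[^@\s]+)@(?P<src>\S+)\s+'
    r'COMMAND:<(?P<cmd>.*?)\s*>\s+--\s+(?P<result>.*)$')
GUEST_DEL_RE = re.compile(r'^local-userdb-guest\s+del\s+username\s+"(?P<name>[^"]*)"')

# Constructed sample input: accounts, addresses and usernames are made up.
_FMT = ('Sep  4 10:22:30  fpcli: USER:{0} COMMAND:'
        '<local-userdb-guest del username "{1}" > -- command executed successfully')
SAMPLE = [_FMT.format("amp-svc@192.0.2.10", n) for n in ("guest-a", "guest-b", "guest-c")]
SAMPLE += [_FMT.format("admin@192.0.2.50", "guest-d"), "Sep  4 10:23:01  unrelated line"]

def parse_line(line, year=2013):
    """Parse one audit line; None if not an fpcli entry. Year is an assumed input."""
    m = AUDIT_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    stamp = " ".join(rec["ts"].split())  # collapse the padded day-of-month
    rec["ts"] = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
    return rec

def guest_delete_bursts(lines, threshold=3, window=timedelta(seconds=60)):
    """Flag any user@source that deleted >= threshold guest users within window."""
    by_actor = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or "successfully" not in rec["result"]:
            continue
        hit = GUEST_DEL_RE.match(rec["cmd"])
        if hit:
            by_actor[(rec["user"], rec["src"])].append((rec["ts"], hit.group("name")))
    alerts = []
    for (user, src), events in sorted(by_actor.items()):
        events.sort(key=lambda e: e[0])      # stable: keeps log order within a second
        best, start = [], 0
        for end in range(len(events)):       # sliding window over timestamps
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 > len(best):
                best = events[start:end + 1]
        if len(best) >= threshold:
            names = [name for _, name in best]
            alerts.append({"user": user, "src": src, "first_seen": best[0][0], "usernames": names})
    return alerts
```

Running `guest_delete_bursts(SAMPLE)` flags only the account that removed three guest users in the same second; the single deletion from the other account stays below the threshold.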

     



  • 2.  RE: ./create_group_dump.pl & ./restore_group_dump.pl caused AMP to delete local-userdb-guest accounts?

    EMPLOYEE
    Posted Sep 04, 2013 04:36 PM

    That behavior seems odd unless the controller was in management mode.  What did the device and event logs for the controller show?



  • 3.  RE: ./create_group_dump.pl & ./restore_group_dump.pl caused AMP to delete local-userdb-guest accounts?

    Posted Sep 04, 2013 05:06 PM

    What you see above your post is the audit-trail from the controller.

    Device Events (controller)
     |AP mlixw16tornt11w@10.200.64.20 nanny|  Reboot Reason: AP rebooted Fri Nov 30 06:10:29 EST 2012; SAPD: Unable
    
    

     

    Wed Sep 4 10:30:11 2013     System     Alert     Configuration Mismatch: Device: MLIXWC1TOR200: Device Type is Access Point, Device Type is Controller or Device Type is Remote AP (Normal)
    Wed Sep 4 10:29:54 2013     System     Device     Aruba 6000 mlixwibmgofec2-Gough-Local-2 Configuration verification: configuration on device does not match desired configuration     288     Top > Controllers     Gough Local Controller 2
    Wed Sep 4 10:24:56 2013     System     Device     Aruba AP 105 NT-12F-AP01 Discovered     2866         Access Points
    Wed Sep 4 10:22:20 2013     System     Device     Aruba AP 105 mlixw10tornt12w Created     2865     Top     Manulife-POC
    Wed Sep 4 10:22:19 2013     System     Device     Aruba AP 93 mlixw16tornt11w Created     2864     Top     Manulife-POC
    Wed Sep 4 10:22:19 2013     System     Device     Aruba AP 93 mlixw17tornt12w Created     2863     Top     Manulife-POC
    Wed Sep 4 10:22:18 2013     System     Device     Aruba AP 105 mlixw06tornt11w Created     2862     Top     Manulife-POC
    Wed Sep 4 10:22:18 2013     System     Device     Aruba AP 93 mlixw15tornt11w Created     2861     Top     Manulife-POC
    Wed Sep 4 10:22:17 2013     System     Device     Aruba AP 93 mlixw18tornt12w Created     2860     Top     Manulife-POC
    Wed Sep 4 10:22:17 2013     System     Device     Aruba AP 105 mlixw09tornt11w Created     2859     Top     Manulife-POC
    Wed Sep 4 10:22:16 2013     System     Device     Aruba AP 105 mlixw11tornt12w Created     2858     Top     Manulife-POC
    Wed Sep 4 10:22:15 2013     System     Device     Aruba AP 105 mlixw05tornt11w Created     2857     Top     Manulife-POC
    Wed Sep 4 10:22:15 2013     System     Device     Aruba AP 105 mlixw02tornt11w Created     2856     Top     Manulife-POC
    Wed Sep 4 10:22:14 2013     System     Device     Aruba AP 105 mlixw04tornt11w Created     2855     Top     Manulife-POC
    Wed Sep 4 10:22:14 2013     System     Device     Aruba AP 105 mlixw01tornt11w Created     2854     Top     Manulife-POC
    Wed Sep 4 10:22:13 2013     System     Device     Aruba AP 105 mlixw08tornt11w Created     2853     Top     Manulife-POC
    Wed Sep 4 10:22:13 2013     System     Device     Aruba AP 105 mlixw14tornt12w Created     2852     Top     Manulife-POC
    Wed Sep 4 10:22:12 2013     System     Device     Aruba AP 105 mlixw07tornt11w Created     2851     Top     Manulife-POC
    Wed Sep 4 10:22:12 2013     System     Device     Aruba AP 105 mlixw01torntb Created     2850     Top     Manulife-POC
    Wed Sep 4 10:22:11 2013     System     Device     Aruba AP 105 mlixw12tornt12w Created     2849     Top     Manulife-POC
    Wed Sep 4 10:22:11 2013     System     Device     Aruba AP 105 mlixw03tornt11w Created     2848     Top     Manulife-POC
    Wed Sep 4 10:22:09 2013     System     Device     Aruba AP 105 mlixw13tornt12w Created     2847     Top     Manulife-POC
    Wed Sep 4 10:22:08 2013     System     Device     Aruba 6000 MLIXWC1TOR200 Created     2846     Top     Manulife-POC
    Wed Sep 4 10:22:05 2013     System     Device     Aruba 6000 MLIXWC2TOR200 Created     2845     Top

     

    That's all it shows....

     

    Also, why would it only erase those internal users and not overwrite it with the base AMP config for Aruba controllers?



  • 4.  RE: ./create_group_dump.pl & ./restore_group_dump.pl caused AMP to delete local-userdb-guest accounts?

    EMPLOYEE
    Posted Sep 05, 2013 10:56 AM

    Normally I'd expect to see somewhere that says mismatch, and then a following line that says changes pushed.  Not seeing that in the log portions you sent.  Let me know what support finds out, I'd be interested in the root cause.



  • 5.  RE: ./create_group_dump.pl & ./restore_group_dump.pl caused AMP to delete local-userdb-guest accounts?

    Posted Sep 05, 2013 11:12 AM
    Definitely will let you know.
    I can provide you the case number if you'd like as well so you can poke through it.





  • 6.  RE: ./create_group_dump.pl & ./restore_group_dump.pl caused AMP to delete local-userdb-guest accounts?

    EMPLOYEE
    Posted Sep 05, 2013 11:48 AM

    On the AMP Setup page of the new server, do you have guest user creation enabled for all devices?  That could definitely contribute to this. 



  • 7.  RE: ./create_group_dump.pl & ./restore_group_dump.pl caused AMP to delete local-userdb-guest accounts?

    Posted Sep 05, 2013 12:01 PM
    Unfortunately yes

    Even in monitor-mode it will still push a delete command?


  • 8.  RE: ./create_group_dump.pl & ./restore_group_dump.pl caused AMP to delete local-userdb-guest accounts?

    EMPLOYEE
    Posted Sep 05, 2013 01:33 PM

    Yes.  If the new AMP doesn't think the users should be there, but they are, it would delete them. 

     

    For managing guest users, ClearPass is a better solution than AirWave in many ways.



  • 9.  RE: ./create_group_dump.pl & ./restore_group_dump.pl caused AMP to delete local-userdb-guest accounts?

    Posted Sep 05, 2013 02:28 PM
    Clearpass definitely. Unfortunately since we are an MSP, the end customer purchased the equipment through our partner, no clearpass.

    I'm still confused as to why AMP would do this. The devices are in monitor-mode only; shouldn't AMP not touch the controllers at all if that's the case?
    Is this documented somewhere?

    As you know Dan, Airwave is my baby and I haven't seen this anywhere!


  • 10.  RE: ./create_group_dump.pl & ./restore_group_dump.pl caused AMP to delete local-userdb-guest accounts?

    Posted Sep 12, 2013 07:28 AM
    TAC is still working on this even though I threw out what you mentioned to them, Dan.



  • 11.  RE: ./create_group_dump.pl & ./restore_group_dump.pl caused AMP to delete local-userdb-guest accounts?

    Posted Sep 17, 2013 07:11 PM
    So....TAC came back with the same answer as you Dan (as expected) but still not thrilled about it.

    I've asked them to include this in documentation or release notes of some form.

    2nd time this has happened to me. Last time was placing read-only devices in maintenance mode and then finding out maintenance mode means actually doing maintenance from Airwave to controller...config wise.

    I believe that was documented though ;)