Wireless Access

Reply
Contributor I
Posts: 30
Registered: ‎03-28-2011

second ssid with dot1x

Hi,

 

Let me first state what works:

I have a Powerconnect W-620 controller running arubaOS 5.0.4.3.

I have 2 ssid's, one is for employees, the other for visitor access. The visitor ssid has an own vlan that is truncted to an ASA, so it has internet access but no internal access. Both work fine as designed, with WPA-PSK2.

 

Now for my problem :

Yesterday I decided to implement Radius (using a W2K3 server) for both ssids. 

I got it to work successfully for the employee ssid, but fail on the visitor ssid. You'd think the vlan is the culprit but no.

The controller refuses to apply my visitor AAA profile to the visitor vap, complaining about the 802.1X authentication server Group not being defined in the default/defaultdot1x AAA section.

 

But when I go there and define the missing servergroup, another error pops up : Role 'authenticated' is user defined and can't be applied without NG Policy Enforcement firewall. The weird thing is I didn't get that error when I setup the first SSID. I really don't need a firewall on the W-620, as I have my ASA handle all that.

 

Then I contacted DELL Benelux for a quote .. they don't have a clue what I'm talking about. It turns out I'm the only Aruba customer they have in the Benelux, and support is non existent. When I purchase an AP, antennas are forgotten, eventually you get those and hook up the AP only to realize you need a licence, that Dell obviously didn't quote, aruba powercubes are non unobtainable, I've burned so much time on this platform... end of rant - but I'd really like to know :

 

1. do I just need to update the firmware for this to go away ?

2. how can I order an NGPE firewall ?

3. how much does this thing cost ?  Yes, an estimate is fine.

 

kind regards

 

Ward

 

 

Guru Elite
Posts: 20,789
Registered: ‎03-29-2007

Re: second ssid with dot1x

How are you authenticating guests? Are you using the Captive Portal?


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Contributor I
Posts: 30
Registered: ‎03-28-2011

Re: second ssid with dot1x

you got me, the visitor ssid is still proof of concept, isolation is up but now i want to setup a visitor account in ad, hence the dot1x. i' intend to change the password once a week, to prevent my collegues using the guest ssid on their phones and circumvent the fw rules.
captive portal is another chapter to read, and im strongheaded about its concept : when a visitors phone tells here she is connected to the internet, i want it to be true. i hate it when i'm sitting in a bar, there's an open network i connect to, but after 5 minutes my exchange mail doesnt appear, and in the browser theres an ' i gotcha page' ....not in my kingdom.
thx for replying !
Ward
Search Airheads
Showing results for 
Search instead for 
Did you mean: