My Aruba controller now uses ClearPass for self-registration. It works when I set the service to match on SSID equal to "self-regis" in ClearPass (see aruba.jpg).
But another vendor's (non-Aruba) equipment uses ClearPass for self-registration too. How should I set up the service? If I set up the service as in non-aruba.jpg, is that right?
If you import the Ruckus RADIUS dictionary into ClearPass, then you can specify the Ruckus SSID just like Aruba.
You can download the Ruckus RADIUS dictionary on the Ruckus support site: https://support.ruckuswireless.com/answers/000005579
I've attached a picture of what it should look like.
I've got a couple of questions regarding onboarding with Android devices and other devices:
1. When onboarding with Android devices, I receive the part to download QuickConnect. For some devices, we get an error for the following: market://details?id=com.arubanetworks.quickconnect.android (or at least something like that) and then net::ERR_UNKNOWN_URL_SCHEME. For other Android devices, we don't get that error and it redirects properly to the marketplace/store to download QuickConnect. Any idea what causes this?
2. Are BlackBerry devices and Windows Phone devices capable of using Onboard or is this not possible?
1) That means the browser that you're using doesn't have an application association for the Google Play store.
2) There is no automated Onboarding, but web enrollment can be used.
In reviewing my IDS logs today I noticed that I have several entries where it's being reported that the APs at one location are spoofing other APs at the same location. This is happening at a remote office (6 APs) that we manage from a centralized 7220 that also manages several other remote offices, all in the same AP Group. The issue seems to be happening primarily at 1 physical location. Although they're all AP-225s, they have different MAC OUIs and I notice that it's always one OUI attacking the other. Are these false positives due to the different OUIs, and if so how can I avoid this alert?
Hello, I will show you my client's configuration and then ask my question:
3 SSIDs: Employee (vlan-10), garage (vlan-10) and Guest (vlan-20)
My client wants to add another internet connection only for the Guest.
I would like to know if I have something to do with the controller or if the router can route the Guest VLAN to the Guest internet connection?
OK, for example:
If the internet for Guest is plugged into port 1 of the controller, I have to assign VLAN 20 (Guest VLAN) to port 1 and remove VLAN 20 from the other port.
I'm testing out a 93H for a Dorm type environment and have it working in tunnel mode. I've read the differences stated in this guide, referenced in other forum posts:
After reading this, I have some questions and I'm not sure if it's related to Bridge Mode, or just limitations of the equipment, or just a suggestion from Aruba. In the Bridge Mode section (page 42) it states this:
Bridge mode allows the AP to bridge traffic directly on to the LAN, with firewall policies applied at the AP. This deployment model is typically used in a deployment with a small number of users and APs on a single /24 subnet. Aruba supports no more than 32 APs at a single Layer 2 network without a controller being present and reverting to one of the other two forwarding modes.
This is not a mobility controller limitation, but a limitation in the number of devices that should reasonably be deployed in a single Layer 2 network. Most network administrators will keep Layer 2 segments limited to /24 subnets to control broadcast domain size. This limitation fits with the expected network size, providing approximately 222 station addresses, or approximately seven stations per AP.
As an example, where multiple buildings exist in a small area, such as a school, if each building is a separate Layer 2 network, each building can have up to 32 APs deployed.
The APs still require access to the mobility controller to function, though the controller does not need to be in the same location as the APs. If the mobility controller is remotely located, the APs need a secure connection (VPN) between the sites with low latency. All processing is performed on the AP, so certain centralized features are not available. To enable bridge mode, CPsec must be enabled in the
The line that is most troubling is that last sentence of the first paragraph: "Aruba supports no more than 32 APs at a single Layer 2 network without a controller being present and reverting to one of the other two forwarding modes." I understand that a good network design has each building with a /24, but in an education community, that just doesn't work. All of my networks are /23 at the minimum and I have a couple of /22s, thanks to the influx of mobile devices. A couple of my networks span several buildings, due to the small user base in those areas; however, because of the construction materials used in those areas (older buildings), the AP count is going to be much higher than 32.
Can someone clarify what this section is trying to say exactly? I guess I'm confused if this is a Bridge Mode limitation or if I'm going to hit some kind of limit or is this just a suggestion, or what. I'm looking to likely deploy around 400 of the 93H if this test proves to be good, which it is looking like it is, so any suggestions would be appreciated.
The debate I'm having with the rest of my network team currently is in regards to the Bridge vs Tunneled modes. I can see arguments both ways. Has anyone else run into this? Are the access switches set up in a similar fashion?
For reference, our environment is currently mostly AP-105 and AP-135, 115 Aruba APs in total, replacing a Cisco environment of over 500 APs. We're currently using a 6K controller with 1 M3 blade running 220.127.116.11. Will likely buy 2 more M3s in the next year.
Any thoughts or suggestions are greatly appreciated. Thanks.
Very few bridge deployments involve 32 APs that are within earshot of each other.
For those 32 APs, application sessions are transferred from AP to AP as the user roams. For the 33rd AP, the device can roam, but the application sessions will not be transferred.
One further question: I currently have CPSec disabled. I've noted in the documentation that it doubles the boot times of the APs when it is enabled. Are there any other significant drawbacks to having it turned on?
The reason I ask is, I'm really considering bridge mode for the wired ports on the 93H. I currently have everything working in tunneled mode but would like to move the wired ports to bridge and leave the wireless in tunnel mode. We have a lot of streaming DVD players and other devices connected wired in our dorms which I would rather have bridged instead of tunneled back to the controller. This seems possible, but I haven't tested yet. Any thoughts?
I have an IAP 105 and an IAP 205. They are on two different switches, in two different and separate networks, with two different ESSIDs and using different radio channels.
The problem is: when I turn ON one of the two IAPs (doesn't matter which one) it will turn on normally and it will start to emit a WiFi signal. When I turn ON the other too, it will never emit a WiFi signal.
So, if I turn on the IAP 105 and then the IAP 205, the second one will not work and vice versa.
The same happens when they are plugged into the same switch, with the stock configuration, with different country codes, when they are very close to each other, when they are 10-15 meters far from each other, when they are using all possible channels, when they are on different channels....
I have tried so many times adjusting the configuration and trying various combinations... How can they interfere with each other?
Thanks so much for any advice.
Can you make sure that both access points run the same Aruba Instant firmware version? As you have a 105 and 205 AP, they run a different hardware architecture and only cluster if the version is the same. If firmware mismatches, the new AP will not join, exactly what you describe.
Further, on the close proximity, performance will be poor if you place APs close to each other. As a rule of thumb, make sure the APs are separated more than 3m/10ft from other APs or transmitters (like indoor cellular, DECT, or picocell stations). But the AP should come up, just performance is below what you could expect.
Is each one assigned statically as its own Virtual Controller with a different name? Do you see the other IAP in the WebUI from the one that is "working"?
One thing I would test is to enable the Extended SSID in System > General > Show Advanced Option. This option is to enable from 8 to 16 SSIDs, but I had an issue in the past when this option was not enabled: an IAP would keep connectivity to the cluster via a hidden wireless link when isolated between 2 switches or 2 networks. Might be worth trying!
Yes, they have the same controller IP and, when they are attached to the same switch, if I go to the IP of the non-working IAP, I am redirected to the IP of the working IAP.
Another thing that I have just discovered: when they are on different switches, to make them emit WiFi, it seems that I need to connect my PC with the Ethernet cable to make them work.
So: if I'm not plugged in with my cable, they will not work. If I plug in my cable on a switch, the AP on that switch will start working. If I plug in my cable on the other switch, the other AP will start working too....
Hi and thanks everybody for the replies.
The problem is solved.
I have used two IAP 205 (Aruba, same FW version, same FW release).
I used the command "allowed-ap mac:address:of:the:other:ap" inside the two IAPs (telnet). AP 1 must have the AP 2 MAC address allowed and vice versa.
Now they are able to join the same cluster (one became "master"/"controller" and the other "slave"). I can clearly see the join if I go to the virtual controller IP: I see two IAPs.
I will test if two different models can work together if they have the same firmware release.
I hope that this post will help people with future problems. Thanks all.
May I know if there is a list of other-vendor switches supported by Aruba AirWave?
On your AirWave server, navigate to Home -> Documentation -> Supported Infrastructure Devices. It has a list of generally supported device types. If you don't see your device on the list, feel free to submit a feature request to get support for that added sometime in the future.
In Instant IAP-VPN, we can have an IPsec tunnel to the main controller. If the master IAP goes down and another IAP becomes master, will the IPsec tunnel remain up or will it re-establish?
If it re-establishes, is there any way to minimize the downtime, like having a second IPsec tunnel from a backup IAP? So far in my research I am almost sure that there is no concept of a backup IAP, but please correct me if I am wrong.
Hi,
I don't have the second controller but please also elaborate on other points, like is there a possibility of having a backup IAP to minimize the downtime?
If not, how much time does it take to re-establish? Also, is it a good design?
Yes it will re-establish. If you have a second controller, you can create a backup IPSec to that controller.
Please don't be too cruel... and "switch to Aruba!" really won't help me :) And there is ZERO interest in social Wi-Fi here.
I run a large Cisco WLAN, and the native guest access functionality has never been suitable for our straightforward needs. So, for years, we've used a Bluesocket gateway on a dedicated guest VLAN/SSID to accomplish the following:
- Anyone with our 802.1x credentials can sponsor a guest using either guest email address or 10-digit mobile phone number
- Any guest can self-sponsor, but only with 10 digit mobile phone number that gets the password texted to them
- We control data rate, session durations, firewall rules etc in the Bluesocket for guests
- When we need a place to stick oddball wireless devices (like Google Glass) that can't do 802.1x we give them a MAC exception in the Bluesocket
This all works great, and is what works for us. I know there are many other options out there for guest access/MAC exceptions (we also use Twilio on Meraki sites for texting/self sponsor) but I'd love to find an exact replacement for Bluesocket that replicates all the same functionality from a single appliance that could drop in instead of Bluesocket. Adtran bought Bluesocket, and I don't care for their response, support, or direction. Amigopod had me intrigued at one point, but not sure how the Aruba integration may have changed it.
So my question is this: is anything in the Aruba line a potential single-box guest access portal appliance for non-Aruba networks, as described above?
Hi Lee, just a couple of things to add to the discussion. ClearPass can absolutely work in multi-vendor networks and provide the guest registration/sponsoring and authentication services you describe. One difference though with Bluesocket is that ClearPass is not an inline device; it works out of band and uses protocols like RADIUS and HTTP/S to interface with the network infrastructure. So aside from bandwidth quotas, ClearPass itself does not do firewall policies or rate limiting of traffic.
You can however configure specific role-based policies on ClearPass that will trigger enforcement actions on a NAS device such as your Cisco WLC (same is true for Cisco switches). You can send back RADIUS attributes and dACLs to enforce basic firewall and QoS policies. You can also configure ClearPass to send upstream messages to your internet firewall and provide a deeper layer 7 enforcement. Given you are talking mainly about guest access, you can probably just plumb the guest VLAN through a specific firewall zone and policy, although I would need to better understand the types of roles and FW policies currently in use on your Bluesocket boxes.
One other thing to note, ClearPass can also interface with your Bluesocket environment if you want to retain its inline firewalling capabilities. You could centralize all of the actual guest sponsoring, device registration and guest authentication with ClearPass and just use the Bluesocket boxes to enforce firewall and network policies as they are today. This is a known use case that we have working at other locations around the world and may be an interesting option for you.
We can have one of our ClearPass technical specialists reach out to you to discuss further if that's of interest. Also happy to answer any other questions on this forum.
A good chunk of the CPG customer base uses the product with other vendors.
Take a look at the ClearPass solution, http://www.arubanetworks.com/products/clearpass/
It is very feature rich and will probably meet all of your needs and more. It integrates with Cisco and many other vendors.
Hi
We are using a 3400 controller with 22.214.171.124 code. Everything is working fine, but WiFi clients on the same SSID aren't able to communicate. All AP-93s are configured in RAP mode.
Info: deny inter user traffic is not enabled... no PEF lic is installed...
Suggestions are invited.
Perhaps you may like to check if you have a rule something like the below:
user "internal-networks" deny...
All WLAN clients will not be able to connect to each other...
Sorry... command should be "no firewall prohibit-ip-spoofing". Not enough coffee this morning!