For LLDP-MAD the following must be supported by the neighbor switch:
- IP-address reachable from VSF
VSF system performs a number of checks to verify if all requirements have been met. You can verify with "show vsf lldp-mad parameters" the "MAD readiness status".
=> therefore there is no need for an Aruba/HPE switch if the above is supported.
First confirm in AD that the username presented is indeed the user's UPN.
If you want to support both username formats, replace your Authentication filter query with:
...:Username})(objectClass=user)))
Ideally, you should choose one username format from a user experience standpoint. Fully qualified username (UPN) is always my recommendation these days.
Thanks Tim for the info.
Please see the errors/logs attached.
Is your AD auth source configured for both sAMAccountName and userPrincipalName?
This worked! Thanks for the help!
It looks to be just sAMAccountName. But I don't know much about setting up attributes. I've attached what I believe you are asking for. If I need to add userPrincipalName, is this done in the "Filter Query" under the Filter Name...which we have labeled "Authentication"? And is it either or? Or both? ...like both sAMAccountName and userPrincipalName? Thanks!
EAP-TLS essentially has its own authorization as part of the Authentication phase, then it moves onto traditional authorization. If you’re receiving an error, it’s likely that you need to compare a different field or username format.
Please post screenshots of the alert and summary tabs from access tracker.
Your best performance and setup that will provide the highest bandwidth with the least amount of interference will be a pair of (I)AP-274s with ANT-2x2-5314 30deg 14dBi antennas. These are narrow PtP antennas that will provide the most interference rejection due to their narrow beamwidth and will be the highest gain. You will have to run a minimum of HT40 to carry 50 concurrent VoIP calls.
What kind of environment is between building A and B?
How many users are in Building B and what kind(s) of main applications do they need?
Thank you for reply
LOS is clear.
50 users in building B
Application:- IP phones.
Thank you for providing solution.
I ended up using a Device Group with a Regular Expression to pick out that specific range and used that group to match my service
The expression I used was ^10\.100\.0\.(1([0-9][0-9])|200)$
I am pretty sure that format won't work. The field is looking for a valid IP or subnet with the masking bits. If you want to do a range you will need to put your range into a valid subnet format, which means you have to observe the correct subnet boundaries.
Yes, it is true you can use a range, as long as it is expressed in accepted standard TCP notation. The range you specified does not fall on any subnet boundary so it is not recognized, for example:
Subnet         Mask              Inverse Mask   Subnet Size   Host Range                      Broadcast
10.100.0.0     255.255.255.192   0.0.0.63       62            10.100.0.1 to 10.100.0.62       10.100.0.63
10.100.0.64    255.255.255.192   0.0.0.63       62            10.100.0.65 to 10.100.0.126     10.100.0.127
10.100.0.128   255.255.255.192   0.0.0.63       62            10.100.0.129 to 10.100.0.190    10.100.0.191
10.100.0.192   255.255.255.192   0.0.0.63       62            10.100.0.193 to 10.100.0.254    10.100.0.255
This is an example of how a subnet would be broken up using a /26 subnet bit size. Subnets can only be expressed in terms of the 8 bits that form the basis for each octet. Your example of 100-200 does not fit on any of those boundaries so CPPM will never match them in your rule since it does not know how to interpret those numbers.
It's in that range that I specified, see the screenshot below:
Also, it states in the documentation you can use a range, and in the Add Device page it also specifies you can use a range (you can see that it says or 192.168.1.1-20 in the screenshot in my original post)
I know how subnetting works, I don't think your answer is correct
The subnet could be a /29 network, why would it matter what mask it has if you're specifying a range, it doesn't even know what mask your subnet is using?
Our 10.100.0.0 network is a /24 subnet, even if I enter 10.100.0.1-254 it doesn't work.
If I enter 10.100.0.1-10.100.0.254 it says it's an invalid format
Take a look at the AirWave sizing guide: http://support.arubanetworks.com/Documentation...
You likely want to spec similar to the AW-HW-ENT
How do you handle/adjust sizing if the total client count is 500 for example. The sizing guide specifies either "1500" or "4000". Do I just divide the hard disk space and memory...then add the 20% because it will run on a VM?
Thank you for the document....
dzeising,
Please keep in mind that Airwave is disk I/O intensive so make sure to provision 20% above what Tim is recommending, my personal experience with Airwave's running on a VM have not been good.
Most likely because whoever provisioned them didn't know how to configure VMWare properly.
The sizing guide unfortunately does not take into account the number of clients and how much data Airwave will be seeing; it is based off the number of devices.
I created this document a long time ago maybe it can help you. Let me know if you still have questions.
I think I have an idea of what's going wrong here. It looks as though QIP is including Option 66 in a different part of the packet.
In the image I've attached, you'll notice that Option 66 is set in QIP. However, the DHCP Offer holds it in the Server field (similar to the File field) rather than listing it in the DHCP options. QIP also treats the field as Text, not an IP, which may be out of the format that the Aruba switches expect. . .
QIP does not allow for multiple Option values to be defined in its database (e.g. I cannot create another Option 66 field under a different folder and change the type), so it looks like I have a few calls to make in order to get this figured out.
Update: We've discovered that QIP will, by default, move Options 66 and 67 into the Bootp header as `sname` and `file`, respectively. This is why the options are not in the list. We'll change a setting called `LeaveBootpParametersInOptions` to True which will instead copy the values. Hopefully this will work and not impact other Bootp-/TFTP-reliant devices (e.g. IP phones)
This is actually the guide that I used during my setup and linked to (thank you for making it). We tried this before with just fetching a configuration file, however it still appears that the switches aren't attempting to reach the TFTP server. Again, the switches will try to pull the configuration file/image from the DHCP server instead of the TFTP server.
1. The switch is able to ping the TFTP server. We checked this and even manually transferred it via TFTP.
2. I'm not scheduled to return to work until Monday, but I will see if I can get someone to perform a packet capture for me to attach here before then.
Just to make sure, this is probably a typo, but you mention in the message that the IP of the DHCP server is 10.1.1.2 but in the switch log it's connecting to 10.1.2.2? Probably a typo but maybe good to have a look. I just quickly built up everything, and btw if you have an openDHCP server you need to add " " around the IP address of the TFTP server in option 66, since this is a string packet. For me it's all working. Can you make a packet trace of the offer and ack on the DHCP server?
Ok, I've attempted two different DHCP templates today and couldn't get either setup to work. I'm certain that it's a misconfiguration somewhere on our side, but here goes:
and tried to use Option 66 as an alternative (added a config file for Option 67)
After DHCP has been negotiated, the switch will then attempt to TFTP the file image. It still attempts to pull it from the DHCP server instead of the TFTP server :(
The TFTP server is reachable by the switch. However, the logs seem to indicate that the switch is mistaking the DHCP server to be the specified TFTP server.
I 02/27/17 14:53:07 00083 dhcp: AM1: updating IP address and subnet mask
I 02/27/17 14:53:07 05177 ip: AM1: Setting IP address 10.3.35.1 as default gateway.
I 02/27/17 14:53:07 00025 ip: AM1: DEFAULT_VLAN: ip address 10.3.35.28/24 configured on vlan 1
I 02/27/17 14:53:07 03783 dhcp: AM1: DHCP server did not offer all the DNS parameters on Primary VLAN
I 02/27/17 14:53:07 05101 amp-server: AM1: AMP server details configured.
I 02/27/17 14:53:08 00091 dhcp: AM1: Trying to download Image File (using TFTP) received in DHCP from 10.8.0.26
W 02/27/17 14:53:20 00136 tftp: AM1: Connection to 10.8.0.26 failed
W 02/27/17 14:53:35 00136 tftp: AM1: Connection to 10.8.0.26 failed
I 02/27/17 14:53:37 00179 mgr: AM1: SME CONSOLE Session - MANAGER Mode
---- Bottom of Log : Events Listed = 103 ----
HP-Switch-5406Rzl2# ping 10.11.64.244
10.11.64.244 is alive, time = 1 ms
HP-Switch-5406Rzl2#
I've included two packet captures, each one with their respective DHCP options.
Please note that I did change the IP addresses in my original post to match their actual addresses. Our security team has a legacy rule about obfuscating/"translating" our internal addresses when we post on forums (something about a breach 7 years ago), but since the packet captures have the actual addresses, there's really no point in trying to "hide" anything now :D
1. Is switch able to ping your tftp server i.e 10.1.2.2?
2. As per the event logs that you shared, switch is unable to connect TFTP server.
2. Please share the packet capture, to analyze this issue further.
Need to check what options the DHCP server is sending.
Ok, we just finished our RFC and regenerated the DHCP leases. A packet capture confirms that changing this setting will leave Options 66 and 67 in the Options list (it will still show in the Bootp `sname` and `file` fields). The switch recognized these values and successfully transferred the necessary files.
While this resolves the issue (and I will mark it as answered), I'm a little confused as to why the switches were able to read the bootfile field correctly from the Bootp header but did not read the TFTPBoot server field. I mean, why not read that as well if it's available?
Thank you for pointing out the typo. I was purposefully replacing the real IP addresses with example ones and missed that. Hopefully that doesn't mislead anyone.
We're using VitalQIP and not openDHCP, but I will see if I can find any manuals that specify if there's special encapsulation needed for this field. Perhaps QIP is expecting a different format, and surrounding the IP with quotes will force it to read it as ASCII.
As I responded to another individual, I am out until Monday but will see if I can get a coworker to perform a packet capture for me to upload.
As far as I am aware, and also from the user guide itself:
The IAP supports termination of a VPN tunnel on the Aruba controller. (it can do site to site - but cannot act as VPN server by itself iAP VC<VPN>Aruba Controller)
VPN features are ideal for:
enterprises with many branches that do not have a dedicated VPN connection to the corporate office.
branch offices that require multiple APs.
Individuals working from home, connecting to the VPN.
This new architecture and form factor seamlessly adds the survivability feature of Instant APs with the VPN
connectivity of RAPs — providing corporate connectivity to non-corporate.
The VPN configuration functionality enables the IAP to create a single VPN tunnel from the Virtual
Controller to a Aruba Mobility Controller in your corporate office. Here, the VPN tunnels from the Instant
APs terminate on the Aruba Mobility Controller. The controller solely acts as a VPN end-point and does not
supply the Instant AP with any configuration.
It's from the userguide: (read chapter 29)
I hope it clears up your question - the VPN solution in the InstantAP is just for connecting to an Aruba Mobility Controller.
Have a lovely day.