To turn on ADP on the test controller again, use the same command but instead of disable use enable.
Don't turn it off on your production controller, just on the test controller.
It won't, because these are not talking to each other; any config you put in place in either controller will not be shared.
OK Victor, now the scenario is:
1st controller is master.
2nd controller is in standalone.
Now if I configure roles in the 2nd controller, does it have any effect on the master?
And also what is the command if I want to turn on ADP & IGMP in the AP again...
You can leave it as standalone if you don't want it attached to your production controller.
Make sure that you disable ADP so your APs don't try to join that controller in a reboot/bootstrapping event:
adp discovery disable
adp igmp-join disable
For your testing APs, I suggest you create a new VLAN and use DHCP option 43 to discover the controller.
Controllers are different from Instant. In order to utilize the same configuration and be able to terminate APs, you'll have to add it as a local. Your other option would be to take a backup and then restore, but I would not put them on the same subnet.
SumaN wrote:
I have an Aruba 3600 controller.
There are two VLANs.
vlan1 = 172.16.0.0 network
vlan2 = 172.18.0.0 network
The controller is on VLAN 1 [controller IP = 172.16.0.254].
From the controller I am not able to ping any device on VLAN 2, and from any device in VLAN 2 I can't ping any device on VLAN 1 [the controller also].
Please tell me what I have to do?
I want them to be able to ping each other.
The devices on VLAN2 and VLAN1 must have the controller IP on those VLANs as their default gateway.
You also need to make sure you don't have "deny inter user bridging" enabled.
Hi, I found the solution here: https://www.airheads.eu/t5/Controller-Based-WLANs/How-to-u...
Thank you very much for your help.
OK, can I add a different license to the second controller?
To do so, the second controller must change its role to master. Is that OK?
Rafish wrote: OK, can I add a different license to the second controller? To do so, the second controller must change its role to master. Is that OK?
Do you want the controllers to share licenses? If yes, you should turn on centralized licensing.
Did you submit the CSR on the standby controller to a CA?
I have a master/standby topology. I downloaded the certificate on the master controller and use this certificate in Security -> Authentication -> L2 Authentication (the certificate name is the controller name, and the master name is different from the standby name).
I noticed that the certificate from the master was not moved to the standby.
Can I import a different certificate to the standby?
Is it problematic since I have database sync?
Security > Authentication > L2 Authentication
You must upload a certificate individually to each controller. The controller certificate is not synchronized with database sync.
Sorry, I have a problem with the certificate on the standby controller.
I have two controllers, active and standby; I created a CSR on both of them.
On the master everything is OK; the problem I mentioned is on the standby.
Hey, you can check that the database sync is working as expected by running #show database sync
According to the documentation, only the WMS, Local User and CPSEC DB are synced (along with the running configuration) between the two master controllers.
Sorry, I didn't understand what you mean by "submit the CSR...".
See attached print screen from the standby controller
Management > Certificates > Upload
Based on your first post, it seems like the controller does not think the Controller Server Certificate was signed by the CA Certificate you uploaded.
It gives you a single IP address for management of the IAP cluster. For example, if you have 200 APs and are using a RADIUS server, do you want to add each of the 200 APs as a network device, or just the single IP address of the virtual controller? Or if you have an account used by a receptionist to create guest accounts, are you going to ask them to log on to each AP to work out the master AP, then log in to the master AP and create a guest account? Just give them the Virtual Controller IP and they will always log on to the elected AP.
In short it provides a single IP address for management functions :)
Or via SSH :) There will be no redirect there unless you use the Virtual Controller's IP address.
Yes, you do need to configure a Virtual Controller IP to use a single IP for management. The "Master AP" is simply the AP in the cluster which has elected itself to "hold" the Virtual Controller's IP address. If the current master AP is disconnected or powered down, another AP will elect itself as the master AP and the Virtual Controller IP will move to the newly elected master AP.
Correct, the Virtual Controller IP will move between APs in the event of a failure.
Yes, that was an example. Imagine if .95 goes down: this will redirect to the next elected IAP, and so on. Say for example you have a DNS record to make it easier to HTTPS to the master to create a guest account. The DNS record is pointing to .95 and .95 goes down. You would need to change your DNS record every time a different AP is elected as master.
You could just use a Virtual Controller and point the DNS record at this. It is easier and simpler to have a single IP address (Virtual Controller) for management.
The captive portal is bound to the role that is assigned to the user (as you found out that the logon role was assigned in your case).
In order to get your external captive portal selected, you need to create a role for that (I would try to avoid changing default/built-in roles or configuration), and make sure that is assigned.
The role is assigned in the aaa profile, which in turn is selected in the virtual-AP profile (WLAN) or the VLAN (wired). For wired, the port must be untrusted, as for a trusted port all authentication is disabled.
With show user-table mac <mac>, show user-table ip <ip> or show user-table verbose, you can find which profiles are assigned and, if they are incorrect, move backward from there through your configuration to find out why these are assigned. From there, you can probably see the error and correct it.
One more thing with captive portal, but that seems already correct as you see a redirect (but the wrong redirect), is that you need to have either an IP address assigned to the VLAN where the clients come in or you need to have tri-state-nat enabled in order for the controller to perform the actual redirection. This only applies if you don't see the redirect happen.
I was trying to look at it again, and it appears the controller is redirecting me, but it is trying to redirect me to the controller's captive portal instead of CPPM.
I believe this is because I am being assigned the user role "logon" instead of my special role with the redirects in there. Is there a way to make sure I get the initial role that I specified when coming from the VLAN?
I already tried associating the aaa profile with the vlan on the port channel, but that didn't do the trick either.
How can I turn my AP to Active? Does this require the controller licence?
My AP got an IP address from my DHCP server. It was in controller mode. After a conversion to campus mode, my 7030 controller finds it and I provision it, but the AP is Inactive ("I" flag).
My CPsec is enabled with the Auto Cert option enabled. The AP recognizes the provisioning profile but doesn't broadcast the SSID, and I can't connect to the AP Wi-Fi. Is that due to my unlicensed controller?
Normally when you register the license on the HPE portal, you can also search and find the license again on the HPE portal. If not, I would also suggest to open a TAC case.
With regards to the APs. Several issues can prevent the APs from showing up in the controller.
During the boot process the AP has several ways to contact the controller. The auto-discovery of the controller is possible via multiple options, like:
- Broadcast (ADP - Aruba Discovery Protocol): the access-points and controller(s) are in the same VLAN;
- DHCP option 43
- DNS record "aruba-master.<domain-name>"
Another issue could be the configuration of Control Plane Security. Do you have cp-sec (control plane security) enabled without the Auto Cert Provisioning option? If so, you must manually provision the APs to the AP white-list first before they show up in the controller. When you go to the Configuration tab and you see a flag next to "Save Configuration" it means that the controller is denying one or more APs access.
A good way to troubleshoot is to check what's happening on the console of the access point during the boot process.
Is there a free evaluation licence (AP and PEF) for the Aruba controller 7030 that allows me to activate my APs and connect to them, pending the real licence?
Yes, you should purchase and register an AP and PEF (Policy Enforcement Firewall) license per AP. If you have 10 APs, you should purchase 10 AP licenses and 10 PEF licenses. Ask your reseller for the licenses.
Easiest is via the Wizard (requires reboot):
Configuration -> Controller Wizard
Or slightly harder is via the CLI (no reboot):
#conf t
#hostname XXXX
#wr mem
Thanks, the CLI is best. I want to achieve naming consistency. We have 3 controllers, each using a different naming convention.
I have tried to replicate your scenario from the information you have provided (though it's still quite vague). Can you confirm if attached picture represents your current deployment?
If that picture depicts correct scenario, below should be the list of events:
1. A client should try to connect to the network (automatically in case of hotspot 2.0 is enabled or manually in case you are using Plain EAP-SIM Authentication).
2. Your Access Points are connected to the Airport Local, which will handle your communication with the RADIUS server and terminate your session. Your Local Controllers will communicate with your AAA servers to authenticate users, and these Locals will be added as clients on your AAA servers.
3. As I understand from the description, you also have an L2 firewall after the DMZ that swaps the authentication VLAN. So effectively, I assume your gateway should be positioned as: DMZ -> Firewall -> Gateway. Everything will be L2 between the Airport Local and the gateway. Your firewall will flip or swap your authentication VLAN at the egress interface to isolate your Core Network from direct external access. Obviously this traffic will flow through the GRE tunnel towards the DMZ, and you have to allow that VLAN over your GRE.
4. Once your traffic reaches your gateway to reach AAA, it will be routed accordingly. AAA will validate the EAP-SIM credentials and return traffic will follow the same path. So, your supplicants will be the end users, the authenticator will be the Airport Local and the authentication server will be the AAA server.
5. Once the user authenticates successfully, the user should be able to acquire an IP address and you should be able to see their session on the Airport Local Controller.
Your DMZ will just be carrying authentication traffic and user traffic to your DC via the GRE tunnel, and the firewall will be isolating your core network from direct outside access. Authentication traffic needs to be passed through the firewall to avoid external controllers (I believe you don't own the Airport Controllers) having direct access to your Core network, and client traffic (post authentication) should take the normal path that other EAP-SIM users are taking in your network.
In our case we don't have a captive portal. We have 802.1X EAP-SIM authentication.
As I understood from the article you sent to me, in our case the Internal Controllers are the Airport Master and Local Controllers. On the Airport master they have already configured groups, and in those groups I will just add my SSID Profile; then the Airport APs will start to broadcast our SSID as well.
Let's assume a user tries to associate with our EAP-SIM SSID; the user authentication traffic will first hit the DMZ controller via the GRE over IPsec tunnel. Now I am further confused:
1. Once they reach the DMZ, what will happen?
2. Where should I configure the RADIUS Server Group: on the DMZ Controllers, the Airport Master Controller or the Airport Local Controllers?
3. Another thing: where will the sessions be terminated? On the DMZ Controller or the Internal Controllers (Airport master or Locals)?
Why do you want a controller in the DMZ? That would allow us to answer your questions.
With that being said, please look at the post here: http://community.arubanetworks.com/t5/Aruba-Solution-Exchange/L2-GRE-to-DMZ-controller-with-Captive-Portal-SSID/ta-p/202649 to see what a DMZ deployment looks like.
Thanks for your usual support and time Jibran Bhai, very happy to see you here.
Jibran bhai, so I can say the DMZ Controller in our case is transparent; I mean the DMZ is just terminating the GRE over IPsec tunnel, and simply receives the traffic (authentication and internet) and forwards it to the gateway.