Controllerless Networks


Aruba Central Instant EAP-PEAP RADIUS EAP Timeout

  • 1.  Aruba Central Instant EAP-PEAP RADIUS EAP Timeout

    MVP EXPERT
    Posted May 15, 2021 06:29 PM
    Hi Guys, I am going crazy trying to find an issue I normally don't have any issues with. I try to configure a very easy, straightforward WPA2-Enterprise (EAP-PEAP) in an Aruba Instant cluster managed by Central. For some reason WPA2-Enterprise turns every time into an EAP timeout issue in the ClearPass event logs. I configured this many times without issues and now I am struggling for about 8 hours (grrr).

    Error Code 9002 RADIUS Client did not complete EAP transaction

    I re-installed everything out of frustration. Re-installed a new Instant group in Aruba Central and re-installed ClearPass to be sure. It's not a client-side issue. I didn't have any issues with the ClearPass configuration before. I guess I do something wrong in the Aruba Central part, because the issue appeared since I moved to a new Central account.

    ArubaOS Instant 8.6.0.9
    ClearPass 6.9.5
    IAP-325
    AP-505

    Find my config below. Hope somebody has a clue...

    Zaltbommel-AP02# show run
    version 8.6.0.0-8.6.0
    virtual-controller-country NL
    virtual-controller-key *********
    name Zaltbommel-VC
    virtual-controller-ip 172.16.200.240
    virtual-controller-vlan 200 255.255.255.0 172.16.200.254
    virtual-controller-dnsip 172.16.200.1
    terminal-access
    ntp-server 0.nl.pool.ntp.org
    clock timezone Amsterdam 01 00
    clock summer-time CEST recurring last sunday march 00:00 last sunday october 03:00
    rf-band all
    dynamic-radius-proxy
    dynamic-tacacs-proxy
    report-rssi-to-central unassociated-and-associated-clients

    allow-new-aps

    allowed-ap d0:15:a6:c3:cd:8e
    allowed-ap f0:5c:19:ca:49:22

    arm
    wide-bands 5ghz
    80mhz-support
    a-channels 100,104,108,112,100+,108+,100E
    min-tx-power 15
    max-tx-power 15
    band-steering-mode prefer-5ghz
    air-time-fairness-mode default-access
    channel-quality-aware-arm-disable
    client-aware
    scanning

    rf dot11g-radio-profile
    max-distance 0
    max-tx-power 9
    min-tx-power 6
    disable-arm-wids-functions off
    free-channel-index 40

    rf dot11a-radio-profile
    max-distance 0
    max-tx-power 18
    min-tx-power 12
    disable-arm-wids-functions off

    syslog-level warn ap-debug
    syslog-level warn network
    syslog-level warn security
    syslog-level warn system
    syslog-level warn user
    syslog-level warn user-debug
    syslog-level warn wireless

    extended-ssid

    hash-mgmt-password
    hash-mgmt-user admin password hash *******

    wlan access-rule HomeLAB-IOT
    utf8
    index 0
    rule any any match any any any permit

    wlan access-rule default_wired_port_profile
    index 1
    rule any any match any any any permit

    wlan access-rule wired-SetMeUp
    index 2
    rule masterip 0.0.0.0 match tcp 80 80 permit
    rule masterip 0.0.0.0 match tcp 4343 4343 permit
    rule any any match udp 67 68 permit
    rule any any match udp 53 53 permit

    wlan access-rule HomeLAB-Corp
    utf8
    index 3
    rule any any match any any any permit

    wlan ssid-profile HomeLAB-IOT
    enable
    index 0
    type employee
    essid HomeLAB-IOT
    utf8
    wpa-passphrase **********
    opmode wpa2-psk-aes
    max-authentication-failures 0
    vlan 201
    auth-server InternalServer
    rf-band all
    captive-portal disable
    dtim-period 1
    broadcast-filter none
    g-min-tx-rate 24
    a-min-tx-rate 24
    blacklist
    dmo-channel-utilization-threshold 90
    local-probe-req-thresh 0
    max-clients-threshold 64

    wlan ssid-profile HomeLAB-Corp
    enable
    index 1
    type employee
    essid HomeLAB-Corp
    utf8
    opmode wpa2-aes
    max-authentication-failures 0
    vlan 201
    auth-server ClearPass
    rf-band all
    captive-portal disable
    dtim-period 1
    broadcast-filter arp
    g-min-tx-rate 24
    a-min-tx-rate 24
    blacklist
    dmo-channel-utilization-threshold 90
    local-probe-req-thresh 0
    max-clients-threshold 64

    auth-survivability cache-time-out 24

    wlan auth-server ClearPass
    ip 172.16.200.2
    port 1812
    acctport 1813
    key *************
    nas-ip 172.16.200.240

    wlan captive-portal
    background-color 16777215
    banner-color 15329769
    decoded-texts banner/terms/policy
    banner-text "Welcome to Guest Network"
    terms-of-use "This network is not secure and use it at your own risk."
    use-policy "Please read and accept terms and conditions and then login."

    wlan external-captive-portal
    server localhost
    port 80
    url "/"
    auth-text "Authenticated"
    auto-whitelist-disable
    https

    blacklist-time 3600
    auth-failure-blacklist-time 3600

    ids
    wireless-containment none

    wired-port-profile wired-SetMeUp
    switchport-mode access
    allowed-vlan all
    native-vlan guest
    no shutdown
    access-rule-name wired-SetMeUp
    speed auto
    duplex auto
    no poe
    type guest
    captive-portal disable
    no dot1x

    wired-port-profile default_wired_port_profile
    switchport-mode trunk
    allowed-vlan all
    native-vlan 1
    no shutdown
    access-rule-name default_wired_port_profile
    speed auto
    duplex full
    no poe
    type employee
    captive-portal disable
    no dot1x

    enet0-port-profile default_wired_port_profile

    uplink
    preemption
    enforce none
    failover-internet-pkt-lost-cnt 10
    failover-internet-pkt-send-freq 30
    failover-vpn-timeout 180

    airgroup
    disable

    airgroupservice airplay
    disable
    description AirPlay

    airgroupservice airprint
    disable
    description AirPrint

    clarity
    inline-sta-stats
    inline-auth-stats
    inline-dhcp-stats
    inline-dns-stats

    cluster-security
    allow-low-assurance-devices

    Zaltbommel-AP02#
    ------------------------------
    Marcel Koedijk | MVP Guru 2021 | ACMP | ACCP | ACDA | Ekahau ECSE | Not an HPE Employee | Opinions are my own
    ------------------------------


  • 2.  RE: Aruba Central Instant EAP-PEAP RADIUS EAP Timeout

    MVP EXPERT
    Posted May 15, 2021 08:01 PM
    Update...

    By removing the NAS IP address, disabling the Dynamic RADIUS Proxy and adding both access points directly into the ClearPass devices I got things working.
    Not a very suitable solution for larger production environments of course. Maybe I ran into this known issue but I have to investigate it further.




    ------------------------------
    Marcel Koedijk | MVP Guru 2021 | ACMP | ACCP | ACDA | Ekahau ECSE | Not an HPE Employee | Opinions are my own
    ------------------------------
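One check worth running against the config in post #1 and the change described in reply #2 (Dynamic RADIUS Proxy off, NAS IP removed, each AP registered in ClearPass): the Python below is an added example for this thread, not Aruba or ClearPass code. It parses the RADIUS-relevant lines of the `show run` output and reports which source IP(s) ClearPass must have defined as network devices for each 802.1X SSID, so a mismatch between the Instant side and the ClearPass device list shows up before a client ever tries to authenticate. It assumes Aruba's documented DRP behaviour (proxy on: RADIUS requests are sourced from the virtual-controller IP; proxy off: from each AP's own IP); the AP addresses 172.16.200.241/.242 and the ClearPass device lists are constructed, and the `nas-ip` line is read as the explicit NAS-IP-Address value the AP will put in its requests.

```python
"""Report the RADIUS source IPs an Aruba Instant cluster will use toward
ClearPass, from a 'show run' dump plus the NADs defined in ClearPass.

Added example for this thread; not Aruba or ClearPass code. AP IPs and the
ClearPass device lists are constructed. Assumes documented DRP behaviour:
dynamic-radius-proxy on => requests sourced from the VC IP, off => from each AP.
"""
import re

# Constructed excerpt of the thread's 'show run' (only the lines that matter here).
SAMPLE_CONFIG = """\
version 8.6.0.0-8.6.0
virtual-controller-ip 172.16.200.240
dynamic-radius-proxy

wlan ssid-profile HomeLAB-IOT
enable
opmode wpa2-psk-aes
auth-server InternalServer

wlan ssid-profile HomeLAB-Corp
enable
opmode wpa2-aes
auth-server ClearPass

wlan auth-server ClearPass
ip 172.16.200.2
port 1812
acctport 1813
key *************
nas-ip 172.16.200.240
"""

AP_IPS = ["172.16.200.241", "172.16.200.242"]  # constructed cluster member IPs
BLOCK_KINDS = ("wlan ssid-profile", "wlan auth-server")


def parse_instant_config(text):
    """Split the dump into top-level statements and the two block types we need.

    A paragraph whose first line starts with a known block keyword becomes a
    named block; every other paragraph is treated as top-level statements
    (other block types such as 'arm' or 'wlan access-rule' are flattened and
    ignored by the checks below).
    """
    cfg = {"top": {}, "ssid": {}, "auth": {}}
    for para in re.split(r"\n\s*\n", text.strip()):
        lines = [l.strip() for l in para.splitlines() if l.strip()]
        head = lines[0]
        kind = next((k for k in BLOCK_KINDS if head.startswith(k)), None)
        if kind is None:
            for l in lines:
                key, _, val = l.partition(" ")
                cfg["top"][key] = val
            continue
        name = head[len(kind):].strip()
        body = {}
        for l in lines[1:]:
            key, _, val = l.partition(" ")
            body[key] = val
        cfg["ssid" if kind.endswith("ssid-profile") else "auth"][name] = body
    return cfg


def radius_source_plan(cfg, ap_ips):
    """For each 802.1X SSID, work out the RADIUS server and the source IP(s)
    ClearPass will see, plus any explicit NAS-IP-Address override."""
    drp_on = "dynamic-radius-proxy" in cfg["top"]
    vc_ip = cfg["top"].get("virtual-controller-ip")
    plan = {}
    for name, ssid in cfg["ssid"].items():
        # PSK SSIDs and the internal server never talk to ClearPass.
        if "psk" in ssid.get("opmode", "") or ssid.get("auth-server", "InternalServer") == "InternalServer":
            continue
        srv = cfg["auth"].get(ssid["auth-server"], {})
        plan[name] = {
            "server": srv.get("ip"),
            "sources": {vc_ip} if drp_on else set(ap_ips),
            "nas_ip_attr": srv.get("nas-ip"),  # value of the 'nas-ip' line, if present
        }
    return plan


def unregistered_sources(plan, clearpass_nads):
    """Source IPs per SSID that ClearPass has no network device entry for."""
    nads = set(clearpass_nads)
    return {ssid: sorted(p["sources"] - nads) for ssid, p in plan.items() if p["sources"] - nads}


def apply_reply2_fix(text):
    """Mirror reply #2 on the dump: drop dynamic-radius-proxy and the nas-ip line."""
    keep = [l for l in text.splitlines()
            if l.strip() != "dynamic-radius-proxy" and not l.strip().startswith("nas-ip ")]
    return "\n".join(keep) + "\n"


if __name__ == "__main__":
    before = radius_source_plan(parse_instant_config(SAMPLE_CONFIG), AP_IPS)
    after = radius_source_plan(parse_instant_config(apply_reply2_fix(SAMPLE_CONFIG)), AP_IPS)
    print("as posted:", before)
    print("after reply #2:", after)
    # With DRP off, ClearPass must know every AP, not just the VC address.
    print("missing NADs:", unregistered_sources(after, ["172.16.200.240"]))
```

Run it as-is to see both states side by side; feed your own `show run` text and the ClearPass device list to check a real cluster. The point the check makes explicit is that DRP on/off changes which addresses ClearPass must have as network devices, so the two sides have to be changed together.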



  • 3.  RE: Aruba Central Instant EAP-PEAP RADIUS EAP Timeout
    Best Answer

    MVP EXPERT
    Posted May 16, 2021 01:13 PM
    Update...

    Finally I figured it out... As always the solution was quite simple. I probably made the same mistake a long time ago.
    The solution was that some fields must be empty when configuring the Virtual Controller IP on the same native VLAN as the IAPs.



    ------------------------------
    Marcel Koedijk | MVP Guru 2021 | ACMP | ACCP | ACDA | Ekahau ECSE | Not an HPE Employee | Opinions are my own
    ------------------------------