Hi
Thanks for your response, but I think that my issue is not related to the certificate. I use the default certificate (valid to 2031) generated by Aruba and the internal RADIUS server, so I don't have to upload any cert to RADIUS.
Result of executing the command "show ap debug auth-trace-buf" on IAP-325 with 8.6.0.13:
Sep 30 09:20:45 station-up * 74:fe:48:xx:xx:xx 34:fc:b9:yy:yy:yy - - wpa2 aes
Sep 30 09:20:45 eap-id-req <- 74:fe:48:xx:xx:xx 34:fc:b9:yy:yy:yy 1 5
Sep 30 09:20:45 eap-id-resp -> 74:fe:48:xx:xx:xx 34:fc:b9:yy:yy:yy 1 9 wise
Sep 30 09:20:45 rad-req -> 74:fe:48:xx:xx:xx 34:fc:b9:yy:yy:yy 104 201 192.168.100.10
Sep 30 09:20:45 rad-resp <- 74:fe:48:xx:xx:xx 34:fc:b9:yy:yy:yy/InternalServer 104 -
Sep 30 09:20:45 eap-req <- 74:fe:48:xx:xx:xx 34:fc:b9:yy:yy:yy 2 6
Sep 30 09:20:45 eap-resp -> 74:fe:48:xx:xx:xx 34:fc:b9:yy:yy:yy 2 66
Sep 30 09:20:45 rad-req -> 74:fe:48:xx:xx:xx 34:fc:b9:yy:yy:yy/InternalServer 105 276 192.168.100.10
Sep 30 09:20:46 rad-reject <- 74:fe:48:xx:xx:xx 34:fc:b9:yy:yy:yy/InternalServer 105 -
Sep 30 09:20:46 eap-failure <- 74:fe:48:xx:xx:xx 34:fc:b9:yy:yy:yy 2 4 server rejected
Like I said in my previous post, on IAP-225 with the same config and 8.6.0.13 there is no issue:
Sep 30 10:44:27 station-up * 74:fe:48:xx:xx:xx b4:5d:50:yy:yy:yy - - wpa2 aes
Sep 30 10:44:27 eap-id-req <- 74:fe:48:xx:xx:xx b4:5d:50:yy:yy:yy 1 5
Sep 30 10:44:27 eap-id-resp -> 74:fe:48:xx:xx:xx b4:5d:50:yy:yy:yy 1 9 wise
Sep 30 10:44:27 rad-req -> 74:fe:48:xx:xx:xx b4:5d:50:yy:yy:yy 31 200 192.168.100.5
Sep 30 10:44:27 rad-resp <- 74:fe:48:xx:xx:xx b4:5d:50:yy:yy:yy/InternalServer 31 64
Sep 30 10:44:27 eap-req <- 74:fe:48:xx:xx:xx b4:5d:50:yy:yy:yy 2 6
Sep 30 10:44:27 eap-resp -> 74:fe:48:xx:xx:xx b4:5d:50:yy:yy:yy 2 98
Sep 30 10:44:27 rad-req -> 74:fe:48:xx:xx:xx b4:5d:50:yy:yy:yy/InternalServer 32 307 192.168.100.5
Sep 30 10:44:27 rad-resp <- 74:fe:48:xx:xx:xx b4:5d:50:yy:yy:yy/InternalServer 32 1090
Sep 30 10:44:27 eap-req <- 74:fe:48:xx:xx:xx b4:5d:50:yy:yy:yy 3 1024
Sep 30 10:44:27 eap-resp -> 74:fe:48:xx:xx:xx b4:5d:50:yy:yy:yy 3 6
Sep 30 10:44:27 rad-req -> 74:fe:48:xx:xx:xx b4:5d:50:yy:yy:yy/InternalServer 33 215 192.168.100.5
Sep 30 10:44:27 rad-resp <- 74:fe:48:xx:xx:xx b4:5d:50:yy:yy:yy/InternalServer 33 114
Sep 30 10:44:27 eap-req <- 74:fe:48:xx:xx:xx b4:5d:50:yy:yy:yy 4 56
Sep 30 10:44:27 eap-resp -> 74:fe:48:xx:xx:xx b4:5d:50:yy:yy:yy 4 336
Sep 30 10:44:27 rad-req -> 74:fe:48:xx:xx:xx b4:5d:50:yy:yy:yy/InternalServer 34 547 192.168.100.5
Sep 30 10:44:27 rad-resp <- 74:fe:48:xx:xx:xx b4:5d:50:yy:yy:yy/InternalServer 34 123
Sep 30 10:44:27 eap-req <- 74:fe:48:xx:xx:xx b4:5d:50:yy:yy:yy 5 65
Sep 30 10:44:27 eap-resp -> 74:fe:48:xx:xx:xx b4:5d:50:yy:yy:yy 5 6
Sep 30 10:44:27 rad-req -> 74:fe:48:xx:xx:xx b4:5d:50:yy:yy:yy/InternalServer 35 215 192.168.100.5
Sep 30 10:44:27 rad-resp <- 74:fe:48:xx:xx:xx b4:5d:50:yy:yy:yy/InternalServer 35 101
Sep 30 10:44:27 eap-req <- 74:fe:48:xx:xx:xx b4:5d:50:yy:yy:yy 6 43
Sep 30 10:44:27 eap-resp -> 74:fe:48:xx:xx:xx b4:5d:50:yy:yy:yy 6 43
Sep 30 10:44:27 rad-req -> 74:fe:48:xx:xx:xx b4:5d:50:yy:yy:yy/InternalServer 36 252 192.168.100.5
Sep 30 10:44:27 rad-resp <- 74:fe:48:xx:xx:xx b4:5d:50:yy:yy:yy/InternalServer 36 117
Sep 30 10:44:27 eap-req <- 74:fe:48:xx:xx:xx b4:5d:50:yy:yy:yy 7 59
Sep 30 10:44:27 eap-resp -> 74:fe:48:xx:xx:xx b4:5d:50:yy:yy:yy 7 43
Sep 30 10:44:27 rad-req -> 74:fe:48:xx:xx:xx b4:5d:50:yy:yy:yy/InternalServer 37 252 192.168.100.5
Sep 30 10:44:27 rad-resp <- 74:fe:48:xx:xx:xx b4:5d:50:yy:yy:yy/InternalServer 37 117
Sep 30 10:44:27 eap-req <- 74:fe:48:xx:xx:xx b4:5d:50:yy:yy:yy 8 59
Sep 30 10:44:27 eap-resp -> 74:fe:48:xx:xx:xx b4:5d:50:yy:yy:yy 8 91
Sep 30 10:44:27 rad-req -> 74:fe:48:xx:xx:xx b4:5d:50:yy:yy:yy/InternalServer 38 300 192.168.100.5
Sep 30 10:44:27 rad-resp <- 74:fe:48:xx:xx:xx b4:5d:50:yy:yy:yy/InternalServer 38 149
Sep 30 10:44:27 eap-req <- 74:fe:48:xx:xx:xx b4:5d:50:yy:yy:yy 9 91
Sep 30 10:44:27 eap-resp -> 74:fe:48:xx:xx:xx b4:5d:50:yy:yy:yy 9 43
Sep 30 10:44:27 rad-req -> 74:fe:48:xx:xx:xx b4:5d:50:yy:yy:yy/InternalServer 39 252 192.168.100.5
Sep 30 10:44:27 rad-resp <- 74:fe:48:xx:xx:xx b4:5d:50:yy:yy:yy/InternalServer 39 117
Sep 30 10:44:27 eap-req <- 74:fe:48:xx:xx:xx b4:5d:50:yy:yy:yy 10 59
Sep 30 10:44:27 eap-resp -> 74:fe:48:xx:xx:xx b4:5d:50:yy:yy:yy 10 43
Sep 30 10:44:27 rad-req -> 74:fe:48:xx:xx:xx b4:5d:50:yy:yy:yy/InternalServer 40 252 192.168.100.5
Sep 30 10:44:27 rad-accept <- 74:fe:48:xx:xx:xx b4:5d:50:yy:yy:yy/InternalServer 40 166
Sep 30 10:44:27 eap-success <- 74:fe:48:xx:xx:xx b4:5d:50:yy:yy:yy 10 4
Sep 30 10:44:27 wpa2-key1 <- 74:fe:48:xx:xx:xx b4:5d:50:yy:yy:yy - 117
Sep 30 10:44:27 wpa2-key2 -> 74:fe:48:xx:xx:xx b4:5d:50:yy:yy:yy - 117
Sep 30 10:44:27 wpa2-key3 <- 74:fe:48:xx:xx:xx b4:5d:50:yy:yy:yy - 151
Sep 30 10:44:27 wpa2-key4 -> 74:fe:48:xx:xx:xx b4:5d:50:yy:yy:yy - 95
What else can I check?
BR
------------------------------
Krystian Z
------------------------------
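An added example (not from this thread) that parses the two auth-trace-buf excerpts above and reports where the two exchanges diverge: the regex and the field names are my reading of the trace layout shown in the post, and the sample lines are trimmed copies of it.

```python
import re
# Constructed samples: trimmed excerpts of the two "show ap debug auth-trace-buf"
# outputs posted above (IAP-325 failing, IAP-225 succeeding), MACs masked as posted.
FAILED = """\
Sep 30 09:20:45 eap-id-resp -> 74:fe:48:xx:xx:xx 34:fc:b9:yy:yy:yy 1 9 wise
Sep 30 09:20:45 eap-resp -> 74:fe:48:xx:xx:xx 34:fc:b9:yy:yy:yy 2 66
Sep 30 09:20:45 rad-req -> 74:fe:48:xx:xx:xx 34:fc:b9:yy:yy:yy/InternalServer 105 276 192.168.100.10
Sep 30 09:20:46 rad-reject <- 74:fe:48:xx:xx:xx 34:fc:b9:yy:yy:yy/InternalServer 105 -
Sep 30 09:20:46 eap-failure <- 74:fe:48:xx:xx:xx 34:fc:b9:yy:yy:yy 2 4 server rejected
"""
OK = """\
Sep 30 10:44:27 eap-id-resp -> 74:fe:48:xx:xx:xx b4:5d:50:yy:yy:yy 1 9 wise
Sep 30 10:44:27 eap-resp -> 74:fe:48:xx:xx:xx b4:5d:50:yy:yy:yy 10 43
Sep 30 10:44:27 rad-accept <- 74:fe:48:xx:xx:xx b4:5d:50:yy:yy:yy/InternalServer 40 166
Sep 30 10:44:27 eap-success <- 74:fe:48:xx:xx:xx b4:5d:50:yy:yy:yy 10 4
Sep 30 10:44:27 wpa2-key4 -> 74:fe:48:xx:xx:xx b4:5d:50:yy:yy:yy - 95
"""

# Assumed layout: <mon> <day> <time> <event> <dir> <client-mac> <bss>[/<server>] <id> <len> [extra]
LINE = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d (\S+) (\S+) (\S+) (\S+) (\S+) (\S+)(?: (.*))?$")

def summarize(trace):
    """Reduce one client's trace to what triage needs: identity, server, EAP progress, ending."""
    s = {"identity": None, "server": None, "last_eap_id": 0, "outcome": "incomplete", "reason": ""}
    for line in trace.splitlines():
        m = LINE.match(line)
        if not m:
            continue                         # not a trace line; skip
        event, _dirn, _client, bss, ident, _size, extra = m.groups()
        if "/" in bss:
            s["server"] = bss.split("/", 1)[1]   # RADIUS server named after the BSSID
        if event == "eap-id-resp":
            s["identity"] = extra            # EAP-Response/Identity payload
        elif event == "eap-resp":
            s["last_eap_id"] = int(ident)    # EAP identifier of the last method round
        elif event in ("rad-accept", "rad-reject"):
            s["outcome"] = event.split("-", 1)[1]   # decision came from RADIUS
        elif event == "eap-failure":
            s["reason"] = extra or ""
        elif event == "wpa2-key4":
            s["outcome"] = "connected"       # 4-way handshake finished after Access-Accept
    return s

def where_it_failed(failed, good):
    f, g = summarize(failed), summarize(good)
    if f["outcome"] == "reject":
        return (f"{f['server']} sent Access-Reject at EAP id {f['last_eap_id']} "
                f"({f['reason']}); the good run reached EAP id {g['last_eap_id']}")
    return "no RADIUS reject; inspect the EAPOL/4-way handshake lines instead"
```

Run against the two excerpts it reports that the IAP-325 attempt was rejected by InternalServer right after EAP id 2, while the IAP-225 run went through ten EAP rounds before Access-Accept, which places the failure on the RADIUS/EAP-method side rather than in the 4-way handshake.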
Original Message:
Sent: Sep 29, 2021 11:13 AM
From: Herman Robers
Subject: Aruba IAP-325 assign role Deny All
What is the certificate that you uploaded to your IAP to do RADIUS?
Can you check the output of the CLI command: 'show ap debug auth-trace-buf' just after you connected the device?
It may be that 6.5.3.2 is using an old certificate that has been revoked and removed, and when you upgrade to 8.6 your clients will see another certificate. Forgetting the network and re-creating it on your Windows 10 client may also resolve the issue.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
Original Message:
Sent: Sep 28, 2021 10:33 AM
From: Krystian Z
Subject: Aruba IAP-325 assign role Deny All
Hi ALL
My Aruba IAP-325 assigns the role Deny ALL to a WiFi device (WISE 4060) on a WPA2 Enterprise network after upgrading to ArubaInstant_Centaurus_8.6.0.13_81374:
config:
00:4e:35:xx:xx:xx# show running-config
version 8.6.0.0-8.6.0
virtual-controller-country PL
virtual-controller-key xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
name SetMeUp-xx:xx:xx
terminal-access
clock timezone none 00 00
rf-band all
allow-new-aps
allowed-ap 00:4e:35:xx:xx:xx
arm
wide-bands 5ghz
80mhz-support
min-tx-power 9
max-tx-power 127
band-steering-mode prefer-5ghz
air-time-fairness-mode default-access
channel-quality-aware-arm-disable
client-aware
scanning
rf dot11g-radio-profile
max-distance 0
max-tx-power 9
min-tx-power 6
disable-arm-wids-functions off
free-channel-index 40
rf dot11a-radio-profile
max-distance 0
max-tx-power 18
min-tx-power 12
disable-arm-wids-functions off
syslog-level warn ap-debug
syslog-level warn network
syslog-level warn security
syslog-level warn system
syslog-level warn user
syslog-level warn user-debug
syslog-level warn wireless
extended-ssid
user wise 98e9ce073736787f3b70131cf7d99aa2 radius
hash-mgmt-password
hash-mgmt-user admin password hash xxxxxxxxxxxxxxxxxxxx
wlan access-rule default_wired_port_profile
index 1
rule any any match any any any permit
wlan access-rule wired-SetMeUp
index 2
rule masterip 0.0.0.0 match tcp 80 80 permit
rule masterip 0.0.0.0 match tcp 4343 4343 permit
rule any any match udp 67 68 permit
rule any any match udp 53 53 permit
wlan access-rule set
index 3
rule any any match any any any permit
wlan access-rule pro6
index 4
rule any any match any any any permit
wlan ssid-profile set
enable
index 1
type employee
essid set
wpa-passphrase xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
opmode wpa2-psk-aes
max-authentication-failures 0
rf-band all
captive-portal disable
dtim-period 1
broadcast-filter arp
dmo-channel-utilization-threshold 90
local-probe-req-thresh 0
max-clients-threshold 64
wlan ssid-profile pro6
enable
index 2
type employee
essid pro6
opmode wpa2-aes
max-authentication-failures 0
auth-server InternalServer
rf-band all
captive-portal disable
dtim-period 1
broadcast-filter arp
dmo-channel-utilization-threshold 90
local-probe-req-thresh 0
max-clients-threshold 64
auth-survivability cache-time-out 24
wlan external-captive-portal
server localhost
port 80
url "/"
auth-text "Authenticated"
auto-whitelist-disable
https
blacklist-time 3600
auth-failure-blacklist-time 3600
ids
wireless-containment none
wired-port-profile wired-SetMeUp
switchport-mode access
allowed-vlan all
native-vlan guest
no shutdown
access-rule-name wired-SetMeUp
speed auto
duplex auto
no poe
type guest
captive-portal disable
no dot1x
wired-port-profile default_wired_port_profile
switchport-mode trunk
allowed-vlan all
native-vlan 1
shutdown
access-rule-name default_wired_port_profile
speed auto
duplex full
no poe
type employee
captive-portal disable
no dot1x
enet0-port-profile default_wired_port_profile
uplink
preemption
enforce none
failover-internet-pkt-lost-cnt 10
failover-internet-pkt-send-freq 30
failover-vpn-timeout 180
airgroup
disable
airgroupservice airplay
disable
description AirPlay
airgroupservice airprint
disable
description AirPrint
cluster-security
allow-low-assurance-devices
I did a lot of tests, tried different variants, did a factory reset... and found out that only if the IAP-325 has the 6.5.3.2_60886 firmware can my WiFi device connect to WPA2 Enterprise using the internal server.
In my environment I have a couple of IAP-225s, and when I upgrade them to 8.6.0.13_81374 all devices can connect without any issue.
Do I need to do some special setup to make it work on the IAP-325 with 8.6.0.13_81374?
BR
------------------------------
Krystian Z
------------------------------