Controllerless Networks

last person joined: 5 hours ago 

Aruba Instant Wi-Fi: Meet the controllerless Wi-Fi solution that's easy to set-up, is loaded with security and smarts, and won't break your budget.
Expand all | Collapse all

Aruba IAP-325 assign role Deny All

This thread has been viewed 25 times
  • 1.  Aruba IAP-325 assign role Deny All

    Posted 22 days ago
    Hi ALL

    My Aruba IAP-325 assign role Deny ALL for network WPA2 Enterprise to Wifi Device (WISE 4060) after upgrade to ArubaInstant_Centaurus_8.6.0.13_81374 :
    config:


    00:4e:35:xx:xx:xx# show running-config
    version 8.6.0.0-8.6.0
    virtual-controller-country PL
    virtual-controller-key xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    name SetMeUp-xx:xx:xx
    terminal-access
    clock timezone none 00 00
    rf-band all

    allow-new-aps

    allowed-ap 00:4e:35:xx:xx:xx



    arm
    wide-bands 5ghz
    80mhz-support
    min-tx-power 9
    max-tx-power 127
    band-steering-mode prefer-5ghz
    air-time-fairness-mode default-access
    channel-quality-aware-arm-disable
    client-aware
    scanning

    rf dot11g-radio-profile
    max-distance 0
    max-tx-power 9
    min-tx-power 6
    disable-arm-wids-functions off
    free-channel-index 40

    rf dot11a-radio-profile
    max-distance 0
    max-tx-power 18
    min-tx-power 12
    disable-arm-wids-functions off


    syslog-level warn ap-debug
    syslog-level warn network
    syslog-level warn security
    syslog-level warn system
    syslog-level warn user
    syslog-level warn user-debug
    syslog-level warn wireless

    extended-ssid

    user wise 98e9ce073736787f3b70131cf7d99aa2 radius

    hash-mgmt-password
    hash-mgmt-user admin password hash xxxxxxxxxxxxxxxxxxxx

    wlan access-rule default_wired_port_profile
    index 1
    rule any any match any any any permit

    wlan access-rule wired-SetMeUp
    index 2
    rule masterip 0.0.0.0 match tcp 80 80 permit
    rule masterip 0.0.0.0 match tcp 4343 4343 permit
    rule any any match udp 67 68 permit
    rule any any match udp 53 53 permit

    wlan access-rule set
    index 3
    rule any any match any any any permit

    wlan access-rule pro6
    index 4
    rule any any match any any any permit

    wlan ssid-profile set
    enable
    index 1
    type employee
    essid set
    wpa-passphrase xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    opmode wpa2-psk-aes
    max-authentication-failures 0
    rf-band all
    captive-portal disable
    dtim-period 1
    broadcast-filter arp
    dmo-channel-utilization-threshold 90
    local-probe-req-thresh 0
    max-clients-threshold 64

    wlan ssid-profile pro6
    enable
    index 2
    type employee
    essid pro6
    opmode wpa2-aes
    max-authentication-failures 0
    auth-server InternalServer
    rf-band all
    captive-portal disable
    dtim-period 1
    broadcast-filter arp
    dmo-channel-utilization-threshold 90
    local-probe-req-thresh 0
    max-clients-threshold 64

    auth-survivability cache-time-out 24



    wlan external-captive-portal
    server localhost
    port 80
    url "/"
    auth-text "Authenticated"
    auto-whitelist-disable
    https


    blacklist-time 3600
    auth-failure-blacklist-time 3600


    ids
    wireless-containment none


    wired-port-profile wired-SetMeUp
    switchport-mode access
    allowed-vlan all
    native-vlan guest
    no shutdown
    access-rule-name wired-SetMeUp
    speed auto
    duplex auto
    no poe
    type guest
    captive-portal disable
    no dot1x

    wired-port-profile default_wired_port_profile
    switchport-mode trunk
    allowed-vlan all
    native-vlan 1
    shutdown
    access-rule-name default_wired_port_profile
    speed auto
    duplex full
    no poe
    type employee
    captive-portal disable
    no dot1x


    enet0-port-profile default_wired_port_profile

    uplink
    preemption
    enforce none
    failover-internet-pkt-lost-cnt 10
    failover-internet-pkt-send-freq 30
    failover-vpn-timeout 180


    airgroup
    disable

    airgroupservice airplay
    disable
    description AirPlay

    airgroupservice airprint
    disable
    description AirPrint

    cluster-security
    allow-low-assurance-devices


    I did a lot of tests , test different variances, make factory reset.... and found out that only if IAP-325 has 6.5.3.2_60886 Firmware my WiFi device can connect to WP2 Enterprise using Internal server.
    In my environment I have caoule IAP 225 and when I upgrade to 8.6.0.13_81374 all devices can connect without no issue.

    Do I need to do some special setup to make it work on IAP 325 with 8.6.0.13_81374 ?

    BR


    ------------------------------
    Krystian Z
    ------------------------------


  • 2.  RE: Aruba IAP-325 assign role Deny All

    Posted 21 days ago
    What is the certificate that you uploaded to your IAP to do RADIUS?

    Can you check the output of the CLI command: 'show ap debug auth-trace-buf' just after you connected the device?

    It may be that the 6.5.3.2 is using an old certificate that has been revoked and removed, and when you upgrade to 8.6 your clients will see another certificate. Forgetting the network and re-creating it on your Windows 10 client may also resolve the issue.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 3.  RE: Aruba IAP-325 assign role Deny All

    Posted 20 days ago
    Hi
    Thanks for your respond but I think that my issue is not related with certificate. I use default certificate(valid to 2031) generated by Aruba and internal radius server so I dan't have to upload any cert to Radius.
    Result of executing the command " show ap debug auth-trace-buf " on IAP 325 with 8.6.0.13 :

    Sep 30 09:20:45 station-up * 74:fe:48:xx:xx:xx 34:fc:b9:yy:yy:yy - - wpa2 aes
    Sep 30 09:20:45 eap-id-req <- 74:fe:48:xx:xx:xx 34:fc:b9:yy:yy:yy 1 5
    Sep 30 09:20:45 eap-id-resp -> 74:fe:48:xx:xx:xx 34:fc:b9:yy:yy:yy 1 9 wise
    Sep 30 09:20:45 rad-req -> 74:fe:48:xx:xx:xx 34:fc:b9:yy:yy:yy 104 201 192.168.100.10
    Sep 30 09:20:45 rad-resp <- 74:fe:48:xx:xx:xx 34:fc:b9:yy:yy:yy/InternalServer 104 -
    Sep 30 09:20:45 eap-req <- 74:fe:48:xx:xx:xx 34:fc:b9:yy:yy:yy 2 6
    Sep 30 09:20:45 eap-resp -> 74:fe:48:xx:xx:xx 34:fc:b9:yy:yy:yy 2 66
    Sep 30 09:20:45 rad-req -> 74:fe:48:xx:xx:xx 34:fc:b9:yy:yy:yy/InternalServer 105 276 192.168.100.10
    Sep 30 09:20:46 rad-reject <- 74:fe:48:xx:xx:xx 34:fc:b9:yy:yy:yy/InternalServer 105 -
    Sep 30 09:20:46 eap-failure <- 74:fe:48:xx:xx:xx 34:fc:b9:yy:yy:yy 2 4 server rejected

    Like I say in my previous post on IAP -225 with the same config and 8.6.0.13 there is no issue :

    Sep 30 10:44:27 station-up * 74:fe:48:xx:xx:xx b4:5d:50:yy:yy:yy - - wpa2 aes
    Sep 30 10:44:27 eap-id-req <- 74:fe:48:xx:xx:xx b4:5d:50:yy:yy:yy 1 5
    Sep 30 10:44:27 eap-id-resp -> 74:fe:48:xx:xx:xx b4:5d:50:yy:yy:yy 1 9 wise
    Sep 30 10:44:27 rad-req -> 74:fe:48:xx:xx:xx b4:5d:50:yy:yy:yy 31 200 192.168.100.5
    Sep 30 10:44:27 rad-resp <- 74:fe:48:xx:xx:xx b4:5d:50:yy:yy:yy/InternalServer 31 64
    Sep 30 10:44:27 eap-req <- 74:fe:48:xx:xx:xx b4:5d:50:yy:yy:yy 2 6
    Sep 30 10:44:27 eap-resp -> 74:fe:48:xx:xx:xx b4:5d:50:yy:yy:yy 2 98
    Sep 30 10:44:27 rad-req -> 74:fe:48:xx:xx:xx b4:5d:50:yy:yy:yy/InternalServer 32 307 192.168.100.5
    Sep 30 10:44:27 rad-resp <- 74:fe:48:xx:xx:xx b4:5d:50:yy:yy:yy/InternalServer 32 1090
    Sep 30 10:44:27 eap-req <- 74:fe:48:xx:xx:xx b4:5d:50:yy:yy:yy 3 1024
    Sep 30 10:44:27 eap-resp -> 74:fe:48:xx:xx:xx b4:5d:50:yy:yy:yy 3 6
    Sep 30 10:44:27 rad-req -> 74:fe:48:xx:xx:xx b4:5d:50:yy:yy:yy/InternalServer 33 215 192.168.100.5
    Sep 30 10:44:27 rad-resp <- 74:fe:48:xx:xx:xx b4:5d:50:yy:yy:yy/InternalServer 33 114
    Sep 30 10:44:27 eap-req <- 74:fe:48:xx:xx:xx b4:5d:50:yy:yy:yy 4 56
    Sep 30 10:44:27 eap-resp -> 74:fe:48:xx:xx:xx b4:5d:50:yy:yy:yy 4 336
    Sep 30 10:44:27 rad-req -> 74:fe:48:xx:xx:xx b4:5d:50:yy:yy:yy/InternalServer 34 547 192.168.100.5
    Sep 30 10:44:27 rad-resp <- 74:fe:48:xx:xx:xx b4:5d:50:yy:yy:yy/InternalServer 34 123
    Sep 30 10:44:27 eap-req <- 74:fe:48:xx:xx:xx b4:5d:50:yy:yy:yy 5 65
    Sep 30 10:44:27 eap-resp -> 74:fe:48:xx:xx:xx b4:5d:50:yy:yy:yy 5 6
    Sep 30 10:44:27 rad-req -> 74:fe:48:xx:xx:xx b4:5d:50:yy:yy:yy/InternalServer 35 215 192.168.100.5
    Sep 30 10:44:27 rad-resp <- 74:fe:48:xx:xx:xx b4:5d:50:yy:yy:yy/InternalServer 35 101
    Sep 30 10:44:27 eap-req <- 74:fe:48:xx:xx:xx b4:5d:50:yy:yy:yy 6 43
    Sep 30 10:44:27 eap-resp -> 74:fe:48:xx:xx:xx b4:5d:50:yy:yy:yy 6 43
    Sep 30 10:44:27 rad-req -> 74:fe:48:xx:xx:xx b4:5d:50:yy:yy:yy/InternalServer 36 252 192.168.100.5
    Sep 30 10:44:27 rad-resp <- 74:fe:48:xx:xx:xx b4:5d:50:yy:yy:yy/InternalServer 36 117
    Sep 30 10:44:27 eap-req <- 74:fe:48:xx:xx:xx b4:5d:50:yy:yy:yy 7 59
    Sep 30 10:44:27 eap-resp -> 74:fe:48:xx:xx:xx b4:5d:50:yy:yy:yy 7 43
    Sep 30 10:44:27 rad-req -> 74:fe:48:xx:xx:xx b4:5d:50:yy:yy:yy/InternalServer 37 252 192.168.100.5
    Sep 30 10:44:27 rad-resp <- 74:fe:48:xx:xx:xx b4:5d:50:yy:yy:yy/InternalServer 37 117
    Sep 30 10:44:27 eap-req <- 74:fe:48:xx:xx:xx b4:5d:50:yy:yy:yy 8 59
    Sep 30 10:44:27 eap-resp -> 74:fe:48:xx:xx:xx b4:5d:50:yy:yy:yy 8 91
    Sep 30 10:44:27 rad-req -> 74:fe:48:xx:xx:xx b4:5d:50:yy:yy:yy/InternalServer 38 300 192.168.100.5
    Sep 30 10:44:27 rad-resp <- 74:fe:48:xx:xx:xx b4:5d:50:yy:yy:yy/InternalServer 38 149
    Sep 30 10:44:27 eap-req <- 74:fe:48:xx:xx:xx b4:5d:50:yy:yy:yy 9 91
    Sep 30 10:44:27 eap-resp -> 74:fe:48:xx:xx:xx b4:5d:50:yy:yy:yy 9 43
    Sep 30 10:44:27 rad-req -> 74:fe:48:xx:xx:xx b4:5d:50:yy:yy:yy/InternalServer 39 252 192.168.100.5
    Sep 30 10:44:27 rad-resp <- 74:fe:48:xx:xx:xx b4:5d:50:yy:yy:yy/InternalServer 39 117
    Sep 30 10:44:27 eap-req <- 74:fe:48:xx:xx:xx b4:5d:50:yy:yy:yy 10 59
    Sep 30 10:44:27 eap-resp -> 74:fe:48:xx:xx:xx b4:5d:50:yy:yy:yy 10 43
    Sep 30 10:44:27 rad-req -> 74:fe:48:xx:xx:xx b4:5d:50:yy:yy:yy/InternalServer 40 252 192.168.100.5
    Sep 30 10:44:27 rad-accept <- 74:fe:48:xx:xx:xx b4:5d:50:yy:yy:yy/InternalServer 40 166
    Sep 30 10:44:27 eap-success <- 74:fe:48:xx:xx:xx b4:5d:50:yy:yy:yy 10 4
    Sep 30 10:44:27 wpa2-key1 <- 74:fe:48:xx:xx:xx b4:5d:50:yy:yy:yy - 117
    Sep 30 10:44:27 wpa2-key2 -> 74:fe:48:xx:xx:xx b4:5d:50:yy:yy:yy - 117
    Sep 30 10:44:27 wpa2-key3 <- 74:fe:48:xx:xx:xx b4:5d:50:yy:yy:yy - 151
    Sep 30 10:44:27 wpa2-key4 -> 74:fe:48:xx:xx:xx b4:5d:50:yy:yy:yy - 95

    What else can I check  ?

    BR

    ------------------------------
    Krystian Z
    ------------------------------



  • 4.  RE: Aruba IAP-325 assign role Deny All

    Posted 20 days ago
    Log messages show a reject by the server immediately after the first request. My first guess would be that the user is not available in the internal database.

    There may be debug commands for the internal server, but would not know what these are. Aruba TAC probably can assist in further troubleshooting.

    On the RADIUS certificate, there is no default certificate... APs (or VC) generate a self-signed certificate and if you have 2 VCs, these will have different certificates, and also you should not use a self-signed certificate for RADIUS, but that may be unrelated to why it doesn't work.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 5.  RE: Aruba IAP-325 assign role Deny All

    Posted 20 days ago
    I have one VC , even create cluster with IAP225 and IAP325 and my device (WISE 4060 ) can connect only to IAP 225, so there is no problem with Internal user or password. Any more advice?

    BR

    ------------------------------
    Krystian Z
    ------------------------------



  • 6.  RE: Aruba IAP-325 assign role Deny All

    Posted 20 days ago
    In that case, same VC, works on IAP225, doesn't work on IAP325 in the same cluster, this may be a bug. For that, you will need to work with Aruba TAC Support.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------