Controllerless Networks


Aruba IAP-325 assign role Deny All

  • 1.  Aruba IAP-325 assign role Deny All

    Posted Sep 28, 2021 12:25 PM
    Hi ALL

    My Aruba IAP-325 assigns the role Deny All for the WPA2 Enterprise network to my WiFi device (WISE 4060) after the upgrade to ArubaInstant_Centaurus_8.6.0.13_81374:
    config:


    00:4e:35:xx:xx:xx# show running-config
    version 8.6.0.0-8.6.0
    virtual-controller-country PL
    virtual-controller-key xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    name SetMeUp-xx:xx:xx
    terminal-access
    clock timezone none 00 00
    rf-band all

    allow-new-aps

    allowed-ap 00:4e:35:xx:xx:xx



    arm
    wide-bands 5ghz
    80mhz-support
    min-tx-power 9
    max-tx-power 127
    band-steering-mode prefer-5ghz
    air-time-fairness-mode default-access
    channel-quality-aware-arm-disable
    client-aware
    scanning

    rf dot11g-radio-profile
    max-distance 0
    max-tx-power 9
    min-tx-power 6
    disable-arm-wids-functions off
    free-channel-index 40

    rf dot11a-radio-profile
    max-distance 0
    max-tx-power 18
    min-tx-power 12
    disable-arm-wids-functions off


    syslog-level warn ap-debug
    syslog-level warn network
    syslog-level warn security
    syslog-level warn system
    syslog-level warn user
    syslog-level warn user-debug
    syslog-level warn wireless

    extended-ssid

    user wise 98e9ce073736787f3b70131cf7d99aa2 radius

    hash-mgmt-password
    hash-mgmt-user admin password hash xxxxxxxxxxxxxxxxxxxx

    wlan access-rule default_wired_port_profile
    index 1
    rule any any match any any any permit

    wlan access-rule wired-SetMeUp
    index 2
    rule masterip 0.0.0.0 match tcp 80 80 permit
    rule masterip 0.0.0.0 match tcp 4343 4343 permit
    rule any any match udp 67 68 permit
    rule any any match udp 53 53 permit

    wlan access-rule set
    index 3
    rule any any match any any any permit

    wlan access-rule pro6
    index 4
    rule any any match any any any permit

    wlan ssid-profile set
    enable
    index 1
    type employee
    essid set
    wpa-passphrase xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    opmode wpa2-psk-aes
    max-authentication-failures 0
    rf-band all
    captive-portal disable
    dtim-period 1
    broadcast-filter arp
    dmo-channel-utilization-threshold 90
    local-probe-req-thresh 0
    max-clients-threshold 64

    wlan ssid-profile pro6
    enable
    index 2
    type employee
    essid pro6
    opmode wpa2-aes
    max-authentication-failures 0
    auth-server InternalServer
    rf-band all
    captive-portal disable
    dtim-period 1
    broadcast-filter arp
    dmo-channel-utilization-threshold 90
    local-probe-req-thresh 0
    max-clients-threshold 64

    auth-survivability cache-time-out 24



    wlan external-captive-portal
    server localhost
    port 80
    url "/"
    auth-text "Authenticated"
    auto-whitelist-disable
    https


    blacklist-time 3600
    auth-failure-blacklist-time 3600


    ids
    wireless-containment none


    wired-port-profile wired-SetMeUp
    switchport-mode access
    allowed-vlan all
    native-vlan guest
    no shutdown
    access-rule-name wired-SetMeUp
    speed auto
    duplex auto
    no poe
    type guest
    captive-portal disable
    no dot1x

    wired-port-profile default_wired_port_profile
    switchport-mode trunk
    allowed-vlan all
    native-vlan 1
    shutdown
    access-rule-name default_wired_port_profile
    speed auto
    duplex full
    no poe
    type employee
    captive-portal disable
    no dot1x


    enet0-port-profile default_wired_port_profile

    uplink
    preemption
    enforce none
    failover-internet-pkt-lost-cnt 10
    failover-internet-pkt-send-freq 30
    failover-vpn-timeout 180


    airgroup
    disable

    airgroupservice airplay
    disable
    description AirPlay

    airgroupservice airprint
    disable
    description AirPrint

    cluster-security
    allow-low-assurance-devices


    I did a lot of tests, tried different variants, did a factory reset... and found out that only if the IAP-325 has the 6.5.3.2_60886 firmware can my WiFi device connect to WPA2 Enterprise using the internal server.
    In my environment I have a couple of IAP-225s, and when I upgrade them to 8.6.0.13_81374 all devices can connect without any issue.

    Do I need to do some special setup to make it work on the IAP-325 with 8.6.0.13_81374?

    BR


    ------------------------------
    Krystian Z
    ------------------------------


  • 2.  RE: Aruba IAP-325 assign role Deny All

    EMPLOYEE
    Posted Sep 29, 2021 11:13 AM
    What is the certificate that you uploaded to your IAP to do RADIUS?

    Can you check the output of the CLI command: 'show ap debug auth-trace-buf' just after you connected the device?

    It may be that the 6.5.3.2 is using an old certificate that has been revoked and removed, and when you upgrade to 8.6 your clients will see another certificate. Forgetting the network and re-creating it on your Windows 10 client may also resolve the issue.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 3.  RE: Aruba IAP-325 assign role Deny All

    Posted Sep 30, 2021 05:20 AM
    Hi
    Thanks for your response, but I think that my issue is not related to the certificate. I use the default certificate (valid to 2031) generated by Aruba and the internal RADIUS server, so I don't have to upload any cert to RADIUS.
    Result of executing the command "show ap debug auth-trace-buf" on the IAP-325 with 8.6.0.13:

    Sep 30 09:20:45 station-up * 74:fe:48:xx:xx:xx 34:fc:b9:yy:yy:yy - - wpa2 aes
    Sep 30 09:20:45 eap-id-req <- 74:fe:48:xx:xx:xx 34:fc:b9:yy:yy:yy 1 5
    Sep 30 09:20:45 eap-id-resp -> 74:fe:48:xx:xx:xx 34:fc:b9:yy:yy:yy 1 9 wise
    Sep 30 09:20:45 rad-req -> 74:fe:48:xx:xx:xx 34:fc:b9:yy:yy:yy 104 201 192.168.100.10
    Sep 30 09:20:45 rad-resp <- 74:fe:48:xx:xx:xx 34:fc:b9:yy:yy:yy/InternalServer 104 -
    Sep 30 09:20:45 eap-req <- 74:fe:48:xx:xx:xx 34:fc:b9:yy:yy:yy 2 6
    Sep 30 09:20:45 eap-resp -> 74:fe:48:xx:xx:xx 34:fc:b9:yy:yy:yy 2 66
    Sep 30 09:20:45 rad-req -> 74:fe:48:xx:xx:xx 34:fc:b9:yy:yy:yy/InternalServer 105 276 192.168.100.10
    Sep 30 09:20:46 rad-reject <- 74:fe:48:xx:xx:xx 34:fc:b9:yy:yy:yy/InternalServer 105 -
    Sep 30 09:20:46 eap-failure <- 74:fe:48:xx:xx:xx 34:fc:b9:yy:yy:yy 2 4 server rejected

    As I said in my previous post, on the IAP-225 with the same config and 8.6.0.13 there is no issue:

    Sep 30 10:44:27 station-up * 74:fe:48:xx:xx:xx b4:5d:50:yy:yy:yy - - wpa2 aes
    Sep 30 10:44:27 eap-id-req <- 74:fe:48:xx:xx:xx b4:5d:50:yy:yy:yy 1 5
    Sep 30 10:44:27 eap-id-resp -> 74:fe:48:xx:xx:xx b4:5d:50:yy:yy:yy 1 9 wise
    Sep 30 10:44:27 rad-req -> 74:fe:48:xx:xx:xx b4:5d:50:yy:yy:yy 31 200 192.168.100.5
    Sep 30 10:44:27 rad-resp <- 74:fe:48:xx:xx:xx b4:5d:50:yy:yy:yy/InternalServer 31 64
    Sep 30 10:44:27 eap-req <- 74:fe:48:xx:xx:xx b4:5d:50:yy:yy:yy 2 6
    Sep 30 10:44:27 eap-resp -> 74:fe:48:xx:xx:xx b4:5d:50:yy:yy:yy 2 98
    Sep 30 10:44:27 rad-req -> 74:fe:48:xx:xx:xx b4:5d:50:yy:yy:yy/InternalServer 32 307 192.168.100.5
    Sep 30 10:44:27 rad-resp <- 74:fe:48:xx:xx:xx b4:5d:50:yy:yy:yy/InternalServer 32 1090
    Sep 30 10:44:27 eap-req <- 74:fe:48:xx:xx:xx b4:5d:50:yy:yy:yy 3 1024
    Sep 30 10:44:27 eap-resp -> 74:fe:48:xx:xx:xx b4:5d:50:yy:yy:yy 3 6
    Sep 30 10:44:27 rad-req -> 74:fe:48:xx:xx:xx b4:5d:50:yy:yy:yy/InternalServer 33 215 192.168.100.5
    Sep 30 10:44:27 rad-resp <- 74:fe:48:xx:xx:xx b4:5d:50:yy:yy:yy/InternalServer 33 114
    Sep 30 10:44:27 eap-req <- 74:fe:48:xx:xx:xx b4:5d:50:yy:yy:yy 4 56
    Sep 30 10:44:27 eap-resp -> 74:fe:48:xx:xx:xx b4:5d:50:yy:yy:yy 4 336
    Sep 30 10:44:27 rad-req -> 74:fe:48:xx:xx:xx b4:5d:50:yy:yy:yy/InternalServer 34 547 192.168.100.5
    Sep 30 10:44:27 rad-resp <- 74:fe:48:xx:xx:xx b4:5d:50:yy:yy:yy/InternalServer 34 123
    Sep 30 10:44:27 eap-req <- 74:fe:48:xx:xx:xx b4:5d:50:yy:yy:yy 5 65
    Sep 30 10:44:27 eap-resp -> 74:fe:48:xx:xx:xx b4:5d:50:yy:yy:yy 5 6
    Sep 30 10:44:27 rad-req -> 74:fe:48:xx:xx:xx b4:5d:50:yy:yy:yy/InternalServer 35 215 192.168.100.5
    Sep 30 10:44:27 rad-resp <- 74:fe:48:xx:xx:xx b4:5d:50:yy:yy:yy/InternalServer 35 101
    Sep 30 10:44:27 eap-req <- 74:fe:48:xx:xx:xx b4:5d:50:yy:yy:yy 6 43
    Sep 30 10:44:27 eap-resp -> 74:fe:48:xx:xx:xx b4:5d:50:yy:yy:yy 6 43
    Sep 30 10:44:27 rad-req -> 74:fe:48:xx:xx:xx b4:5d:50:yy:yy:yy/InternalServer 36 252 192.168.100.5
    Sep 30 10:44:27 rad-resp <- 74:fe:48:xx:xx:xx b4:5d:50:yy:yy:yy/InternalServer 36 117
    Sep 30 10:44:27 eap-req <- 74:fe:48:xx:xx:xx b4:5d:50:yy:yy:yy 7 59
    Sep 30 10:44:27 eap-resp -> 74:fe:48:xx:xx:xx b4:5d:50:yy:yy:yy 7 43
    Sep 30 10:44:27 rad-req -> 74:fe:48:xx:xx:xx b4:5d:50:yy:yy:yy/InternalServer 37 252 192.168.100.5
    Sep 30 10:44:27 rad-resp <- 74:fe:48:xx:xx:xx b4:5d:50:yy:yy:yy/InternalServer 37 117
    Sep 30 10:44:27 eap-req <- 74:fe:48:xx:xx:xx b4:5d:50:yy:yy:yy 8 59
    Sep 30 10:44:27 eap-resp -> 74:fe:48:xx:xx:xx b4:5d:50:yy:yy:yy 8 91
    Sep 30 10:44:27 rad-req -> 74:fe:48:xx:xx:xx b4:5d:50:yy:yy:yy/InternalServer 38 300 192.168.100.5
    Sep 30 10:44:27 rad-resp <- 74:fe:48:xx:xx:xx b4:5d:50:yy:yy:yy/InternalServer 38 149
    Sep 30 10:44:27 eap-req <- 74:fe:48:xx:xx:xx b4:5d:50:yy:yy:yy 9 91
    Sep 30 10:44:27 eap-resp -> 74:fe:48:xx:xx:xx b4:5d:50:yy:yy:yy 9 43
    Sep 30 10:44:27 rad-req -> 74:fe:48:xx:xx:xx b4:5d:50:yy:yy:yy/InternalServer 39 252 192.168.100.5
    Sep 30 10:44:27 rad-resp <- 74:fe:48:xx:xx:xx b4:5d:50:yy:yy:yy/InternalServer 39 117
    Sep 30 10:44:27 eap-req <- 74:fe:48:xx:xx:xx b4:5d:50:yy:yy:yy 10 59
    Sep 30 10:44:27 eap-resp -> 74:fe:48:xx:xx:xx b4:5d:50:yy:yy:yy 10 43
    Sep 30 10:44:27 rad-req -> 74:fe:48:xx:xx:xx b4:5d:50:yy:yy:yy/InternalServer 40 252 192.168.100.5
    Sep 30 10:44:27 rad-accept <- 74:fe:48:xx:xx:xx b4:5d:50:yy:yy:yy/InternalServer 40 166
    Sep 30 10:44:27 eap-success <- 74:fe:48:xx:xx:xx b4:5d:50:yy:yy:yy 10 4
    Sep 30 10:44:27 wpa2-key1 <- 74:fe:48:xx:xx:xx b4:5d:50:yy:yy:yy - 117
    Sep 30 10:44:27 wpa2-key2 -> 74:fe:48:xx:xx:xx b4:5d:50:yy:yy:yy - 117
    Sep 30 10:44:27 wpa2-key3 <- 74:fe:48:xx:xx:xx b4:5d:50:yy:yy:yy - 151
    Sep 30 10:44:27 wpa2-key4 -> 74:fe:48:xx:xx:xx b4:5d:50:yy:yy:yy - 95

    What else can I check?

    BR

    ------------------------------
    Krystian Z
    ------------------------------



  • 4.  RE: Aruba IAP-325 assign role Deny All

    EMPLOYEE
    Posted Sep 30, 2021 05:36 AM
    Log messages show a reject by the server immediately after the first request. My first guess would be that the user is not available in the internal database.

    There may be debug commands for the internal server, but I would not know what these are. Aruba TAC probably can assist in further troubleshooting.

    On the RADIUS certificate, there is no default certificate... APs (or VC) generate a self-signed certificate and if you have 2 VCs, these will have different certificates, and also you should not use a self-signed certificate for RADIUS, but that may be unrelated to why it doesn't work.

    ------------------------------
    Herman Robers
    ------------------------------
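A small triage helper over the auth-trace-buf output quoted in this thread, added here as an example and not code from Aruba or from either poster. It assumes the field layout visible in the posted lines (date, time, event, direction, client MAC, BSSID[/server], event-specific fields) and uses a constructed 100-byte threshold as a heuristic for "the server never sent TLS handshake data":

```python
import re

# Sample input: the failing IAP-325 trace as quoted in the thread (MACs anonymised as posted).
FAILING_TRACE = """\
Sep 30 09:20:45 station-up * 74:fe:48:xx:xx:xx 34:fc:b9:yy:yy:yy - - wpa2 aes
Sep 30 09:20:45 eap-id-req <- 74:fe:48:xx:xx:xx 34:fc:b9:yy:yy:yy 1 5
Sep 30 09:20:45 eap-id-resp -> 74:fe:48:xx:xx:xx 34:fc:b9:yy:yy:yy 1 9 wise
Sep 30 09:20:45 rad-req -> 74:fe:48:xx:xx:xx 34:fc:b9:yy:yy:yy 104 201 192.168.100.10
Sep 30 09:20:45 rad-resp <- 74:fe:48:xx:xx:xx 34:fc:b9:yy:yy:yy/InternalServer 104 -
Sep 30 09:20:45 eap-req <- 74:fe:48:xx:xx:xx 34:fc:b9:yy:yy:yy 2 6
Sep 30 09:20:45 eap-resp -> 74:fe:48:xx:xx:xx 34:fc:b9:yy:yy:yy 2 66
Sep 30 09:20:45 rad-req -> 74:fe:48:xx:xx:xx 34:fc:b9:yy:yy:yy/InternalServer 105 276 192.168.100.10
Sep 30 09:20:46 rad-reject <- 74:fe:48:xx:xx:xx 34:fc:b9:yy:yy:yy/InternalServer 105 -
Sep 30 09:20:46 eap-failure <- 74:fe:48:xx:xx:xx 34:fc:b9:yy:yy:yy 2 4 server rejected
"""

# Field layout assumed from the posted lines: date, time, event, direction, client MAC,
# BSSID[/auth-server], then event-specific fields (EAP id or RADIUS id, length, ...).
LINE_RE = re.compile(
    r"^\w{3} +\d+ [\d:]+ (?P<event>\S+) (?P<dir>\S+) (?P<client>\S+) (?P<ap>\S+)(?P<rest>.*)$"
)


def summarize_trace(text):
    """Group auth-trace-buf lines per client MAC and report how far 802.1X got."""
    sessions = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        s = sessions.setdefault(m["client"], {
            "identity": None, "server": None, "rad_requests": 0,
            "max_server_eap_len": 0, "outcome": "incomplete"})
        rest, ev = m["rest"].split(), m["event"]
        if "/" in m["ap"]:                      # BSSID/InternalServer -> which server answered
            s["server"] = m["ap"].split("/", 1)[1]
        if ev == "eap-id-resp" and rest:        # last field is the EAP identity sent by the client
            s["identity"] = rest[-1]
        elif ev == "rad-req":
            s["rad_requests"] += 1
        elif ev == "eap-req" and len(rest) >= 2 and rest[1].isdigit():
            s["max_server_eap_len"] = max(s["max_server_eap_len"], int(rest[1]))
        elif ev == "rad-reject":
            s["outcome"] = "rejected by %s after %d RADIUS request(s)" % (s["server"], s["rad_requests"])
        elif ev == "wpa2-key4":                 # 4-way handshake finished: client is fully authenticated
            s["outcome"] = "authenticated, 4-way handshake complete"
    return sessions


def rejected_before_tls(summary):
    """Heuristic (constructed threshold): a reject while the largest server EAP request is still
    tiny means the server never sent TLS handshake data, so it refused at EAP method negotiation."""
    return summary["outcome"].startswith("rejected") and summary["max_server_eap_len"] < 100
```

Run against the working IAP-225 trace from the same post, the same function reports the 4-way handshake completing and a largest server EAP request of 1024 bytes, which is the contrast worth showing TAC alongside the reject.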



  • 5.  RE: Aruba IAP-325 assign role Deny All

    Posted Sep 30, 2021 06:16 AM
    I have one VC; I even created a cluster with the IAP-225 and IAP-325, and my device (WISE 4060) can connect only to the IAP-225, so there is no problem with the internal user or password. Any more advice?

    BR

    ------------------------------
    Krystian Z
    ------------------------------



  • 6.  RE: Aruba IAP-325 assign role Deny All

    EMPLOYEE
    Posted Sep 30, 2021 07:31 AM
    In that case (same VC, works on IAP225, doesn't work on IAP325 in the same cluster), this may be a bug. For that, you will need to work with Aruba TAC Support.

    ------------------------------
    Herman Robers
    ------------------------------