I missed your point 'uplink-vlan set'. You now created a kind of mess... NAT will always go out on the untagged (I assumed the management, but it may be the untagged). It is deprecated to set your management vlan, just put your management vlan untagged to all your APs and that is the vlan where your management will happen, and where the NAT is happening for outgoing traffic in the magic vlan.
By putting vlan 3333 untagged on your APs, you basically just put an untagged VLAN which solved your issue, but the VLAN id is irrelevant.
Recommended deployment (see also the Aruba Instant VRD):
- Management network untagged to all of your APs. This is also the VLAN where guest traffic in 'AP Assigned' networks will go out (NAT-ted).
- Client VLANs tagged to all of your APs. In order to separate your wireless clients from wired clients.
Management VLAN should only be used when there is no possibility to have the management VLAN untagged, and it will give more complex operations when you need to add/replace APs as they need to be configured with the vlan id before you can add them. With the recommendation, just add the APs and all will work automatically.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
------------------------------
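The recommendation above (one untagged management VLAN on every AP port, client VLANs tagged on every AP port, and both carried across every inter-switch link) is easy to state and easy to get wrong on a multi-switch network, which is exactly the failure mode the original poster hit. The following checker is an added example, not code from the thread or from Aruba: it takes a constructed inventory of AP-facing ports and inter-switch trunks (switch and port names are hypothetical) and reports every port that breaks the recommendation.

```python
"""Validate switch-port VLAN settings for Aruba Instant AP uplinks.

Added example for this thread, not Aruba code. Switch names, port
names and VLAN ids below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Iterable, List, Optional, Set


@dataclass
class Port:
    switch: str
    name: str
    untagged: Optional[int]              # PVID / native VLAN, None if none set
    tagged: Set[int] = field(default_factory=set)


def check_ap_uplinks(ap_ports: Iterable[Port], trunks: Iterable[Port],
                     client_vlans: Set[int]) -> List[str]:
    """Return human-readable findings; an empty list means compliant.

    ap_ports:     ports that face Instant APs.
    trunks:       ports interconnecting the switches that carry AP traffic.
    client_vlans: VLAN ids that must be tagged on every AP port.
    """
    ap_ports, trunks = list(ap_ports), list(trunks)
    findings: List[str] = []

    # 1. Every AP port needs an untagged VLAN: that is where AP management,
    #    cluster traffic and NAT-ed guest traffic leave the AP.
    for p in ap_ports:
        if p.untagged is None:
            findings.append(f"{p.switch}/{p.name}: no untagged VLAN, AP management "
                            "and NAT-ed traffic has no VLAN to use")

    # 2. All AP ports must agree on that untagged VLAN, or APs on different
    #    ports end up in different broadcast domains and cannot cluster.
    untagged_ids = {p.untagged for p in ap_ports if p.untagged is not None}
    if len(untagged_ids) > 1:
        findings.append(f"AP ports disagree on untagged VLAN: {sorted(untagged_ids)}")
    mgmt = next(iter(untagged_ids), None)

    # 3. Client VLANs must be tagged on every AP port and must not double
    #    as the untagged (management) VLAN.
    for p in ap_ports:
        missing = client_vlans - p.tagged
        if missing:
            findings.append(f"{p.switch}/{p.name}: client VLANs {sorted(missing)} "
                            "not tagged")
        if p.untagged in client_vlans:
            findings.append(f"{p.switch}/{p.name}: client VLAN {p.untagged} is the "
                            "untagged VLAN, wired and wireless clients are not separated")

    # 4. Management and client VLANs must be transported on every trunk,
    #    otherwise the cluster breaks as soon as APs sit on different switches.
    required = set(client_vlans) | ({mgmt} if mgmt is not None else set())
    for t in trunks:
        carried = set(t.tagged) | ({t.untagged} if t.untagged is not None else set())
        missing = required - carried
        if missing:
            findings.append(f"{t.switch}/{t.name}: trunk does not carry VLANs "
                            f"{sorted(missing)}")
    return findings


# Constructed sample topology: two switches, one AP on each, one trunk port per side.
CLIENT_VLANS = {10, 20}

GOOD_AP_PORTS = [Port("sw1", "1/1", 100, {10, 20}), Port("sw2", "1/1", 100, {10, 20})]
GOOD_TRUNKS = [Port("sw1", "1/24", 100, {10, 20}), Port("sw2", "1/24", 100, {10, 20})]

# Broken variant: sw2 tags the management VLAN instead of leaving it untagged,
# and neither trunk carries VLAN 100 at all.
BAD_AP_PORTS = [Port("sw1", "1/1", 100, {10, 20}), Port("sw2", "1/1", None, {100, 10, 20})]
BAD_TRUNKS = [Port("sw1", "1/24", None, {10, 20}), Port("sw2", "1/24", None, {10, 20})]


if __name__ == "__main__":
    for label, ports, trunks in (("good", GOOD_AP_PORTS, GOOD_TRUNKS),
                                 ("bad", BAD_AP_PORTS, BAD_TRUNKS)):
        result = check_ap_uplinks(ports, trunks, CLIENT_VLANS)
        print(f"{label}: {'compliant' if not result else ''}")
        for line in result:
            print("  -", line)
```

The inventory is hand-built here; in practice it would be filled from the switches' own port/VLAN output, and the check is worth running before adding an AP on a new switch, since a trunk missing the management VLAN produces exactly the "client gets an IP but goes nowhere" symptom described in this thread.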
Original Message:
Sent: Feb 23, 2021 08:00 AM
From: Ingo Roschmann
Subject: IAP wireless NATing only on master AP
The problem is resolved.
In case of a wireless configuration with IP and VLAN automagically assigned, communication between slave AP and master AP takes place on the magic VLAN 3333, *not* on the AP's management VLAN. The resolution of our problem was to configure the switch ports of the APs with an untagged VLAN 3333 (making this tagged did not work!).
We did not test this but maybe all you have to do is to have *any* VLAN untagged on all the AP's switch ports and to make sure this VLAN is being transported through all interconnecting switches, or even simpler: this VLAN being the default VLAN. That being said, maybe you won't have any trouble if all your switches have the default VLAN untagged on all the ports as if they were out of the box. This was not the case on our switches.
------------------------------
Ingo Roschmann
Original Message:
Sent: Feb 17, 2021 05:11 AM
From: Ingo Roschmann
Subject: IAP wireless NATing only on master AP
When connecting to either master or slave AP, RADIUS authentication takes place and is successful.
Dynamic proxy setting is RADIUS, b.t.w.
Something in the communication between the two APs seems not ok; network or firewall should not be an issue, both APs are on the same LAN segment, same VLAN, no firewall in between.
At the moment I am in contact with Aruba support, they are analyzing some logs we have recorded this morning. I hope they can work it out.
Edit:
Unfortunately no idea from Aruba support so far, they cannot replicate the behaviour in their lab and are suspecting something being wrong on the wired network.
I just double checked and both master AP and slave AP are sitting on the same switch, in the same management VLAN (and can ping each other). So I have no idea what to look for on the wired network.
Any hints appreciated...
------------------------------
Ingo Roschmann
Original Message:
Sent: Feb 17, 2021 02:32 AM
From: Michael Clarke (Aruba)
Subject: IAP wireless NATing only on master AP
When connecting to the secondary IAP, what does the radius server see? It sounds like you need to enable dynamic radius proxy, which is in the system settings.
------------------------------
Michael Clarke (Aruba)
Original Message:
Sent: Feb 12, 2021 07:00 AM
From: Ingo Roschmann
Subject: IAP wireless NATing only on master AP
Hello all,
maybe I am completely wrong.
I have set up an Aruba 303 IAP, uplink is on management VLAN, 'uplink-vlan' is set, and I have one WLAN profile as follows:
- primary usage = employee
- client ip assignment = virtual controller managed
- client vlan assignment = default
- security = enterprise, RADIUS server configured
- no access limitations
This works fine until the second AP comes into play:
A client accessing the WLAN via the master AP is fine, everything works: RADIUS auth, company network access, internet access, everything ok.
But a client accessing the same WLAN via the slave AP is still getting an IP address and triggers a RADIUS auth, but then it's over. Network access from that client ends at the AP it is connected to; it cannot even ping the master ip. It can ping the local gateway from the magic network 172.31.98.xxx, it can also ping the local management ip of the AP but not the management ip of the master AP and nothing else.
I have switched master/slave roles of the APs to confirm this being the problem.
What am I doing wrong? I'd be happy to provide more information as needed.
Thanks in advance
Ingo
------------------------------
Ingo Roschmann
------------------------------