I would like to configure Clearpass Guest portal authentification for my guest.
For this, i create a simply a guest open ssid on my 3600 controleur (v 6.4), to be sure, I even created by the wizard. (VAP with AAA, SSID open, VLAN ID , Tunnel etc ...), and for your information It is not the first time i do this....
On my network, I create a VLAN guest, this VLAN works, i have test on access port with a wired client, (my controler give me a IP adddress, and i can ping my gateway).
But when i try to connect with my client (you can imagine that i tried with some many differents clients), i'm associate and directly de-associate, i have no time for get a IP adresse.
The worst is, if i use the same VAP but with an "aaa profil" configure with a 802.1x authentication , it's works well.
I have configure a user-debug on the MAC adress of my client android, and i can see this :
Dec 22 19:02:53 :501105: <NOTI> |AP TEST-SHINOBI@172.23.17.33 stm| Deauth from sta: 38:aa:3c:58:1e:8a: AP 172.23.17.33-d8:c7:c8:2e:02:70-TEST-SHINOBI Reason Class 2 frames from non authenticated STA.
What is significate of this : Reason Class 2 frames from non authenticated STA ?
In attach file you can see all the log regarding the user-debug
thanks for your help !
- What is the exact version of ArubaOS?
- What access points are you using?
the version of AOS is 188.8.131.52 and AP's : AP-105
If you have an HT SSID profile attached to that SSID profile, please make sure that "legacy stations" is checked.
Sorry, i've made a mistake with the "accept solution" bouton.
I confirm, the legacy station is check in my HT SSID Profil.
We found the problem, when we inspected the IDS Log we saw this line :
Dec 23 16:11:23 :106006: <NOTI> |AP TEST@172.23.17.33 sapd| |ids-ap| AM: Wireless containment: Sending type Deauth from AP d8:c7:c8:2e:xx:xx to STA c8:bc:c8:ed:xx:xx channel 1
It's a specific IDS parameter who block the client association on the Open SSID.
We had check all the IDS parametrer (it's hard job !) and the winner is : "Protecting Against Misconfigured APs" -> cmd : ids unauthorized-device-profile protect-misconfigured-ap
This parameters is enable in default IDS profil, we don't know the defintion of this feature, we find only this in the user guide :
Do you have more information about it ? Is it dangerous to disable this feature ? and why in our, configuration it's problem ?
Yes it's works now, but my customer don't accept this answer, he want to get more accuracy about this feature ...
Ok thanks for your help cjoseph.
At Aruba, we believe that the most dynamic customer experiences happen at the Edge. Our mission is to deliver innovative solutions that harness data at the Edge to drive powerful business outcomes.
© Copyright 2021 Hewlett Packard Enterprise Development LPAll Rights Reserved.