Wireless Access

last person joined: 24 minutes ago 

Access network design for branch, remote, outdoor and campus locations with Aruba access points, and mobility controllers.
Expand all | Collapse all

No associate problem on my open guest SSID

Jump to Best Answer
  • 1.  No associate problem on my open guest SSID

    Posted Dec 23, 2014 03:39 AM
      |   view attached

    Hello

     

    I would like to configure Clearpass Guest portal authentification for my guest.

     

    For this, i create a simply a guest open ssid on my 3600 controleur (v 6.4),  to be sure, I even created by the wizard. (VAP with AAA, SSID open, VLAN ID , Tunnel etc ...), and for your information It is not the first time i do this....

    On my network, I create a VLAN guest, this VLAN works, i have test on access port with a wired client, (my controler give me a IP adddress, and i can ping my gateway).

     

    But when i try to connect with my client (you can imagine that i tried with some many differents clients), i'm associate and directly de-associate, i have no time for get a IP adresse.

    The worst is, if i use the same VAP but with an "aaa profil" configure with a 802.1x authentication , it's works well.

     

    I have configure a user-debug on the  MAC adress of my client android, and i can see this : 

    Dec 22 19:02:53 :501105:  <NOTI> |AP TEST-SHINOBI@172.23.17.33 stm|  Deauth from sta: 38:aa:3c:58:1e:8a: AP 172.23.17.33-d8:c7:c8:2e:02:70-TEST-SHINOBI Reason Class 2 frames from non authenticated STA.

     

    What is significate of this : Reason Class 2 frames from non authenticated STA ?

     

    In attach file you can see all the log regarding the user-debug

     

    thanks for your help !

     

     

     

     

     


    #3600

    Attachment(s)



  • 2.  RE: No associate problem on my open guest SSID

    Posted Dec 23, 2014 06:20 AM

    Yann Dorval,

     

    - What is the exact version of ArubaOS?

    - What access points are you using?

     



  • 3.  RE: No associate problem on my open guest SSID
    Best Answer

    Posted Dec 23, 2014 06:32 AM

    Hi,

     

    the version of AOS is 6.4.2.2 and AP's : AP-105

     

    regards

     

    Yann 

     



  • 4.  RE: No associate problem on my open guest SSID

    Posted Dec 23, 2014 07:16 AM

    Yann Dorval,

     

    If you have an HT SSID profile attached to that SSID profile, please make sure that "legacy stations" is checked.

     

     

     



  • 5.  RE: No associate problem on my open guest SSID

    Posted Dec 24, 2014 03:23 AM

    Cjoseph,

     

    Sorry, i've made a mistake with the "accept solution" bouton.

     

    I confirm, the legacy station is check in my HT SSID Profil.

     

    Regards

     

    Yann



  • 6.  RE: No associate problem on my open guest SSID

    Posted Dec 24, 2014 03:26 AM
    Are you using encryption on that SSID?
    What is the parameter that you changed?


  • 7.  RE: No associate problem on my open guest SSID
    Best Answer

    Posted Jan 20, 2015 04:51 AM

    Hi,

     

    We found the problem, when we inspected the IDS Log we saw this line : 

     

    Dec 23 16:11:23 :106006:  <NOTI> |AP TEST@172.23.17.33 sapd| |ids-ap| AM: Wireless containment: Sending type Deauth from AP d8:c7:c8:2e:xx:xx to STA c8:bc:c8:ed:xx:xx channel 1

     

    It's a specific IDS parameter who block the client association on the Open SSID.

     

    We had check all the IDS parametrer (it's hard job !) and the winner is : "Protecting Against Misconfigured APs" ->  cmd : ids unauthorized-device-profile protect-misconfigured-ap

     

    This parameters is enable in default IDS profil, we don't know the defintion of this feature, we find only this in the user guide : 

    Protect.jpg

     

    Do you have more information about it ? Is it dangerous to disable this feature ? and why in our, configuration it's problem ?

     

    Regards

     

    Yann 

     

     



  • 8.  RE: No associate problem on my open guest SSID

    Posted Jan 20, 2015 05:07 AM
    Disable the IDS for now.


  • 9.  RE: No associate problem on my open guest SSID

    Posted Jan 20, 2015 05:10 AM

    Yes it's works now, but my customer don't accept this answer, he want to get more accuracy about this feature ...



  • 10.  RE: No associate problem on my open guest SSID
    Best Answer

    Posted Jan 20, 2015 05:13 AM
    The feature can be configured to accidentally kick off valid clients if misconfigured. TAC should be able to explain the configuration and why the clients is kicked off from the logs.


  • 11.  RE: No associate problem on my open guest SSID

    Posted Jan 20, 2015 05:21 AM

    Ok thanks for your help cjoseph.