I have a problem with the Aruba Central splash page. I have configured a simple splash page with username/password authentication. Last week it was working OK, but yesterday and today the customer is reporting login problems like this:
I have done some troubleshooting but I can't find the issue. AS1 is in CONNECTED state from the VC and from other IAPs, but not from all of them; in those it is in INIT state (it is a cluster of 7 IAPs). I think because all the communication is through the VC, only this IAP should have the AS1 server in connected state.
Anyway, there are authentication error logs in every AP, though of different types.
When I log in through an IAP with AS1 in CONNECTED state I get this:
AP_Gerente# show ap debug auth-trace-buf mac 4c:8d:79:ca:44:27
Auth Trace Buffer
-----------------
Feb 26 15:48:44 mac-auth-req -> 4c:8d:79:ca:44:27 bc:9f:e4:b2:f5:f2/AS1_#guest#_ - - 4C:8D:79:CA:44:27
Feb 26 15:48:44 mac-auth-fail <- 4c:8d:79:ca:44:27 bc:9f:e4:b2:f5:f2/AS1_#guest#_ - - failure
Feb 26 15:48:44 station-up * 4c:8d:79:ca:44:27 bc:9f:e4:b2:f5:f2 - - open system
When I log in through an IAP with AS1 in INIT state I get this:
AP_Central# show ap debug auth-trace-buf mac 4c:8d:79:ca:44:27
Feb 26 15:52:21 mac-auth-req -> 4c:8d:79:ca:44:27 f4:2e:7f:16:b9:52/AS2_#guest#_ - - 4C:8D:79:CA:44:27
Feb 26 15:52:22 server out-of-service * 4c:8d:79:ca:44:27 f4:2e:7f:16:b9:52/AS2_#guest#_ - - server timeout
Feb 26 15:52:22 station-up * 4c:8d:79:ca:44:27 f4:2e:7f:16:b9:52 - - open system
Feb 26 15:54:18 mac-auth-req -> 4c:8d:79:ca:44:27 f4:2e:7f:16:b9:52/AS2_#guest#_ - - 4C:8D:79:CA:44:27
Feb 26 15:54:19 server out-of-service * 4c:8d:79:ca:44:27 f4:2e:7f:16:b9:52/AS2_#guest#_ - - server timeout
Feb 26 15:54:19 station-up * 4c:8d:79:ca:44:27 f4:2e:7f:16:b9:52 - - open system
Feb 26 15:54:54 cp-pap-auth-request -> 4c:8d:79:ca:44:27 f4:2e:7f:16:b9:52/AS2_#guest#_ - - 24JLKNLFQguGGto3zwN/qw==.XlbbHQ
Feb 26 15:54:54 server out-of-service * 4c:8d:79:ca:44:27 f4:2e:7f:16:b9:52/AS2_#guest#_ - - server timeout
Some APs authenticate through AS1 and some through AS2, I don't know why.
Another weird thing is that the client is in the MAC Auth role when I check in the VC:
AP_Costos# show clients | in 4C:8D:79:CA:44:27
4C:8D:79:CA:44:27 192.168.190.117 4c:8d:79:ca:44:27 iPhone SPSA_Invitado_Aruba AP_Central 132+ AN MAC Auth fe80::1489:835e:24c3:65d7 22(good) 135(good)
But it is the same as the SSID when I check in the AP it is associated with:
AP_Gerente# show clients | in 4c:8d:79:ca:44:27
24JLKNLFQguGGto3zwN/qw==.Xlbj8A 192.168.190.117 4c:8d:79:ca:44:27 iPhone SPSA_Invitado_Aruba AP_Gerente 100+ AN SPSA_Invitado_Aruba fe80::1489:835e:24c3:65d7 22(good) 150(good)
Ports TCP 443 and 2083 are open in the firewall, and RADIUS proxy is enabled.
Any tip? Attached output logs. Please help.
After doing more research, I found the client can authenticate successfully with all the APs except one. All the APs it can authenticate with have the AS1 server in CONNECTED state and the AS2 server in Not In Use state, and the logs show the user authenticates through the AS1 server, like this:
AS2_#guest#_ 0.0.0.0 172.18.2.123 nae1-elb.cloudguest.central.arubanetworks.com RADIUS/TLS 443 172.18.2.123 0 Not In Use 2020-02-24 10:37:02.529432 Not Applicable
AS1_#guest#_ 184.108.40.206 172.18.2.123 nae1.cloudguest.central.arubanetworks.com RADIUS/TLS 2083 172.18.2.123 1 CONNECTED 2020-02-26 09:40:03.614143 Not Applicable
The AP the client cannot authenticate with has the AS1 and AS2 servers in INIT state, and the client authenticates through AS2. I don't know if this has something to do with it, but sometimes when I issued some commands in this AP I got this message (and only in this AP):
AP_Central# show radius status
Module AP STM Low Priority is busy. Please try later.
And this AP has problems when connecting to Central:
AP_Central# show activate status
IAP MAC Address :f4:2e:7f:c9:6b:94
IAP Serial Number :CNHQKD5GH0
Cloud Activation Key :
Activate Server :device.arubanetworks.com
Activate Status :connection-failed
Provision interval :10080 minutes
AP_Central# show ap debug cloud-server
IAP mgmt mode :athena-mgmt login
cloud config recved :TRUE
state diff :disable
Device Cert status :SUCCESS
Device info send :FALSE
Aruba Central server :app1.central.arubanetworks.com
Aruba Central server path :/ws
Aruba Central proxy server :None
Aruba Central Protocol :WSS
Aruba Central status :Authenticating
Cloud Debug Statistics
-----------------------
Key Value
--- -----
Connect establish success 17431(17431)
Connect establish failed 2(2)
Authentication failed 17430(17430)
Connect retry times 17432(17432)
Cloud Last connect status
-------------------------
Last connect ID :17432
Last connect time :2020-02-26 17:57:20
Last connect trigger :retry auth
Cloud Last connect fail status
-------------------------
Last fail server :app1.central.arubanetworks.com
Last fail time :2020-02-26 17:57:20
Last fail reason :auth timeout
AP_Central#
Any idea? Attached logs.
Just to make sure, does the AP which is not working have a valid device subscription in Central? Does the AP also have a valid service subscription for Guest?
Thanks for your interest. I forgot to say, but yes, the device has a valid device subscription, and it is subscribed for Guest.
Did more research and still nothing. Opened a TAC case. Attached the "show tech-support", in case anyone has an idea what can be happening...
If someone is interested, I reloaded the problematic AP by CLI but it kept failing. By accident, the customer site had a power outage and all the APs rebooted. After that reboot the problematic AP connected to Activate and Central and started working properly. It just needed a hard reboot.
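Added example, not part of the original posts and not Aruba tooling: a small Python triage of "show ap debug auth-trace-buf" output that separates a failure reply from a server timeout, per BSSID and authentication server. The trace lines are copied from the outputs in this thread; the column layout and the reading of "<-" as a reply from the server are assumptions drawn from those lines.

```python
import re
from collections import defaultdict

# Trace lines copied from the two outputs in this thread, one event per line.
SAMPLE = """\
Feb 26 15:48:44 mac-auth-req -> 4c:8d:79:ca:44:27 bc:9f:e4:b2:f5:f2/AS1_#guest#_ - - 4C:8D:79:CA:44:27
Feb 26 15:48:44 mac-auth-fail <- 4c:8d:79:ca:44:27 bc:9f:e4:b2:f5:f2/AS1_#guest#_ - - failure
Feb 26 15:48:44 station-up * 4c:8d:79:ca:44:27 bc:9f:e4:b2:f5:f2 - - open system
Feb 26 15:52:21 mac-auth-req -> 4c:8d:79:ca:44:27 f4:2e:7f:16:b9:52/AS2_#guest#_ - - 4C:8D:79:CA:44:27
Feb 26 15:52:22 server out-of-service * 4c:8d:79:ca:44:27 f4:2e:7f:16:b9:52/AS2_#guest#_ - - server timeout
Feb 26 15:54:54 cp-pap-auth-request -> 4c:8d:79:ca:44:27 f4:2e:7f:16:b9:52/AS2_#guest#_ - - 24JLKNLFQguGGto3zwN/qw==.XlbbHQ
Feb 26 15:54:54 server out-of-service * 4c:8d:79:ca:44:27 f4:2e:7f:16:b9:52/AS2_#guest#_ - - server timeout
"""

# Assumed column layout, inferred from the lines above:
# time, event, direction, client MAC, BSSID[/server], two unused columns, detail.
LINE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]{8}) (?P<event>.+?) (?P<dir>->|<-|\*) "
    r"(?P<client>[0-9a-fA-F:]{17}) (?P<bssid>[0-9a-fA-F:]{17})"
    r"(?:/(?P<server>\S+))? \S+ \S+ (?P<detail>.*)$")

def triage(text):
    """Count requests, failure replies and timeouts per (BSSID, server)."""
    stats = defaultdict(lambda: {"requests": 0, "rejected": 0, "unreachable": 0})
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m or m["server"] is None:  # station-up lines name no server
            continue
        s = stats[(m["bssid"], m["server"])]
        if m["dir"] == "->":
            s["requests"] += 1
        elif m["dir"] == "<-" and m["event"].endswith("-fail"):
            s["rejected"] += 1      # assumption: "<-" is a reply from the server
        elif m["detail"] == "server timeout":
            s["unreachable"] += 1   # request sent, nothing came back
    return dict(stats)

def verdict(s):
    """Separate 'server said no' from 'server never answered'."""
    if s["unreachable"] and not s["rejected"]:
        return "server-unreachable"
    if s["rejected"]:
        return "server-rejecting"
    return "ok"

if __name__ == "__main__":
    for (bssid, server), s in triage(SAMPLE).items():
        print(bssid, server, s, verdict(s))
```

On the thread's data, the AS2 entries on BSSID f4:2e:7f:16:b9:52 show only timeouts, which matches the AP whose servers stayed in INIT state.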