Wireless Access

Access network design for branch, remote, outdoor and campus locations with Aruba access points, and mobility controllers.

Ensuring End-User Adoption on Secure Wireless Networks (802.1x, Posture Check, BYOD, etc)

  • 1.  Ensuring End-User Adoption on Secure Wireless Networks (802.1x, Posture Check, BYOD, etc)

    Posted Dec 10, 2019 10:50 AM

    Hello everyone,

    I'm relatively new (not to say a novice) at implementing corporate wireless networks. I have implemented some projects using mobility controllers, Instant controllers, AirWave, Central, ClearPass, etc. In all of these implementations we have tested the wireless "workflow" in a lab environment with different equipment.

    But we always have the same problem: when the final service is deployed, the end users start to have a lot of "issues", for example:

    - if I change my  (Active Directory) I cannot connect to the wireless network

    - why is my equipment always in quarantine when trying to run a peer-to-peer application?

    - why am I not able to use my personal tablet?

    These are some of the "issues" reported by the clients, which sadly generate a lot of noise for the support department and then for us (the solution provider).

    Does anyone know how to ensure a more "transparent" way to deploy these kinds of changes to network and security controls?

    Or maybe it is just me having this issue. :(

  • 2.  RE: Ensuring End-User Adoption on Secure Wireless Networks (802.1x, Posture Check, BYOD, etc)

    Posted Dec 11, 2019 01:05 AM

    Hello,

    I understand all your problems seem to be client authentication or authorization related issues:

    - if I change my  (Active Directory) I cannot connect to the wireless network

    - why is my equipment always in quarantine when trying to run a peer-to-peer application?

    - why am I not able to use my personal tablet?

    The following commands on the controller on which the client is terminating (Instant Virtual Controller might have similar commands) will come in handy whenever you are having a client-related issue:

    - #show user-table <user-ip> --> if you have multiple controllers, check on each controller to find the user or which one is controlling the APs at the user's location

    - #show station-table <mac-address>

    If nothing above worked or it is not enough to provide the information:

    - #show aaa state station <mac address of the client in trouble> --> Check the "aaa-profile name" in the output

    - #show aaa-profile <aaa-profile name> --> Check the roles mapped to the profile

    - #show rights <role-name> --> Check the policy of the role to see if the application/port you are attempting to run/connect to is allowed

    - When you changed the AD, may I know whether you changed the RADIUS configuration on the controller/ClearPass?

    - While running the P2P application, are you already authenticated on the network?

    - When you say you are not able to use it, does that mean you are not able to connect to the Wi-Fi, or you are connected to the network but the traffic is not passing?

    For all the above scenarios, if you have a ClearPass NAC server, please check the logs in Access Tracker.

    - If the policy is not letting the user do the activities that you mentioned, we might have an authorization issue, which could be your case.

    And now you have the commands to narrow down the issue.

    If you have enough logs, you can share them in the community or you can reach TAC for help.

    Happy Troubleshooting!!