Controllerless Networks

last person joined: 3 hours ago 

Aruba Instant Wi-Fi: Meet the controllerless Wi-Fi solution that's easy to set-up, is loaded with security and smarts, and won't break your budget.
Expand all | Collapse all

IAP-105 Radius Authentication Problem

  • 1.  IAP-105 Radius Authentication Problem

    Posted Apr 12, 2012 11:41 AM

    I have seen a few other postings similar to this but none of the ideas presented have helped (not that there was ever a real solution or fix presented on those posts....just sayin').

     

    I have set up two IAP-105 APs (maybe adding more later if this can be fixed). Only one of the APs will authenticate to Radius (Win 2003 IAS) at a time and that AP has to also be the Master AP which hosts the virtual controller. If the working AP is taken down and the other AP takes over the VC role then it WILL also authenticate properly. However, when both APs are powered on at the same time only the master AP will authenticate. Our guest wireless works fine on both APs at all times. If I try to authenticate near the non-master AP "trying to authenticate" is all I will see (for as long as I remain in the vicinity). If I take that laptop and walk toward the VC hosting master AP the signal will be passed to that AP and the login will be authenticated and the connection completes.

     

    Please help...we have saved no $$$ with this purchase if we take into consideration the amount of lost time trying to get this "easier than toast"  (yeah right!) wifi solution working.

     

    So, allowing each AP to be the master on its own has not solved the problem as stated in several other posts. Any help will be greatly appreciated...

     

     



  • 2.  RE: IAP-105 Radius Authentication Problem

    Posted Apr 12, 2012 11:43 AM

    Please Enable Radius Proxy.

     



  • 3.  RE: IAP-105 Radius Authentication Problem

    Posted Apr 12, 2012 11:54 AM

    Radius Proxy IS and HAS been enabled throughout.



  • 4.  RE: IAP-105 Radius Authentication Problem

    Posted Apr 12, 2012 12:04 PM

    I don't know if this is related but when using telnet with PuTTY to the VC most attempts to "dig around" or generally run commands generate this message: % Parse error

    then goes back to the APname#  prompt.



  • 5.  RE: IAP-105 Radius Authentication Problem

    Posted Apr 12, 2012 12:08 PM

    Do you have the latest version of the firmware?

     

    What does the radius server say the source ip address of the messages are?

     

     



  • 6.  RE: IAP-105 Radius Authentication Problem

    Posted Apr 12, 2012 12:21 PM


    6.1.2.3-2.0.0.4_32946.

     

    Successful or access denied authentication is logged in event viewer giving the NAS-IP-Address = the internal IP of the virtual contoller. The NAS-Identifier is the IP of the IAP-105 that is hosting the VC.  It appears that ONLY messages from the VC and its hosting AP are showing up in Event Viewer. When the other AP was hosting the VC it would generate messages to the Radius server which makes sense since it worked when it was the only AP on the network. Currently no new messages have been generated by the non-hosting AP since it lost the VC role.



  • 7.  RE: IAP-105 Radius Authentication Problem

    Posted Apr 12, 2012 12:35 PM

    What is your remote access policy rule?  You should be seeing failures, as well as successes in the event viewer, under SYSTEM if this is IAS.  If not, you might want to open a case so that we can get to the bottom of this.



  • 8.  RE: IAP-105 Radius Authentication Problem

    Posted Apr 12, 2012 12:41 PM

    The only messages in system/IAS are generated when the AP and the VC are on the same device. There are messages from both APs but they are only from the times when the particular AP was the VC. It's as though the non-hosting AP is not communicating with the VC.

     

    Should we consider rolling back to the previous firmware? Or reloading the current one?



  • 9.  RE: IAP-105 Radius Authentication Problem

    Posted Apr 12, 2012 12:43 PM

    We have a case open with Aruba support but UNLESS I call them they are slow to respond. They called last night after we had closed. I might have to call them after I return from lunch.



  • 10.  RE: IAP-105 Radius Authentication Problem

    Posted Apr 12, 2012 12:59 PM

    Okay, last question.  Do you have a static ip address configured as the "Virtual Controller address"?

     

     



  • 11.  RE: IAP-105 Radius Authentication Problem

    Posted Apr 12, 2012 01:12 PM

    Yes we do and all the APs are staticly assigned also.



  • 12.  RE: IAP-105 Radius Authentication Problem

    Posted Apr 12, 2012 01:15 PM

    BTW, just to be clear the VC has its own IP such as 172.12.3.2 and the APs are addressed such as 172.12.3.3, 172.12.3.4, etc. I have even tested this problem with a previous unopened AP....same results.

     



  • 13.  RE: IAP-105 Radius Authentication Problem

    Posted Apr 12, 2012 01:17 PM

    ..and when you take the current VC offline, the newly elected VC can be reached via the VC address, correct?

     



  • 14.  RE: IAP-105 Radius Authentication Problem

    Posted Apr 12, 2012 02:12 PM

    Yes. All device and the VC have static IPs.



  • 15.  RE: IAP-105 Radius Authentication Problem

    Posted Apr 12, 2012 02:15 PM

    Sorry, disregard that last IP related post. Yes, when I take down either one of the two IAP-105 access points the other becomes the VC AND the RADIUS authentication works also. It is only when more than one AP is powered on that we see this problem. It also does not matter if we have two or three APs on (we own 5 which we want to deploy one day) only the AP hosting the VC will authenticate to the domain. Also, again, the guest wifi works no matter how many APs are on...as it should.



  • 16.  RE: IAP-105 Radius Authentication Problem

    Posted Apr 12, 2012 03:38 PM

    It would also be help ful to get the output of "show tech-support".  You can do this by clicking the "Support" link on the upper right

    of the UI, select "AP Tech Support Dump" from the Command drop-down list, and clicking run.  Then click save results to display the result in a new browser window.  Finally, you can copy and paste the content of this into a new message in Airheads social, for us to debug.



  • 17.  RE: IAP-105 Radius Authentication Problem

    Posted Apr 13, 2012 11:20 AM
      |   view attached

    I am uploading the dump file. See attached. Thanks.

    Attachment(s)

    docx
    AP tech support dump.docx   44 KB 1 version


  • 18.  RE: IAP-105 Radius Authentication Problem

    Posted Apr 13, 2012 05:04 PM

    Is this the access point WITH the problem?  Please upload the tech support WITH the auth problem...  This one seems to be working.

     



  • 19.  RE: IAP-105 Radius Authentication Problem

    Posted Apr 13, 2012 07:30 PM

    I'm coming to this conversation late, but I don't see this point yet:

     

    In RADIUS server setup, be sure to put the "NAS IP Address" as the VC IP address, and

    In Advanced tab enable "Dynamic RADIUS Proxy"

     

    I'd had similar issues until I set those both.



  • 20.  RE: IAP-105 Radius Authentication Problem

    Posted Apr 13, 2012 07:41 PM

    msabin,

     

    The Author of this thread says that he has already done both of those things, so we have to take a closer look.

     



  • 21.  RE: IAP-105 Radius Authentication Problem

    Posted Apr 13, 2012 07:46 PM

    OK, I hadn't seen them both set in the show-tech, but it's hard for the layman to read.



  • 22.  RE: IAP-105 Radius Authentication Problem

    Posted Apr 13, 2012 07:48 PM

    Both are set:

     

    virtual-controller-ip 172.16.9.2

    dyanmic radius-proxy

     

    We need to see the tech support from the AP with the problems.  This one seems to be getting responses from the Radius Server from the "auth-tracebuf" output.

     

     

     



  • 23.  RE: IAP-105 Radius Authentication Problem

    Posted Apr 18, 2012 01:06 PM
      |   view attached

    The more I read the more it seems that the problem is the cert creation process. In the hodgepodge of documentation we had to try several approaches..let me back up. We have a Windows pki infrastructure set up and working. We initially tried to create and upload certs to the instant (self signed) and created in Linux Centos per docs found at Aruba support. The self signed CAcert uploaded fine but the instantservercert had a format error or RSA decode error (I cannot remember now). I contacted support and eventually they sent a doc on exporting the server cert that is created in windows on our cert server. We did that and the upload worked. Immediately we were able to authenticate and we thought all was well. It was several days before we realized that we could only authenticate from the AP that hosts the virtual controller. 

     

    Could the problem be that the two certs are really from different authorities? Would we, can we, export the rootCA cert from our CA  windows server and then export the web server cert according to the attached instructions, upload them on the IAP-105 and maybe solve this issue. Again we think our basic set up is working since computers and users who are placed into the appropriate GPO's can boot up (after they get the policy) to the wireless, authenticate, and receive appropriate mappings, etc. as long as they are near the virtual controller hosting AP.  So autoenrollment is working.  I am new to certificates so forgive me if i am missing something that will one day seem obvious (after I figure this out!).

     

     



  • 24.  RE: IAP-105 Radius Authentication Problem

    Posted Apr 18, 2012 01:10 PM

    Hi,

     

    Please drop me an email and I will send over a doc that may help.

     

    I don't want to add to your misery in the cert creation process  - but I hope it may explain certain things about the certificate itself.

     

    Thanks,

    Shashi

     

    ssastry@arubanetworks.com



  • 25.  RE: IAP-105 Radius Authentication Problem

    Posted Apr 18, 2012 03:31 PM

    BTW..the dump from an AP that is NOT hosting the virtual contoller is attached..



  • 26.  RE: IAP-105 Radius Authentication Problem

    Posted Jul 12, 2012 10:59 AM

    I know this has been stagnant for a while, but I have a similar issue but my internal CA at the customer is 2003 not 2008. Got the CA cert installed no problem, but creating the Server cert for the IAP 105s I am getting the RSA decode error. Any guide on doing it on 2003 CA?



  • 27.  RE: IAP-105 Radius Authentication Problem

    Posted Jul 12, 2012 11:13 AM

    Are you doing EAP-PEAP or EAP-TLS

    Where are you applying the certificate?



  • 28.  RE: IAP-105 Radius Authentication Problem

    Posted Jul 12, 2012 11:25 AM

    PEAP, trying to upload the server cert under the maintence>certificates tab.



  • 29.  RE: IAP-105 Radius Authentication Problem

    Posted Jul 12, 2012 11:26 AM

    why not just put a certificate on the radius server instead?

     



  • 30.  RE: IAP-105 Radius Authentication Problem

    Posted Jul 12, 2012 11:30 AM

    also trying to get rid of the cert error message for the default securelogin.arubanetworks.com cert.



  • 31.  RE: IAP-105 Radius Authentication Problem

    Posted Jul 12, 2012 12:47 PM

    @wmorris wrote:

    PEAP, trying to upload the server cert under the maintence>certificates tab.



    What format of cert are you using to upload....?



  • 32.  RE: IAP-105 Radius Authentication Problem

    Posted Jul 12, 2012 01:12 PM

    just created a web server certificate on a server 2003 CA. RSA2048 uploads as PEM.