Hi guys, I am going crazy trying to find an issue I normally don't have any problems with. I am trying to configure a very easy, straightforward WPA2-Enterprise (EAP-PEAP) setup in an Aruba Instant cluster managed by Central. For some reason WPA2-Enterprise ends up every time as an EAP timeout issue in the ClearPass event logs. I have configured this many times without issues and now I have been struggling for about 8 hours (grrr).
Error Code 9002 RADIUS
Client did not complete EAP transaction
I re-installed everything out of frustration. I re-installed a new Instant group in Aruba Central and re-installed ClearPass to be sure. It's not a client-side issue. I didn't have any issues with the ClearPass configuration before. I guess I am doing something wrong in the Aruba Central part, because the issue appeared when I moved to a new Central account.
ArubaOS Instant 8.6.0.9
ClearPass 6.9.5
IAP-325
AP-505
Find my config below. Hope somebody has a clue...
Zaltbommel-AP02# show run
version 8.6.0.0-8.6.0
virtual-controller-country NL
virtual-controller-key *********
name Zaltbommel-VC
virtual-controller-ip 172.16.200.240
virtual-controller-vlan 200 255.255.255.0 172.16.200.254
virtual-controller-dnsip 172.16.200.1
terminal-access
ntp-server 0.nl.pool.ntp.org
clock timezone Amsterdam 01 00
clock summer-time CEST recurring last sunday march 00:00 last sunday october 03:00
rf-band all
dynamic-radius-proxy
dynamic-tacacs-proxy
report-rssi-to-central unassociated-and-associated-clients
allow-new-aps
allowed-ap d0:15:a6:c3:cd:8e
allowed-ap f0:5c:19:ca:49:22
arm
wide-bands 5ghz
80mhz-support
a-channels 100,104,108,112,100+,108+,100E
min-tx-power 15
max-tx-power 15
band-steering-mode prefer-5ghz
air-time-fairness-mode default-access
channel-quality-aware-arm-disable
client-aware
scanning
rf dot11g-radio-profile
max-distance 0
max-tx-power 9
min-tx-power 6
disable-arm-wids-functions off
free-channel-index 40
rf dot11a-radio-profile
max-distance 0
max-tx-power 18
min-tx-power 12
disable-arm-wids-functions off
syslog-level warn ap-debug
syslog-level warn network
syslog-level warn security
syslog-level warn system
syslog-level warn user
syslog-level warn user-debug
syslog-level warn wireless
extended-ssid
hash-mgmt-password
hash-mgmt-user admin password hash *******
wlan access-rule HomeLAB-IOT
utf8
index 0
rule any any match any any any permit
wlan access-rule default_wired_port_profile
index 1
rule any any match any any any permit
wlan access-rule wired-SetMeUp
index 2
rule masterip 0.0.0.0 match tcp 80 80 permit
rule masterip 0.0.0.0 match tcp 4343 4343 permit
rule any any match udp 67 68 permit
rule any any match udp 53 53 permit
wlan access-rule HomeLAB-Corp
utf8
index 3
rule any any match any any any permit
wlan ssid-profile HomeLAB-IOT
enable
index 0
type employee
essid HomeLAB-IOT
utf8
wpa-passphrase **********
opmode wpa2-psk-aes
max-authentication-failures 0
vlan 201
auth-server InternalServer
rf-band all
captive-portal disable
dtim-period 1
broadcast-filter none
g-min-tx-rate 24
a-min-tx-rate 24
blacklist
dmo-channel-utilization-threshold 90
local-probe-req-thresh 0
max-clients-threshold 64
wlan ssid-profile HomeLAB-Corp
enable
index 1
type employee
essid HomeLAB-Corp
utf8
opmode wpa2-aes
max-authentication-failures 0
vlan 201
auth-server ClearPass
rf-band all
captive-portal disable
dtim-period 1
broadcast-filter arp
g-min-tx-rate 24
a-min-tx-rate 24
blacklist
dmo-channel-utilization-threshold 90
local-probe-req-thresh 0
max-clients-threshold 64
auth-survivability cache-time-out 24
wlan auth-server ClearPass
ip 172.16.200.2
port 1812
acctport 1813
key *************
nas-ip 172.16.200.240
wlan captive-portal
background-color 16777215
banner-color 15329769
decoded-texts banner/terms/policy
banner-text "Welcome to Guest Network"
terms-of-use "This network is not secure and use it at your own risk."
use-policy "Please read and accept terms and conditions and then login."
wlan external-captive-portal
server localhost
port 80
url "/"
auth-text "Authenticated"
auto-whitelist-disable
https
blacklist-time 3600
auth-failure-blacklist-time 3600
ids
wireless-containment none
wired-port-profile wired-SetMeUp
switchport-mode access
allowed-vlan all
native-vlan guest
no shutdown
access-rule-name wired-SetMeUp
speed auto
duplex auto
no poe
type guest
captive-portal disable
no dot1x
wired-port-profile default_wired_port_profile
switchport-mode trunk
allowed-vlan all
native-vlan 1
no shutdown
access-rule-name default_wired_port_profile
speed auto
duplex full
no poe
type employee
captive-portal disable
no dot1x
enet0-port-profile default_wired_port_profile
uplink
preemption
enforce none
failover-internet-pkt-lost-cnt 10
failover-internet-pkt-send-freq 30
failover-vpn-timeout 180
airgroup
disable
airgroupservice airplay
disable
description AirPlay
airgroupservice airprint
disable
description AirPrint
clarity
inline-sta-stats
inline-auth-stats
inline-dhcp-stats
inline-dns-stats
cluster-security
allow-low-assurance-devices
Zaltbommel-AP02#
------------------------------
Marcel Koedijk | MVP Guru 2021 | ACMP | ACCP | ACDA | Ekahau ECSE | Not an HPE Employee | Opinions are my own
------------------------------