Thank you for checking. I've brought it again to their attention.
Original Message:
Sent: Feb 20, 2025 06:07 AM
From: Herman Robers
Subject: Issue with Captive-Portal using Aruba Cloud-Guest - Tunnelled SSID
This is what it looks like for me:
(cic-mg01-9114) #show aaa authentication-server all

Auth Server Table
-----------------
Name                    Type    FQDN                                           IP addr        AuthPort      AcctPort      Status   Requests
----                    ----    ----                                           -------        --------      --------      ------   --------
Internal                Local   n/a                                            52.36.146.215  n/a           n/a           Enabled  0
AS1_#cloud_auth#_       Radius  naw1.cloudguest.central.arubanetworks.com      54.185.82.247  2083(radsec)  2083(radsec)  Enabled  170
AS2_#cloud_auth#_       Radius  naw1-elb.cloudguest.central.arubanetworks.com  44.234.219.72  443(radsec)   443(radsec)   Enabled  0
cppm.lab.hpearuba.net   Radius  cppm.lab.hpearuba.net                          10.12.99.40    1812          1813          Enabled  11151
cppm2.lab.hpearuba.net  Radius  cppm2.lab.hpearuba.net                         10.12.99.42    1812          1813          Enabled  0
cppm-tacacs             Tacacs  n/a                                            10.12.99.40    49            n/a           Enabled  0
cppm1-tacacs            Tacacs  n/a                                            10.12.99.41    49            n/a           Enabled  3
cppm2-tacacs            Tacacs  n/a                                            10.12.99.42    49            n/a           Enabled  0

(cic-mg01-9114) #show aaa authentication-server radius AS1_#cloud_auth#_

RADIUS Server "AS1_#cloud_auth#_"
---------------------------------
Parameter                                                         Value
---------                                                         -----
Enable IPv6                                                       Disabled
Host                                                              naw1.cloudguest.central.arubanetworks.com
Key                                                               ********
CPPM credentials                                                  N/A
Auth Port                                                         1812
Acct Port                                                         1813
RadSec Port                                                       2083
Retransmits                                                       3
Timeout                                                           20 sec
NAS ID                                                            63404eb5-d488-49b4-a1c3-9f0beafbc4f5
NAS IP                                                            N/A
NAS IPv6                                                          N/A
Source Interface                                                  N/A
Use MD5                                                           Disabled
Use IP address for calling station ID                             Disabled
Mode                                                              Enabled
Lowercase MAC addresses                                           Disabled
MAC address delimiter                                             none
Service-type of FRAMED-USER                                       Disabled
RadSec                                                            Enabled
RadSec Trusted CA Name                                            N/A
RadSec Server Cert Name                                           N/A
RadSec Client Cert                                                N/A
called-station-id                                                 macaddr colon disable
Access-Request Modifier                                           N/A
Accounting-Request Modifier                                       N/A
Message-Authenticator required in Access-Accept/Reject/Challenge  No
Radsec EST Cert Profile                                           N/A
RadSec is/should be enabled.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your HPE Aruba Networking partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact HPE Aruba Networking TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or HPE Aruba Networking.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
Original Message:
Sent: Feb 18, 2025 04:05 PM
From: chulcher
Subject: Issue with Captive-Portal using Aruba Cloud-Guest - Tunnelled SSID
If you would please, bring this directly to the attention of the TAC engineer and escalate if necessary.
------------------------------
Carson Hulcher, ACEX#110
Original Message:
Sent: Feb 18, 2025 12:15 PM
From: vascarf
Subject: Issue with Captive-Portal using Aruba Cloud-Guest - Tunnelled SSID
This was something that I mentioned to TAC, because I remember when I was looking at the FW logs before the issue started, I saw a lot of requests from the GWs to the cloud-servers on port 2083. In the FW logs after the issue started, I'm now seeing requests from the same GW to cloud-servers on 1812 and 1813, none on 2083, which I found odd.
There was no change that happened on our side that could have caused the GWs to stop reauthenticating on 2083 and now attempt on 1812, 1813. Based on this, I feel like this setting below:
The radius cloud-auth 1 setting does say "RADSEC" disabled.

I remember seeing TAC looked at this setting specifically but didn't say anything about it, so I figured that is just the way it is supposed to be configured.
Original Message:
Sent: Feb 14, 2025 10:56 AM
From: chulcher
Subject: Issue with Captive-Portal using Aruba Cloud-Guest - Tunnelled SSID
Both of the Cloud Guest auth servers should be connecting with RadSec, either over port 2083 or 443. Since your output is showing native RADIUS on UDP 1812/1813, that is incorrect. As to why that is happening, no idea, but point that out to your TAC engineer and go from there.
------------------------------
Carson Hulcher, ACEX#110
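The check described in the message above, as an added example that is not part of the thread and not HPE Aruba code: it parses saved "show aaa authentication-server all" output and flags Cloud Guest servers whose ports are not marked RadSec. The sample table is constructed (documentation IPs, made-up request counts), and treating names that contain "#cloud_auth#" as the Cloud Guest servers is an assumption taken from the output shown in this thread.

```python
import re

# Constructed sample in the layout of "show aaa authentication-server all".
# IP addresses are documentation addresses and the request counts are made up.
SAMPLE = """\
Name               Type    FQDN                                           IP addr     AuthPort     AcctPort     Status   Requests
----               ----    ----                                           -------     --------     --------     ------   --------
Internal           Local   n/a                                            192.0.2.1   n/a          n/a          Enabled  0
AS1_#cloud_auth#_  Radius  naw1.cloudguest.central.arubanetworks.com      192.0.2.10  1812         1813         Enabled  0
AS2_#cloud_auth#_  Radius  naw1-elb.cloudguest.central.arubanetworks.com  192.0.2.20  443(radsec)  443(radsec)  Enabled  170
"""

COLS = ("name", "type", "fqdn", "ip", "auth_port", "acct_port", "status", "requests")
RADSEC_PORTS = {"2083", "443"}          # RadSec ports named in the thread
PORT_RE = re.compile(r"^(\d+)(?:\((\w+)\))?$")


def parse_servers(text):
    """Yield one dict per server row, skipping prompt, title, header and rule lines."""
    for line in text.splitlines():
        fields = line.split()
        # Data rows have exactly eight fields and end in a numeric request count.
        if len(fields) == len(COLS) and fields[-1].isdigit():
            yield dict(zip(COLS, fields))


def cloud_guest_findings(text):
    """Return (server, problem) pairs for Cloud Guest servers not using RadSec."""
    findings = []
    for srv in parse_servers(text):
        # Assumption: the "#cloud_auth#" marker identifies the Cloud Guest servers.
        if "#cloud_auth#" not in srv["name"]:
            continue
        for key in ("auth_port", "acct_port"):
            m = PORT_RE.match(srv[key])
            port, transport = (m.group(1), m.group(2)) if m else (None, None)
            if (transport or "").lower() != "radsec":
                findings.append((srv["name"], f"{key}={srv[key]}: native RADIUS, RadSec expected"))
            elif port not in RADSEC_PORTS:
                findings.append((srv["name"], f"{key}={srv[key]}: RadSec on an unexpected port"))
    return findings


if __name__ == "__main__":
    for name, problem in cloud_guest_findings(SAMPLE):
        print(f"{name}: {problem}")
```

In the per-server view ("show aaa authentication-server radius <name>"), the output posted in this thread lists Auth Port 1812 even with RadSec enabled, so in that view the RadSec line is the one to read rather than the port.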
Original Message:
Sent: Feb 05, 2025 04:27 PM
From: vascarf
Subject: Issue with Captive-Portal using Aruba Cloud-Guest - Tunnelled SSID
Hi,
We've been having issues for a while now with our new Aruba Wi-Fi system using the Aruba Cloud-Guest captive portal. I have had a TAC ticket open for almost two weeks now, and they cannot seem to give us an explanation of the issue. They keep on asking to recreate the issue and gather logs, which I have done and sent them, but still no answer on what the issue is or where to even start looking. We've recently moved from all Cisco and Meraki APs, and we've never had any of these issues, or at least they've helped us solve it in way less time.
I have an idea of what it could be based on what I'm seeing, but I do not fully understand how the Cloud-Guest authentication works. I need some insight on what could be causing these issues.
Issues / Symptoms:
When users connect to the SSID, two things can either happen or happen at the same time:
- First Issue - Users get "cannot connect to network". It will eventually connect after waiting for 2-5 minutes. They will get an IP from DHCP, then captive-portal shows up. *This relates to the "MAC Authentication" errors / timeouts we see on the Aruba Central Logs.
- Second Issue - Users get the captive-portal prompt, to accept "terms and conditions", once they tick the checkbox and click "accept" button, they get a "Login Error". Again, it will eventually connect after waiting for 2-5 minutes. They are now connected to the internet. *This relates to the "Captive-Portal" errors / timeouts we see on the Aruba Central Logs.
Note: The above does not happen all the time, it's very random. This is why it's hard to recreate the issue. And we do not get a lot of complaints from users, because it will eventually connect.
Here's some background of our environment:
2 x Aruba 9114 GWs Mobility Gateways - Auto-Clustered
Aruba AP-635s
SSID Configured as Tunnel-Mode to GW-Cluster
SSID Security is Captive-Portal using Aruba Cloud-Guest. MAC-Caching is Enabled.
See diagram:

- User device connects to the SSID.
- User is then tunneled to Guest-Internet VLAN(500) to the 9114 GW.
- User traffic will hit the FW, then out to the internet.
Additional observations:
- When we turn off MAC-Caching on the Cloud-Guest settings, issue #1 completely goes away. My assumption is that when it's off, the Aruba Gateways do not have to send MAC authentication requests to the Cloud-Servers.
- Changing the SSID Security to PSK, completely removes all issues. This issue is related to using captive-portal on Cloud-Guest 100%.
A bit more detail on what I'm seeing:
- When using Captive-Portal and Cloud-Guest, the Aruba Central configures the Gateways with two Authentication-Server Groups, AS1 and AS2, each tied to the URL below.
- Looking at the error logs on the GWs, when a user connects to the Wi-Fi and encounters one of the issues above, I see a log entry "authentication-server timeout servergroup=AS1". It will eventually connect. Once the user is connected, if you check "show user mac 00:00:00:00:00:00", it will then tell you that the user is authenticated on what server-group, either AS1 or AS2. All of the connected users are authenticated on AS2. Nothing is authenticated on AS1.
- Running the command "show aaa authentication-server all" shows below (Note the Requests Column):
Now the questions and assumptions:
- I think the reason why the issue is intermittent and will connect eventually is because of the two auth servers. If a user is authenticating, either by MAC or by Web, and gets assigned to the first set of servers (AS1), it fails or times out. It will then get rolled over to the second set of servers (AS2), then it works.
- This can explain why all connected users are showing as authenticated on AS2.
- All the auth-server requests are all going to AS2, based on the requests count.
- Why is this happening? Both of the URLs are added to our FW Whitelist, as well as the individual IPs those URLs are assigned to (nslookup).
- We have TCP 2083,443 and just added UDP 1812,1813 allowed for above. We do not see any "denies" on our FW for any traffic coming from our GWs.
- Now it's possible that I'm not understanding how the Aruba Cloud-Guest, RADIUS, MAC-Auth works, so it could be likely that I'm putting my focus on the wrong thing. Maybe the error logs about auth-server timeouts to AS1 are nothing to get worried about? I've asked TAC multiple times to explain to me what these errors mean, or how the Cloud-guest authentication works, but all they say is "add more debugging and captures and we will get back to you".
Sorry for the lengthy post. I hope what I've described makes sense and someone can chime in on what the issue is, and where I can start looking. I can share some outputs from my APs and GWs if you need to have a look at what we have.
Thank you.
Vascar