Hi sadams,
Thanks for the detailed reply. Here are the outputs:
- AP doesn't have a direct connection to the MD, because I am using VMs for both the MM/MC and the MD
- MD cannot detect the AP at all, so there is no sign about any AP trying to connect.
- I already set static for the "master" and "serverip". Note that I also cannot use "dhcp" coz my small lab doesn't have a DHCP server.
====AP Boot===still showing similar
Writing 4
192.168.68.105 255.255.255.0 192.168.68.1
Running ADP...Done. Master is 192.168.68.52
ath_hal: 0.9.17.1 (AR5416, AR9380, REGOPS_FUNC, PRIVATE_DIAG, WRITE_EEPROM, 11D)
ath_rate_atheros: Copyright (c) 2001-2005 Atheros Communications, Inc, All Rights Reserved
ath_rate_atheros: Aruba Networks Rate Control Algorithm
ath_dfs: Version 2.0.0
Copyright (c) 2005-2006 Atheros Communications, Inc. All Rights Reserved
ath_spectrum: Version 2.0.0
Copyright (c) 2005-2006 Atheros Communications, Inc. All Rights Reserved
ath_dev: Copyright (c) 2001-2007 Atheros Communications, Inc, All Rights Reserved
ath_pci: 0.9.4.5 (Atheros/multi-bss)
ath_attach: scn 80530280 sc 80560000 ah 80580000
wifi0: Base BSSID 6c:f3:7f:40:f9:38, 8 available BSSID(s)
bond0 address=6c:f3:7f:cc:0f:93
br0 address=6c:f3:7f:cc:0f:93
wifi0: AP type AP-105, radio 0, max_bssids 8
--------output truncated-------
AP rebooted Fri Dec 31 16:44:32 PST 1999; SAPD: Unable to contact switch: HELLO-TIMEOUT. Last rebootstrap reason: HELLO-TIMEOUT, 229 sec before: Last Ctrl msg: HELLO len=1091 dest=192.168.68.52 tries=10 seq=0
keep watchdog process alive for talisker (nanny will restart it)...
====show allowlist cpsec====old OS still uses the old term; same output from MM/MC and from the MD
MM/MC:
(mm8201) [mynode] #show whitelist-db cpsec
Control-Plane Security Whitelist-entry Details
----------------------------------------------
MAC-Address AP-Group AP-Name Enable State Cert-Type Description Revoke Text Last Updated
----------- -------- ------- ------ ----- --------- ----------- ----------- ------------
Total Entries: 0
(mm8201) [mynode] #
MD:
(md8201-1) #show whitelist-db cpsec
Control-Plane Security Whitelist-entry Details
----------------------------------------------
MAC-Address AP-Group AP-Name Enable State Cert-Type Description Revoke Text Last Updated
----------- -------- ------- ------ ----- --------- ----------- ----------- ------------
Total Entries: 0
(md8201-1) #
====show ap database long====same output from MM/MC and from the MD
MM/MC:
(mm8201) [mynode] #show ap database long
AP Database
-----------
Name Group AP Type IP Address Status Flags Switch IP Standby IP Wired MAC Address Serial # Port FQLN Outer IP User
---- ----- ------- ---------- ------ ----- --------- ---------- ----------------- -------- ---- ---- -------- ----
Flags: U = Unprovisioned; N = Duplicate name; G = No such group; L = Unlicensed
I = Inactive; D = Dirty or no config; E = Regulatory Domain Mismatch
X = Maintenance Mode; P = PPPoE AP; B = Built-in AP; s = LACP striping
R = Remote AP; R- = Remote AP requires Auth; C = Cellular RAP;
c = CERT-based RAP; 1 = 802.1x authenticated AP; 2 = Using IKE version 2
u = Custom-Cert RAP; S = Standby-mode AP; J = USB cert at AP
f = No Spectrum FFT support
i = Indoor; o = Outdoor
M = Mesh node; Y = Mesh Recovery
z = Datazone AP; e = Custom EST cert
Total APs:0
(mm8201) [mynode] #
MD:
(md8201-1) #show whitelist-db cpsec
Control-Plane Security Whitelist-entry Details
----------------------------------------------
MAC-Address AP-Group AP-Name Enable State Cert-Type Description Revoke Text Last Updated
----------- -------- ------- ------ ----- --------- ----------- ----------- ------------
Total Entries: 0
(md8201-1) #
======show control-plane-security===== shows different output:
MM/MC:
(mm8201) [mynode] #show control-plane-security
Control Plane Security Profile
------------------------------
Parameter Value
--------- -----
Control Plane Security Disabled
Auto Cert Provisioning Disabled
Auto Cert Allow All Enabled
Auto Cert Allowed Addresses N/A
Auto Cert Allowed IPv6 Addresses N/A
(mm8201) [mynode] #
MD:
(md8201-1) #show control-plane-security
Control Plane Security Profile
------------------------------
Parameter Value
--------- -----
Control Plane Security Enabled
Auto Cert Provisioning Disabled
Auto Cert Allow All Enabled
Auto Cert Allowed Addresses N/A
Auto Cert Allowed IPv6 Addresses N/A
(md8201-1) #
(md8201-1) #
====show log all | inc 6c:f3:7f:cc:0f:93======= shows something at the MD
MM/MC:
(mm8201) [mynode] #show log all | include 6c:f3:7f:cc:0f:93
(mm8201) [mynode] #show log all | include 6c:f3:7f:cc:0f:93
(mm8201) [mynode] #
MD:
(md8201-1) #show log all | include 6c:f3:7f:cc:0f:93
Dec 30 13:44:13 nanny[945]: <303022> <WARN> |AP 6c:f3:7f:cc:0f:93@192.168.68.105 nanny| Reboot Reason: AP rebooted Fri Dec 31 16:44:32 PST 1999; SAPD: Unable to contact switch: HELLO-TIMEOUT. Last rebootstrap reason: HELLO-TIMEOUT, 229 sec before: Last Ctrl msg: HELLO len=1091 dest=192.168.68.52 tries=10 seq=0
(md8201-1) #
====show datapath session table==== same output for both
MM/MC:
(mm8201) [mynode] #show datapath session table 192.168.68.105
Datapath Session Table Entries
------------------------------
Flags: F - fast age, S - src NAT, N - dest NAT
D - deny, R - redirect, Y - no syn
H - high prio, P - set prio, T - set ToS
C - client, M - mirror, V - VOIP
Q - Real-Time Quality analysis
u - Upstream Real-Time Quality analysis
I - Deep inspect, U - Locally destined
E - Media Deep Inspect, G - media signal
r - Route Nexthop, h - High Value
B - Permanent, O - Openflow
L - Log
Source IP Destination IP Prot SPort DPort Cntr Prio ToS Age Destination TAge Packets Bytes Flags
--------------- --------------- ---- ----- ----- -------- ---- --- --- ----------- ---- --------- --------- ---------------
(mm8201) [mynode] #
MD:
(md8201-1) #show datapath session table 192.168.68.105
Datapath Session Table Entries
------------------------------
Flags: F - fast age, S - src NAT, N - dest NAT
D - deny, R - redirect, Y - no syn
H - high prio, P - set prio, T - set ToS
C - client, M - mirror, V - VOIP
Q - Real-Time Quality analysis
u - Upstream Real-Time Quality analysis
I - Deep inspect, U - Locally destined
E - Media Deep Inspect, G - media signal
r - Route Nexthop, h - High Value
A - Application Firewall Inspect
B - Permanent, O - Openflow
L - Log
Source IP Destination IP Prot SPort DPort Cntr Prio ToS Age Destination TAge Packets Bytes Flags
--------------- --------------- ---- ----- ----- -------- ---- --- --- ----------- ---- --------- --------- ---------------
(md8201-1) #
Original Message:
Sent: Dec 30, 2024 03:38 AM
From: sadams
Subject: RADIUS IP is the MM, Replicating Customer setup but I am NEW to 8.6.0.23 with AP-105 Deployment, Cannot Auto-Discover AP, I just want to provision my AP
Is the AP-105 still showing the same sequence on the console ? This indicates the AP cannot reach the MD:
192.168.68.105 255.255.255.0 192.168.68.1
Running ADP...Done. Master is 192.168.68.52
AP rebooted Fri Dec 31 16:44:32 PST 1999; SAPD: Unable to contact swLO-TIMEOUT, 228 sec before: Last Ctrl msg: HELLO len=426 dest=192.16
This looks like the AP is receiving the ADP packet from the MD and trying to connect.
The best information is going to be from the AP console as Herman wrote, but there should be evidence in the MD/MC if the AP can reach.
If CPSEC is enabled, check the allowlists: (allowlists are always established at the MC, and copied down to the MD)
Note:
Hereafter, MC refers to the Mobility Conductor and MD to the Managed Device.
# Here, we should see an entry for the AP-105 on both MC and MD going from approved to certified indicating the CPSEC certificate exchange is complete.
show allowlist cpsec
does the MD have a correct connection to the MC ?
Does the MD show any signs of the AP trying to connect ?
MC and MD:
show ap database long
show control-plane-security
MC and MD:
show log all | inc <AP MAC>
# check the actual traffic from AP to MD:
show datapath session table 192.168.68.105
You might use the apboot prompt on the AP to statically configure the MD IP address as a test, but it seems the problem is further along in the process.
setenv master 192.168.68.52
setenv serverip 192.168.68.52
setenv
dhcp
boot
------------------------------
Shawn Adams
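As an added example (not part of any post in this thread, and not an Aruba tool), the checks above can be scripted once the CLI output is pasted into a file: the helper below pulls the AP reboot reasons out of `show log all` output, parses `show control-plane-security` from the MM and the MD, and reports HELLO-TIMEOUT reboots plus any CPSEC profile mismatch between the two. The sample inputs are constructed from the output formats quoted in this thread; the second log line (AP `aa:bb:cc:dd:ee:ff`) is invented so the filter has a non-timeout event to skip.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the first line mirrors the nanny reboot-reason line
# quoted from the MD in this thread; the second is a made-up AP with a
# non-HELLO-TIMEOUT reason so the filter has something to ignore.
SAMPLE_MD_LOG = """\
Dec 30 13:44:13 nanny[945]: <303022> <WARN> |AP 6c:f3:7f:cc:0f:93@192.168.68.105 nanny| Reboot Reason: AP rebooted Fri Dec 31 16:44:32 PST 1999; SAPD: Unable to contact switch: HELLO-TIMEOUT. Last rebootstrap reason: HELLO-TIMEOUT, 229 sec before: Last Ctrl msg: HELLO len=1091 dest=192.168.68.52 tries=10 seq=0
Dec 30 13:50:01 nanny[945]: <303022> <WARN> |AP aa:bb:cc:dd:ee:ff@192.168.68.110 nanny| Reboot Reason: AP rebooted Mon Dec 30 13:49:00 PST 2024; constructed non-timeout reason
"""

# Constructed sample: `show control-plane-security` as pasted from the MM and the MD.
SAMPLE_MM_CPSEC = """\
Control Plane Security Profile
------------------------------
Parameter                        Value
---------                        -----
Control Plane Security           Disabled
Auto Cert Provisioning           Disabled
Auto Cert Allow All              Enabled
Auto Cert Allowed Addresses      N/A
Auto Cert Allowed IPv6 Addresses N/A
"""
SAMPLE_MD_CPSEC = SAMPLE_MM_CPSEC.replace("Control Plane Security           Disabled",
                                          "Control Plane Security           Enabled")


@dataclass
class RebootEvent:
    mac: str
    ap_ip: str
    reason: str
    failure: Optional[str]   # e.g. "HELLO-TIMEOUT"; None when the reboot was not a contact failure
    dest: Optional[str]      # controller the last control message was sent to
    tries: Optional[int]


# "|AP <mac>@<ip> nanny| Reboot Reason: <free text>" is the shape quoted from the MD.
LOG_RE = re.compile(
    r"\|AP (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})@(?P<ip>\d+(?:\.\d+){3}) nanny\| "
    r"Reboot Reason: (?P<reason>.*)$"
)
FAIL_RE = re.compile(r"Unable to contact switch: (?P<fail>[A-Z-]+)")
DEST_RE = re.compile(r"dest=(?P<dest>\d+(?:\.\d+){3})")
TRIES_RE = re.compile(r"tries=(?P<tries>\d+)")


def parse_reboot_events(log_text: str) -> list[RebootEvent]:
    """Extract one RebootEvent per nanny 'Reboot Reason' line; other lines are ignored."""
    events: list[RebootEvent] = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        reason = m.group("reason")
        fail, dest, tries = FAIL_RE.search(reason), DEST_RE.search(reason), TRIES_RE.search(reason)
        events.append(RebootEvent(
            mac=m.group("mac"), ap_ip=m.group("ip"), reason=reason,
            failure=fail.group("fail") if fail else None,
            dest=dest.group("dest") if dest else None,
            tries=int(tries.group("tries")) if tries else None,
        ))
    return events


def parse_cpsec_profile(cli_text: str) -> dict[str, str]:
    """Turn the Parameter/Value table of `show control-plane-security` into a dict."""
    profile: dict[str, str] = {}
    in_table = False
    for raw in cli_text.splitlines():
        line = raw.strip()
        if line.startswith("Parameter"):      # column header: the table starts below it
            in_table = True
            continue
        # skip title, separator rows, CLI prompts and blank lines
        if not in_table or not line or line[0] in "-(":
            continue
        parts = line.rsplit(None, 1)          # value is the last whitespace-separated token
        if len(parts) == 2:
            profile[parts[0]] = parts[1]
    return profile


def triage(events: list[RebootEvent], mm_profile: dict[str, str],
           md_profile: dict[str, str], md_ip: str) -> list[str]:
    """Return human-readable findings: HELLO-TIMEOUT reboots and MM/MD CPSEC differences."""
    findings: list[str] = []
    for ev in events:
        if ev.failure != "HELLO-TIMEOUT":
            continue
        findings.append(f"AP {ev.mac} ({ev.ap_ip}) rebooted after {ev.failure}; "
                        f"last HELLO went to {ev.dest} with tries={ev.tries}")
        if ev.dest and ev.dest != md_ip:   # AP is talking to a controller other than the MD
            findings.append(f"AP {ev.mac} sends HELLO to {ev.dest}, not to the MD {md_ip}")
    for key in sorted(set(mm_profile) | set(md_profile)):
        if mm_profile.get(key) != md_profile.get(key):
            findings.append(f"CPSEC mismatch for '{key}': MM={mm_profile.get(key)} "
                            f"MD={md_profile.get(key)}")
    return findings


if __name__ == "__main__":
    evs = parse_reboot_events(SAMPLE_MD_LOG)
    for f in triage(evs, parse_cpsec_profile(SAMPLE_MM_CPSEC),
                    parse_cpsec_profile(SAMPLE_MD_CPSEC), "192.168.68.52"):
        print(f)
```

On the outputs pasted in this thread the script reports the HELLO-TIMEOUT reboot of 6c:f3:7f:cc:0f:93 toward 192.168.68.52 and the "Control Plane Security" Disabled/Enabled mismatch between MM and MD; it does not decide which side is wrong, it only surfaces the two facts a reviewer would look at next.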
Original Message:
Sent: Dec 30, 2024 02:02 AM
From: breenubee
Subject: RADIUS IP is the MM, Replicating Customer setup but I am NEW to 8.6.0.23 with AP-105 Deployment, Cannot Auto-Discover AP, I just want to provision my AP
Hi shpat,
I am matchabear but with a different account, coz that account somehow "needs to be investigated", not sure why. Maybe because I used a personal email to register. But anyway, here below is my licensing screenshot from MM. Is it proper and expected to see "0/1" for AP and PEF? Coz, I still cannot detect the AP-105. I put all into one segment.
Original Message:
Sent: Dec 30, 2024 01:35 AM
From: shpat
Subject: RADIUS IP is the MM, Replicating Customer setup but I am NEW to 8.6.0.23 with AP-105 Deployment, Cannot Auto-Discover AP, I just want to provision my AP
Hi matchabear,
Yes you need AP License. PEF License is needed if you have configurations using Role Based Access, apart from the standard ones used in AOS.
------------------------------
Shpat | ACEP | ACMP | ACCP | ACDP |
-Just an Aruba enthusiast and contributor by cases
Original Message:
Sent: Dec 25, 2024 11:52 AM
From: matchabear
Subject: RADIUS IP is the MM, Replicating Customer setup but I am NEW to 8.6.0.23 with AP-105 Deployment, Cannot Auto-Discover AP, I just want to provision my AP
Hi Herman,
Thanks much for your response.
I tried with 8.2.0.1, as the logs below show, but still from MM/MD I couldn't see the AP. For clarification, I navigated to Configuration > Access Points at the MD. Note that I already disabled CPSec and also whitelisted the AP, and I am still unable to see it.
Do I need AP and PEFNG licenses beforehand so that I am able to see the AP there?
Bootup logs from the AP:
APBoot 1.4.0.3 (build 37726)
Built: 2013-03-21 at 20:13:41
Model: AP-10x
CPU: AR7161 revision: A2
Clock: 680 MHz, DDR clock: 340 MHz, Bus clock: 170 MHz
DRAM: 128 MB
POST1: passed
Copy: done
Flash: 16 MB
PCI: scanning bus 0 ...
dev fn venID devID class rev MBAR0 MBAR1 MBAR2 MBAR3
00 00 168c 0029 00002 01 10000000 00000000 00000000 00000000
01 00 168c 0029 00002 01 10010000 00000000 00000000 00000000
Net: eth0
Radio: ar922x#0, ar922x#1
Hit <Enter> to stop autoboot: 0
Checking image @ 0xbf100000
Invalid image format version: 0xffffffff
Checking image @ 0xbf800000
Invalid image format version: 0xffffffff
eth0 up: 1 Gb/s full duplex
ADP multicast 1
ADP broadcast 1
Controller address: 192.168.68.52
Using eth0 device
TFTP from server 192.168.68.52; our IP address is 192.168.68.105
Filename 'mips32.ari'.
Load address: 0x2000000
Loading: #################################################################
########################
done
Bytes transferred = 5812856 (58b278 hex)
Image is signed; verifying checksum... passed
Signer Cert OK
Policy Cert OK
RSA signature verified.
Automatic boot of image at addr 0x02000000 ...
ELF file is 32 bit
Loading .text @ 0x80e00000 (5743096 bytes)
Loading .data @ 0x8137a200 (32 bytes)
Clearing .bss @ 0x8137a220 (16 bytes)
## Starting application at 0x80e00000 ...
Uncompressing......................................................
Aruba Networks
ArubaOS Version 8.2.0.1 (build 62115 / label #62115)
Built by p4build@corfu on 2017-10-31 at 21:58:22 PDT (gcc version 4.
CPU Rev: aa
71x CPU
Flash variant: default
Cache parity protection disabled
Using 340.000 MHz high precision timer. cycles_per_jiffy=680000
Memory: 120576k/131072k available (1741k kernel code, 10372k reserve
available.
detected lzma initramfs
initramfs: LZMA lc=3,lp=0,pb=2,dictSize=8388608,origSize=24606208
LZMA initramfs by Ming-Ching Tiew <mctiew@yahoo.com> ...........................................................................................................................................................................................................................
AR7100 GPIOC major 0
wdt: registered with refresh
Enabling Watchdog
Talisker RSSI LED initialization
Creating 1 MTD partitions on "ar7100-nor0":
0x00000000-0x01000000 : "flash"
i2c /dev entries driver
i2c-talisker: using default base 0x18040000
AD7416 driver probing for devices on AR7100 I2C
.<6>lo: Disabled Privacy Extensions
IPv6 over IPv4 tunneling driver
Starting Kernel SHA1 KAT ...Completed Kernel SHA1 KAT
Starting Kernel HMAC-SHA1 KAT ...Completed Kernel HMAC-SHA1 KAT
Starting Kernel DES KAT ...Completed Kernel DES KAT
Starting Kernel AES KAT ...Completed Kernel AES KAT
Starting Kernel AESGCM KAT ...Completed Kernel AESGCM KAT
Domain Name: arubanetworks.com
No panic info available
Testing TPM... Passed
ag7100_mod: module license 'unspecified' taints kernel.
AG7100: Length per segment 512
AG7100: Max segments per packet 4
AG7100: Max tx descriptor count 400
AG7100: Max rx descriptor count 252
AG7100: fifo cfg 3 018001ff
AG7100CHH: Mac address for unit 0
AG7100CHH: 6c:f3:7f:cc:0f:93
AG7100: cfg1 0xf cfg2 0x7014
ATHRF1: Port 0, Neg Success
ATHRF1: unit 0 phy addr 0 ATHRF1: reg0 3100
AP xml model 39, num_radios 2 (jiffies 13447)
apType 39 hw_opmode 0
radio 0: band 1 ant 0 max_ssid 8
radio 1: band 0 ant 0 max_ssid 8
init_asap_mod: installation:0
firewall cpu: core-0
Starting watchdog process...
Got all network params from APboot env. Skippingag7100_ring_alloc Al
DHCP
ag7100_ring_alloc Allocated 3024 at 0x86aa7000
AG7100: cfg1 0xf cfg2 0x7014
ATHRF1: Port 0, Neg Success
ATHRF1: unit 0 phy addr 0 ATHRF1: reg0 3100
AG7100: unit 0 phy is up...RGMii 1000Mbps full duplex
AG7100: pll reg 0x18050010: 0x110000 AG7100: cfg_1: 0x1ff0000
AG7100: cfg_2: 0x3ff
AG7100: cfg_3: 0x18001ff
AG7100: cfg_4: 0xffff
AG7100: cfg_5: 0xfffef
AG7100: done cfg2 0x7215 ifctl 0x0 miictrl 0x22
Writing 4
192.168.68.105 255.255.255.0 192.168.68.1
Running ADP...Done. Master is 192.168.68.52
ath_hal: 0.9.17.1 (AR5416, AR9380, REGOPS_FUNC, PRIVATE_DIAG, WRITE_
ath_rate_atheros: Copyright (c) 2001-2005 Atheros Communications, In
ath_rate_atheros: Aruba Networks Rate Control Algorithm
ath_dfs: Version 2.0.0
Copyright (c) 2005-2006 Atheros Communications, Inc. All Rights Rese
ath_spectrum: Version 2.0.0
Copyright (c) 2005-2006 Atheros Communications, Inc. All Rights Rese
ath_dev: Copyright (c) 2001-2007 Atheros Communications, Inc, All Ri
ath_pci: 0.9.4.5 (Atheros/multi-bss)
ath_attach: scn 80530280 sc 86340000 ah 80580000
wifi0: Base BSSID 6c:f3:7f:40:f9:38, 8 available BSSID(s)
bond0 address=6c:f3:7f:cc:0f:93
br0 address=6c:f3:7f:cc:0f:93
wifi0: AP type AP-105, radio 0, max_bssids 8
wifi0: Atheros 9280: mem=0x10010000, irq=49 hw_base=0xb0010000
ath_attach: scn 85e20280 sc 85e40000 ah 85e80000
wifi1: Base BSSID 6c:f3:7f:40:f9:30, 8 available BSSID(s)
bond0 address=6c:f3:7f:cc:0f:93
br0 address=6c:f3:7f:cc:0f:93
wifi1: AP type AP-105, radio 1, max_bssids 8
wifi1: Atheros 9280: mem=0x10000000, irq=48 hw_base=0xb0000000
ath_ahb: 0.9.4.5 (Atheros/multi-bss)
Starting FIPS KAT ... Completed FIPS KAT
AP rebooted Fri Dec 31 16:44:32 PST 1999; SAPD: Unable to contact swLO-TIMEOUT, 228 sec before: Last Ctrl msg: HELLO len=426 dest=192.16
keep watchdog process alive for talisker (nanny will restart it)...
<<<<< Welcome to the Access Point >>>>>
~ #
~ #
~ #
Original Message:
Sent: Dec 23, 2024 04:53 AM
From: Herman Robers
Subject: RADIUS IP is the MM, Replicating Customer setup but I am NEW to 8.6.0.23 with AP-105 Deployment, Cannot Auto-Discover AP, I just want to provision my AP
1) Note that AP and firmware version are both unsupported, but I think there is a known intermediate step required for some 6.x APs to go to 8.x, and if I'm correct that's 8.2. It may help to upgrade first to the latest 6.x, then to 8.6; or see if you can downgrade your controller to 8.2 and see if the upgrade to 8.2 works, then to 8.6. Connecting to the console of the AP, or check controller logs may provide additional information.
2) You would need to set/override the NAS-IP per group or even controller. The VRRPs are needed for CoA to work in an AOS8 cluster. Check this article/post for more information.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your HPE Aruba Networking partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact HPE Aruba Networking TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or HPE Aruba Networking.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
Original Message:
Sent: Dec 21, 2024 04:47 PM
From: matchabear
Subject: RADIUS IP is the MM, Replicating Customer setup but I am NEW to 8.6.0.23 with AP-105 Deployment, Cannot Auto-Discover AP, I just want to provision my AP
Hi All,
I am currently replicating my customer's environment as we have a Posturing project with ClearPass, but when I start to lab with an MM-MD setup on 8.6.0.23 (since AP-105 is only supported until that version), I could not get the AP discovered from the MD. I use all virtual: MM and VMC. I consoled the AP and it can discover the VMC with ADP already (since I put the MM, MD, and the AP under the same subnet). It is just that now I couldn't see the AP under the Configuration > Access Point section from the Managed Network section. I disabled CPSec from the MM to make it simple. Strangely, if I log in individually to the MD, CPSec is still Enabled, but I don't think this prevents the AP from being seen from the MM/MD. If this makes a difference, kindly let me know.
I can tell you that my experience is only around AOS 6.x since I did quite a number of Wifi projects like 10 years back. But, now since I have a full Aruba wireless customer environment, I need to lab it but got stuck in this simple step. AOS 6.x was so simple I remember it strongly, just do like mentioned above, and the AP can be seen from the physical MC easily and I can provision it after that. I don't know what I am missing here with the MM-MD setup, kindly please guide me to the right direction. If there is a "pinned" thread, like all-in-one MM-MD setup, I would like to scour through it and refresh my knowledge on this MM-MD thing.
So, I have two issues now:
1) How do I get to see the AP-105 from the 8.6.0.23 MM-MD
2) and the root of all this is that we found the RADIUS NAD-IP-Address at the customer site is the MM, with the Src-IP-Address being the MD. The customer has multiple MD Groups, for example 4 groups in total; in 3 groups we found that the Src-IP is the MD's individual IP and the NAD-IP is the MD's VRRP, but in one group we see that the NAD-IP is the MM with the Src-IP being the MD's individual IP. The 3 groups have 3 VRRP IPs (not sure why, since we are not the ones who configured it in the first place), and the one group has only 1 VRRP IP; but I do not think this will make a difference in terms of the RADIUS attribute details. Please advise if otherwise.
Thank you..!