Wireless Access

 View Only
  • 1.  Remote Access Point unable to connect, Auth Request

    Posted Dec 07, 2023 02:41 AM

    Hey everyone,

    I have an ArubaMM-VA (pri/backup) on version 8.10.0.7 LSR orchestrating two Physical 7210 controllers. I am trying to get some remote APs going, but am hitting a snag and I haven't been able to find the cause. The traffic is coming from a typical home user network with a NAT to the public Internet over to the corporate Palo firewall. There are two NAT addresses configured both in the firewall and the profile for the RAP in the controller, and a corresponding policy to allow "any" traffic from the home location ip address to the two NAT addresses on the controller. The controllers have private IP addresses, but the NAT rule points to those IPs. I don't think I should have to include specific ports, but I can do that (I'm testing now with wide open settings to get it working).

    The AP is an AP-303, it's in the allow list, and I can see it connect to the controller, but it will never come all the way online.  I'm unsure what I have missed, but I did see the AP go Up, then Down a few times

    The message is:
    AP is down since 2023-12-07 02:01:02 because of the following reason: Auth Request.

    On the controller:

    show datapath session table 10.200.200.51

    Source IP or MAC  Destination IP  Prot SPort DPort Cntr     Prio ToS Age Destination TAge Packets    Bytes      Flags           CPU ID
    ----------------- --------------- ---- ----- ----- -------- ---- --- --- ----------- ---- ---------- ---------- --------------- -------
    10.200.200.51     10.29.0.101     17   8211  8515   0/0     0    0   1   local       4    0          0          FYI             11
     
    10.29.0.101       10.200.200.51   17   8515  8211   1/0     0    0   0   local       6    2          786        FCI             11

    I'm not sure what else to check. I'm sure I missed a step, as the RAP configuring isn't as well documented as I hoped. Where do I go next?

    Thanks!

    PH



  • 2.  RE: Remote Access Point unable to connect, Auth Request
    Best Answer

    Posted Dec 07, 2023 08:24 AM

    Are your controllers in a cluster? In that case you would need to configure the public IPs in your configuration as well... and there is a separate allow list for remote APs (from normal / Campus APs).

    If the controllers are not in a cluster, the NAT should be enough.

    This page seems to have a good summary... a bit down from the top there is the cluster configuration.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 3.  RE: Remote Access Point unable to connect, Auth Request

    Posted Dec 07, 2023 04:09 PM

    Thanks Herman! I was hoping it was something simple.  I had followed that guide, but somehow missed the remote AP tab.  I'll try that and see if it comes online.  

    I did have the AP in the wrong list (Campus)

    I do have the LMS ip set for both controllers in the cluster here in the IP address and Backup IP address field. This is the public NAT address (which is surely working since I can see the RAP trying to connect.



    I'm not in the same area as the AP right now but I'll give it another reset this eve and see if it will come online if it doesn't before that.  




  • 4.  RE: Remote Access Point unable to connect, Auth Request

    Posted Dec 08, 2023 09:14 AM

    Did you set the RAP Public IP in your cluster?

    With controller clusters, most of LMS configuration is ignored and an AP will connect directly to the controller IP as configured in the cluster, or when in RAP mode to the RAP Public IP.

    The Auth Request message suggests an authentication problem, but it may be that the RAP just cannot reach its anchor or user controllers.

    If this is not your issue, it may be more effective to work with your partner or Aruba Support as there are many things to look at and verify.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 5.  RE: Remote Access Point unable to connect, Auth Request

    Posted Dec 08, 2023 10:22 AM

     

    Herman,

     

    Thanks for checking back. Yes – I believe that's what the issue was. I had followed that guide mostly but I missed both the Remote AP (in the previous post) and the RAP IP for the cluster.

     

     

    For those following along, you can not change the entry for the cluster, and deleting a single device and adding it back won't allow you to use the RAP IP.  But you can re-create a new cluster, in the GUI; MD/Config/Services/Clusters, add a new cluster profile with the proper values, then go to the actual devices and move them to the new profile.

     

    Remove existing profile, then add them to the new profile, and that may or may not cause a blip on some of the APs connected..  But not many people notice at 2AM.

     

    Create new profile:

    Change the profile for each controller:

     

    Now I just have to remember how to activate the ports on the 303H..  Thanks for the help!

     

    Thanks,

    Phillip

     

    -

     

    Phillip Horn

    Network and Systems Engineer

    Union College

    606-546-1650

     






  • 6.  RE: Remote Access Point unable to connect, Auth Request

    Posted Feb 27, 2024 12:31 AM

    Hello everyone,


    I'm back with another question that should have a simple answer, but I've been having a hard time finding it.

    We're all set up with the above - I have a RAP that works fine connecting to the controller from a remote location. The working AP is an AP303H that originally shipped with IAP mode, and I was able to go in and provision it to the controller and convert it to RAP.

    What I can't figure out is how to configure existing campus APs to work remotely. I have tried with a 505H, and a 315 and a 325 (though I'll admit that I can't remember if these are the universal AP or if they are only campus APs - JW797A and JW327A (both have the model and then -61001 on the sticker if I am reading  that right).
    Anyway - what would be the process to get these converted to RAP? We had them online, and then set them up on the controller as RAP, and they showed up like they were going to work, but they never come online. I don't have handy the serial adapter for the 315, but I could console in to the 325 if I knew what I needed to do. 

    Any help or nudge in the correct direction would be appreciated!




  • 7.  RE: Remote Access Point unable to connect, Auth Request

    Posted Feb 27, 2024 10:34 AM

    The 505H can be easy, just factory default the AP and convert from IAP.

    For Campus APs, should just need to re-provision the AP to remote mode.  As long as the AP can get an IP address and reach one of the cluster nodes as seen in the node-list environment variable, that should work.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 8.  RE: Remote Access Point unable to connect, Auth Request

    Posted Feb 28, 2024 08:03 PM
    I thought that too but it isn't working. I can set them as RAP in the controller, it will even show them in the RAP section, but when I take the device off site, it doesn't connect. I'm not sure what the most effective way for troubleshooting this is - I suppose I will need to locate console cables and see what the APs are doing. 

    I thought there was a section on the activate site (activate.arubanetworks.com) that I could add the details, but then when I went there it said it was moved and now I can't find it. ��

    Phillip






  • 9.  RE: Remote Access Point unable to connect, Auth Request

    Posted Feb 28, 2024 10:21 PM

    Activate has moved under the GLCP umbrella, https://activate.arubanetworks.com/registration/ will redirect you to the proper location.

    I have a feeling that the AP once converted to RAP is still trying to talk to the private IP rather than the public.  You might be able to re-provision the RAP while still one the internal network to an AP group that specifies the LMS as one of the public IP addresses.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------