Requirement:
By default, an Aruba Remote AP (RAP) re-authenticates to the controller only when the ISAKMP or IPsec security association (SA) lifetime expires. The default lifetime is 8 hours (28800 s) for the ISAKMP (IKE) SA and 2 hours (7200 s) for the IPsec SA. When a lifetime expires, the RAP negotiates a new SA with the controller, with a new SPI. These lifetimes are hard-coded on the controller and are not configurable. In some deployments, however, the RAP must re-authenticate before these lifetimes expire.
Solution:
Configure periodic re-authentication on the ap-role user role, which the RAP inherits, with the required interval. The controller then forces the RAP to re-authenticate at that interval, independently of the hard-coded SA lifetimes. The captures below were taken after the configured re-authentication interval had elapsed; compare them with the "before" captures in the Verification section: the ISAKMP cookies, the SA creation time and the inner IP (1.1.1.2 before, 1.1.1.3 after) have all changed.
(Aruba-Master) #show crypto isakmp sa peer 10.17.168.174
Initiator IP: 10.17.168.174
Responder IP: 10.17.168.178
Initiator: No
Initiator cookie:1818fa09f4791dd3 Responder cookie:75c3c753255dd168
SA Creation Date: Wed Jan 17 04:25:29 2018
Life secs: 28800
Initiator Phase1 ID: CN=CM0617084::84:d4:7e:c3:d9:02
Responder Phase1 ID: CN=CG0002010::00:0b:86:9a:50:77 L=SW
Exchange Type: IKE_SA (IKEV2)
Phase1 Transform:EncrAlg:AES256 HashAlg:HMAC_SHA1_96 DHGroup:2
Authentication Method: RSA Digital Signature 2048-bits
CFG Inner-IP 1.1.1.3
IPSEC SA Rekey Number: 0
Aruba AP
(Aruba-Master) #show crypto ipsec sa peer 10.17.168.174
Initiator IP: 10.17.168.174
Responder IP: 10.17.168.178
Initiator: No
SA Creation Date: Wed Jan 17 04:25:29 2018
Life secs: 7200
Exchange Type: IKE_SA (IKEV2)
Phase2 Transform:Encryption Alg: AES 256 Authentication Alg: SHA1
Encapsulation Mode Tunnel
IP Compression Disabled
PFS: no
IN SPI: FA4A0400, OUT SPI: DBC8BB00
CFG Inner-IP 1.1.1.3
Responder IP: 10.17.168.178
(Aruba-Master) #show ap bss-table ap-name 84:d4:7e:c3:d9:02
fm (forward mode): T-Tunnel, S-Split, D-Decrypt Tunnel, B-Bridge (s-standard, p-persistent, b-backup, a-always), n-anyspot
Aruba AP BSS Table
------------------
bss               ess      port ip      phy   type ch/EIRP/max-EIRP cur-cl ap name           in-t(s) tot-t mtu  acl-state acl fm
---               ---      ---- --      ---   ---- ---------------- ------ -------           ------- ----- ---  --------- --- --
84:d4:7e:bd:90:20 aruba-ap N/A  1.1.1.3 g-HT  ap   11/15/0          0      84:d4:7e:c3:d9:02 0       28s   1200 -         2   T
84:d4:7e:bd:90:30 aruba-ap N/A  1.1.1.3 a-VHT ap   60E/24/0         0      84:d4:7e:c3:d9:02 0       28s   1200 -         2   T
Channel followed by "*" indicates channel selected due to unsupported configured channel.
"Spectrum" followed by "^" indicates Local Spectrum Override in effect.
Num APs:2
Num Associations:0
NOTE: When the RAP re-authenticates because the configured re-authentication interval has elapsed, it resets its radios, so all associated clients are disconnected; the BSS table above shows a tot-t of 28s, i.e. both BSSs were re-created after the re-authentication. When the RAP re-authenticates because the default ISAKMP/IPsec lifetime has expired, the radios are not reset and clients are not disconnected. Choose the interval with this client impact in mind.
Configuration:
Configuring the re-authentication interval from the WebUI:
Configuring the re-authentication interval from the CLI: the interval is a property of the ap-role user role. Once it has been set, show rights ap-role reports it under "Periodic reauthentication":
(Hunter68st2) # show rights ap-role
Valid = 'Yes'
CleanedUp = 'No'
Derived Role = 'ap-role'
Up BW:No Limit Down BW:No Limit
L2TP Pool = default-l2tp-pool
PPTP Pool = default-pptp-pool
Number of users referencing it = 0
Periodic reauthentication: Enabled, Interval = 2 minutes
DPI Classification: Enabled
Youtube education: Disabled
Web Content Classification: Enabled
ACL Number = 6/0
Max Sessions = 65535
Verification:
Before the re-authentication interval elapses (the ISAKMP SA below was created at 04:23:24; the "after" capture in the Solution section shows a new SA created at 04:25:29, about two minutes later, matching the configured 2-minute interval):
(Aruba-Master) #show crypto isakmp sa peer 10.17.168.174
Initiator IP: 10.17.168.174
Responder IP: 10.17.168.178
Initiator: No
Initiator cookie:ab8ce372b6a2c775 Responder cookie:b19517ad9e85e486
SA Creation Date: Wed Jan 17 04:23:24 2018
Life secs: 28800
Initiator Phase1 ID: CN=CM0617084::84:d4:7e:c3:d9:02
Responder Phase1 ID: CN=CG0002010::00:0b:86:9a:50:77 L=SW
Exchange Type: IKE_SA (IKEV2)
Phase1 Transform:EncrAlg:AES256 HashAlg:HMAC_SHA1_96 DHGroup:2
Authentication Method: RSA Digital Signature 2048-bits
CFG Inner-IP 1.1.1.2
IPSEC SA Rekey Number: 0
Aruba AP
(Aruba-Master) #show crypto ipsec sa peer 10.17.168.174
Initiator IP: 10.17.168.174
Responder IP: 10.17.168.178
Initiator: No
SA Creation Date: Wed Jan 17 04:25:29 2018
Life secs: 7200
Exchange Type: IKE_SA (IKEV2)
Phase2 Transform:Encryption Alg: AES 256 Authentication Alg: SHA1
Encapsulation Mode Tunnel
IP Compression Disabled
PFS: no
IN SPI: FA4A0400, OUT SPI: DBC8BB00
CFG Inner-IP 1.1.1.3
Responder IP: 10.17.168.178
(Aruba-Master) #show ap bss-table ap-name 84:d4:7e:c3:d9:02
fm (forward mode): T-Tunnel, S-Split, D-Decrypt Tunnel, B-Bridge (s-standard, p-persistent, b-backup, a-always), n-anyspot
Aruba AP BSS Table
------------------
bss               ess      port ip      phy   type ch/EIRP/max-EIRP cur-cl ap name           in-t(s) tot-t  mtu  acl-state acl fm
---               ---      ---- --      ---   ---- ---------------- ------ -------           ------- -----  ---  --------- --- --
84:d4:7e:bd:90:20 aruba-ap N/A  1.1.1.2 g-HT  ap   11/12/21         0      84:d4:7e:c3:d9:02 0       1m:34s 1200 -         2   T
84:d4:7e:bd:90:30 aruba-ap N/A  1.1.1.2 a-VHT ap   60E/22/22        0      84:d4:7e:c3:d9:02 0       1m:34s 1200 -         2   T
Channel followed by "*" indicates channel selected due to unsupported configured channel.
"Spectrum" followed by "^" indicates Local Spectrum Override in effect.
Num APs:2
Num Associations:0
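The before/after captures can be compared mechanically rather than by eye. The script below is an added example, not code from this article or from ArubaOS: it parses the relevant lines of the three show commands used above (the field layout is assumed from the captures on this page, and the sample text is copied from them, trimmed to the lines that are compared) and reports whether the IKE SA was re-established, how many seconds after the previous one, whether the inner IP and the IPsec SPIs changed, and whether the BSS uptimes indicate a radio reset. On this page's captures it reports a new IKE SA 125 seconds after the previous one, a new inner IP and younger BSSs; the two IPsec captures on the page carry the same SPI pair, so that check reports no change.

```python
"""Confirm what a forced RAP re-authentication changed on the controller.

Added example, not code from the article or from ArubaOS. It compares excerpts
of `show crypto isakmp sa peer`, `show crypto ipsec sa peer` and `show ap
bss-table ap-name` captured before and after the configured interval; the line
layout assumed below and the sample text are taken from the article's captures.
"""
import re
from datetime import datetime

BEFORE = {
    "isakmp": """\
Initiator cookie:ab8ce372b6a2c775 Responder cookie:b19517ad9e85e486
SA Creation Date: Wed Jan 17 04:23:24 2018
CFG Inner-IP 1.1.1.2
""",
    "ipsec": "IN SPI: FA4A0400, OUT SPI: DBC8BB00\n",
    "bss": """\
84:d4:7e:bd:90:20 aruba-ap N/A 1.1.1.2 g-HT ap 11/12/21 0 84:d4:7e:c3:d9:02 0 1m:34s 1200 - 2 T
84:d4:7e:bd:90:30 aruba-ap N/A 1.1.1.2 a-VHT ap 60E/22/22 0 84:d4:7e:c3:d9:02 0 1m:34s 1200 - 2 T
""",
}
AFTER = {
    "isakmp": """\
Initiator cookie:1818fa09f4791dd3 Responder cookie:75c3c753255dd168
SA Creation Date: Wed Jan 17 04:25:29 2018
CFG Inner-IP 1.1.1.3
""",
    "ipsec": "IN SPI: FA4A0400, OUT SPI: DBC8BB00\n",
    "bss": """\
84:d4:7e:bd:90:20 aruba-ap N/A 1.1.1.3 g-HT ap 11/15/0 0 84:d4:7e:c3:d9:02 0 28s 1200 - 2 T
84:d4:7e:bd:90:30 aruba-ap N/A 1.1.1.3 a-VHT ap 60E/24/0 0 84:d4:7e:c3:d9:02 0 28s 1200 - 2 T
""",
}

# Fields that identify one SA instance; a real re-authentication must replace them.
ISAKMP_FIELDS = {
    "icookie": r"Initiator cookie:\s*([0-9a-fA-F]+)",
    "rcookie": r"Responder cookie:\s*([0-9a-fA-F]+)",
    "created": r"SA Creation Date:\s*(.+)",
    "inner_ip": r"CFG Inner-IP\s+(\S+)",
}
IPSEC_FIELDS = {
    "in_spi": r"IN SPI:\s*([0-9a-fA-F]+)",
    "out_spi": r"OUT SPI:\s*([0-9a-fA-F]+)",
}
DATE_FMT = "%a %b %d %H:%M:%S %Y"  # format of "SA Creation Date" in the captures


def extract(text, patterns):
    """Return {name: value} for every pattern found in a capture."""
    found = {}
    for name, pattern in patterns.items():
        match = re.search(pattern, text)
        if match:
            found[name] = match.group(1).strip()
    return found


def uptime_seconds(tot_t):
    """Convert a bss-table tot-t value such as "28s" or "1m:34s" to seconds."""
    unit = {"d": 86400, "h": 3600, "m": 60, "s": 1}
    return sum(int(n) * unit[u] for n, u in re.findall(r"(\d+)([dhms])", tot_t))


def parse_bss_table(text):
    """Map each BSSID to its inner IP and uptime (row columns 4 and 11)."""
    rows = {}
    for line in text.splitlines():
        cols = line.split()
        if len(cols) == 15 and re.fullmatch(r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}", cols[0]):
            rows[cols[0]] = {"ip": cols[3], "uptime": uptime_seconds(cols[10])}
    return rows


def compare(before, after):
    """Summarise the checks worth making after the interval has elapsed."""
    ike_b, ike_a = extract(before["isakmp"], ISAKMP_FIELDS), extract(after["isakmp"], ISAKMP_FIELDS)
    sa_b, sa_a = extract(before["ipsec"], IPSEC_FIELDS), extract(after["ipsec"], IPSEC_FIELDS)
    bss_b, bss_a = parse_bss_table(before["bss"]), parse_bss_table(after["bss"])
    gap = datetime.strptime(ike_a["created"], DATE_FMT) - datetime.strptime(ike_b["created"], DATE_FMT)
    return {
        # New cookies and a new creation time mean a new IKE SA, not a rekey of the old one.
        "ike_reestablished": all(ike_b[k] != ike_a[k] for k in ("icookie", "rcookie", "created")),
        "seconds_between_ike_sas": int(gap.total_seconds()),
        # The RAP drew a fresh inner IP from the pool, another sign of a full re-auth.
        "inner_ip_changed": ike_b["inner_ip"] != ike_a["inner_ip"],
        # A new IPsec SA shows up as a new IN/OUT SPI pair.
        "ipsec_spi_changed": (sa_b["in_spi"], sa_b["out_spi"]) != (sa_a["in_spi"], sa_a["out_spi"]),
        # The radios were reset if every BSS is younger after the re-auth than before.
        "radios_reset": bool(bss_a) and all(
            b in bss_b and bss_a[b]["uptime"] < bss_b[b]["uptime"] for b in bss_a),
    }


if __name__ == "__main__":
    for check, outcome in compare(BEFORE, AFTER).items():
        print(f"{check:26} {outcome}")
```

Run it as-is to see the report for the captures on this page; to use it on a controller of your own, paste the output of the three show commands into BEFORE and AFTER. A result of ike_reestablished False after the interval has elapsed means the RAP did not actually re-authenticate, and radios_reset True is the client-impacting behaviour described in the NOTE above.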