Automatic Whitelist keeps rebooting all RAP

  • 1.  Automatic Whitelist keeps rebooting all RAP

    Posted Mar 26, 2014 05:25 PM

    Hi

    I have two 7210 running 6.3.1.2 for SOHO access. On the controller I have enabled a configuration to download the whitelist from activate

    activate-service-whitelist
       whitelist-enable
       username "actuser"
       password xxxxxxxxxxxxxxxxxxxx

    Controller is retrieving the list from activate but after downloading the details, most of them or in some cases all RAP are rebooted by the controller:

    22:08:46  fpcli: USER:admin@10.95.1.19 COMMAND:<activate-service-whitelist > -- command executed successfully
    Mar 26 22:09:02  fpcli: USER:admin@10.95.1.19 COMMAND:<activate-service-whitelist interval 1 > -- command executed successfully
    Mar 26 22:09:09  fpcli: USER:admin@10.95.1.19 COMMAND:<activate-service-whitelist whitelist-enable > -- command executed successfully
    Mar 26 22:09:23  fpcli: USER:admin@10.95.1.19 COMMAND:<write memory > -- command executed successfully
    Mar 26 22:09:44  nanny[1060]: <303022> <WARN> |AP xx:xx:xx:xx:xx:xx@192.168.200.84 nanny|  Reboot Reason: AP rebooted Wed Mar 26 22:08:17 CET 2014; SAPD: Reboot requested by controller
    Mar 26 22:09:44  nanny[1060]: <303022> <WARN> |APxx:xx:xx:xx:xx:yy@192.168.200.83 nanny|  Reboot Reason: AP rebooted Wed Mar 26 22:08:17 CET 2014; SAPD: Reboot requested by controller
    Mar 26 22:09:44  nanny[1061]: <303022> <WARN> |AP xx:xx:xx:xx:xx:zz@192.168.200.82 nanny|  Reboot Reason: AP rebooted Wed Mar 26 22:08:17 CET 2014; SAPD: Reboot requested by controller
    Mar 26 22:09:44  nanny[1061]: <303022> <WARN> |AP xx:xx:xx:xx:xx:xy@192.168.200.81 nanny|  Reboot Reason: AP rebooted Wed Mar 26 22:08:17 CET 2014; SAPD: Reboot requested by controller

     

    This is causing a reset for all teleworkers and is especially annoying for the ones using IP phones.
    Anyone facing the same problem? Could it be a software bug?

     

    Regards,

    Antonio


    #7210
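
Added example, not part of the original post and not Aruba tooling: a Python script that correlates `activate-service-whitelist` commands in the controller log with the "Reboot requested by controller" events that follow them, the pattern in the excerpt above. The sample lines are constructed in the same format; the year (syslog omits it), the 5-minute window and the two-AP threshold are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample, modelled on the log format quoted in the post above.
SAMPLE = """\
Mar 26 22:09:09  fpcli: USER:admin@192.0.2.19 COMMAND:<activate-service-whitelist whitelist-enable > -- command executed successfully
Mar 26 22:09:23  fpcli: USER:admin@192.0.2.19 COMMAND:<write memory > -- command executed successfully
Mar 26 22:09:44  nanny[1060]: <303022> <WARN> |AP 00:00:5e:00:53:01@192.0.2.84 nanny|  Reboot Reason: AP rebooted Wed Mar 26 22:08:17 CET 2014; SAPD: Reboot requested by controller
Mar 26 22:09:44  nanny[1061]: <303022> <WARN> |AP 00:00:5e:00:53:02@192.0.2.83 nanny|  Reboot Reason: AP rebooted Wed Mar 26 22:08:17 CET 2014; SAPD: Reboot requested by controller
Mar 27 03:15:00  nanny[1061]: <303022> <WARN> |AP 00:00:5e:00:53:03@192.0.2.82 nanny|  Reboot Reason: AP rebooted Thu Mar 27 03:13:30 CET 2014; SAPD: Reboot requested by controller
"""

TS = r"(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d)"
CMD = re.compile(TS + r" +fpcli: USER:(?P<user>\S+) COMMAND:<(?P<cmd>activate-service-whitelist[^>]*)>")
# "AP ?" tolerates the missing space seen in one of the quoted lines; "x" allows masked MACs.
REBOOT = re.compile(TS + r" +nanny\[\d+\]: .*\|AP ?(?P<ap>[0-9A-Fa-fx:]+)@(?P<ip>\S+) nanny\|.*Reboot requested by controller")

def _ts(text, year):
    # Syslog timestamps carry no year, so the caller supplies one (assumption).
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")

def correlate(log, year=2014, window=timedelta(minutes=5), min_aps=2):
    """One finding per whitelist command followed by >= min_aps controller-requested reboots."""
    cmds, reboots = [], []
    for line in log.splitlines():
        if m := CMD.search(line):
            cmds.append((_ts(m["ts"], year), m["user"], m["cmd"].strip()))
        elif m := REBOOT.search(line):
            reboots.append((_ts(m["ts"], year), m["ap"]))
    findings = []
    for when, user, cmd in cmds:
        # Distinct APs whose reboot was logged inside the window after the command.
        aps = sorted({ap for t, ap in reboots if when <= t <= when + window})
        if len(aps) >= min_aps:
            findings.append({"time": when, "user": user, "command": cmd, "aps": aps})
    return findings

if __name__ == "__main__":
    for f in correlate(SAMPLE):
        print(f"{f['time']} {f['user']} ran '{f['command']}': "
              f"{len(f['aps'])} APs rebooted by controller: {', '.join(f['aps'])}")
```
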


  • 2.  RE: Automatic Whitelist keeps rebooting all RAP

    EMPLOYEE
    Posted Mar 27, 2014 05:27 AM

    aboj,

     

    The whitelist synchronization in the controller is only meant for IAPs at this time.  If you use the whitelist synchronization in the controller for RAPs, it will download the ap-group as "default" and cause any of your RAPs that have a different ap-group to reboot.  Please disable this synchronization...

     



  • 3.  RE: Automatic Whitelist keeps rebooting all RAP

    Posted Mar 27, 2014 09:00 AM
    Thanks cjoseph. I have a Zero touch provisioning implementation and it sounds like I do need an entry with MAC and ap group on the controller for the initial build of the VPN tunnel between the RAP and my controller, besides the Activate configuration. I was trying to avoid this manual intervention.


  • 4.  RE: Automatic Whitelist keeps rebooting all RAP

    Posted Mar 27, 2014 12:44 PM

    Hi Aboj,

     

    As Colin has indicated, the whitelist sync feature on the controller was meant for IAP.  However, Zero Touch RAP deployment can be supported with Clearpass which will account for AP-Group and AP-Name. 

     

    1. At a high level, Clearpass will synchronize with Activate and maintain the "global" whitelist.  

    2. When RAP attempts to authenticate, instead of performing a local lookup, it will authenticate against Clearpass.

     

    Regards,

     -michael



  • 5.  RE: Automatic Whitelist keeps rebooting all RAP

    Posted Mar 27, 2014 01:11 PM

    Hi Aboj,

     

    We did a session at Airheads on configuring this service.  Please refer to this link for the slides:  http://community.arubanetworks.com/t5/Americas-Airheads-Conference/Breakout-Enabling-the-Virtual-Enterprise/gpm-p/129201

     

    Regards,

     -michael



  • 6.  RE: Automatic Whitelist keeps rebooting all RAP

    Posted Mar 27, 2014 01:25 PM

    Thanks all for the answers.

    I have two problems with this scenario:

     

    1) On ClearPass 6.3 the Activate connection doesn't work. The Endpoint Database is not updated at all. Only restarting "Async network services" under Service Control on the Publisher of the Cluster will trigger the retrieval from the Activate Service; otherwise the database is not being updated. Also, even though I have the Activate Connection under Endpoint Context Server with a device filter to retrieve only RAP devices, CPPM is getting a lot more devices than I want, so definitely there is an issue here.

     

    2) I might be doing something wrong but the AP needs to terminate the IPsec tunnel to the controller at the initial provisioning, otherwise the AP won't be able to connect and the IPsec session won't be completed.

     

     

    Regards,

    Antonio




  • 7.  RE: Automatic Whitelist keeps rebooting all RAP

    Posted Mar 27, 2014 11:58 PM

    Hi Antonio,

     

    1) Clearpass will sync the whitelist every 60 minutes by default.  If the Endpoint db is not getting updated, I would suggest opening a case to investigate further.  Can you elaborate more on what is a lot more?  When Activate service is enabled in Clearpass, there is some basic filtering to pick up RAP*,IAP*.  Even without the filter, if you are getting more devices, it is okay, Clearpass is designed to handle many entries.

     

    2)  I missed out one piece of info that may be important.  The controller needs to be running AOS 6.3.1 or better.  The termination should work.

     

    Regards,

     -michael



  • 8.  RE: Automatic Whitelist keeps rebooting all RAP

    Posted Mar 28, 2014 06:10 AM

    Hi Michael

    I already have a case with TAC as this is very important to elaborate the zero touch scenario. What I mean by a lot more is that for testing I have 20 RAPs, and even with the filter to retrieve just RAP* units, CPPM has received about 800 more.

    My pair of controllers are running 6.3.1.2

     

    Regards,

    Antonio



  • 9.  RE: Automatic Whitelist keeps rebooting all RAP
    Best Answer

    Posted Mar 31, 2014 05:31 PM

    Issue is fixed now.

    Basically a missing configuration on the controller, based on the assumption that a RAP AP didn't need any IAP configuration.

    When the AP boots from factory it boots as IAP, so in order to be authorized I needed the below entry as well:

     

    aaa authentication vpn "default-iap"
       server-group "cppm"

     

     

    Thanks all for your support and feedback

    Antonio