Debugging Instant DUR issue

Aruba Instant 8.7.0

CPPM 6.9.1

 

3-AP Instant cluster of 303Hs

 

Have already got DUR working on a 2930 switch; thought I'd try Instant before looking at the mobility controller.

 

Get the following on the Instant master controller

 

show download-role local

Downloadable Role from CPPM
---------------------------
Role State Refcount Deprecated
---- ----- -------- ----------
ND_eduroam_user_DUR-3163-6 Error 0 No

 

Here are some details

 

authentication server

wlan ssid-profile eduroam
auth-server cppmnd.sharaz.info
....
download-role

 

wlan auth-server cppmnd.sharaz.info
ip cppmnd.sharaz.info
port 1812
acctport 1813
key <shared key>
nas-ip 192.168.1.20
rfc5997 auth-only
rfc3576
cppm-rfc3576-port 5999
service-type-framed-user 1x
service-type-framed-user mac
cppm username getcppmroles password <carefully typed password>

On ClearPass, create profile eduroam-user-dur

wlan access-rule eduroam-user-dur
rule any any match any any any permit

 

show clearpassca

gives

 

Default clearpass CA Certificate:
Version :2
Serial Number :44AFB080D6A327BA893039862EF8406B
Issuer :/O=Digital Signature Trust Co./CN=DST Root CA X3
Subject :/O=Digital Signature Trust Co./CN=DST Root CA X3
Issued On :Sep 30 21:12:19 2000 GMT
Expires On :Sep 30 14:01:15 2021 GMT
RSA Key size :2048 bits
Signed Using :RSA-SHA1

 

which is correct as I'm using Let's Encrypt for the ClearPass HTTP cert

NTP time sync is correct; both the APs and CPPM use the same NTP source.


show download-role local

Downloadable Role from CPPM
---------------------------
Role State Refcount Deprecated
---- ----- -------- ----------
ND_eduroam_user_DUR-3163-6 Error 0 No

 

show log security gives

Jul 10 10:59:37 stm[6772]: <199802> <ERRS> |AP Kitchen@192.168.1.12 stm| auth_cppm_fsm.c, ac_afsm_rreq_timer_cb:255: Dldb Role ND_eduroam_user_DUR-3163-5: Role request to CPPM failed, cfg_sz=0
Jul 10 11:05:42 stm[6772]: <199802> <ERRS> |AP Kitchen@192.168.1.12 stm| auth_cppm_api.c, auth_curl_perform:126: Dldb Role ND_eduroam_user_DUR-3163-6: Curl response with HTTP code: 0
Jul 10 11:05:42 stm[6772]: <199802> <ERRS> |AP Kitchen@192.168.1.12 stm| auth_cppm_api.c, auth_curl_perform:133: Dldb Role ND_eduroam_user_DUR-3163-6: Curl peer verification fine
Jul 10 11:06:12 stm[6772]: <199802> <ERRS> |AP Kitchen@192.168.1.12 stm| auth_cppm_api.c, auth_curl_perform:126: Dldb Role ND_eduroam_user_DUR-3163-6: Curl response with HTTP code: 0
Jul 10 11:06:12 stm[6772]: <199802> <ERRS> |AP Kitchen@192.168.1.12 stm| auth_cppm_api.c, auth_curl_perform:133: Dldb Role ND_eduroam_user_DUR-3163-6: Curl peer verification fine
Jul 10 11:06:12 stm[6772]: <124830> <ERRS> |AP Kitchen@192.168.1.12 stm| Dldb Role ND_eduroam_user_DUR-3163-6: Users dequeued, role in incomplete state
Jul 10 11:06:12 stm[6772]: <199802> <ERRS> |AP Kitchen@192.168.1.12 stm| auth_cppm_fsm.c, ac_afsm_rreq_timer_cb:255: Dldb Role ND_eduroam_user_DUR-3163-6: Role request to CPPM failed, cfg_sz=0

 

CPPM sends back the following in the Aruba-CPPM-Role attribute in the Access-Accept:

Radius:Aruba:Aruba-CPPM-Role ND_eduroam_user_DUR-3163-6
wlan access-rule eduroam-user-dur
rule any any match any any any permit
Radius:IETF:Acct-Interim-Interval 900
Radius:IETF:Session-Timeout 3600
Radius:IETF:Termination-Action 1
Status-Update:Endpoint Known

 

 

Admin/Users/Admin Users

 

has

getcppmroles "User Role Getter" Read-only Administrator Enabled

Password typed in really, really carefully.


Re: Debugging Instant DUR issue

Remove the other attributes. You should only be returning the role.

Re: Debugging Instant DUR issue

Nope, doesn't make a difference. Changed it so that it only sends back Aruba-CPPM-Role.

 

Everything seems to work until there's a role fetch (?)

 

Jul 10 16:04:40 stm[6722]: <121031> <DBUG> |AP Spare Room@192.168.1.11 stm| |aaa| [rc_request.c:65] Del Request: id=51, srv=192.168.1.12, fd=21
Jul 10 16:04:40 stm[6722]: <121050> <DBUG> |AP Spare Room@192.168.1.11 stm| in rc_aal.c(server_cbh),auth result = 0, with user name = 5a:bc:7f:4c:ef:ec
Jul 10 16:04:40 stm[6722]: <124004> <DBUG> |AP Spare Room@192.168.1.11 stm| SAE pairwise key mesg2 MIC for client 5a:bc:7f:4c:ef:ec : (16): 36 b6 94 9d 64 bd a3 93 4c 2a 95 9a 9b 12 a4 45
Jul 10 16:04:40 stm[6722]: <124839> <DBUG> |AP Spare Room@192.168.1.11 stm| Dldb Role eduroam_user_dur-3163-15: Timer type 4 expired

elated pmkcache
Jul 10 16:04:40 stm[6722]: <124838> <DBUG> |AP Spare Room@192.168.1.11 stm| Dldb Role eduroam_user_dur-3163-15: Start timer type role clean(4) duration 100
Jul 10 16:04:40 stm[6722]: <124004> <DBUG> |AP Spare Room@192.168.1.11 stm| Dldb Role eduroam_user_dur-3163-15: remove role
Jul 10 16:04:40 stm[6722]: <124854> <DBUG> |AP Spare Room@192.168.1.11 stm| Dldb Role eduroam_user_dur-3163-15: Role sucessfully destroyed
Jul 10 16:05:10 stm[6722]: <124839> <DBUG> |AP Spare Room@192.168.1.11 stm| Dldb Role eduroam_user_dur-3163-16: Timer type 1 expired
Jul 10 16:05:10 stm[6722]: <199802> <ERRS> |AP Spare Room@192.168.1.11 stm| auth_cppm_api.c, auth_curl_perform:126: Dldb Role eduroam_user_dur-3163-16: Curl response with HTTP code: 0
Jul 10 16:05:10 stm[6722]: <199802> <ERRS> |AP Spare Room@192.168.1.11 stm| auth_cppm_api.c, auth_curl_perform:133: Dldb Role eduroam_user_dur-3163-16: Curl peer verification fine
Jul 10 16:05:10 stm[6722]: <124850> <DBUG> |AP Spare Room@192.168.1.11 stm| Dldb Role eduroam_user_dur-3163-16: Dequeue pending users, total enqueued 1
Jul 10 16:05:10 stm[6722]: <124830> <ERRS> |AP Spare Room@192.168.1.11 stm| Dldb Role eduroam_user_dur-3163-16: Users dequeued, role in incomplete state
Jul 10 16:05:10 stm[6722]: <124837> <DBUG> |AP Spare Room@192.168.1.11 stm| Dldb Role eduroam_user_dur-3163-16: Curl cleanup done for role request
Jul 10 16:05:10 stm[6722]: <199802> <ERRS> |AP Spare Room@192.168.1.11 stm| auth_cppm_fsm.c, ac_afsm_rreq_timer_cb:255: Dldb Role eduroam_user_dur-3163-16: Role request to CPPM failed, cfg_sz=0
Spare Room#

Re: Debugging Instant DUR issue

... and it works!

 

although it might have been a case of "Switch it off and on again" :-(

 

Noticed the Instant AP in my cluster wouldn't respond to pings and I couldn't log onto it.

Changed it for another AP and, although I could log on, it still exhibited the same issue.

 

Ran show summary support and noticed that, in addition to my IPv4 DNS entry, there were two IPv6 addresses being handed out by my broadband router.

 

Disabled IPv6 management of the Instant cluster, disabled advertising of IPv6 DNS servers (one of them had died) and rebooted the cluster ... and it all sprang into life!

 

Next step is to reinstate the IPv6 (minus the bad DNS server) and check it still works.

 

The interesting thing was that nowhere in the GUI did it mention it was using the IPv6 DNS servers; everything had IPv4 ones assigned.

 

A
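The stm log lines quoted in the first two posts carry three separate pieces of evidence per role fetch (the curl HTTP code, the TLS peer-verification result and the final cfg_sz), and the last post shows the root cause was name resolution over a dead IPv6 DNS server rather than TLS trust or the API credentials. The script below is an added example written for this thread; it is not Aruba or ClearPass code. It parses `show log security` output into per-role evidence, applies a triage rule set that is my reading of those messages (HTTP code 0 with "peer verification fine" means the HTTPS request never got an answer, which points at DNS or reachability), and adds a small helper that resolves the CPPM FQDN over IPv4 and IPv6 separately so a broken AAAA path shows up on its own. The sample log lines are copied from the thread; the hostname `cppmnd.sharaz.info` is the one from the OP's config.

```python
"""Triage Aruba Instant downloadable-user-role (DUR) fetch failures from
'show log security' output. Added example for this thread, not vendor code.
The verdict rules are the author's reading of the quoted log messages."""
import re
import socket

# Constructed sample: stm lines quoted in the thread for one role fetch.
SAMPLE_LOG = """\
Jul 10 16:04:40 stm[6722]: <121050> <DBUG> |AP Spare Room@192.168.1.11 stm| in rc_aal.c(server_cbh),auth result = 0, with user name = 5a:bc:7f:4c:ef:ec
Jul 10 16:05:10 stm[6722]: <199802> <ERRS> |AP Spare Room@192.168.1.11 stm| auth_cppm_api.c, auth_curl_perform:126: Dldb Role eduroam_user_dur-3163-16: Curl response with HTTP code: 0
Jul 10 16:05:10 stm[6722]: <199802> <ERRS> |AP Spare Room@192.168.1.11 stm| auth_cppm_api.c, auth_curl_perform:133: Dldb Role eduroam_user_dur-3163-16: Curl peer verification fine
Jul 10 16:05:10 stm[6722]: <124830> <ERRS> |AP Spare Room@192.168.1.11 stm| Dldb Role eduroam_user_dur-3163-16: Users dequeued, role in incomplete state
Jul 10 16:05:10 stm[6722]: <199802> <ERRS> |AP Spare Room@192.168.1.11 stm| auth_cppm_fsm.c, ac_afsm_rreq_timer_cb:255: Dldb Role eduroam_user_dur-3163-16: Role request to CPPM failed, cfg_sz=0
"""

ROLE_RE = re.compile(r"Dldb Role (?P<role>\S+):")
HTTP_RE = re.compile(r"Curl response with HTTP code: (?P<code>\d+)")
PEER_RE = re.compile(r"Curl peer verification (?P<result>\w+)")
CFG_RE = re.compile(r"Role request to CPPM failed, cfg_sz=(?P<size>\d+)")
AUTH_RE = re.compile(r"auth result = (?P<result>\d+), with user name = (?P<user>\S+)")


def parse_dur_log(text):
    """Group the role-fetch evidence per Dldb role name."""
    roles = {}
    for line in text.splitlines():
        m = ROLE_RE.search(line)
        if not m:
            continue
        entry = roles.setdefault(m.group("role"), {
            "http_codes": [], "peer_verified": None, "cfg_size": None, "failed": False})
        h = HTTP_RE.search(line)
        if h:
            entry["http_codes"].append(int(h.group("code")))
        p = PEER_RE.search(line)
        if p:
            entry["peer_verified"] = p.group("result") == "fine"
        c = CFG_RE.search(line)
        if c:
            entry["cfg_size"] = int(c.group("size"))
            entry["failed"] = True
    return roles


def radius_auth_events(text):
    """RADIUS outcomes the AP logged before the role fetch (0 = accepted)."""
    return [(m.group("user"), int(m.group("result")))
            for m in (AUTH_RE.search(l) for l in text.splitlines()) if m]


def diagnose(roles):
    """Map each role's evidence to the next thing worth checking."""
    verdicts = {}
    for role, e in roles.items():
        codes = e["http_codes"]
        if 0 in codes and e["peer_verified"] is not False:
            # curl reports code 0 when no HTTP response arrived at all; TLS trust
            # is not the blocker, so the request never reached CPPM.
            verdicts[role] = ("no HTTP response from CPPM (curl code 0): check name resolution "
                              "of the CPPM FQDN from the AP, including any IPv6 DNS servers it "
                              "learned, and TCP/443 reachability")
        elif e["peer_verified"] is False:
            verdicts[role] = ("TLS peer verification failed: check the ClearPass CA, the "
                              "HTTPS certificate and NTP time sync")
        elif any(c in (401, 403) for c in codes):
            verdicts[role] = ("CPPM rejected the request (HTTP 401/403): check the "
                              "'cppm username/password' API account and its admin privilege")
        elif e["failed"]:
            verdicts[role] = ("role request failed (cfg_sz=%s): review the enforcement "
                              "profile and the full stm log" % e["cfg_size"])
        else:
            verdicts[role] = "no failure recorded for this role"
    return verdicts


def resolve_both_families(hostname):
    """Resolve the CPPM FQDN over IPv4 and IPv6 separately from this host, so a
    dead or missing AAAA path is reported on its own instead of as a timeout."""
    out = {}
    for label, family in (("ipv4", socket.AF_INET), ("ipv6", socket.AF_INET6)):
        try:
            infos = socket.getaddrinfo(hostname, 443, family, socket.SOCK_STREAM)
            out[label] = sorted({ai[4][0] for ai in infos})
        except socket.gaierror as exc:
            out[label] = "error: %s" % exc
    return out


if __name__ == "__main__":
    print("RADIUS:", radius_auth_events(SAMPLE_LOG))
    for role, verdict in diagnose(parse_dur_log(SAMPLE_LOG)).items():
        print(role, "->", verdict)
    print(resolve_both_families("cppmnd.sharaz.info"))  # hostname from the OP's config
```

Run it against the output of `show log security` saved from the AP; the resolver check runs from the machine you execute it on, so it tells you whether the FQDN resolves over each address family there, not what the AP's own (possibly IPv6-learned) resolvers return.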
