Controllerless Networks

Error: Role 'authenticated' is Unknown and Assigned VLAN XX is not configured, using default VLAN 0

  • 1.  Error: Role 'authenticated' is Unknown and Assigned VLAN XX is not configured, using default VLAN 0

    Posted Mar 31, 2020 12:55 PM

    Hello,

    We have an Aruba 7030 controller, using an SSID with 802.1X and other SSIDs with captive portal provided by a pfSense.

    I have two doubts: one about the output of the command "show profile-errors" and the other about information present in the log saying Assigned VLAN XX is not configured, using default VLAN 0.

    The output of the show profile-errors command

    Invalid Profiles
    ----------------
    Profile                                              Error
    -------                                              -----
    aaa profile "default-dot1x"                          Error: Role 'authenticated' is Unknown
    aaa profile "default-mac-auth"                       Error: Role 'authenticated' is Unknown
    aaa authentication via connection-profile "default"

    I already tried to edit, change any information in these profiles, but the message when saved is: "Error processing command 'aaa profile" default-dot1x "dot1x-server-group" default "': Error: Role 'authenticated' is Unknown."

    I don't know if this is a problem or not. Does anyone know how to inform me?

    The other situation, is the log that shows several outputs:

    Mar 31 14:39:42 authmgr [4005]: <522028> <4632> <WARN> | authmgr | MAC = XXXXXXX Assigned VLAN XX is not configured, using default VLAN 0
    Mar 31 14:39:44 authmgr [4005]: <522028> <4632> <WARN> | authmgr | MAC = XXXXXXX Assigned VLAN XY is not configured, using default VLAN 0
    Mar 31 14:39:45 authmgr [4005]: <522028> <4632> <WARN> | authmgr | MAC = XXXXXXX Assigned VLAN XX is not configured, using default VLAN 0
    Mar 31 14:39:47 authmgr [4005]: <522028> <4632> <WARN> | authmgr | MAC = XXXXXXX Assigned VLAN XY is not configured, using default VLAN 0

    I also don't know if it's a problem that may be affecting something or not. Can someone help me with this information?

    Thanks



  • 2.  RE: Error: Role 'authenticated' is Unknown and Assigned VLAN XX is not configured, using default VLAN 0

    Posted Mar 31, 2020 01:51 PM
    Do you have PEF (firewall licenses) installed? In order to make changes to the roles you will need the PEF license.


  • 3.  RE: Error: Role 'authenticated' is Unknown and Assigned VLAN XX is not configured, using default VLAN 0

    Posted Mar 31, 2020 03:29 PM

    Disabled 


    Policy Enforcement Firewall DISABLED
    Auto Radio Resource Alloc ENABLED

    This error does not cause any problem, right?

     

     



  • 4.  RE: Error: Role 'authenticated' is Unknown and Assigned VLAN XX is not configured, using default VLAN 0

    EMPLOYEE
    Posted Mar 31, 2020 04:58 PM

    What AOS version are you running?

     

    As mentioned, without a PEF license installed, you won't be able to edit user roles. Can you provide more information about your setup and what you're trying to accomplish? You mention using a pfsense firewall for captive portal in your original post. Is it trying to interact with the controller via RADIUS in any fashion?



  • 5.  RE: Error: Role 'authenticated' is Unknown and Assigned VLAN XX is not configured, using default VLAN 0

    EMPLOYEE
    Posted Mar 31, 2020 04:59 PM

    One more thing, can you paste the output from "show rights" on your controller? That will list the user roles available in the current configuration.



  • 6.  RE: Error: Role 'authenticated' is Unknown and Assigned VLAN XX is not configured, using default VLAN 0

    Posted Apr 01, 2020 06:45 AM

    Thanks for the answer

    OS Version: 6.5.4.6

     

    I have two SSIDs, one using XX with 802.1X (using RADIUS on another server). I created a new AAA profile with the authentication server and it works great, but in the default profile default-dot1x, I can't make any changes to remove the error. And I have another SSID XY, open via captive portal provided by pfSense. Everything is working OK.

    I don't know if the profile errors and the warnings of the vlans are causing some kind of problem that I don't know about.

     

    #show rights

    RoleTable
    ---------
    Name                   ACL  Bandwidth                  ACL List                                 Type
    ----                   ---  ---------                  --------                                 ----
    ap-role                7    Up: No Limit,Dn: No Limit                                           System
    cpbase                 24   Up: No Limit,Dn: No Limit  cpbase/                                  User
    default-iap-user-role  11   Up: No Limit,Dn: No Limit  allowall/                                User
    denyall                22   Up: No Limit,Dn: No Limit  denyall/                                 User
    guest                  5    Up: No Limit,Dn: No Limit  global-sacl/,apprf-guest-sacl/           User
    guest-logon            10   Up: No Limit,Dn: No Limit                                           User
    logon                  2    Up: No Limit,Dn: No Limit                                           User
    stateful-dot1x         8    Up: No Limit,Dn: No Limit  global-sacl/,apprf-stateful-dot1x-sacl/  System
    switch-logon           14   Up: No Limit,Dn: No Limit  switch-logon-acl/                        System
    sys-ap-role            12   Up: No Limit,Dn: No Limit  sys-control/,sys-ap-acl/                 System (not editable)
    sys-switch-role        13   Up: No Limit,Dn: No Limit  sys-control/,sys-switch-acl/             System

     

     

    thanks

     



  • 7.  RE: Error: Role 'authenticated' is Unknown and Assigned VLAN XX is not configured, using default VLAN 0

    EMPLOYEE
    Posted Apr 01, 2020 08:55 AM

    Looks like you don't have a PEF license. You can confirm this by checking "show license". You will only see the AP license.

     

    If you want to use the firewall on the controller, you will need PEF licenses.



  • 8.  RE: Error: Role 'authenticated' is Unknown and Assigned VLAN XX is not configured, using default VLAN 0

    Posted Apr 01, 2020 10:32 AM

    Yes I know, I don't want to use a firewall, my question is whether this profile error and the vlan warning, may be affecting something I don't know.



  • 9.  RE: Error: Role 'authenticated' is Unknown and Assigned VLAN XX is not configured, using default VLAN 0

    EMPLOYEE
    Posted Apr 01, 2020 11:03 AM

    We would need to see more of the controller config to state with confidence whether the profile errors are causing issues, but I would assume they are at this point until proven otherwise.

     

    Also understand that you don't want to use the controller as a firewall, but the PEF license controls whether user roles can be edited/created, which is related to your question.

     

    Lastly, I don't normally suggest doing a code update just because you've run into an issue, but 6.5.4.6 is rather old code that was released before the 6.5.4 software train obtained the Conservative Release status. I would recommend upgrading to the latest (6.5.4.16) to ensure all identified fixes have been rolled in. I don't have the specific bug id, but I seem to remember an issue in earlier 6.5 code that wanted to change dot1x profiles when doing a PSK network, and I see those config remnants in my lab config. An upgrade and reconfiguration of the SSID(s) to remove the profile errors could help.


    @AAS wrote:

    Yes I know, I don't want to use a firewall, my question is whether this profile error and the vlan warning, may be affecting something I don't know.


     



  • 10.  RE: Error: Role 'authenticated' is Unknown and Assigned VLAN XX is not configured, using default VLAN 0

    Posted Apr 01, 2020 12:06 PM

    Thanks cclemmer for your help.

     

    Can I update version 6.5.4.6 directly to 6.5.4.16, or do I need to install some intermediary?



  • 11.  RE: Error: Role 'authenticated' is Unknown and Assigned VLAN XX is not configured, using default VLAN 0

    EMPLOYEE
    Posted Apr 01, 2020 12:28 PM

    You can upgrade directly. As a best practice, we recommend making a flashbackup prior to upgrading, in order to have the most options available if you should need to roll back for any reason.



  • 12.  RE: Error: Role 'authenticated' is Unknown and Assigned VLAN XX is not configured, using default VLAN 0

    Posted Apr 01, 2020 02:59 PM

    Thanks.

     

    OS version: 6.5.4.16 - updated

     

    I inserted the Policy Enforcement Firewall license again, so I can edit and fix the profile error. It worked.

     

    #show profile-errors

    Invalid Profiles
    ----------------
    Profile Error
    ------- -----
    aaa authentication via connection-profile "default"

     

    But now I can't disable the Policy Enforcement Firewall.

    Policy Enforcement Firewall ENABLED

     

    I already removed the license but it is still ENABLED. Do I have to reboot the controller?

     

     

     



  • 13.  RE: Error: Role 'authenticated' is Unknown and Assigned VLAN XX is not configured, using default VLAN 0

    EMPLOYEE
    Posted Apr 01, 2020 04:11 PM

    Yes, you would need to reboot the controller to disable functionality that was previously enabled.

     

    This process concerns me though, we should not have needed to add the PEF license in addition to doing the upgrade to resolve the issue. If changes were made that depended on the PEF license being there, when you delete the license and reboot ... those changes will be removed from the config. If you have a PEF license available for the controller, why is it now being removed?



  • 14.  RE: Error: Role 'authenticated' is Unknown and Assigned VLAN XX is not configured, using default VLAN 0

    Posted Apr 01, 2020 04:15 PM

    I don't want to use it. Is there any way to disable this feature while keeping the license?



  • 15.  RE: Error: Role 'authenticated' is Unknown and Assigned VLAN XX is not configured, using default VLAN 0

    EMPLOYEE
    Posted Apr 01, 2020 04:26 PM

    To be clear, the Policy Enforcement Firewall (PEF) license provides two things: the stateful firewall option of course, but also the ability to create custom user roles and policy profiles.

     

    It is possible to have the PEF license installed and active simply to make use of the custom profiles. These profiles might perform VLAN steering (override the Virtual-AP's default VLAN assignment, etc). The policy does not need to apply any stateful firewall.

     

    Again, I haven't seen your configuration so I can't make definitive statements about how your system will behave, but having enabled the license in order to get a configuration to be accepted and not throw any profile errors, removing the license afterwards could cause unforeseen issues. 



  • 16.  RE: Error: Role 'authenticated' is Unknown and Assigned VLAN XX is not configured, using default VLAN 0

    Posted Apr 01, 2020 04:38 PM

    OK Charlie, I got it. Thank you for all this information.

     

    Regarding these messages in the controller log about the vlans below, do you have any idea what it might be?

     

    Apr 1 16:39:07 authmgr[4031]: <522028> <4660> <WARN> |authmgr| MAC=XXXXXX Assigned VLAN YYY is not configured, using default VLAN 0
    Apr 1 16:39:09 authmgr[4031]: <522028> <4660> <WARN> |authmgr| MAC=XXXXXX Assigned VLAN YYZ is not configured, using default VLAN 0
    Apr 1 16:39:10 authmgr[4031]: <522028> <4660> <WARN> |authmgr| MAC=XXXXXX Assigned VLAN YYY is not configured, using default VLAN 0
    Apr 1 16:39:10 authmgr[4031]: <522028> <4660> <WARN> |authmgr| MAC=XXXXXX Assigned VLAN XXX  is not configured, using default VLAN 0



  • 17.  RE: Error: Role 'authenticated' is Unknown and Assigned VLAN XX is not configured, using default VLAN 0

    EMPLOYEE
    Posted Apr 01, 2020 05:28 PM

    How are the SSID(s) configured that users are connecting to? Is there mac authentication taking place, or 802.1X, or some other authentication mechanism?

     

    It appears something is trying to return an attribute to move a user to a different VLAN that does not exist on this controller. That move is being ignored and the log message is created. As long as the users are connecting to the VLAN(s) you expect, their connectivity is fine, but you'll want to investigate why these attributes are being returned to the controller and correct the behavior.

     

    If you do a "show vlan", do you see the vlans that are referenced in the logs? I suspect not, and that the authentication method referenced above will be the clue where those are coming from.


    @AAS wrote:

    OK Charlie, I got it. Thank you for all this information.

     

    Regarding these messages in the controller log about the vlans below, do you have any idea what it might be?

     

    Apr 1 16:39:07 authmgr[4031]: <522028> <4660> <WARN> |authmgr| MAC=XXXXXX Assigned VLAN YYY is not configured, using default VLAN 0
    Apr 1 16:39:09 authmgr[4031]: <522028> <4660> <WARN> |authmgr| MAC=XXXXXX Assigned VLAN YYZ is not configured, using default VLAN 0
    Apr 1 16:39:10 authmgr[4031]: <522028> <4660> <WARN> |authmgr| MAC=XXXXXX Assigned VLAN YYY is not configured, using default VLAN 0
    Apr 1 16:39:10 authmgr[4031]: <522028> <4660> <WARN> |authmgr| MAC=XXXXXX Assigned VLAN XXX  is not configured, using default VLAN 0


     



  • 18.  RE: Error: Role 'authenticated' is Unknown and Assigned VLAN XX is not configured, using default VLAN 0

    Posted Apr 02, 2020 08:35 AM

    I have in this WARN both 802.1X and SSID open with captive portal.

     

    The command show vlan, I don't really see the vlans. Only the controller management vlan is configured. The other vlans, are configured in the WLANs going straight to the switches that have these vlans.

     

    Do I need to have these vlans configured on the controller? 'Cause the communication is working, I don't know if this may be causing any problems.



  • 19.  RE: Error: Role 'authenticated' is Unknown and Assigned VLAN XX is not configured, using default VLAN 0

    EMPLOYEE
    Posted Apr 02, 2020 10:08 AM

    Okay, so the WLANs are configured to use VLANs that aren't present on the controller ... so the errors are likely not related to RADIUS responses but simply to the configuration.

     

    The wireless clients are working because the controller is placing the users into the management VLAN since the other VLANs aren't configured. If you look at "show users" from the CLI, you will likely see all of your 802.1X and captive portal users having IP addresses that match the management VLAN.


    @AAS wrote:

    I have in this WARN both 802.1X and SSID open with captive portal.

     

    The command show vlan, I don't really see the vlans. Only the controller management vlan is configured. The other vlans, are configured in the WLANs going straight to the switches that have these vlans.

     

    Do I need to have these vlans configured on the controller? 'Cause the communication is working, I don't know if this may be causing any problems.


     



  • 20.  RE: Error: Role 'authenticated' is Unknown and Assigned VLAN XX is not configured, using default VLAN 0

    Posted Apr 02, 2020 03:58 PM

    Do I need to have all vlans configured on the WLANs on the controller as well?

     

    I have static vlans for captive portal, and dynamic vlans for 802.1x.

     

    User requests authentication - - - - freeradius + mysql
    table radreply: parameters

     

    Username   attribute                 op   value
    Username   Tunnel-Type               :=   VLAN
    Username   Tunnel-Medium-Type        :=   IEEE-802
    Username   Tunnel-Private-Group-ID   :=   XXX

     

    I have other controllers from different manufacturers and these parameters in the database work. I don't think it's working well in Aruba.

     

    In the other controllers there is a checkbox to enable dynamic vlan, I did not find it in Aruba, I thought it identified the attribute in the radius automatically.

     

    Although when I run the command: show user, some users are being redirected to the correct vlan, but others are not.

     

    - Is there an option to enable dynamic vlan on the controller? Is the attribute correct?

     

    And the vlans that are static, I add where on the controller to not show the warning anymore?

     

    Thanks a lot



  • 21.  RE: Error: Role 'authenticated' is Unknown and Assigned VLAN XX is not configured, using default VLAN 0

    EMPLOYEE
    Posted Apr 02, 2020 04:51 PM

    The VLAN needs to be configured on the controller in order to be accessible for users. There isn't the notion of dynamic VLANs where the Radius server can return an attribute that isn't configured on the controller, and have the user take that VLAN. Without the user VLANs being configured, you'll get the errors you're seeing.

     


    @AAS wrote:

    Do I need to have all vlans configured on the WLANs on the controller as well?
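
The check discussed in posts 17 through 21, as an added example that is not part of the original thread or of any Aruba tooling: it parses authmgr message 522028 in both spacings shown above and reports which assigned VLANs are missing from the controller and which clients fell back to the default VLAN. The MAC addresses, VLAN numbers and the two input sets (VLANs typed in from "show vlan", VLANs listed in radreply) are constructed assumptions.

```python
import re
from collections import defaultdict

# Matches authmgr message 522028 in both spacings seen in the thread
# ("| authmgr | MAC = x" and "|authmgr| MAC=x").
FALLBACK_RE = re.compile(
    r"<522028>.*?MAC\s*=\s*(?P<mac>\S+)\s+Assigned VLAN\s+(?P<vlan>\d+)\s+"
    r"is not configured, using default VLAN\s+(?P<default>\d+)"
)

# Constructed sample log lines (not taken from a real controller).
SAMPLE_LOG = [
    "Mar 31 14:39:42 authmgr [4005]: <522028> <4632> <WARN> | authmgr | "
    "MAC = 02:00:00:aa:00:01 Assigned VLAN 20 is not configured, using default VLAN 0",
    "Apr 1 16:39:07 authmgr[4031]: <522028> <4660> <WARN> |authmgr| "
    "MAC=02:00:00:AA:00:02 Assigned VLAN 30 is not configured, using default VLAN 0",
    "Apr 1 16:39:09 authmgr[4031]: <522028> <4660> <WARN> |authmgr| "
    "MAC=02:00:00:aa:00:01 Assigned VLAN 20 is not configured, using default VLAN 0",
    "Apr 1 16:39:10 authmgr[4031]: unrelated constructed line",
]


def parse_fallbacks(log_lines):
    """Return {assigned_vlan: set(macs)} for every VLAN-fallback warning."""
    by_vlan = defaultdict(set)
    for line in log_lines:
        m = FALLBACK_RE.search(line)
        if m:
            by_vlan[int(m.group("vlan"))].add(m.group("mac").lower())
    return dict(by_vlan)


def audit(log_lines, configured_vlans, radius_vlans):
    """Classify each VLAN in the warnings by where the assignment likely came from."""
    report = {}
    for vlan, macs in sorted(parse_fallbacks(log_lines).items()):
        if vlan in configured_vlans:
            source = "stale log entry (VLAN now configured)"
        elif vlan in radius_vlans:
            source = "RADIUS Tunnel-Private-Group-ID"
        else:
            source = "WLAN/virtual-AP configuration"
        report[vlan] = {"source": source, "clients": sorted(macs)}
    return report


if __name__ == "__main__":
    # Assumed inputs: only VLAN 1 exists on the controller; radreply returns VLAN 30.
    for vlan, info in audit(SAMPLE_LOG, {1}, {30}).items():
        print(f"VLAN {vlan}: {info['source']}; clients on default VLAN: {info['clients']}")
```

Every client listed is one that authenticated successfully but was not placed in its intended segment, so the report doubles as a list of VLANs to create on the controller.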

     


     



  • 22.  RE: Error: Role 'authenticated' is Unknown and Assigned VLAN XX is not configured, using default VLAN 0

    Posted Apr 03, 2020 12:53 PM

    Thanks Charlie, you help me a lot.

     

    I added the vlans on the controller and it worked

     

     

    Thanks



  • 23.  RE: Error: Role 'authenticated' is Unknown and Assigned VLAN XX is not configured, using default VLAN 0
    Best Answer

    EMPLOYEE
    Posted Apr 03, 2020 02:47 PM

    Good deal, glad to be able to help resolve this!

     


    @AAS wrote:

    Thanks Charlie, you help me a lot.

     

    I added the vlans on the controller and it worked

     

     

    Thanks