Controllerless Networks

I was trying to test and validate the IAP-345 hardware I received as part of various initatives.

 

However, much to my surprise, the IAP-345 decided to "see" my existing corporate IAP VC, tell me that it was pre-empted in the master election by my existing VC, and then lock itself into a slave role with no option for me to intervene.

 

I've also verified that my existing corporate IAP cluster has auto-join turned off.

 

I need to vet this hardware, test migrations to Aruba Central, and numerous other tasks.  How can I get this thing to create it's own independent cluster like I expect it to?

To my knowledge, this wasn't an issue before InstantOS 8.3.

Hi,

 

can you put it into a separated VLAN?

Not sure, if truning auto-join soved this in the past.

Seperate VLAN should.

 

Bye,

 

JH

Hi Jö,

 

I cannot put these on another vlan due to security requirements.  I have not had this issue prior to 8.3. 

If you need to run this as a single entity in the same VLAN, convert the IAP into a standlone mode. 

Hi zalion0,

 

Can this be done pre-boot? 

 

Right now I have to connect this IAP to my network to get it to come up properly, even in a default state (due to requiring internet access).

 

EDIT: This can be done after boot when the IAP is in a slave role. Thats good I guess.

 

I'll give it a shot, but something a bit more programmatic than "Login and convert it" is desirable.  I'm about to have a bunch of these, having to do this each time is going to lengthen my provisioning cycle immensely.  

 

This feels exactly like when Instant was first introduced and I had to "convert" all my "new" APs to campus APs.  Now I'm doing it again, just another direction. 

Hey, I saw your edit :) That's good, has it resolved the issue?  Obviously you will have the configuration downloaded from the VC cluster which may or may not be beneficial. 

If you don't have a separate VLAN, I believe the only way you could achieve this would be to assign the IAP a static IP on a local network (such as your laptop/POE external source), convert it to standalone, remove the static IP then plug back into your L2 domain.

How would I ensure that the existing configs do not sync to this device prior to me being able to convert it to standalone?

 

Also, why is my existing, non-compatible IAP cluster syncing it's config to a device when auto-join is disabled.  Isn't turning off auto-join supposed to prevent another AP from acquiring that config?

So conversion to a "standalone" Instant worked, however now I cannot login.  

 

My SE mentioned that something or another may be blocked during provisioning and the release notes for 8.3 reveal nothing as to what these new credentials might be.

 

I've tried the following:

admin/admin

admin/instant

admin/password

admin/arubanetworks123

admin/aruba123

Have you tried the existing VC password? You advised the new AP successfully joined the existing VC cluster correct? So it would've downloaded the configuration.

That's probably my miscommunication.

 

It never actually joined the cluster.  It got far enough to consider itself a slave to my existing 205 VC and that's where it all stopped.  

 

I've seen this behavior before when an IAP with a incompatible firmware version attempts to join a cluster. You'll see it appear in the APs list (though again, why it's doing this while autojoin is disabled is kinda sketchy) but it will never sync firmware or fully sync it's config.

 

I did check the local password I had for my cluster, it didn't function.  I just didn't list it as, well, internal passwords. 

I've had a quick think and you maybe able to complete the following if you cannot gain access to the CLI for whatever reason.

 

- Remove IAP from network.

- Power with POE source

- Factory Reset IAP

- Set a static IP

- Access SetMeUp SSID

- Convert into Standalone Mode

- Reboot

- Remove static IP.

- Plug back into original VLAN.

Update.

 

I went with the work-around mentioned above and set up what amounts to be a local network with internet access.

 

I was able to successfully default the AP and gain access.

 

However, as soon as I set the region code it kicked me out and now I can't login...again.

 

The 8.3 guide didn't reveal much either. 

That is odd. Can you remove the Internet access for the IAP? I am wondering if it is attempting to connect to Activate/Central.

<macaddy># swarm-mode standalone
CLI's management authentication settings have been changed. Your login credentials are now being re-checked...
Your credentials are no longer valid, you are being logged out. Please login again with the up-to-date username and password.

It might be, I'm digging around in my Central instance presently.

Will update if I find anything.

Good idea! Keep us posted.

Ok, 

 

So ultimately it's not reporting into central or managed by central at the present time.  

 

I'm still googling like mad trying to find out what changed my default credentials so I can get into this IAP, give it a config, attach it to central, import said config, and validate what I'm trying to validate.

I'm in the process of peeling out anything I can find of this AP from Central just in case.

 

Educated Guess: Do you think it was just coincidence that the credentials changed just as I set a region code?  I suspect there was a background process that was, in all liklihood, trying to talk with Central.

Have you tried resetting the AP back to factory default via console?



Thank you

Victor Fabian

Pardon typos sent from Mobile

Central was the cause of my headaches. 

Between automatic device enrollment, activate automatically syncing my APs, and various other things.  My AP was kinda in Central, but that kinda was enough to start modifying values on the AP.

 

 

I removed the device license, all it's service licenses, turned off automatic device enrollment.  Then I rebooted the AP, factory defaulted the AP, and let it boot again.  I then logged in and converted it to Standalone (this is a less than optimal step in this process.  It rebooted again, came up, and I was able to login to it.  

It looks like it should, and acts like it should at this point.

 

I've got to say though, this is a heinous set of steps just to test and configure one AP from my desk. 

 

I'll have to get this device configured and re-attached to Central.  Hopefully it maintains it's static IPs and config integrity in the process.

Thanks for the help!

Try using a different management VLAN for the new cluster/IAP345 and reset the new AP



Thank you

Victor Fabian

Pardon typos sent from Mobile

Hi Victor,

 

That's what I tried originally only to be told I should put the IAP on a network apart from my existin cluster.  I did this and was able to get the IAP to act as I would expect an out-of-box IAP to act.

 

However, regardless of what vlan it's on, I still have no idea what the "updated" credentials are when moving it into a standalone mode.