Controllerless Networks

Ever since we updated the firmware on our four IAP115 (one acting as the virtual controller) to firmware version 6.4.4.8-4.2.4.6_58505, it seems like occasionally users will be presented with an Aruba Networks certificate instead of the certificate being provided via EAP-TTLS on our external RADIUS server. After a while, it will fix itself and start presenting the correct cert to the user again.

We are piping the syslog from the controllers into a log correlation system we use and while the problem is happening, I am noticing radiusd on the APs crashing and restarting:

Apr 7 10:52:59 10.163.99.252 nanny[2002]: <303079> <ERRS> <10.163.99.252 18:64:72:C1:E7:E0> Restarted process /aruba/bin/radiusd-term, new pid 29032
Apr 7 10:52:59 10.163.99.252 nanny[2002]: <303074> <ERRS> <10.163.99.252 18:64:72:C1:E7:E0> Process /aruba/bin/radiusd-term [pid 29008] died: exited with 0x1
Apr 7 10:52:59 10.163.99.252 nanny[2002]: <303079> <ERRS> <10.163.99.252 18:64:72:C1:E7:E0> Restarted process /aruba/bin/radiusd, new pid 29031
Apr 7 10:52:59 10.163.99.252 nanny[2002]: <303074> <ERRS> <10.163.99.252 18:64:72:C1:E7:E0> Process /aruba/bin/radiusd [pid 29007] died: exited with 0x1

Apr 7 10:52:49 10.163.99.252 nanny[2002]: <303079> <ERRS> <10.163.99.252 18:64:72:C1:E7:E0> Restarted process /aruba/bin/radiusd-term, new pid 29008
Apr 7 10:52:49 10.163.99.252 nanny[2002]: <303074> <ERRS> <10.163.99.252 18:64:72:C1:E7:E0> Process /aruba/bin/radiusd-term [pid 28984] died: exited with 0x1
Apr 7 10:52:49 10.163.99.252 nanny[2002]: <303079> <ERRS> <10.163.99.252 18:64:72:C1:E7:E0> Restarted process /aruba/bin/radiusd, new pid 29007
Apr 7 10:52:49 10.163.99.252 nanny[2002]: <303074> <ERRS> <10.163.99.252 18:64:72:C1:E7:E0> Process /aruba/bin/radiusd [pid 28983] died: exited with 0x1

These are the only issues I could find in the logs coming from the access points. I checked for new firmware updates in the Maintenance settings, but we are on the newest one. I have not tried restarting the APs yet since it's a little difficult to do that while people are working. More just wondering if this is a known issue.

Thanks.

I would upgrade using the software on the Limited Lifetime Warranty page here:  http://support.arubanetworks.com/LifetimeWarrantySoftware/tabid/121/DMXModule/661/Default.aspx?EntryId=20388

We're already on the version that is the highest listed for General Availability. Do you mean we should try the Early Availability version 6.5? I'm not sure we want to go with something that isn't considered "stable".

Thanks.

You can open a TAC case to determine what your issue can be, so that you can get very specific troubleshooting information for you.  It is better that they advise you at this point.

Aruba Early Availability software has gone through full testing and should not be confused with beta software. In most cases, it is fine to go with the EA (called Standard Release going forward).

When reading your initial symptoms, please check in the Security tab if you might have enabled 'Authentication Survivability', as that could be a reason for presenting the internal certificate when your RADIUS server is unreachable. That also could be a reason why the radius on the AP is starting and stopping all the time. If turning off survivability solves your problem, please check the availability of your RADIUS as it seems unavailable from the Instant AP.

If that does not solve your issue, indeed open a TAC case to get this investigated why the internal cert is presented.

That's a setting in the IAP interface? I'm not seeing anything for authentication survivability. It seems this only started happening after we updated the firmware which we needed to do to fix another issue where the Aruba's were randomly trying to connect the Internal RADIUS server (which is not configured) instead of the remote RADIUS server and therefor not letting some users connect in the morning when they came into the office. We can try updating to 6.5 to see if it fixes the problems we are having I suppose. The remote RADIUS server is definitely up and available when these events are occurring. Thanks for the help.

Authentication survivability is in the same screen on the Instant AP where the authentication and RADIUS server is selected: 

Just make sure Authentication Survivability is disabled and you should never see the internal cert; Also make sure the Auth server 2 is NOT set to InternalServer.

Oh there it is. Thanks! That was enabled and is now disabled. Also second server is not set to Internal, verified. Thanks again hopefully that will help with the problems we saw.

Please be aware that the IAP should only fallback if your RADIUS server is unreachable or otherwise unresponding. The behavior that you saw can indicate a previously unknown issue in your network or on the RADIUS server that should be investigated. It can be that due to retries end-users don't really notice, but still, it looks like there is some other issue.

Thanks, I would assume that to be the case as well. Only problem is we have constant monitoring on our RADIUS server and nothing is skipping a beat. So I'm not sure what the issue is but since disabling that I haven't heard any complaints about wireless. Thanks for the assistance.