Controllerless Networks


IAP225 (with Clearpass) - Windows laptops losing connectivity every few minutes

  • 1.  IAP225 (with Clearpass) - Windows laptops losing connectivity every few minutes

    EMPLOYEE
    Posted Jan 21, 2014 05:24 PM

    Have just deployed a bunch of 20 IAP225 that is using Clearpass for the authentication.  The customer is reporting that connectivity is lost on Windows devices, with the yellow exclamation, and connection to exchange server lost.  This happens about 2 minutes after connecting and will last about a min or so, but it keeps happening every 3-5 mins.

     

    I don't have direct access to troubleshoot, but here are a couple of things on how it is configured.

     

    • vlan is static with gateway being the core switch.
    • 80 MHz channels enabled (not sure what band users connected on though)
    • client-match enabled
    • 802.11r enabled
    • RFC3576 enabled on auth-server profile with accounting mode as 'authentication'.

    I will be troubleshooting this with the customer further and looking at access tracker on Clearpass as well.  Normally I would put this sort of thing down to their own network, but this is my first IAP225 with Clearpass so I'm keeping an open mind.

     

    I'm thinking to disable client-match to see how it looks then as well.

     

    Has anyone else had issues such as this or any suggestions?

     

    Thanks



  • 2.  RE: IAP225 (with Clearpass) - Windows laptops losing connectivity every few minutes

    Posted Jan 21, 2014 06:11 PM

    What version of Instant? There were some improvements for IAP-225s fixed in 6.3.1.2-4.0.0.3. If you are already on this release, please PM me.



  • 3.  RE: IAP225 (with Clearpass) - Windows laptops losing connectivity every few minutes

    EMPLOYEE
    Posted Jan 22, 2014 03:07 AM

    Currently 6.3.1.1-4.0.0.1, but I'm going to disable client-match and 80MHz channels as a first step.  Will let you know how it goes.



  • 4.  RE: IAP225 (with Clearpass) - Windows laptops losing connectivity every few minutes

    Posted Jan 22, 2014 04:05 AM

    We have the same issue with Windows clients, though not every 3-5 minutes, but multiple times during the day.

    We are not using ClearPass, just WPA2-PSK, and we have 802.11r and client-match disabled (there were more problems while these settings were enabled).

     

    We are on 4.0.0.3



  • 5.  RE: IAP225 (with Clearpass) - Windows laptops losing connectivity every few minutes

    EMPLOYEE
    Posted Jan 22, 2014 05:56 AM

    Config below.

     

    version 6.3.1.0-4.0.0
    virtual-controller-country GB
    virtual-controller-key <key>
    name VC
    organization <org>
    virtual-controller-ip 192.168.103.245
    terminal-access
    ntp-server 192.168.100.251
    clock timezone London 00 00
    clock summer-time BST recurring last sunday march 02:00 last sunday october 02:00
    rf-band all
    dynamic-radius-proxy
    ams-ip 192.168.100.56
    ams-key <key>
    ams-identity <identity>
    
    allow-new-aps
    
    
    
    
    arm
     wide-bands 5ghz
     80mhz-support
     min-tx-power 12
     max-tx-power 18
     band-steering-mode prefer-5ghz
     air-time-fairness-mode preferred-access
     client-aware
     scanning
     client-match slb-mode 3
    
    internal-domains
     domain-name <domain>
    
    syslog-level warn ap-debug 
    syslog-level warn network 
    syslog-level warn security 
    syslog-level warn system 
    syslog-level warn user 
    syslog-level warn user-debug 
    syslog-level warn wireless 
    
    
    
    
    
    
    user mickc 00dc25953325a1608158f07740625476d1a118620dd9f91d portal
    
    
    mgmt-user admin <password>
    
    wlan access-rule Guest
     index 0
     rule any any match udp 67 68 permit
     rule any any match udp 53 53 permit
     rule 192.168.0.0 255.255.0.0 match any any any deny
     rule any any match any any any permit
     bandwidth-limit peruser downstream 512
     bandwidth-limit peruser upstream 512
    
    wlan access-rule default_wired_port_profile
     index 1
     rule any any match any any any permit
    
    wlan access-rule wired-instant
     index 2
     rule 192.168.102.41 255.255.255.255 match tcp 80 80 permit
     rule 192.168.102.41 255.255.255.255 match tcp 4343 4343 permit
     rule any any match udp 67 68 permit
     rule any any match udp 53 53 permit
    
    wlan access-rule Guest-logon
     index 3
     rule any any match udp 67 68 permit
     rule any any match udp 53 53 permit
     rule 192.168.100.57 255.255.255.255 match tcp 80 80 permit
     rule 192.168.100.57 255.255.255.255 match tcp 443 443 permit
     rule any any match icmp any any permit
     rule any any match any any any deny
     bandwidth-limit peruser downstream 256
     bandwidth-limit peruser upstream 256
    
    wlan access-rule Corp
     index 4
     rule 192.168.0.0 255.255.0.0 match any any any permit
     rule any any match any any any permit
    
    wlan access-rule MDM-Quarantine
     index 5
     vlan 154
     captive-portal external profile Quatantine
     rule 192.168.100.57 255.255.255.255 invert tcp 80 80 permit
     rule 192.168.100.57 255.255.255.255 invert tcp 443 443 permit
     rule any any match udp 67 68 permit
     rule any any match udp 53 53 permit
     rule any any match any any any deny
    
    wlan access-rule MDM-ipad
     index 6
     rule any any match any any any permit
    
    wlan access-rule MDM-Employee-device
     index 7
     rule 192.168.0.0 255.255.0.0 match any any any deny
     rule any any match any any any permit
    
    wlan access-rule MDM-Corporate-device
     index 8
     rule any any match any any any permit
    
    wlan access-rule BYOD
     index 9
     captive-portal external profile BYOD
     rule 192.168.100.57 255.255.255.255 match tcp 80 80 permit
     rule 192.168.100.57 255.255.255.255 match tcp 443 443 permit
     rule any any match udp 67 68 permit
     rule any any match udp 53 53 permit
     rule any any match any any any deny
    
    wlan access-rule Machine
     index 10
     rule any any match any any any permit
    
    wlan access-rule Wifi
     index 11
     rule any any match udp 67 68 permit
     rule any any match udp 53 53 permit
     rule any any match any any any permit
    
    wlan access-rule Guest
     index 12
     rule any any match udp 67 68 permit
     rule any any match udp 53 53 permit
     rule 192.168.0.0 255.255.0.0 match any any any deny
     rule any any match any any any permit
     bandwidth-limit peruser downstream 512
     bandwidth-limit peruser upstream 512
    
    wlan ssid-profile Guest
     disable
     index 0
     type guest
     essid Guest
     opmode opensystem
     max-authentication-failures 0
     vlan guest
     auth-server clearpass
     set-role-pre-auth Guest-logon
     set-role Aruba-User-Role value-of
     rf-band all
     captive-portal external profile Guest
     mac-authentication
     mac-authentication-delimiter :
     dtim-period 2
     inactivity-timeout 1000
     broadcast-filter all
     radius-accounting
     radius-interim-accounting-interval 10
     g-min-tx-rate 11
     a-min-tx-rate 12
     dmo-channel-utilization-threshold 90
     local-probe-req-thresh 20
     max-clients-threshold 64
    
    wlan ssid-profile Corp
     disable
     index 1
     type employee
     essid Corp
     opmode wpa2-aes
     max-authentication-failures 0
     vlan 150
     auth-server clearpass
     set-role Aruba-User-Role value-of
     rf-band all
     captive-portal disable
     dtim-period 2
     inactivity-timeout 1000
     broadcast-filter arp
     radius-accounting
     radius-interim-accounting-interval 20
     g-min-tx-rate 11
     a-min-tx-rate 12
     multicast-rate-optimization
     dynamic-multicast-optimization
     dmo-channel-utilization-threshold 90
     local-probe-req-thresh 20
     max-clients-threshold 64
     dot11r
    
    wlan ssid-profile Wifi
     enable
     index 2
     type employee
     essid Wifi
     opmode wpa2-aes
     max-authentication-failures 0
     vlan 150
     auth-server clearpass
     auth-survivability
     set-role Aruba-User-Role value-of
     rf-band all
     captive-portal disable
     dtim-period 2
     inactivity-timeout 1000
     broadcast-filter arp
     radius-accounting
     g-min-tx-rate 11
     a-min-tx-rate 12
     multicast-rate-optimization
     dynamic-multicast-optimization
     dmo-channel-utilization-threshold 90
     local-probe-req-thresh 20
     max-clients-threshold 64
    
    wlan ssid-profile Guest
     enable
     index 3
     type guest
     essid Guest
     opmode opensystem
     max-authentication-failures 0
     vlan 154
     auth-server clearpass
     set-role-pre-auth Guest-logon
     rf-band all
     captive-portal external profile Guest
     mac-authentication
     mac-authentication-delimiter :
     dtim-period 2
     inactivity-timeout 1000
     broadcast-filter all
     radius-accounting
     radius-interim-accounting-interval 10
     g-min-tx-rate 11
     a-min-tx-rate 12
     dmo-channel-utilization-threshold 90
     local-probe-req-thresh 20
     max-clients-threshold 64
    
    auth-survivability cache-time-out 24
    
    
    
    wlan auth-server clearpass
     ip 192.168.100.57
     port 1812
     acctport 1813
     key <key>
     rfc3576
     cppm-rfc3576-port 5999
    
    wlan captive-portal
     background-color 13421772
     banner-color 16750848
     banner-text "Welcome to Guest Network"
     terms-of-use "This network is in development."
     use-policy "Do not ask for a username/password.  In development."
     authenticated
    
    wlan external-captive-portal
     server localhost
     port 80
     url "/"
     auth-text "Authenticated"
     auto-whitelist-disable
     https
    
    wlan external-captive-portal Guest
     server 192.168.100.57
     port 443
     url "/guest/landing.php/Guest.php"
     auth-text ""
     auto-whitelist-disable
     https
    
    wlan external-captive-portal Quatantine
     server 192.168.100.57
     port 80
     url "/guest/landing.php/Quarantine.php"
     auth-text ""
     auto-whitelist-disable
    
    wlan external-captive-portal BYOD
     server 192.168.100.57
     port 80
     url "/guest/landing.php/BYOD.php"
     auth-text ""
     auto-whitelist-disable
    
    wlan external-captive-portal Guest
     server 192.168.100.57
     port 443
     url "/guest/landing.php/Guest.php"
     auth-text ""
     auto-whitelist-disable
     https
    
    
    blacklist-time 3600
    auth-failure-blacklist-time 3600
    
    ids classification
    
    ids
     wireless-containment none
    
    
    wired-port-profile wired-instant
     switchport-mode access
     allowed-vlan all
     native-vlan guest
     no shutdown
     access-rule-name wired-instant
     speed auto
     duplex auto
     no poe
     type guest
     captive-portal disable
     no dot1x
    
    wired-port-profile default_wired_port_profile
     switchport-mode trunk
     allowed-vlan all
     native-vlan 1
     shutdown
     access-rule-name default_wired_port_profile
     speed auto
     duplex full
     no poe
     type employee
     captive-portal disable
     no dot1x
    
    
    enet0-port-profile default_wired_port_profile
    
    uplink
     preemption
     enforce none
     failover-internet-pkt-lost-cnt 10
     failover-internet-pkt-send-freq 30
     failover-vpn-timeout 180
    
    
    airgroup
     disable
    
    airgroupservice airplay
     disable
     description AirPlay
    
    airgroupservice airprint
     disable
     description AirPrint
    
    
    

     



  • 6.  RE: IAP225 (with Clearpass) - Windows laptops losing connectivity every few minutes

    Posted Jan 22, 2014 08:02 AM

    I had the same issues with IAP105 on 4.0.0.2 and reverted back to 3.4.0.6, and the connectivity issue disappeared.



  • 7.  RE: IAP225 (with Clearpass) - Windows laptops losing connectivity every few minutes

    Posted Jan 22, 2014 11:40 AM
    With 225s, the minimum firmware version is 4.0; 3.4 won't work on an IAP-225.


  • 8.  RE: IAP225 (with Clearpass) - Windows laptops losing connectivity every few minutes

    EMPLOYEE
    Posted Jan 28, 2014 02:45 PM

    There was a duplicate IP for the gateway, which I guess was the primary cause of the issues. Intel Proset software, I think, was doing funny things as well.

     

    I had already disabled client-match, so unclear if that would have caused issues anyway.  Hopefully we'll get a chance to enable again to evaluate.



  • 9.  RE: IAP225 (with Clearpass) - Windows laptops losing connectivity every few minutes

    EMPLOYEE
    Posted Jan 28, 2014 03:08 PM

    Wow.  That is notoriously difficult to track down.  Glad to hear you worked it out.



  • 10.  RE: IAP225 (with Clearpass) - Windows laptops losing connectivity every few minutes

    EMPLOYEE
    Posted Jan 29, 2014 03:50 AM

    Actually it was pretty easy with a packet capture on a wired client.

     

    :smileyhappy:
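
The duplicate gateway IP reported in post 8 appears in a capture as two different MAC addresses claiming the same address in ARP. The following is an added example, not part of the original thread: it parses ARP frames and reports every IPv4 address claimed by more than one sender MAC. The frames, the 192.0.2.x addresses, the MAC addresses, the VLAN tag on one frame and all function names are constructed for illustration.

```python
import struct
from collections import defaultdict

def parse_arp(frame):
    """Return (sender_mac, sender_ip) from an Ethernet II ARP frame, else None."""
    off = 12
    if frame[off:off + 2] == b"\x81\x00":      # skip a single 802.1Q VLAN tag
        off += 4
    if len(frame) < off + 30 or frame[off:off + 2] != b"\x08\x06":
        return None                            # truncated, or not ARP
    htype, ptype, hlen, plen, _op = struct.unpack("!HHBBH", frame[off + 2:off + 10])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None                            # not Ethernet/IPv4 ARP
    sha, spa = frame[off + 10:off + 16], frame[off + 16:off + 20]
    return sha.hex(":"), ".".join(map(str, spa))

def find_duplicate_ips(frames):
    """Map each IP claimed by more than one sender MAC to its sorted MAC list."""
    claims = defaultdict(set)
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed and parsed[1] != "0.0.0.0":  # ARP probes claim no address
            claims[parsed[1]].add(parsed[0])
    return {ip: sorted(macs) for ip, macs in claims.items() if len(macs) > 1}

def build_arp(src_mac, src_ip, dst_ip, op=2, vlan=None):
    """Construct a broadcast ARP frame (sample data for this example only)."""
    sha = bytes.fromhex(src_mac.replace(":", ""))
    spa, tpa = (bytes(map(int, a.split("."))) for a in (src_ip, dst_ip))
    tag = b"" if vlan is None else b"\x81\x00" + struct.pack("!H", vlan)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + sha + spa + bytes(6) + tpa
    return b"\xff" * 6 + sha + tag + b"\x08\x06" + arp

# Constructed capture: two hosts answer for the gateway address 192.0.2.1.
SAMPLE_FRAMES = [
    build_arp("02:00:00:00:00:01", "192.0.2.1", "192.0.2.50"),            # gateway
    build_arp("02:00:00:00:00:aa", "192.0.2.50", "192.0.2.1", op=1),      # client
    build_arp("02:00:00:00:00:02", "192.0.2.1", "192.0.2.50", vlan=150),  # conflict
    build_arp("02:00:00:00:00:bb", "0.0.0.0", "192.0.2.60", op=1),        # ARP probe
    bytes(60),                                                            # non-ARP
]

if __name__ == "__main__":
    for ip, macs in find_duplicate_ips(SAMPLE_FRAMES).items():
        print(f"duplicate IP {ip}: claimed by {', '.join(macs)}")
```

Two MACs for one IP can also mean a recent hardware swap or ARP spoofing, so confirm which MAC belongs to the real gateway against the switch's MAC address table before acting.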



  • 11.  RE: IAP225 (with Clearpass) - Windows laptops losing connectivity every few minutes

    EMPLOYEE
    Posted May 13, 2014 04:55 PM

    Customer has enabled client-match again to resolve some stubborn sticky clients. So far everything is still good.