Controllerless Networks

Instant Mode - the controllerless Wi-Fi solution that's easy to set up, is loaded with security and smarts, and won't break your budget

iAP external RADIUS

  • 1.  iAP external RADIUS

    Posted Feb 12, 2019 05:07 PM

    Hi,

    We have a site with 9 iap225s and are having trouble getting RADIUS authentication working.

    The RADIUS authenticates our 7220 controller in house, but the remote site, vpn'd with other data traffic, is not working.

     

    RADIUS box can get to iaps and vice-versa. 

     

    One thing we see is that when a user attempts to connect using the RADIUS-linked SSID, the traffic is not coming in from the Virtual Controller, but from the iap that the device is connected to.

     

    Do I need to add every iAP into the RADIUS server to enable authentication?

     

    Thanks for your thoughts.

    Chris



  • 2.  RE: iAP external RADIUS

    EMPLOYEE
    Posted Feb 12, 2019 05:11 PM

    Enable dynamic RADIUS proxy so it only comes from one AP (the VC).



  • 3.  RE: iAP external RADIUS

    Posted Feb 12, 2019 06:14 PM

    Thanks cjoseph!

     

    The DRP IP address is meant to be the address of the Virtual Controller or Master iAP.  Correct?

     

     



  • 4.  RE: iAP external RADIUS

    Posted Feb 12, 2019 06:18 PM

    Yes, it will be the Virtual Controller IP Address.

     

    If there is a requirement, you can also define DRP VLAN, IP address, and subnet on a per-RADIUS server basis:

    https://community.arubanetworks.com/t5/Controller-less-WLANs/What-is-dynamic-radius-proxy-and-related-settings-in/ta-p/180918



  • 5.  RE: iAP external RADIUS

    Posted Feb 13, 2019 11:42 AM

    I'm working with TAC, having killed the Master iAP.

    I put in the IP/Mask/Gateway info of the Master AP and immediately lost access after hitting OK.

     

    Any thoughts?

     



  • 6.  RE: iAP external RADIUS

    Posted Feb 15, 2019 07:47 AM

    So you added a VC ip, gw and vlan. That is where your VC will be managed. Was that VLAN tagged on your switch? :)

     

    Edit: saw the screenshot now. You're working on quite an old version, aren't you? I would suggest you upgrade if possible.

     

    In that version you can just add DRP IP/GW - not do VC IPs. This is done under Authentication servers -> Your-Radius-Server.