Network Management

last person joined: 4 days ago 

Keep an informative eye on your network with HPE Aruba Networking network management solutions
Back to discussions
Expand all | Collapse all

Trouble applying configuration to mobility controller using Airwave

This thread has been viewed 2 times

  • 1.  Trouble applying configuration to mobility controller using Airwave

    Posted Jun 02, 2014 04:31 AM

    On our Airwave server, I made a number of changes to the configuration of a group of 3 mobility controllers (model 7210 running firmware 6.3.1.2), and applied the changes to the group. The changes included creation of a new campus WLAN and associated settings such as AAA and SSID profiles, as well as a user role, and a firewall policy.

     

    All the settings got pushed out correctly, except that the firewall policy has not been applied to the user role. Both the role and the policy were applied to the controllers, though. Airwave reports that the 3 controllers have mismatched configurations, and show the following when clicking on the "mismatched" link:

       

                                                                       Current Device Configuration                              Desired Configuration

     
     User Role 'FC-RESIDENTIAL-GUEST_role' Policy '1' Aruba AP Group(not set)default
     User Role 'FC-RESIDENTIAL-GUEST_role' Policy '1' Policy(not set)FC-RESIDENTIAL-GUEST_ACL_POLICY
     User Role 'FC-RESIDENTIAL-GUEST_role' Policy '1' Position(not set)1
     User Role 'FC-RESIDENTIAL-GUEST_role' Policy '1' Status(not set)Create

     

    Repairing the configuration does not change the result. I cannot see any errors logged in relation to applying the configuration.

     

    I have not tried changing this directly in the controller GUI and would prefer not to as our policy is to use Airwave. Please advise steps I need to take to get the Airwave to apply the firewall policy.

     

    I have one other (hopefully) simple question: under the virtual AP for the WLAN in question, I have set a VLAN ID. In the AAA profile under the virtual AP profile, the role is the "FC-RESIDENTIAL-GUEST_role" from the table above. However the role itself does not have a VLAN ID assigned. The WLAN is working fine (except that the firewall policy is not applied) and the traffic is on the right VLAN once it hits the wired network, so I'm assuming that the VLAN ID doen't need to be applied at the role level too? Or could this be related to the issue above, or be likely to cause any other complications?

     

    Thanks in advance!


    #7210


  • 2.  RE: Trouble applying configuration to mobility controller using Airwave

    Posted Jun 02, 2014 06:41 AM

     

    Do you have a PEF licenses installed on your controller ?



  • 3.  RE: Trouble applying configuration to mobility controller using Airwave

    EMPLOYEE
    Posted Jun 02, 2014 06:53 AM

    Login to one of the controllers (must be the master) and type "show audit-trail) to see exactly what was pushed and when.  You might have to go back some to find out what happened.

     



  • 4.  RE: Trouble applying configuration to mobility controller using Airwave

    Posted Jun 02, 2014 09:10 PM

    Thanks for the replies.

     

    Victor, the PEF licences are installed and I have previously applied firewall policies without issue.

     

    Colin, checking the audit trail, all I see is the commands being executed successfully (no errors). I can see that the user role command is executed, followed by the access list policy being created and the rules added. I am not sure if there is supposed to be another command that specifically applies the policy to the role or not...?

     

    When I attempt to repair the configuration from the Airwave, the following is logged:

    Jun 3 09:19:19 fpcli: USER:admin@10.100.100.42 COMMAND:<no paging > -- command executed successfully
    Jun 3 09:19:19 fpcli: USER:admin@10.100.100.42 COMMAND:<encrypt disable > -- command executed successfully
    Jun 3 09:19:58 fpcli: USER:admin@10.100.100.42 COMMAND:<user-role "FC-RESIDENTIAL-GUEST_role" > -- command executed successfully
    Jun 3 09:19:59 fpcli: USER:admin@10.100.100.42 COMMAND:<write memory > -- command executed successfully
    Jun 3 09:20:12 fpcli: USER:admin@10.100.100.42 COMMAND:<no paging > -- command executed successfully
    Jun 3 09:20:12 fpcli: USER:admin@10.100.100.42 COMMAND:<encrypt disable > -- command executed successfully

     

    Something else I've noticed and don't understand is the first line under the mismatched config: "User Role 'FC-RESIDENTIAL-GUEST_role' Policy '1' Aruba AP Group". Current config is "not set" and desired is "default". This matches what is shown by Airwave when clicking on "Controller Config" under the group with the controllers in it: the "default" AP group (which has all APs in it) has "FC-RESIDENTIAL-GUEST_role" as the user role. There are a number of roles on these controllers, so why does Airwave want to assign this role to the AP group? If and when this applies on the controllers, will it affect any other roles? Can I stop Airwave from having this as the desired configuration?

     

    Thanks again,

    Matt



  • 5.  RE: Trouble applying configuration to mobility controller using Airwave
    Best Answer

    EMPLOYEE
    Posted Jun 03, 2014 06:25 AM

    You can look at the user role in Airwave Configuration and see if it is assigned to a user group, and if it is, remove it (change it to none):

    policy.png

     



  • 6.  RE: Trouble applying configuration to mobility controller using Airwave

    Posted Jun 03, 2014 11:02 PM

    Thanks Colin, the default AP group was set there, and removing it allowed the configuration to be applied without any problems.

     

    To answer my own question in my original post about setting the VLAN ID on the user role to match the virtual AP: this apparently is necessary - clients had no connectivity until this was set.