Remote Networking

Reply
Occasional Contributor II

IKE_XAUTH provisioning error on RAP2 and 5

We have several RAP-2WG and RAP5-WNs. I'm trying to provision them on a M3 controller running 5.0.4.0. According to the docs the setup is dead simple. I have an AP group for them. I have their MACs whitelisted in the RAP Whitelist. But they won't provision.

On booting up they get to the Master Connectivity section and get "RC_ERROR_IKE_XAUTH_AUTHORIZATION_FAILED".

Both 2s and 5 do the same thing.

show datapath session | include 4500
shows traffic from the master to the RAP with the "F" Fast Age flag set only. So I'm sure I have connectivity

show crypto isakmp sa
only shows the two locals talking to the master.

This is on a very busy Master, so dumping the security logs and user table is rather impractical.

Anyone run into this and have a fix?
Guru Elite

Re: IKE_XAUTH provisioning error on RAP2 and 5


We have several RAP-2WG and RAP5-WNs. I'm trying to provision them on a M3 controller running 5.0.4.0. According to the docs the setup is dead simple. I have an AP group for them. I have their MACs whitelisted in the RAP Whitelist. But they won't provision.

On booting up they get to the Master Connectivity section and get "RC_ERROR_IKE_XAUTH_AUTHORIZATION_FAILED".

Both 2s and 5 do the same thing.

show datapath session | include 4500
shows traffic from the master to the RAP with the "F" Fast Age flag set only. So I'm sure I have connectivity

show crypto isakmp sa
only shows the two locals talking to the master.

This is on a very busy Master, so dumping the security logs and user table is rather impractical.

Anyone run into this and have a fix?




The solution is most likely located in the security logs. If you cannot look at the security logs, there is little chance we can get to the bottom of this.

*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.3 User Guide
InstantOS 8.3 User Guide
Airheads Knowledgebase
Airheads Learning Videos
Occasional Contributor II

Re: IKE_XAUTH provisioning error on RAP2 and 5

I can look at the security logs, but the there is a huge amount of data there and doubt posting it all the forum would help. How do I narrow down whats wrong in the logs. Is there anything less verbose than

show log security all | include ike

that might help? Or what am I looking for in the ike logs?
Guru Elite

Re: IKE_XAUTH provisioning error on RAP2 and 5

I would start with the word "fail", or "Fail"

Last, but not least, I would check the parameter under Configuration> security> authentication>l3 authentication> vpn authentication profile> default-rap. Make sure that the server group is "default". Click on the word "default" and make sure the Internal server is in that, as well.

*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.3 User Guide
InstantOS 8.3 User Guide
Airheads Knowledgebase
Airheads Learning Videos
Occasional Contributor II

Re: IKE_XAUTH provisioning error on RAP2 and 5

That last bit was the key. The Auth server had been set to something other than default for the default-rap group. That showed up in the security logs as "User Authentication Failed" with "auth method=VPN". Setting it back to default got the RAPs working.

Thanks muchly for the pointer.
Search Airheads
cancel
Showing results for 
Search instead for 
Did you mean: