Remote Networking

Super Contributor I

Re: RAP initial setup questions

Hi Colin,

The pool has definitely made a difference. I'll follow up with this post if I run into some more problems.

Thanks for your timely help, it has been appreciated!

-Mike
Super Contributor I

Re: RAP initial setup questions

Hi Colin,

I'm sure this next step is equally easy. I was able to successfully configure the RAP, receive a new image, as well as authenticate via 802.1x. But for whatever reason, I can't get an IP. The VLAN that is assigned to the link has a corresponding DHCP scope that's in use. I ran one of your COTDs:

(GL-Master) #show user-table verbose

Users
-----
IP MAC Name Role Age(d:h:m) Auth VPN link AP name Roaming Essid/Bssid/Phy Profile Forward mode Server Vlan Bwm
---------- ------------ ------ ---- ---------- ---- -------- ------- ------- --------------- ------- ------------ ------ ---- ---
10.20.30.45 00:00:00:00:00:00 00:0b:86:c3:74:4d ap-role 00:00:24 VPN 24.125.68.63 N/A default tunnel Internal 1
24.125.68.63 00:00:00:00:00:00 logon 00:01:15 VPN N/A default tunnel 1
169.254.133.54 00:17:f2:53:df:a3 mcourtney WLU-Staff 00:00:01 802.1x RAP-Mike Associated(Remote) WLUsec/00:0b:86:b7:44:d0/g WLU-8021x-AAA bridge m***.ad.wlu.edu 341 (341)

User Entries: 3/3

I am receiving the correct (for the moment, non-split-tunneling) role, it authenticated against the correct authentication server, and it is placed in the correct VLAN.

Should a "bridged" RAP provide a connected client with an IP address from the master controller? Or, does it provide a local IP address and then it does its black magic in the background? I thought it was the former, but I could be totally wrong.

Thanks for your continued help!

-Mike
Super Contributor I

Re: RAP initial setup questions

Colin,

I made the following adjustment under the system profile for the RAP VAP:

native-vlan-id 341

Now, the DHCP is showing:

192.168.2.21 00:17:f2:53:df:a3 mcourtney WLU-Staff 00:00:02 802.1x RAP-Mike Associated(Remote) WLUsec/00:0b:86:b7:44:d0/g WLU-8021x-AAA bridge mvc2.ad.wlu.edu 341 (341)

I guess the question becomes, is the RAP just "bridging" the SSID, but none of the traffic? If so, then I can see where I'll need to enable split tunneling. I was under the impression that it would be a transparent extension of the controller.

Thanks for any help you can offer!

-Mike
Guru Elite

Re: RAP initial setup questions

Mike,

If your Virtual-AP is set to bridged, all of the traffic is being bridged out of the Ethernet of the access point that it is connected to. That means users will get an IP address in the same range as the AP. That would NOT be an extension of how your controller works.

It would be very easy just to add an existing tunneled Virtual AP to that RAP ap-group that you already have working for the school, and the behavior will be identical to how it works right now. Users will get IP addresses in the same range as they got in school, and all traffic will be tunneled back. That would be a true extension of the controller, and you would not have to do anything more.

Split-tunneling is more involved and is for when you want users to get an IP address from the headend, but send all local and internet traffic out of their local ISP. This requires a couple more things:

- The Virtual AP must be set to Split-Tunnel
- The AAA profile must have a default 802.1x role set that has firewall policies configured for split tunneling.

That probably means you would have to:

- Create a role with your split-tunnel rules (please see here: http://airheads.arubanetworks.com/vBulletin/showthread.php?t=2929)
- Create a new AAA profile that has a duplicate of your server group and your 802.1x profile. The only difference is that you would make the default 802.1x role the role you created above with the split-tunnel rules
- Create a new Virtual AP, make the forwarding mode split-tunnel and attach the old SSID profile and the new AAA profile.
- Add that new Virtual AP to a new AP-Group

*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.5 User Guide
InstantOS 8.5 User Guide
Airheads Knowledgebase
Airheads Learning Videos
Aruba Central Documentation
ArubaOS Consolidated Release Notes
Aruba Technical Webinars
Super Contributor I

Re: RAP initial setup questions

Hi Colin,

I guess my question is, what exactly is bridged? Is it just the authentication and SSID?

I changed the forward mode to "tunnel" and Remote-AP Operation to "standard." I now have an extension of the campus - which is a start.

I'm trying to come up with a scalable way of doing a RAP deployment on my campus. I think I'm going to use a different AAA strategy for the RAP2s and the RAP5s. I'm going to have the RAP2s act as tunnels back to campus and the RAP5s / 105s / 125s operate in split-tunnel mode. There are a couple of remote dorms that use a cable or DSL connection for their houses. I'm going to replace their non-Aruba gear for our first off-campus deployment. I don't want those houses to utilize the campus bandwidth for anything other than campus traffic. I'm not really worried about this with the RAP2s since they can't push a lot of throughput to begin with. Does the above seem like a good deployment strategy?

Thanks!

-Mike
Super Contributor I

Re: RAP initial setup questions

Colin,

Another question. Is there a connection limit on a RAP2? Right now I have my Mac Mini associated via 802.1X and it is getting the appropriate role. But my Mac Book for whatever reason can't connect. I've tried running our 802.1X Cloudpath utility and that's still a no go.

Unfortunately, I have two neighbors, who must be students, attempting to associate with the AP. They're getting a "DenyAll" rule as expected. But, I didn't know if that was making the RAP2 hit a limit.

I've been learning a lot about the RAP infrastructure because of your patience - as always, thanks!

-Mike
Guru Elite

Re: RAP initial setup questions

Bridged is just the user traffic. The authentication is tunneled back through the controller to the radius server.

Your deployment strategy for users is valid: you only want traffic that needs to tunnel back to the controller to go over the internet. The rest should be NATed locally and sent to the internet.

There is no connection limit for the RAP2 that is enforced, per se. There are a number of issues with Mac OS X, and Austin Hawthorne wrote an article about what you can do about it, here: http://airheads.arubanetworks.com/vBulletin/showthread.php?t=914

Users who attempt to associate with the SSID and do not have credentials, or have invalid credentials, might get the "denyall" rule based on your policies. It would not be because of a limit with the RAP that they end up there.

Super Contributor I

Re: RAP initial setup questions

Hi Colin,

I created an additional SSID profile that supported the weaker encryption rates, to no avail. I then did a user-debug on my MAC address and this popped up:

Jan 16 15:45:51 :501095: |AP RAP-Mike@10.20.30.52 stm| Assoc request @ 15:45:51.921423: f8:1e:df:d6:f7:4d (SN 44): AP 10.20.30.52-00:0b:86:b7:44:d0-RAP-Mike
Jan 16 15:45:51 :501097: |AP RAP-Mike@10.20.30.52 stm| Assoc request: f8:1e:df:d6:f7:4d: Dropped AP 10.20.30.52-00:0b:86:b7:44:d0-RAP-Mike for STA DoS protection

I did a search and found your post:

http://airheads.arubanetworks.com/vBulletin/showthread.php?t=2455&highlight=protection

I ran the following command:

stm remove-blacklist-client f8:1e:df:d6:f7:4d

When I did this, the following successful association occurred:

Jan 16 16:17:15 :501095: |stm| Assoc request @ 16:17:15.794547: f8:1e:df:d6:f7:4d (SN 2845): AP 10.20.30.54-00:0b:86:b7:44:d0-RAP-Mike
Jan 16 16:17:15 :501100: |stm| Assoc success @ 16:17:15.797118: f8:1e:df:d6:f7:4d: AP 10.20.30.54-00:0b:86:b7:44:d0-RAP-Mike
Jan 16 16:17:15 :501065: |stm| Sending STA f8:1e:df:d6:f7:4d message to Auth and Mobility Unicast Encr WPA2 8021X AES Multicast Encr Dynamic WPA,WPA2 8021X TKIP VLAN 0x155, wmm:0, rsn_cap:0
Jan 16 16:17:15 :522035: |authmgr| MAC=f8:1e:df:d6:f7:4d Station UP: BSSID=00:0b:86:b7:44:d0 ESSID=WLUsec VLAN=341 AP-name=RAP-Mike
Jan 16 16:17:15 :522004: |authmgr| MAC=f8:1e:df:d6:f7:4d ingress 0x1089 (tunnel 9), u_encr 64, m_encr 4112, slotport 0x1040 , type: local, FW mode: 0, AP IP: 0.0.0.0
Jan 16 16:17:15 :522004: |authmgr| station add: Created station with bssid=00:0b:86:b7:44:d0, valid=1, @=0x1079b7dc
Jan 16 16:17:15 :500511: |mobileip| Station f8:1e:df:d6:f7:4d, 0.0.0.0: Received association on ESSID: WLUsec Mobility service ON, HA Discovery on Association Off, Fastroaming Disabled, AP: Name RAP-Mike Group WLU-Mobile-RAP2-AP-Group BSSID 00:0b:86:b7:44:d0, phy g, VLAN 341
Jan 16 16:17:15 :500010: |mobileip| Station f8:1e:df:d6:f7:4d, 0.0.0.0: Mobility trail, on switch 137.113.191.253, VLAN 341, AP RAP-Mike, WLUsec/00:0b:86:b7:44:d0/g
Jan 16 16:17:15 :501095: |AP RAP-Mike@10.20.30.54 stm| Assoc request @ 16:17:15.752931: f8:1e:df:d6:f7:4d (SN 2845): AP 10.20.30.54-00:0b:86:b7:44:d0-RAP-Mike
Jan 16 16:17:15 :501100: |AP RAP-Mike@10.20.30.54 stm| Assoc success @ 16:17:15.767035: f8:1e:df:d6:f7:4d: AP 10.20.30.54-00:0b:86:b7:44:d0-RAP-Mike
Jan 16 16:17:16 :522038: |authmgr| MAC=f8:1e:df:d6:f7:4d IP=0.0.0.0 Authentication result=Authentication Successful method=802.1x server=mvc2.ad.wlu.edu
Jan 16 16:17:16 :522044: |authmgr| MAC=f8:1e:df:d6:f7:4d Station authenticate(start): method=802.1x, role=WLU-Secure-RAP-Login//, VLAN=341/341/0/0/0, Derivation=10/0, Value Pair=1
Jan 16 16:17:16 :522017: |authmgr| MAC=f8:1e:df:d6:f7:4d IP=0.0.0.0 Derived role 'WLU-Remote-Staff' from server rules: server-group=WLU-RAP-Radius-Servers, authentication=802.1x
Jan 16 16:17:16 :522004: |authmgr| {L2} Update role from WLU-Secure-RAP-Login to WLU-Remote-Staff for IP=0.0.0.0
Jan 16 16:17:16 :522004: |authmgr| download: ip=0.0.0.0 acl=76/0 role=WLU-Remote-Staff, Ubwm=0, Dbwm=0 tunl=0x1089, PA=0, HA=1, RO=0, VPN=0
Jan 16 16:17:16 :522004: |authmgr| Station authenticate has l2 role :WLU-Remote-Staff default role WLU-Secure-RAP-Login logon role logon
Jan 16 16:17:16 :522004: |authmgr| Valid Dot1xct, remote:0, assigned:341, default:341,current:341,termstate:5, wired:0,dot1x enabled:1, psk:0 static:0 bssid=00:0b:86:b7:44:d0
Jan 16 16:17:16 :522004: |authmgr| MAC=f8:1e:df:d6:f7:4d def_vlan 341 derive vlan: 0 auth_type 4 auth_subtype 4
Jan 16 16:17:16 :522004: |authmgr| Vlan assignment is not needed during station authentication
Jan 16 16:17:16 :522029: |authmgr| MAC=f8:1e:df:d6:f7:4d Station authenticate: method=802.1x, role=WLU-Remote-Staff//, VLAN=341/341/0/0/0, Derivation=2/0, Value Pair=1
Jan 16 16:17:16 :522004: |authmgr| {0.0.0.0} autTable ("mcourtney Authenticated 802.1x WLU-Remote-Staff ")
Jan 16 16:17:16 :522026: |authmgr| MAC=f8:1e:df:d6:f7:4d IP=137.113.190.144 User miss: ingress=0x1089, VLAN=341
Jan 16 16:17:16 :522006: |authmgr| MAC=f8:1e:df:d6:f7:4d IP=137.113.190.144 User entry added: reason=Sibtye
Jan 16 16:17:16 :522004: |authmgr| Station inherit: IP=137.113.190.144 start bssid:00:00:00:00:00:00 essid: port:0x1089 (0x1089)
Jan 16 16:17:16 :522004: |authmgr| {L3} Update role from logon to WLU-Remote-Staff for IP=137.113.190.144
Jan 16 16:17:16 :522004: |authmgr| Reset BWM contract: IP=137.113.190.144 role=WLU-Remote-Staff, contract= (0), type=Per role
Jan 16 16:17:16 :522004: |authmgr| download: ip=137.113.190.144 acl=76/0 role=WLU-Remote-Staff, Ubwm=0, Dbwm=0 tunl=0x1089, PA=0, HA=1, RO=0, VPN=0
Jan 16 16:17:16 :522008: |authmgr| User authenticated: Name=mcourtney MAC=f8:1e:df:d6:f7:4d IP=137.113.190.144 method=802.1x server=mvc2.ad.wlu.edu role=WLU-Remote-Staff
Jan 16 16:17:16 :522004: |authmgr| station inherit IP=137.113.190.144 bssid:00:0b:86:b7:44:d0 essid: WLUsec auth:1 type:802.1x role:WLU-Remote-Staff port:0x1089
Jan 16 16:17:16 :522004: |authmgr| {137.113.190.144} autTable ("mcourtney Authenticated 802.1x WLU-Remote-Staff ")
Jan 16 16:17:16 :522004: |authmgr| download: ip=137.113.190.144 acl=76/0 role=WLU-Remote-Staff, Ubwm=0, Dbwm=0 tunl=0x1089, PA=0, HA=1, RO=0, VPN=0
Jan 16 16:17:16 :522026: |authmgr| MAC=f8:1e:df:d6:f7:4d IP=137.113.190.144 User miss: ingress=0x1089, VLAN=341
Jan 16 16:17:16 :522004: |authmgr| Station inherit: IP=137.113.190.144 start bssid:00:0b:86:b7:44:d0 essid: WLUsec port:0x1089 (0x1089)
Jan 16 16:17:16 :522004: |authmgr| station inherit IP=137.113.190.144 bssid:00:0b:86:b7:44:d0 essid: WLUsec auth:1 type:802.1x role:WLU-Remote-Staff port:0x1089
Jan 16 16:17:16 :522004: |authmgr| {137.113.190.144} autTable ("mcourtney Authenticated 802.1x WLU-Remote-Staff ")
Jan 16 16:17:16 :522004: |authmgr| download: ip=137.113.190.144 acl=76/0 role=WLU-Remote-Staff, Ubwm=0, Dbwm=0 tunl=0x1089, PA=0, HA=1, RO=0, VPN=0

Right after that, I'm put back on the blacklist:

Jan 16 16:17:16 :522039: |authmgr| MAC=f8:1e:df:d6:f7:4d IP=137.113.190.144 Blacklist user: reason=Monitor IP sessions attack
Jan 16 16:17:16 :501103: |stm| Blacklist add: f8:1e:df:d6:f7:4d: Reason: session-flood
Jan 16 16:17:16 :501065: |stm| Sending STA f8:1e:df:d6:f7:4d message to Auth and Mobility Unicast Encr WPA2 8021X AES Multicast Encr Dynamic WPA,WPA2 8021X TKIP VLAN 0x155, wmm:0, rsn_cap:0
Jan 16 16:17:16 :500511: |mobileip| Station f8:1e:df:d6:f7:4d, 0.0.0.0: Received disassociation on ESSID: WLUsec Mobility service ON, HA Discovery on Association Off, Fastroaming Disabled, AP: Name RAP-Mike Group WLU-Mobile-RAP2-AP-Group BSSID 00:0b:86:b7:44:d0, phy g, VLAN 341
Jan 16 16:17:16 :522036: |authmgr| MAC=f8:1e:df:d6:f7:4d Station DN: BSSID=00:0b:86:b7:44:d0 ESSID=WLUsec VLAN=341 AP-name=RAP-Mike
Jan 16 16:17:16 :522004: |authmgr| MAC=f8:1e:df:d6:f7:4d ingress 0x1089 (tunnel 9), u_encr 64, m_encr 4112, slotport 0x1040 , type: local, FW mode: 0, AP IP: 0.0.0.0
Jan 16 16:17:16 :522004: |authmgr| station free: bssid=00:0b:86:b7:44:d0, valid=1, @=0x1079b7dc
Jan 16 16:17:16 :501080: |stm| Deauth to sta: f8:1e:df:d6:f7:4d: Ageout AP 10.20.30.54-00:0b:86:b7:44:d0-RAP-Mike Denied; STA Blacklisted
Jan 16 16:17:16 :501000: |stm| Station f8:1e:df:d6:f7:4d: Clearing state
Jan 16 16:17:16 :501105: |AP RAP-Mike@10.20.30.54 stm| Deauth from sta: f8:1e:df:d6:f7:4d: AP 10.20.30.54-00:0b:86:b7:44:d0-RAP-Mike Reason STA has left and is deauthenticated
Jan 16 16:17:16 :501000: |AP RAP-Mike@10.20.30.54 stm| Station f8:1e:df:d6:f7:4d: Clearing state
Jan 16 16:17:22 :501095: |stm| Assoc request @ 16:17:22.177760: f8:1e:df:d6:f7:4d (SN 2944): AP 10.20.30.54-00:0b:86:b7:44:d0-RAP-Mike
Jan 16 16:17:22 :501097: |stm| Assoc request: f8:1e:df:d6:f7:4d: Dropped AP 10.20.30.54-00:0b:86:b7:44:d0-RAP-Mike for STA DoS protection
Jan 16 16:17:22 :501095: |AP RAP-Mike@10.20.30.54 stm| Assoc request @ 16:17:22.137592: f8:1e:df:d6:f7:4d (SN 2944): AP 10.20.30.54-00:0b:86:b7:44:d0-RAP-Mike
Jan 16 16:17:22 :501100: |AP RAP-Mike@10.20.30.54 stm| Assoc success @ 16:17:22.143935: f8:1e:df:d6:f7:4d: AP 10.20.30.54-00:0b:86:b7:44:d0-RAP-Mike
Jan 16 16:17:22 :501105: |stm| Deauth from sta: f8:1e:df:d6:f7:4d: AP 10.20.30.54-00:0b:86:b7:44:d0-RAP-Mike Reason STA has left and is deauthenticated
Jan 16 16:17:22 :501000: |stm| Station f8:1e:df:d6:f7:4d: Clearing state
Jan 16 16:17:22 :501103: |AP RAP-Mike@10.20.30.54 stm| Blacklist add: f8:1e:df:d6:f7:4d: Reason: user-defined
Jan 16 16:17:22 :501080: |AP RAP-Mike@10.20.30.54 stm| Deauth to sta: f8:1e:df:d6:f7:4d: Ageout AP 10.20.30.54-00:0b:86:b7:44:d0-RAP-Mike Denied; STA Blacklisted
Jan 16 16:17:22 :501000: |AP RAP-Mike@10.20.30.54 stm| Station f8:1e:df:d6:f7:4d: Clearing state
Jan 16 16:17:22 :501105: |AP RAP-Mike@10.20.30.54 stm| Deauth from sta: f8:1e:df:d6:f7:4d: AP 10.20.30.54-00:0b:86:b7:44:d0-RAP-Mike Reason STA has left and is deauthenticated
Jan 16 16:17:22 :501044: |AP RAP-Mike@10.20.30.54 stm| Station f8:1e:df:d6:f7:4d: No authentication found trying to de-authenticate to BSSID 00:0b:86:b7:44:d0 on AP RAP-Mike
Jan 16 16:17:27 :501095: |AP RAP-Mike@10.20.30.54 stm| Assoc request @ 16:17:27.822275: f8:1e:df:d6:f7:4d (SN 2986): AP 10.20.30.54-00:0b:86:b7:44:d0-RAP-Mike
Jan 16 16:17:27 :501097: |AP RAP-Mike@10.20.30.54 stm| Assoc request: f8:1e:df:d6:f7:4d: Dropped AP 10.20.30.54-00:0b:86:b7:44:d0-RAP-Mike for STA DoS protection
Jan 16 16:17:33 :501095: |AP RAP-Mike@10.20.30.54 stm| Assoc request @ 16:17:33.825814: f8:1e:df:d6:f7:4d (SN 3028): AP 10.20.30.54-00:0b:86:b7:44:d0-RAP-Mike
Jan 16 16:17:33 :501097: |AP RAP-Mike@10.20.30.54 stm| Assoc request: f8:1e:df:d6:f7:4d: Dropped AP 10.20.30.54-00:0b:86:b7:44:d0-RAP-Mike for STA DoS protection
Jan 16 16:17:39 :501095: |AP RAP-Mike@10.20.30.54 stm| Assoc request @ 16:17:39.766224: f8:1e:df:d6:f7:4d (SN 3070): AP 10.20.30.54-00:0b:86:b7:44:d0-RAP-Mike
Jan 16 16:17:39 :501097: |AP RAP-Mike@10.20.30.54 stm| Assoc request: f8:1e:df:d6:f7:4d: Dropped AP 10.20.30.54-00:0b:86:b7:44:d0-RAP-Mike for STA DoS protection
Jan 16 16:17:45 :501095: |AP RAP-Mike@10.20.30.54 stm| Assoc request @ 16:17:45.707278: f8:1e:df:d6:f7:4d (SN 3112): AP 10.20.30.54-00:0b:86:b7:44:d0-RAP-Mike
Jan 16 16:17:45 :501097: |AP RAP-Mike@10.20.30.54 stm| Assoc request: f8:1e:df:d6:f7:4d: Dropped AP 10.20.30.54-00:0b:86:b7:44:d0-RAP-Mike for STA DoS protection

I went through my VAP and found that "DoS Prevention" was not enabled.

The funny thing now is that my Droid Incredible and my Mac Mini can associate and pull a tunneled IP from the RAP2, but my MacBook Pro won't. I can't wait for the Mac update that reads "Fixed all the wireless issues, our bad. -Love, Steve"... but I'm not going to hold my breath.

Any advice on this one?

Thanks!

-Mike
Guru Elite

Re: RAP initial setup questions

That means that you have firewall Attack-Rate Sessions configured (by default it is not). It is a global setting on the controller to prevent devices from attacking the controller by sending too many open sessions. If you type "show firewall" you will be able to see this setting. You want to just simply remove it:

config t
no firewall attack-rate session

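An added example (not from the thread, and not Aruba's own tooling) that runs over user-debug lines in the format Mike quoted and summarises, per client MAC, the blacklist entries and the "STA DoS protection" association drops, tying a session-flood reason back to the firewall attack-rate session setting Colin names. The sample lines are constructed in that format; the mapping for the other reasons is left as unexplained because the thread does not cover them.

```python
import re
from collections import defaultdict

# Constructed sample in the ArubaOS user-debug format quoted in the thread
# (same client MAC, AP and BSSID as the post; not a new capture).
SAMPLE_LOG = """\
Jan 16 16:17:15 :501100: |stm| Assoc success @ 16:17:15.797118: f8:1e:df:d6:f7:4d: AP 10.20.30.54-00:0b:86:b7:44:d0-RAP-Mike
Jan 16 16:17:16 :522039: |authmgr| MAC=f8:1e:df:d6:f7:4d IP=137.113.190.144 Blacklist user: reason=Monitor IP sessions attack
Jan 16 16:17:16 :501103: |stm| Blacklist add: f8:1e:df:d6:f7:4d: Reason: session-flood
Jan 16 16:17:22 :501097: |stm| Assoc request: f8:1e:df:d6:f7:4d: Dropped AP 10.20.30.54-00:0b:86:b7:44:d0-RAP-Mike for STA DoS protection
Jan 16 16:17:22 :501103: |AP RAP-Mike@10.20.30.54 stm| Blacklist add: f8:1e:df:d6:f7:4d: Reason: user-defined
Jan 16 16:17:27 :501097: |AP RAP-Mike@10.20.30.54 stm| Assoc request: f8:1e:df:d6:f7:4d: Dropped AP 10.20.30.54-00:0b:86:b7:44:d0-RAP-Mike for STA DoS protection
"""

# Common prefix: "Jan 16 16:17:16 :501103: |<source>| "
_PREFIX = r"^(?P<ts>\w{3} \d{1,2} \d\d:\d\d:\d\d) :\d+: \|(?P<src>[^|]+)\| "
_MAC = r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
STM_BLACKLIST_RE = re.compile(_PREFIX + r"Blacklist add: " + _MAC + r": Reason: (?P<reason>[\w-]+)$")
AUTHMGR_BLACKLIST_RE = re.compile(_PREFIX + r"MAC=" + _MAC + r" IP=\S+ Blacklist user: reason=(?P<reason>.+)$")
DOS_DROP_RE = re.compile(_PREFIX + r"Assoc request: " + _MAC + r": Dropped .* for STA DoS protection$")

# session-flood is the reason the thread traced to the controller-wide setting;
# anything else is reported as not covered here rather than guessed at.
REASON_HINTS = {
    "session-flood": "controller-wide 'firewall attack-rate session' tripped (inspect with 'show firewall')",
}


def analyze_user_debug(text):
    """Return {mac: {"drops": n, "blacklists": [(source, reason), ...], "first_blacklist": ts}}."""
    out = defaultdict(lambda: {"drops": 0, "blacklists": [], "first_blacklist": None})
    for line in text.splitlines():
        m = STM_BLACKLIST_RE.match(line) or AUTHMGR_BLACKLIST_RE.match(line)
        if m:
            rec = out[m["mac"]]
            rec["blacklists"].append((m["src"].strip(), m["reason"]))
            rec["first_blacklist"] = rec["first_blacklist"] or m["ts"]
            continue
        m = DOS_DROP_RE.match(line)
        if m:
            out[m["mac"]]["drops"] += 1   # repeated assoc drops while the entry persists
    return dict(out)


def explain(reason):
    """Map a blacklist reason to the cause this thread established, if any."""
    return REASON_HINTS.get(reason, "reason %r not explained in the thread; check the blacklist source" % reason)


def report(text):
    lines = []
    for mac, rec in analyze_user_debug(text).items():
        lines.append("%s: %d assoc drop(s) for STA DoS protection, first blacklist at %s"
                     % (mac, rec["drops"], rec["first_blacklist"]))
        for src, reason in rec["blacklists"]:
            lines.append("  %s: %s -> %s" % (src, reason, explain(reason)))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```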
Super Contributor I

Re: RAP initial setup questions

Colin,

That worked like a charm, thanks! Actually, we've been having intermittent Mac issues on the campus, so there's a good chance that your catch may have fixed some other problems as well.

I'm going to try and get the split-tunneling stuff working either tonight or tomorrow. I'll follow up on this thread if I have any issues.

Thanks for your continued help!

-Mike