Occasional Contributor I

RAP2WG IKE Authorization Failure

About 2 weeks ago all of my RAP-2WGs (4 total) dropped their connections, and now are getting an "RC_ERROR_IKE_XAUTH_AUTHORIZATION_FAILED" error on the RAP's provisioning page, and an "Authentication result=Authentication failed(1)" message on the 3200 Controller running version 5.0.1.

One of my guys was testing RADIUS server solutions, and it is possible he changed something, but I haven't found it, other than pointing the profile for the RAPs back to their original RADIUS servers.

Once again, there is probably some small change that needs to be made and I'm not sure where to look.

I appreciate any help.

Verify these areas in the WEBUI

I would verify that

a) The VPN authentication profile server group remains 'internal'.

This can be facilitated by checking:
Configuration/All Profiles/Wireless LAN/VPN Authentication Profile/Server Group. This should be set to internal for the RAPs; perhaps it was moved during RADIUS testing.

b) The RAP whitelist to ensure all the MAC addresses of your RAPs remain intact.
This can be facilitated by checking:
Configuration/AP Installation/RAP Whitelist

Occasional Contributor I

Re: RAP2WG IKE Authorization Failure

The VPN Authentication profile was set to "default" and is still that way. Prior to the RAPs dropping, it worked with the default profile.

The RAP whitelist is also still set up the way it was when things were functioning properly.

I'm not as familiar as I'd like to be with the debug process on the Aruba controllers, especially with IPSec.

Is there an Aruba IPSec guru out there?

Guru Elite

Re: RAP2WG IKE Authorization Failure

There are quite a few ways that you can configure it. The best thing that you can do is find out what was changed. Get into the commandline of the controller and type "show audit-trail" and that will tell you what your guy changed. That is the first place to look.

*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*

Super Contributor I

IPSEC troubleshooting

First remove encryption:
#encrypt dis

Check your IPSEC key to see if the correct key is still there:
#show crypto isakmp key (your problem is probably here)

If you are sure your keys match then:
#show crypto ipsec sa
#show crypto isakmp sa

Don't forget to re-enable encryption:
#encrypt en

More serious troubleshooting:

Using datapath:
#show datapath session ap-name MYRAP2

Following are debugging commands for IPSEC:
#logging level debug security process crypto
#logging level debug security subcat ike
#logging level debug security process l2tp
#logging level debug security process localdb
#logging level debug security process authmgr

~Trinh Nguyen~
Boys Town