Security

We have the Bradford Network Sentry NAC (version 6.2), which we have used for some time on our Wired side of network. We are running version 6.3.1.5 AOS on our controllers. We have recently set up an SSID to use the Bradford NAC for VLAN assignments, and it was working. Now, the Bradford is putting the SSID clients into Registration, and not making the correct VLAN assignment.

 

Contacted Bradford TAC and they pointed us to an alert document entitled "INCORRECT VLAN ASSIGNMENT WITH ARUBA
FIRMWARE 6.3.1.1".pdf (see atthaced.)

 

Anyone else having issues with Bradford 6.2 and and Aruba 6.3.x ?

 

 

We are running Network Sentry 6.0 and Aruba OS 6.1.3.6-airgroup and are seeing similar results. For the majority of the time, everything is fine and our users get put into the correct VLAN. But somedays, all of a sudden, our users will get thrown in to registration even though they are registered. 

 

The document you supplied from Bradford doesn't pertain to our situation as the default roles have been set since inception.

 

The only remedy for us is to reboot the controller.

Was that a reboot of the Aruba controller, or, a reboot of the Bradford controller?

 

Our Aruba is in a Master/Backup HA pair, and the Bradford is also in a active-passive HA pair. A reboot of either system would not cause an outage, but I still have to go through change management approval.

 

If the Aruba reboot clears the issue, then I may open a case with Aruba TAC, to see if there is a way to restart a particular service. This problem has something to do with authentication? When I do Aruba Diagnostics \ AAA Test Server \ Begin Test (on the Bradford RADIUS), I get Authentication failure.

---

@wdawes wrote:

When I do Aruba Diagnostics \ AAA Test Server \ Begin Test (on the Bradford RADIUS), I get Authentication failure.

 

---

I get Authentication failure as well. Clients are authenticating. I suspect the test is having problems.

 

Guys, we've run into the same issue as well. A reboot of the Aruba controller would fix the issue temporarily. We were experiencing the authentication issue about once a week. A user would come onto campus, and never get out of the initial role (registration) even though their device was registered in Bradford.

 

I spent hours on the phone with Aruba, to no avail. we upgraded our controllers from 6.1.3.6-airgroup to 6.3.1.6. The issue was still occurring.

 

After calling Bradford back for a second time (the first time they said they didn't see anything wrong and that it was an Aruba issue) they noticed a bunch of SSH authentication errors coming from Aruba. Aruba was having issues logging in.

 

At the time we were running Bradford NS 6.0.x. We upgraded to Bradford 6.2.3.98 and the issue seems to be resolved. It's been a full week without a problem.

 

I hope this helps.

---

@derbystar16 wrote:

 

At the time we were running Bradford NS 6.0.x. We upgraded to Bradford 6.2.3.98 and the issue seems to be resolved. It's been a full week without a problem.

 

---

Thanks,
Our Network Sentry is running 6.2.3.98. Would you mind running the Aruba daig test?

Diagnostics->AAA Test Server ->Begin Test->Bradford

 

We are having an issue where clients have the initial role (denyall), but their IP address is from production networks. It is like they are authenticating and getting assigned to the correct role/VLAN and then their role changes. I don't mean to hijack this thread, but I wonder if this is a related issue. This is happening on a non-Bradford SSID as well. I've had a ticket open with TAC for a while, and they can't reproduce the problem. 

 

Yeah, not sure if that test is accurate. I get a AAA timeout error when trying that.
--
Nathan Kuhl
Information Technology
Wyoming Seminary
570-270-2241

*** Report all problems to the help desk: http://it.wyomingseminary.org or ext. 2240 ***