
Can't provision access point

  • 1.  Can't provision access point

    Posted Dec 10, 2018 04:47 AM

    Hi all!

     

    I tried to provision an access point, but I see this in the logs:

    Dec 10 12:41:36 authmgr[3583]: <522275> <ERRS> |authmgr| User Authentication failed. username=ac:a3:1e:c4:ab:e4 userip=10.1.190.2 usermac=ac:a3:1e:c4:ab:e4 servername=Internal serverip=10.1.100.1 apname=N/A bssid=00:00:00:00:00:00
    Dec 10 12:41:40 authmgr[3583]: <522275> <ERRS> |authmgr| User Authentication failed. username=ac:a3:1e:c4:ab:e4 userip=10.1.190.2 usermac=ac:a3:1e:c4:ab:e4 servername=Internal serverip=10.1.100.1 apname=N/A bssid=00:00:00:00:00:00
    Dec 10 12:41:44 authmgr[3583]: <522275> <ERRS> |authmgr| User Authentication failed. username=ac:a3:1e:c4:ab:e4 userip=10.1.190.2 usermac=ac:a3:1e:c4:ab:e4 servername=Internal serverip=10.1.100.1 apname=N/A bssid=00:00:00:00:00:00
    Dec 10 12:41:48 authmgr[3583]: <522275> <ERRS> |authmgr| User Authentication failed. username=ac:a3:1e:c4:ab:e4 userip=10.1.190.2 usermac=ac:a3:1e:c4:ab:e4 servername=Internal serverip=10.1.100.1 apname=N/A bssid=00:00:00:00:00:00

     

     

    The AP gets these DHCP options:

    option 43 ascii 10.1.190.1,RU
    option 60 ascii ArubaMC

     

    I added the MAC address as the username in the local DB, but nothing changed.



  • 2.  RE: Can't provision access point

    MVP EXPERT
    Posted Dec 10, 2018 05:02 AM

    Is this a RAP? What kind of AP is this, what is the firmware version of your controller? Do you have CPSEC enabled?



  • 3.  RE: Can't provision access point

    Posted Dec 10, 2018 05:45 AM

    Thanks for the answer!

    It is a local AP. The access point and controller are in the same L2 domain.

     

    The version is

    ArubaOS (MODEL: Aruba7005), Version 6.4.3.4

     

    Control plane security (CPSEC) is disabled.



  • 4.  RE: Can't provision access point

    MVP EXPERT
    Posted Dec 10, 2018 05:46 AM

    What is the model of the AP? Some APs, for example the 3xx series, require the controller to be running AOS 6.5 and higher.



  • 5.  RE: Can't provision access point

    Posted Dec 10, 2018 08:37 AM

    AP model is "Apin0205"



  • 6.  RE: Can't provision access point

    MVP EXPERT
    Posted Dec 10, 2018 08:48 AM
    What state is it in? CAP, IAP? From the logs it might be already configured as a RAP. Have you factory reset it?


  • 7.  RE: Can't provision access point

    Posted Dec 11, 2018 09:37 AM

    Excuse me for the long answer.

    It is a RAP.

    Yesterday I had not added it to the whitelist. Today I added it.

    Now I see this:

    Dec 11 17:28:17 isakmpd[3508]: <103046> <ERRS> |ike| IKE XAuth client UP failed 10.1.190.2 (External 10.1.190.2)

     

    I ran this command for debugging, "logging level debug security process authmgr", but I can't find why provisioning does not work.

     

    Dec 11 17:28:13 authmgr[3583]: <124003> <INFO> |authmgr| Authentication result=Authentication Successful(0), method=VPN, server=Internal, user=ac:a3:1e:c4:ab:e4
    Dec 11 17:28:13 authmgr[3583]: <124004> <DBUG> |authmgr| logging role event for 0x13bc1e4: 0x130951c,0x2, index 0
    Dec 11 17:28:13 authmgr[3583]: <124004> <DBUG> |authmgr| role 'value-of'
    Dec 11 17:28:13 authmgr[3583]: <124004> <DBUG> |authmgr| server=Internal, ena=1, ins=1 (1)
    Dec 11 17:28:13 authmgr[3583]: <124004> <DBUG> |authmgr| Matching `default' rules to derive role ...
    Dec 11 17:28:13 authmgr[3583]: <124004> <DBUG> |authmgr| RX (sock) message of type 19, len 28
    Dec 11 17:28:13 authmgr[3583]: <124004> <DBUG> |authmgr| RX (sock) message of type 66, len 1016
    Dec 11 17:28:13 authmgr[3583]: <124004> <DBUG> |authmgr| Select server for method=VPN, user=ac:a3:1e:c4:ab:e4, essid=<>, server-group=default, last_srv <>
    Dec 11 17:28:13 authmgr[3583]: <124004> <DBUG> |authmgr| aal_authenticate (975)(INC) : os_auths 1, s Internal type 1 inservice 1 markedD 0 sg_name default
    Dec 11 17:28:13 authmgr[3583]: <124004> <DBUG> |authmgr| auth_ip_down: send IP down to SAPM for RAP with inner ip 10.1.190.2 outer ip 10.1.190.2
    Dec 11 17:28:13 authmgr[3583]: <124004> <DBUG> |authmgr| ip=10.1.190.2, sg=default
    Dec 11 17:28:13 authmgr[3583]: <124004> <DBUG> |authmgr| ip=10.1.190.2, sg=default
    Dec 11 17:28:13 authmgr[3583]: <124004> <DBUG> |authmgr| match_rule Value Pair to match AP_Authenticated : 0
    Dec 11 17:28:13 authmgr[3583]: <124004> <DBUG> |authmgr| match_rule Value Pair to match AP_Group : default
    Dec 11 17:28:13 authmgr[3583]: <124004> <DBUG> |authmgr| match_rule Value Pair to match AP_Name : ac:a3:1e:c4:ab:e4
    Dec 11 17:28:13 authmgr[3583]: <124004> <DBUG> |authmgr| match_rule Value Pair to match Authentication-Sub-Type : 7
    Dec 11 17:28:13 authmgr[3583]: <124004> <DBUG> |authmgr| match_rule Value Pair to match Authentication-Type : 3
    Dec 11 17:28:13 authmgr[3583]: <124004> <DBUG> |authmgr| match_rule Value Pair to match DB_Entry_State : 0
    Dec 11 17:28:13 authmgr[3583]: <124004> <DBUG> |authmgr| match_rule Value Pair to match Remote-IP : 10.1.190.2
    Dec 11 17:28:13 authmgr[3583]: <124004> <DBUG> |authmgr| match_rule Value Pair to match Server-Group : default
    Dec 11 17:28:13 authmgr[3583]: <124004> <DBUG> |authmgr| match_rule Value Pair to match Server-Name : Internal
    Dec 11 17:28:13 authmgr[3583]: <124004> <DBUG> |authmgr| match_rule Value Pair to match User-Name : ac:a3:1e:c4:ab:e4
    Dec 11 17:28:13 authmgr[3583]: <124004> <DBUG> |authmgr| match_rule Value Pair to match User-Name : ac:a3:1e:c4:ab:e4
    Dec 11 17:28:13 authmgr[3583]: <124004> <DBUG> |authmgr| match_rule Value Pair to match essid :
    Dec 11 17:28:13 authmgr[3583]: <124004> <DBUG> |authmgr| match_rule Value Pair to match fw_mode : 0
    Dec 11 17:28:13 authmgr[3583]: <124004> <DBUG> |authmgr| match_rule Value Pair to match location : N/A
    Dec 11 17:28:13 authmgr[3583]: <124004> <DBUG> |authmgr| match_rule Value Pair to match macaddr : 00:00:00:00:00:00
    Dec 11 17:28:13 authmgr[3583]: <124004> <DBUG> |authmgr| ncfg_auth_server_group_authtype ip=10.1.190.2, method=VPN vpnflags:2
    Dec 11 17:28:13 authmgr[3583]: <124004> <DBUG> |authmgr| ncfg_auth_server_group_authtype ip=10.1.190.2, method=VPN vpnflags:2
    Dec 11 17:28:13 authmgr[3583]: <124004> <DBUG> |authmgr| ncfg_auth_server_group_authtype vpnflags:2 vpn-profile:default-rap
    Dec 11 17:28:13 authmgr[3583]: <124004> <DBUG> |authmgr| ncfg_auth_server_group_authtype vpnflags:2 vpn-profile:default-rap
    Dec 11 17:28:13 authmgr[3583]: <124004> <DBUG> |authmgr| rule: set role condition role value-of
    Dec 11 17:28:13 authmgr[3583]: <124004> <DBUG> |authmgr| server_cbh (477)(DEC) : os_auths 0, s Internal type 1 inservice 1 markedD 0 sg_name default
    Dec 11 17:28:13 authmgr[3583]: <124038> <INFO> |authmgr| Selected server Internal for method=VPN; user=ac:a3:1e:c4:ab:e4, essid=<>, domain=<>, server-group=default
    Dec 11 17:28:13 authmgr[3583]: <124097> <DBUG> |authmgr| Setting authserver 'Internal' for user 10.1.190.2, client VPN.
    Dec 11 17:28:13 authmgr[3583]: <124098> <DBUG> |authmgr| Setting authstate 'started' for user 10.1.190.2, client VPN.
    Dec 11 17:28:13 authmgr[3583]: <124099> <DBUG> |authmgr| Setting auth type 'VPN' for user 10.1.190.2, client VPN.
    Dec 11 17:28:13 authmgr[3583]: <124100> <DBUG> |authmgr| Setting auth subtype 'EAP-LEAP' for user 10.1.190.2, client VPN.
    Dec 11 17:28:13 authmgr[3583]: <124150> <DBUG> |authmgr| Create ipuser and user 00:00:00:00:00:00.
    Dec 11 17:28:13 authmgr[3583]: <124153> <DBUG> |authmgr| Free ipuser 0x0xeda94c (10.1.190.2) for user 0x0x13bc1e4.
    Dec 11 17:28:13 authmgr[3583]: <124154> <DBUG> |authmgr| Free user 0x0x13bc1e4.
    Dec 11 17:28:13 authmgr[3583]: <124155> <DBUG> |authmgr| No macuser for ip 10.1.190.2, mac 00:00:00:00:00:00.
    Dec 11 17:28:13 authmgr[3583]: <124156> <DBUG> |authmgr| Called ip_user_new() for ip 10.1.190.2.
    Dec 11 17:28:13 authmgr[3583]: <124184> <DBUG> |authmgr| {L3} Authenticating Server is Internal.
    Dec 11 17:28:13 authmgr[3583]: <124230> <DBUG> |authmgr| Rx message 62/79, length 739 from 127.0.0.1:8344
    Dec 11 17:28:13 authmgr[3583]: <124234> <DBUG> |authmgr| Tx message to Sibyte, blocking with ack, Opcode = 17, msglen = 332 action = 5
    Dec 11 17:28:13 authmgr[3583]: <124441> <DBUG> |authmgr| auth_user_query_resp: vpnflags:2
    Dec 11 17:28:13 authmgr[3583]: <124453> <DBUG> |authmgr| auth_user_query_resp: response user:ac:a3:1e:c4:ab:e4 ip:10.1.190.2 cookie:-519738132
    Dec 11 17:28:13 authmgr[3583]: <124454> <DBUG> |authmgr| auth_user_query_raw: recvd request user:ac:a3:1e:c4:ab:e4 ip:10.1.190.2 cookie:-519738132
    Dec 11 17:28:13 authmgr[3583]: <124459> <DBUG> |authmgr| IP DN int: 10.1.190.2, ext:10.1.190.2
    Dec 11 17:28:13 authmgr[3583]: <124467> <DBUG> |authmgr| Framed IP: found 0x0xa01be02 (mask 0x0x0)
    Dec 11 17:28:13 authmgr[3583]: <124546> <DBUG> |authmgr| aal_authenticate user:ac:a3:1e:c4:ab:e4 vpnflags:2.
    Dec 11 17:28:13 authmgr[3583]: <124547> <DBUG> |authmgr| aal_authenticate server_group:default.
    Dec 11 17:28:13 authmgr[3583]: <124607> <DBUG> |authmgr| server_cbh(): response=0 from Auth server 'Internal for client:3 proto:7 eap-type:0'.
    Dec 11 17:28:13 authmgr[3583]: <124861> <DBUG> |authmgr| Auth GSM : IP_USER delete for IP 10.1.190.2
    Dec 11 17:28:13 authmgr[3583]: <124862> <DBUG> |authmgr| Auth GSM : IP_USER delete failed for IP 10.1.190.2 result error_htbl_key_not_found
    Dec 11 17:28:13 isakmpd[3508]: <103046> <ERRS> |ike| IKE XAuth client UP failed 10.1.190.2 (External 10.1.190.2)
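
The two days of logs in this thread show different failure stages: on Dec 10 authmgr rejects the AP, on Dec 11 authmgr accepts it but isakmpd still reports the XAuth client UP failure. The following is an added example, not part of any post in the thread, that sorts such lines into those stages per day and AP address. The message ids and field layouts are taken only from the lines quoted above; the verdict labels and function names are made up for this example.

```python
import re
from collections import defaultdict

# Five lines copied from the logs posted in this thread.
SAMPLE = """\
Dec 10 12:41:36 authmgr[3583]: <522275> <ERRS> |authmgr| User Authentication failed. username=ac:a3:1e:c4:ab:e4 userip=10.1.190.2 usermac=ac:a3:1e:c4:ab:e4 servername=Internal serverip=10.1.100.1 apname=N/A bssid=00:00:00:00:00:00
Dec 10 12:41:40 authmgr[3583]: <522275> <ERRS> |authmgr| User Authentication failed. username=ac:a3:1e:c4:ab:e4 userip=10.1.190.2 usermac=ac:a3:1e:c4:ab:e4 servername=Internal serverip=10.1.100.1 apname=N/A bssid=00:00:00:00:00:00
Dec 11 17:28:13 authmgr[3583]: <124003> <INFO> |authmgr| Authentication result=Authentication Successful(0), method=VPN, server=Internal, user=ac:a3:1e:c4:ab:e4
Dec 11 17:28:13 authmgr[3583]: <124453> <DBUG> |authmgr| auth_user_query_resp: response user:ac:a3:1e:c4:ab:e4 ip:10.1.190.2 cookie:-519738132
Dec 11 17:28:13 isakmpd[3508]: <103046> <ERRS> |ike| IKE XAuth client UP failed 10.1.190.2 (External 10.1.190.2)
"""

LINE = re.compile(r"^(\w{3} +\d+) [\d:]{8} \w+\[\d+\]: <(\d+)> <\w+> \|\w+\| (.*)$")
MAC = r"(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}"
IP = r"\d+\.\d+\.\d+\.\d+"
# Message id -> (stage name, pattern capturing the AP address for that stage)
RULES = {
    "522275": ("auth_failed", re.compile(rf"userip=({IP})")),
    "103046": ("xauth_up_failed", re.compile(rf"UP failed ({IP})")),
}

def verdict(stages):
    if "auth_ok" in stages:
        return "AUTH_OK_TUNNEL_FAILED" if "xauth_up_failed" in stages else "AUTH_OK"
    return "AUTH_REJECTED" if "auth_failed" in stages else "TUNNEL_FAILED_ONLY"

def triage(text):
    """Return {(day, ip): verdict} for every AP address seen in the log text."""
    seen = defaultdict(set)        # (day, ip) -> stages observed
    ok_users, user_ip = set(), {}  # successful (day, mac); (day, mac) -> ip
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        day, msgid, body = m.groups()
        if msgid in RULES:
            stage, pat = RULES[msgid]
            hit = pat.search(body)
            if hit:
                seen[(day, hit.group(1))].add(stage)
        elif msgid == "124003" and "Authentication Successful" in body:
            hit = re.search(rf"user=({MAC})", body)
            if hit:
                ok_users.add((day, hit.group(1)))
        elif msgid == "124453":    # ties the MAC user name to an IP address
            hit = re.search(rf"user:({MAC}) ip:({IP})", body)
            if hit:
                user_ip[(day, hit.group(1))] = hit.group(2)
    # Resolve last: in the posted dump the success line precedes the MAC-to-IP line.
    for key in ok_users & user_ip.keys():
        seen[(key[0], user_ip[key])].add("auth_ok")
    return {key: verdict(stages) for key, stages in seen.items()}
```

Calling `triage(SAMPLE)` labels Dec 10 as rejected at authentication and Dec 11 as authenticated with the tunnel step failing, which is the point where the troubleshooting in the thread had moved on from the whitelist.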



  • 8.  RE: Can't provision access point
    Best Answer

    Posted Dec 24, 2018 04:57 AM

    After resetting the controller and AP, the problem did not recur.