Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ssid incorrect password if ap in other lan

  • 1.  ssid incorrect password if ap in other lan

    Posted Dec 21, 2018 10:13 AM

    Hi, we have an SSID (not visible) that is on all our APs.

    Forward mode tunnel, VLAN 3090, AP 31X, mobility controller.

    With a PC, we connect to the SSID on an AP in the same network as the controller => OK (connection, DHCP, web access).

    We move to another building and try to connect to the same SSID.

    The APs are on another IP network; they are adopted by the same controller.

    We use the same VAP/SSID profile (tunnel, VLAN 3090) and we get the message "incorrect password" => no connection.

    What did we misconfigure?

    We can provide more information if necessary.

    Thanks for your help.

    Nicolas. (Sorry for the bad English.)



  • 2.  RE: ssid incorrect password if ap in other lan

    Posted Dec 21, 2018 02:27 PM

    Check to see if the AP is part of the same AP group. If it is not part of the same AP group, check the VAP's SSID profile and ensure you are applying the same SSID profile to the VAP as the other one.



  • 3.  RE: ssid incorrect password if ap in other lan

    EMPLOYEE
    Posted Dec 22, 2018 11:47 AM

    Is this an Aruba Instant (IAP) installation or a Controller-based installation?  What version of ArubaOS are you running?



  • 4.  RE: ssid incorrect password if ap in other lan

    Posted Dec 27, 2018 03:32 AM

    Hi,

    So we have a mobility controller (6.5.4.10). All APs are up to date.

    We checked the configuration; the APs are in 8 AP groups and the virtual-AP "xxxxxx.vap" is the same. No difference between an AP group where we don't have the problem (i.e. we can connect) and the AP group where we have the problem (i.e. incorrect password), except the name of the AP group.

    (entrepots means warehouse)

    -------------------------------------------------------------

    ap-group "XXX_ENTREPOTS"

       virtual-ap "xxxxxx_XXX_mobile.vap"
       virtual-ap "xxxxxx_yyy.vap"
       dot11a-radio-profile "xxxxxxxx_entrepots_a.radio"
       dot11g-radio-profile "xxxxxxxx_entrepots_g.radio"
       ap-system-profile "xxxxxxxxxx.ap"
       regulatory-domain-profile "xxxxxxxxxx_entrepots.reg"
    !                                                 
    ap-group "default"
    !
    ap-group "YYYYYY_ENTREPOTS"

       virtual-ap "xxxxxx_YYY_mobile.vap"
       virtual-ap "xxxxxx_yyy.vap"
       dot11a-radio-profile "xxxxxxxx_entrepots_a.radio"
       dot11g-radio-profile "xxxxxxxx_entrepots_g.radio"
       ap-system-profile "xxxxxxxxxx.ap"
       regulatory-domain-profile "xxxxxxxxxx_entrepots.reg"
    !

    ------------------------------------------------------------------------------------

    ap-group "XXX_ENTREPOTS" works with xxxxxx_yyy.vap

    ap-group "YYYYYY_BUREAUX" doesn't work with xxxxxx_yyy.vap

    The virtual-ap "xxxxxx_YYY_mobile.vap" works in both AP groups (it's a bridge mode SSID).

    But I don't think that it is a tunnel or bridge mode problem, as the error shown by the Windows client is "incorrect password".

    Let us know if you want more information.

     

    Regards



  • 5.  RE: ssid incorrect password if ap in other lan

    EMPLOYEE
    Posted Dec 27, 2018 06:44 AM

    If it is a bridge mode SSID, you need to make sure that the proper VLANs are trunked to the access points with the problem.  Check the switchport that the access point is connected to, to ensure the VLANs are correct and the trunk configuration is correct.



  • 6.  RE: ssid incorrect password if ap in other lan

    Posted Dec 27, 2018 10:46 AM

    Hi,

    Here is a log when a Windows 10 station tries to connect to the SSID and fails:

     

    Dec 27 16:01:51 :501093:  <NOTI> |AP DYDDD2AP03@172.29.123.214 stm|  Auth success: 1c:4d:70:05:f0:c8: AP 172.29.123.214-80:8d:b7:e4:20:53-DYDDD2AP03
    Dec 27 16:01:51 :501095:  <NOTI> |AP DYDDD2AP03@172.29.123.214 stm|  Assoc request @ 16:01:51.862362: 1c:4d:70:05:f0:c8 (SN 2056): AP 172.29.123.214-80:8d:b7:e4:20:53-DYDDD2AP03
    Dec 27 16:01:51 :501218:  <NOTI> |AP DYDDD2AP03@172.29.123.214 stm|  stm_sta_assign_vlan 18455: VLAN: sta 1c:4d:70:05:f0:c8, STM assigns MAC based vlan_id 3090
    Dec 27 16:01:51 :501218:  <4172> <NOTI> |stm|  stm_sta_assign_vlan 18449: VLAN: sta 1c:4d:70:05:f0:c8, STM assigns MAC based vlan_id 3090
    Dec 27 16:01:51 :501100:  <NOTI> |AP DYDDD2AP03@172.29.123.214 stm|  Assoc success @ 16:01:51.862955: 1c:4d:70:05:f0:c8: AP 172.29.123.214-80:8d:b7:e4:20:53-DYDDD2AP03
    Dec 27 16:01:51 :501100:  <4172> <NOTI> |stm|  Assoc success @ 16:01:51.869899: 1c:4d:70:05:f0:c8: AP 172.29.123.214-80:8d:b7:e4:20:53-DYDDD2AP03
    Dec 27 16:01:51 :522035:  <4956> <INFO> |authmgr|  MAC=1c:4d:70:05:f0:c8 Station UP: BSSID=80:8d:b7:e4:20:53 ESSID=XXXXX VLAN=3090 AP-name=DYDDD2AP03
    Dec 27 16:01:51 :522049:  <4956> <INFO> |authmgr|  MAC=1c:4d:70:05:f0:c8,IP=N/A User role updated, existing Role=logon/none, new Role=allowall/none, reason=Set AAA profile defaults
    Dec 27 16:01:51 :522050:  <4956> <INFO> |authmgr|  MAC=1c:4d:70:05:f0:c8,IP=N/A User data downloaded to datapath, new Role=allowall/74, bw Contract=0/0, reason=layer 2 event driven download, idle-timeout=300
    Dec 27 16:01:54 :501106:  <5218> <NOTI> |stm|  Deauth to sta: 1c:4d:70:05:f0:c8: Ageout AP 172.29.123.214-80:8d:b7:e4:20:53-DYDDD2AP03 wifi_deauth_sta
    Dec 27 16:01:54 :522036:  <4956> <INFO> |authmgr|  MAC=1c:4d:70:05:f0:c8 Station DN: BSSID=80:8d:b7:e4:20:53 ESSID=XXXX VLAN=3090 AP-name=DYDDD2AP03
    Dec 27 16:01:54 :527004:  <4370> <INFO> |mdns|  mdns_parse_auth_useridle_message 169 Auth User Idle Timeout: MAC:1c:4d:70:05:f0:c8
    Dec 27 16:01:54 :501080:  <5218> <NOTI> |stm|  Deauth to sta: 1c:4d:70:05:f0:c8: Ageout AP 172.29.123.214-80:8d:b7:e4:20:53-DYDDD2AP03 Ptk Challenge Failed
    Dec 27 16:01:54 :501105:  <NOTI> |AP DYDDD2AP03@172.29.123.214 stm|  Deauth from sta: 1c:4d:70:05:f0:c8: AP 172.29.123.214-80:8d:b7:e4:20:53-DYDDD2AP03 Reason Ptk Challenge Failed
    Dec 27 16:02:26 :501093:  <NOTI> |AP DYDDD2AP03@172.29.123.214 stm|  Auth success: 1c:4d:70:05:f0:c8: AP 172.29.123.214-80:8d:b7:e4:20:53-DYDDD2AP03
    Dec 27 16:02:26 :501095:  <NOTI> |AP DYDDD2AP03@172.29.123.214 stm|  Assoc request @ 16:02:26.037863: 1c:4d:70:05:f0:c8 (SN 1248): AP 172.29.123.214-80:8d:b7:e4:20:53-DYDDD2AP03
    Dec 27 16:02:26 :501218:  <NOTI> |AP DYDDD2AP03@172.29.123.214 stm|  stm_sta_assign_vlan 18455: VLAN: sta 1c:4d:70:05:f0:c8, STM assigns MAC based vlan_id 3090
    Dec 27 16:02:26 :501100:  <NOTI> |AP DYDDD2AP03@172.29.123.214 stm|  Assoc success @ 16:02:26.038457: 1c:4d:70:05:f0:c8: AP 172.29.123.214-80:8d:b7:e4:20:53-DYDDD2AP03
    Dec 27 16:02:26 :501218:  <4172> <NOTI> |stm|  stm_sta_assign_vlan 18449: VLAN: sta 1c:4d:70:05:f0:c8, STM assigns MAC based vlan_id 3090
    Dec 27 16:02:26 :501100:  <4172> <NOTI> |stm|  Assoc success @ 16:02:26.042084: 1c:4d:70:05:f0:c8: AP 172.29.123.214-80:8d:b7:e4:20:53-DYDDD2AP03
    Dec 27 16:02:26 :522035:  <4956> <INFO> |authmgr|  MAC=1c:4d:70:05:f0:c8 Station UP: BSSID=80:8d:b7:e4:20:53 ESSID=XXXX VLAN=3090 AP-name=DYDDD2AP03
    Dec 27 16:02:26 :522049:  <4956> <INFO> |authmgr|  MAC=1c:4d:70:05:f0:c8,IP=N/A User role updated, existing Role=logon/none, new Role=allowall/none, reason=Set AAA profile defaults
    Dec 27 16:02:26 :522050:  <4956> <INFO> |authmgr|  MAC=1c:4d:70:05:f0:c8,IP=N/A User data downloaded to datapath, new Role=allowall/74, bw Contract=0/0, reason=layer 2 event driven download, idle-timeout=300
    Dec 27 16:02:29 :501106:  <5218> <NOTI> |stm|  Deauth to sta: 1c:4d:70:05:f0:c8: Ageout AP 172.29.123.214-80:8d:b7:e4:20:53-DYDDD2AP03 wifi_deauth_sta
    Dec 27 16:02:29 :522036:  <4956> <INFO> |authmgr|  MAC=1c:4d:70:05:f0:c8 Station DN: BSSID=80:8d:b7:e4:20:53 ESSID=XXXXX VLAN=3090 AP-name=DYDDD2AP03
    Dec 27 16:02:29 :527004:  <4370> <INFO> |mdns|  mdns_parse_auth_useridle_message 169 Auth User Idle Timeout: MAC:1c:4d:70:05:f0:c8

    We checked the password; it's good. It is a TUNNEL mode SSID (I just said that a bridge mode SSID is OK).

    The SSID works in the warehouse where the APs and the controller are on the same network, but not in the warehouse where the APs are on another IP network.

    The APs are in two distinct AP groups but we use the same SSID profile and the same config (except the name).

     

    Regards



  • 7.  RE: ssid incorrect password if ap in other lan

    EMPLOYEE
    Posted Dec 27, 2018 12:06 PM

    What is the difference between:

     

    ap-group "XXX_ENTREPOTS" 

     

    and 

     

    ap-group "YYYYYY_BUREAUX"   ?



  • 8.  RE: ssid incorrect password if ap in other lan

    Posted Jan 02, 2019 07:43 AM

    Hi,

    For us there are no differences between the two AP groups that relate to the problem (only RF domain or ARM).

    We spent more than 2 hours comparing (from sh run) the two AP groups without finding anything.

    But from the "show running" command:

     

    ap-group "dddd_BUREAUX"
       virtual-ap "XXXXXXX_visiteurs.vap"
       virtual-ap "XXXXXXX_dddd_bureaux.vap"
       virtual-ap "XXXXXXX_dddd_exploit_OLD.vap"
       virtual-ap "XXXXXXX_dddd_exploit.vap"
       virtual-ap "XXXXXXX_dddd_mobile.vap"
       virtual-ap "XXXXXXX_gggggg.vap"
       virtual-ap "XXXXXXX_ppppppp.vap"
       dot11a-radio-profile "XXXXXXX_bureaux_a.radio"
       dot11g-radio-profile "XXXXXXX_bureaux_g.radio"
       ap-system-profile "XXXXXXX.ap"
       regulatory-domain-profile "XXXXXXX_bureaux.reg"

    and

    ap-group "bbb_ENTREPOTS"
       virtual-ap "XXXXXXX_bbb_exploit_OLD.vap"
       virtual-ap "XXXXXXX_bbb_bureaux.vap"
       virtual-ap "XXXXXXX_gggggg.vap"
       virtual-ap "XXXXXXX_bbb_mobile.vap"
       virtual-ap "XXXXXXX_bbb_exploit.vap"
       virtual-ap "XXXXXXX_ppppppp.vap"
       dot11a-radio-profile "XXXXXXX_entrepots_a.radio"
       dot11g-radio-profile "XXXXXXX_entrepots_g.radio"
       ap-system-profile "XXXXXXX.ap"
       regulatory-domain-profile "XXXXXXX_entrepots.reg"

    the vap and ssid profile :

    wlan virtual-ap "XXXXXXX_ppppppp.vap"
       aaa-profile "ddddddddddd_wpa.aaa"
       ssid-profile "PPPP.ssid"
       vlan 3090
       dynamic-mcast-optimization                     
       dynamic-mcast-optimization-thresh 80
    
    wlan ssid-profile "PPPP.ssid"
       essid "SSSSSSSSSSSSS"
       opmode wpa2-psk-aes
       hide-ssid
       deny-bcast
       wpa-passphrase XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
       ht-ssid-profile "ddddd.htssid"

    It is 'virtual-ap "XXXXXXX_ppppppp.vap"' that has the problem (tunnel).

    The other ones, which are bridge mode VAPs, are OK.

    The 'ap-system-profile' is the same.

    dot11g-radio-profile and regulatory-domain-profile are not the same, but they deal with channels or the ARM profile, so I think this is not the problem.

    So we made a correct connection on an AP that is in the "bbb_ENTREPOTS" ap-group:

     

    Jan 2 10:47:45 :501093:  <NOTI> |AP BOAA04AP02@172.29.59.56 stm|  Auth success: 00:23:15:e7:25:43: AP 172.29.59.56-38:17:c3:f9:39:11-BOAA04AP02
    Jan 2 10:47:45 :501095:  <NOTI> |AP BOAA04AP02@172.29.59.56 stm|  Assoc request @ 10:47:45.253697: 00:23:15:e7:25:43 (SN 0): AP 172.29.59.56-38:17:c3:f9:39:11-BOAA04AP02
    Jan 2 10:47:45 :501218:  <NOTI> |AP BOAA04AP02@172.29.59.56 stm|  stm_sta_assign_vlan 18455: VLAN: sta 00:23:15:e7:25:43, STM assigns MAC based vlan_id 3090
    Jan 2 10:47:45 :501218:  <4172> <NOTI> |stm|  stm_sta_assign_vlan 18449: VLAN: sta 00:23:15:e7:25:43, STM assigns MAC based vlan_id 3090
    Jan 2 10:47:45 :501100:  <NOTI> |AP BOAA04AP02@172.29.59.56 stm|  Assoc success @ 10:47:45.254572: 00:23:15:e7:25:43: AP 172.29.59.56-38:17:c3:f9:39:11-BOAA04AP02
    Jan 2 10:47:45 :501100:  <4172> <NOTI> |stm|  Assoc success @ 10:47:45.257576: 00:23:15:e7:25:43: AP 172.29.59.56-38:17:c3:f9:39:11-BOAA04AP02
    Jan 2 10:47:45 :522035:  <4956> <INFO> |authmgr|  MAC=00:23:15:e7:25:43 Station UP: BSSID=38:17:c3:f9:39:11 ESSID=SSSSSSSSSS VLAN=3090 AP-name=BOAA04AP02
    Jan 2 10:47:45 :522049:  <4956> <INFO> |authmgr|  MAC=00:00:00:00:00:00,IP=N/A User role updated, existing Role=none/none, new Role=logon/none, reason=mac user created
    Jan 2 10:47:45 :522049:  <4956> <INFO> |authmgr|  MAC=00:23:15:e7:25:43,IP=N/A User role updated, existing Role=logon/none, new Role=allowall/none, reason=Set AAA profile defaults
    Jan 2 10:47:45 :522050:  <4956> <INFO> |authmgr|  MAC=00:23:15:e7:25:43,IP=N/A User data downloaded to datapath, new Role=allowall/74, bw Contract=0/0, reason=layer 2 event driven download, idle-timeout=300
    
    Jan 2 10:47:45 :522026:  <4168> <INFO> |authmgr|  MAC=00:23:15:e7:25:43 IP=192.168.93.69 User miss: ingress=0x10317, VLAN=3090 flags=0x40000040
    Jan 2 10:47:45 :522006:  <4168> <INFO> |authmgr|  MAC=00:23:15:e7:25:43 IP=192.168.93.69 User entry added: reason=Sibtye
    Jan 2 10:47:45 :527004:  <4370> <INFO> |mdns|  mdns_parse_auth_useradd_message 226 Auth User ADD: MAC:00:23:15:e7:25:43, IP:192.168.93.69, VLAN:3090, Role:allowall Name: APName:BOAA04AP02 Type:1. Groups: 
    Jan 2 10:47:45 :522050:  <4168> <INFO> |authmgr|  MAC=00:23:15:e7:25:43,IP=192.168.93.69 User data downloaded to datapath, new Role=allowall/74, bw Contract=0/0, reason=New user IP processing, idle-timeout=300

    And on an AP in the "dddd_BUREAUX" ap-group:

     

    Jan 2 10:55:39 :501093:  <NOTI> |AP DYDDD2AP04@172.29.123.215 stm|  Auth success: 00:23:15:e7:26:a1: AP 172.29.123.215-80:8d:b7:e5:85:73-DYDDD2AP04
    Jan 2 10:55:39 :501095:  <NOTI> |AP DYDDD2AP04@172.29.123.215 stm|  Assoc request @ 10:55:39.486827: 00:23:15:e7:26:a1 (SN 2056): AP 172.29.123.215-80:8d:b7:e5:85:73-DYDDD2AP04
    Jan 2 10:55:39 :501218:  <NOTI> |AP DYDDD2AP04@172.29.123.215 stm|  stm_sta_assign_vlan 18455: VLAN: sta 00:23:15:e7:26:a1, STM assigns MAC based vlan_id 3090
    Jan 2 10:55:39 :501218:  <4172> <NOTI> |stm|  stm_sta_assign_vlan 18449: VLAN: sta 00:23:15:e7:26:a1, STM assigns MAC based vlan_id 3090
    Jan 2 10:55:39 :501100:  <NOTI> |AP DYDDD2AP04@172.29.123.215 stm|  Assoc success @ 10:55:39.487764: 00:23:15:e7:26:a1: AP 172.29.123.215-80:8d:b7:e5:85:73-DYDDD2AP04
    Jan 2 10:55:39 :501100:  <4172> <NOTI> |stm|  Assoc success @ 10:55:39.494076: 00:23:15:e7:26:a1: AP 172.29.123.215-80:8d:b7:e5:85:73-DYDDD2AP04
    Jan 2 10:55:39 :522035:  <4956> <INFO> |authmgr|  MAC=00:23:15:e7:26:a1 Station UP: BSSID=80:8d:b7:e5:85:73 ESSID=SSSSSSSSSSS VLAN=3090 AP-name=DYDDD2AP04
    Jan 2 10:55:39 :522049:  <4956> <INFO> |authmgr|  MAC=00:23:15:e7:26:a1,IP=N/A User role updated, existing Role=logon/none, new Role=allowall/none, reason=Set AAA profile defaults
    Jan 2 10:55:39 :522050:  <4956> <INFO> |authmgr|  MAC=00:23:15:e7:26:a1,IP=N/A User data downloaded to datapath, new Role=allowall/74, bw Contract=0/0, reason=layer 2 event driven download, idle-timeout=300
    Jan 2 10:55:42 :501106:  <5218> <NOTI> |stm|  Deauth to sta: 00:23:15:e7:26:a1: Ageout AP 172.29.123.215-80:8d:b7:e5:85:73-DYDDD2AP04 wifi_deauth_sta
    Jan 2 10:55:42 :522036:  <4956> <INFO> |authmgr|  MAC=00:23:15:e7:26:a1 Station DN: BSSID=80:8d:b7:e5:85:73 ESSID=SSSSSSSSSS VLAN=3090 AP-name=DYDDD2AP04
    Jan 2 10:55:42 :527004:  <4370> <INFO> |mdns|  mdns_parse_auth_useridle_message 169 Auth User Idle Timeout: MAC:00:23:15:e7:26:a1
    Jan 2 10:55:42 :501080:  <5218> <NOTI> |stm|  Deauth to sta: 00:23:15:e7:26:a1: Ageout AP 172.29.123.215-80:8d:b7:e5:85:73-DYDDD2AP04 Ptk Challenge Failed
    Jan 2 10:55:42 :501105:  <NOTI> |AP DYDDD2AP04@172.29.123.215 stm|  Deauth from sta: 00:23:15:e7:26:a1: AP 172.29.123.215-80:8d:b7:e5:85:73-DYDDD2AP04 Reason Ptk Challenge Failed

    When we compare the two logs, they differ at this point:

    User data downloaded to datapath, new Role=allowall/74, bw Contract=0/0, reason=layer 2 event driven download, idle-timeout=300 (same in the two logs)

    If good, no delay, and we see these 2 lines:

    Jan 2 10:47:45 :522026: <4168> <INFO> |authmgr| MAC=00:23:15:e7:25:43 IP=192.168.93.69 User miss: ingress=0x10317, VLAN=3090 flags=0x40000040
    Jan 2 10:47:45 :522006: <4168> <INFO> |authmgr| MAC=00:23:15:e7:25:43 IP=192.168.93.69 User entry added: reason=Sibtye

    If not good, a 3 second delay and we have this line:

    Jan 2 10:55:42 :501106: <5218> <NOTI> |stm| Deauth to sta: 00:23:15:e7:26:a1: Ageout AP 172.29.123.215-80:8d:b7:e5:85:73-DYDDD2AP04 wifi_deauth_sta

    We also ran "logging level debugging user-debug 00:23:15:e7:26:a1" and, after a failed test, "show log user-debug all | include 00:23:15:e7:26:a1":

     

    Jan 2 12:07:41 :501093:  <NOTI> |AP DYDDD2AP04@172.29.123.215 stm|  Auth success: 00:23:15:e7:26:a1: AP 172.29.123.215-80:8d:b7:e5:85:73-DYDDD2AP04
    Jan 2 12:07:41 :501095:  <NOTI> |AP DYDDD2AP04@172.29.123.215 stm|  Assoc request @ 12:07:41.718981: 00:23:15:e7:26:a1 (SN 768): AP 172.29.123.215-80:8d:b7:e5:85:73-DYDDD2AP04
    Jan 2 12:07:41 :501218:  <NOTI> |AP DYDDD2AP04@172.29.123.215 stm|  stm_sta_assign_vlan 18455: VLAN: sta 00:23:15:e7:26:a1, STM assigns MAC based vlan_id 3090
    Jan 2 12:07:41 :501100:  <NOTI> |AP DYDDD2AP04@172.29.123.215 stm|  Assoc success @ 12:07:41.719950: 00:23:15:e7:26:a1: AP 172.29.123.215-80:8d:b7:e5:85:73-DYDDD2AP04
    Jan 2 12:07:41 :501218:  <4172> <NOTI> |stm|  stm_sta_assign_vlan 18449: VLAN: sta 00:23:15:e7:26:a1, STM assigns MAC based vlan_id 3090
    Jan 2 12:07:41 :501065:  <4172> <DBUG> |stm|  a2c_sm_process_stalist: client (00:23:15:e7:26:a1) is 11k-enabled
    Jan 2 12:07:41 :501100:  <4172> <NOTI> |stm|  Assoc success @ 12:07:41.726256: 00:23:15:e7:26:a1: AP 172.29.123.215-80:8d:b7:e5:85:73-DYDDD2AP04
    Jan 2 12:07:41 :522295:  <4956> <DBUG> |authmgr|  Auth GSM : USER_STA event 0 for user 00:23:15:e7:26:a1
    Jan 2 12:07:41 :522035:  <4956> <INFO> |authmgr|  MAC=00:23:15:e7:26:a1 Station UP: BSSID=80:8d:b7:e5:85:73 ESSID=SSSSSSSSSSSSS VLAN=3090 AP-name=DYDDD2AP04
    Jan 2 12:07:41 :522077:  <4956> <DBUG> |authmgr|  MAC=00:23:15:e7:26:a1 ingress 0x0x10b6d (tunnel 2925), u_encr 32, m_encr 32, slotport 0x0x2100 , type: local, FW mode: 0, AP IP: 0.0.0.0 mdie 0 ft_complete 0
    Jan 2 12:07:41 :522264:  <4956> <DBUG> |authmgr|  "MAC:00:23:15:e7:26:a1: Allocating UUID: 0xb26df04d2001e1f
    Jan 2 12:07:41 :522258:  <4956> <DBUG> |authmgr|  "VDR - Add to history of user user 00:23:15:e7:26:a1 vlan 0 derivation_type Reset VLANs for Station up index 0.
    Jan 2 12:07:41 :522255:  <4956> <DBUG> |authmgr|  "VDR - set vlan in user for 00:23:15:e7:26:a1 vlan 3090 fwdmode 0 derivation_type Default VLAN.
    Jan 2 12:07:41 :522258:  <4956> <DBUG> |authmgr|  "VDR - Add to history of user user 00:23:15:e7:26:a1 vlan 3090 derivation_type Default VLAN index 1.
    Jan 2 12:07:41 :522255:  <4956> <DBUG> |authmgr|  "VDR - set vlan in user for 00:23:15:e7:26:a1 vlan 3090 fwdmode 0 derivation_type Current VLAN updated.
    Jan 2 12:07:41 :522258:  <4956> <DBUG> |authmgr|  "VDR - Add to history of user user 00:23:15:e7:26:a1 vlan 3090 derivation_type Current VLAN updated index 2.
    Jan 2 12:07:41 :522158:  <4956> <DBUG> |authmgr|  Role Derivation for user N/A-00:23:15:e7:26:a1- N/A Set AAA profile defaults.
    Jan 2 12:07:41 :522142:  <4956> <DBUG> |authmgr|  Setting default role to allowall for user 00:23:15:e7:26:a1".
    Jan 2 12:07:41 :522127:  <4956> <DBUG> |authmgr|  {L2} Update role from logon to allowall for IP=N/A, MAC=00:23:15:e7:26:a1.
    Jan 2 12:07:41 :522049:  <4956> <INFO> |authmgr|  MAC=00:23:15:e7:26:a1,IP=N/A User role updated, existing Role=logon/none, new Role=allowall/none, reason=Set AAA profile defaults
    Jan 2 12:07:41 :522246:  <4956> <DBUG> |authmgr|  Idle timeout should be driven by STM for MAC 00:23:15:e7:26:a1.
    Jan 2 12:07:41 :524141:  <4956> <DBUG> |authmgr|  clr_pmkcache_ft():1016: MAC:00:23:15:e7:26:a1 BSS:80:8d:b7:e5:85:73
    Jan 2 12:07:41 :522287:  <4956> <DBUG> |authmgr|  Auth GSM : MAC_USER publish for mac 00:23:15:e7:26:a1 bssid 80:8d:b7:e5:85:73 vlan 3090 type 1 data-ready 0
    Jan 2 12:07:41 :522254:  <4956> <DBUG> |authmgr|  VDR - mac 00:23:15:e7:26:a1 rolename allowall fwdmode 0 derivation_type Initial Role Contained vp not present.
    Jan 2 12:07:41 :522258:  <4956> <DBUG> |authmgr|  "VDR - Add to history of user user 00:23:15:e7:26:a1 vlan 0 derivation_type Reset Role Based VLANs index 3.
    Jan 2 12:07:41 :522320:  <4956> <DBUG> |authmgr|  handle_sta_up_dn (3007): rtts user=00:23:15:e7:26:a1  enabled=0 initial tput=395200
    Jan 2 12:07:41 :524124:  <4956> <DBUG> |authmgr|  dot1x_supplicant_up(): MAC:00:23:15:e7:26:a1, pmkid_present:False, pmkid:N/A
    Jan 2 12:07:41 :522255:  <4956> <DBUG> |authmgr|  "VDR - set vlan in user for 00:23:15:e7:26:a1 vlan 3090 fwdmode 0 derivation_type Current VLAN updated.
    Jan 2 12:07:41 :522258:  <4956> <DBUG> |authmgr|  "VDR - Add to history of user user 00:23:15:e7:26:a1 vlan 3090 derivation_type Current VLAN updated index 4.
    Jan 2 12:07:41 :522260:  <4956> <DBUG> |authmgr|  "VDR - Cur VLAN updated 00:23:15:e7:26:a1 mob 0 inform 1 remote 0 wired 0 defvlan 3090 exportedvlan 0 curvlan 3090.
    Jan 2 12:07:41 :522308:  <4956> <DBUG> |authmgr|  Device Type index derivation for 00:23:15:e7:26:a1 : dhcp (0,0,0) oui (0,0) ua (16,39,27) derived Win 10(39)
    Jan 2 12:07:41 :522299:  <4956> <DBUG> |authmgr|  Auth GSM : DEV_ID_CACHE publish for mac 00:23:15:e7:26:a1 dev-id Win 10 index 39
    Jan 2 12:07:41 :522050:  <4956> <INFO> |authmgr|  MAC=00:23:15:e7:26:a1,IP=N/A User data downloaded to datapath, new Role=allowall/74, bw Contract=0/0, reason=layer 2 event driven download, idle-timeout=300
    Jan 2 12:07:41 :522242:  <4956> <DBUG> |authmgr|  MAC=00:23:15:e7:26:a1 Station Created Update MMS: BSSID=80:8d:b7:e5:85:73 ESSID=SSSSSSSSSSSSS VLAN=3090 AP-name=DYDDD2AP04
    Jan 2 12:07:41 :522301:  <4956> <DBUG> |authmgr|  Auth GSM : USER publish for uuid 0xb26df04d2001e1f mac 00:23:15:e7:26:a1 name  role allowall devtype Win 10 wired 0 authtype 0 subtype 0  encrypt-type 9 conn-port 8448 fwd-mode 0
    Jan 2 12:07:44 :522289:  <4168> <DBUG> |authmgr|  Auth GSM : MAC_USER mu_delete publish for mac 00:23:15:e7:26:a1 bssid 80:8d:b7:e5:85:73 vlan 3090 type 1 data-ready 0 deauth-reason 52
    Jan 2 12:07:44 :501106:  <5218> <NOTI> |stm|  Deauth to sta: 00:23:15:e7:26:a1: Ageout AP 172.29.123.215-80:8d:b7:e5:85:73-DYDDD2AP04 wifi_deauth_sta
    Jan 2 12:07:44 :522296:  <4956> <DBUG> |authmgr|  Auth GSM : USER_STA delete event for user 00:23:15:e7:26:a1 age 0 deauth_reason 52
    Jan 2 12:07:44 :522036:  <4956> <INFO> |authmgr|  MAC=00:23:15:e7:26:a1 Station DN: BSSID=80:8d:b7:e5:85:73 ESSID=SSSSSSSSSSSSS VLAN=3090 AP-name=DYDDD2AP04
    Jan 2 12:07:44 :522234:  <4956> <DBUG> |authmgr|  Setting idle timer for user 00:23:15:e7:26:a1 to 300 seconds (idle timeout: 300 ageout: 0).
    Jan 2 12:07:44 :522244:  <4956> <DBUG> |authmgr|  MAC=00:23:15:e7:26:a1 Station Deleted Update MMS
    Jan 2 12:07:44 :522301:  <4956> <DBUG> |authmgr|  Auth GSM : USER publish for uuid 0xb26df04d2001e1f mac 00:23:15:e7:26:a1 name  role allowall devtype Win 10 wired 0 authtype 0 subtype 0  encrypt-type 9 conn-port 8448 fwd-mode 0
    Jan 2 12:07:44 :522290:  <4956> <DBUG> |authmgr|  Auth GSM : MAC_USER delete for mac 00:23:15:e7:26:a1
    Jan 2 12:07:44 :522303:  <4956> <DBUG> |authmgr|  Auth GSM : USER delete for mac 00:23:15:e7:26:a1 uuid 0xb26df04d2001e1f 
    Jan 2 12:07:44 :527004:  <4370> <INFO> |mdns|  mdns_parse_auth_useridle_message 169 Auth User Idle Timeout: MAC:00:23:15:e7:26:a1
    Jan 2 12:07:44 :527000:  <4370> <DBUG> |mdns|  ag_ssdp_get_token_list_for_mac 348 AirGroup user doesn't exist: mac=00:23:15:e7:26:a1
    Jan 2 12:07:44 :527000:  <4370> <DBUG> |mdns|  ag_mdns_get_token_list_for_mac 650 AirGroup user doesn't exist: mac=00:23:15:e7:26:a1
    Jan 2 12:07:44 :527000:  <4370> <DBUG> |mdns|  mdns_client_purge 1162 Purge mdns client, mac=00:23:15:e7:26:a1, del_client = 1
    Jan 2 12:07:44 :501080:  <5218> <NOTI> |stm|  Deauth to sta: 00:23:15:e7:26:a1: Ageout AP 172.29.123.215-80:8d:b7:e5:85:73-DYDDD2AP04 Ptk Challenge Failed
    Jan 2 12:07:44 :501000:  <5218> <DBUG> |stm|  Station 00:23:15:e7:26:a1: Clearing state
    Jan 2 12:07:44 :501105:  <NOTI> |AP DYDDD2AP04@172.29.123.215 stm|  Deauth from sta: 00:23:15:e7:26:a1: AP 172.29.123.215-80:8d:b7:e5:85:73-DYDDD2AP04 Reason Ptk Challenge Failed
    Jan 2 12:07:44 :501000:  <DBUG> |AP DYDDD2AP04@172.29.123.215 stm|  Station 00:23:15:e7:26:a1: Clearing state
    Jan 2 12:07:44 :501093:  <NOTI> |AP DYDDD2AP04@172.29.123.215 stm|  Auth success: 00:23:15:e7:26:a1: AP 172.29.123.215-80:8d:b7:e5:85:73-DYDDD2AP04
    Jan 2 12:07:44 :501095:  <NOTI> |AP DYDDD2AP04@172.29.123.215 stm|  Assoc request @ 12:07:44.827322: 00:23:15:e7:26:a1 (SN 0): AP 172.29.123.215-80:8d:b7:e5:85:73-DYDDD2AP04
    Jan 2 12:07:44 :501218:  <4172> <NOTI> |stm|  stm_sta_assign_vlan 18449: VLAN: sta 00:23:15:e7:26:a1, STM assigns MAC based vlan_id 3090
    Jan 2 12:07:44 :501218:  <NOTI> |AP DYDDD2AP04@172.29.123.215 stm|  stm_sta_assign_vlan 18455: VLAN: sta 00:23:15:e7:26:a1, STM assigns MAC based vlan_id 3090
    Jan 2 12:07:44 :501100:  <NOTI> |AP DYDDD2AP04@172.29.123.215 stm|  Assoc success @ 12:07:44.828822: 00:23:15:e7:26:a1: AP 172.29.123.215-80:8d:b7:e5:85:73-DYDDD2AP04
    Jan 2 12:07:44 :501065:  <4172> <DBUG> |stm|  a2c_sm_process_stalist: client (00:23:15:e7:26:a1) is 11k-enabled
    Jan 2 12:07:44 :501100:  <4172> <NOTI> |stm|  Assoc success @ 12:07:44.834375: 00:23:15:e7:26:a1: AP 172.29.123.215-80:8d:b7:e5:85:73-DYDDD2AP04
    Jan 2 12:07:44 :522295:  <4956> <DBUG> |authmgr|  Auth GSM : USER_STA event 0 for user 00:23:15:e7:26:a1

    We think the problem is here in the log:

    Jan 2 12:07:41 :522301: <4956> <DBUG> |authmgr| Auth GSM : USER publish for uuid 0xb26df04d2001e1f mac 00:23:15:e7:26:a1 name role allowall devtype Win 10 wired 0 authtype 0 subtype 0 encrypt-type 9 conn-port 8448 fwd-mode 0
    Jan 2 12:07:44 :522289: <4168> <DBUG> |authmgr| Auth GSM : MAC_USER mu_delete publish for mac 00:23:15:e7:26:a1 bssid 80:8d:b7:e5:85:73 vlan 3090 type 1 data-ready 0 deauth-reason 52
    Jan 2 12:07:44 :501106: <5218> <NOTI> |stm| Deauth to sta: 00:23:15:e7:26:a1: Ageout AP 172.29.123.215-80:8d:b7:e5:85:73-DYDDD2AP04 wifi_deauth_sta

    We see the 3 second delay and a

    deauth-reason 52 (a Google search said):

    52 MESH-PEERING-CANCELLED: SME cancels the mesh peering instance with a reason other than reaching the maximum number of peer mesh STAs

    But we don't use mesh in this WLAN; all APs are connected to Aruba switches and all switches are connected together.

    The APs in the AP group that works are on the same IP network as the controller (AP 172.29.59.XXX/23 and controller 172.29.58.150/23) and the APs in the AP group that doesn't work are on another IP network (172.29.123.XXX/23), but the APs are adopted on the controller; no firewalling between the two networks...

    Let us know if you want more information (sh run / others).

    Regards
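    The comparison made by eye in the post above (Station UP, then either "User entry added" with an IP, or a 3-second age-out with "Ptk Challenge Failed") can be automated. The script below is an added example written for this thread; it is not ArubaOS tooling and not the poster's code. It parses controller log lines in the format shown above, builds one record per station MAC and groups the PTK failures by AP name, so that a failure pattern tied to one subnet or AP group stands out. The embedded sample is a short excerpt of the log lines posted in this thread; the event strings it matches ("Station UP:", "User entry added", "Ptk Challenge Failed") are those visible in the logs. Reading "Ptk Challenge Failed" as the WPA2 4-way handshake not completing (what a Windows client reports as a wrong password) is the analyst's interpretation, not something the posts state.

```python
import re
from datetime import datetime

# Constructed sample: a short excerpt of the ArubaOS controller log lines posted in this
# thread. Station 00:23:15:e7:25:43 (AP BOAA04AP02) gets an IP; station 00:23:15:e7:26:a1
# (AP DYDDD2AP04) is aged out 3 seconds later with "Ptk Challenge Failed".
SAMPLE_LOG = """\
Jan 2 10:47:45 :522035:  <4956> <INFO> |authmgr|  MAC=00:23:15:e7:25:43 Station UP: BSSID=38:17:c3:f9:39:11 ESSID=SSSSSSSSSS VLAN=3090 AP-name=BOAA04AP02
Jan 2 10:47:45 :522050:  <4956> <INFO> |authmgr|  MAC=00:23:15:e7:25:43,IP=N/A User data downloaded to datapath, new Role=allowall/74, bw Contract=0/0, reason=layer 2 event driven download, idle-timeout=300
Jan 2 10:47:45 :522006:  <4168> <INFO> |authmgr|  MAC=00:23:15:e7:25:43 IP=192.168.93.69 User entry added: reason=Sibtye
Jan 2 10:55:39 :522035:  <4956> <INFO> |authmgr|  MAC=00:23:15:e7:26:a1 Station UP: BSSID=80:8d:b7:e5:85:73 ESSID=SSSSSSSSSSS VLAN=3090 AP-name=DYDDD2AP04
Jan 2 10:55:39 :522050:  <4956> <INFO> |authmgr|  MAC=00:23:15:e7:26:a1,IP=N/A User data downloaded to datapath, new Role=allowall/74, bw Contract=0/0, reason=layer 2 event driven download, idle-timeout=300
Jan 2 10:55:42 :501106:  <5218> <NOTI> |stm|  Deauth to sta: 00:23:15:e7:26:a1: Ageout AP 172.29.123.215-80:8d:b7:e5:85:73-DYDDD2AP04 wifi_deauth_sta
Jan 2 10:55:42 :522036:  <4956> <INFO> |authmgr|  MAC=00:23:15:e7:26:a1 Station DN: BSSID=80:8d:b7:e5:85:73 ESSID=SSSSSSSSSS VLAN=3090 AP-name=DYDDD2AP04
Jan 2 10:55:42 :501080:  <5218> <NOTI> |stm|  Deauth to sta: 00:23:15:e7:26:a1: Ageout AP 172.29.123.215-80:8d:b7:e5:85:73-DYDDD2AP04 Ptk Challenge Failed
"""

# "Mon D HH:MM:SS" prefix of every controller log line (the format carries no year).
TS_RE = re.compile(r"^(\w{3}) +(\d{1,2}) (\d\d:\d\d:\d\d) ")
# The first MAC on the line is the station in every event this script looks at.
MAC_RE = re.compile(r"([0-9a-f]{2}(?::[0-9a-f]{2}){5})", re.I)
AP_RE = re.compile(r"AP-name=(\S+)")
IP_RE = re.compile(r"\bIP=(\d+\.\d+\.\d+\.\d+)")


def _timestamp(line):
    m = TS_RE.match(line)
    if not m:
        return None
    return datetime.strptime(" ".join(m.groups()), "%b %d %H:%M:%S")


def analyze_sessions(log_text):
    """Return {mac: record}: the AP the station associated to, the outcome
    ('associated_ok', 'ptk_challenge_failed' or 'incomplete'), the IP learned
    (if any) and the seconds from Station UP to the PTK failure."""
    sessions = {}
    for line in log_text.splitlines():
        ts = _timestamp(line)
        mac_m = MAC_RE.search(line)
        if ts is None or mac_m is None:
            continue
        mac = mac_m.group(1).lower()
        if "Station UP:" in line:
            ap = AP_RE.search(line)
            sessions[mac] = {
                "ap": ap.group(1) if ap else None,
                "up_at": ts,
                "outcome": "incomplete",
                "ip": None,
                "seconds_to_failure": None,
            }
            continue
        rec = sessions.get(mac)
        if rec is None:
            continue  # event for a station that never came up in this excerpt
        if "User entry added" in line:
            # The station got an IP and a datapath user entry: L2 and L3 both worked.
            ip = IP_RE.search(line)
            rec["ip"] = ip.group(1) if ip else None
            rec["outcome"] = "associated_ok"
        elif "Ptk Challenge Failed" in line:
            # 4-way handshake never completed; the client shows "incorrect password".
            rec["outcome"] = "ptk_challenge_failed"
            rec["seconds_to_failure"] = int((ts - rec["up_at"]).total_seconds())
    return sessions


def failures_by_ap(sessions):
    """Group PTK failures by AP name: if every failing AP sits in one subnet or
    AP group, look at the AP side (tunnel / wired profile), not at the PSK."""
    by_ap = {}
    for mac, rec in sessions.items():
        if rec["outcome"] == "ptk_challenge_failed":
            by_ap.setdefault(rec["ap"], []).append(mac)
    return by_ap


if __name__ == "__main__":
    result = analyze_sessions(SAMPLE_LOG)
    for mac, rec in result.items():
        print(mac, rec["ap"], rec["outcome"], rec["ip"], rec["seconds_to_failure"])
    print("PTK failures by AP:", failures_by_ap(result))
```

    Feed it the output of "show log user-debug all" (or the plain controller log) for a failing and a working AP, and the per-AP grouping shows immediately whether the failures follow the AP's network rather than the client or the passphrase, which is the conclusion the thread reaches several posts later.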



  • 9.  RE: ssid incorrect password if ap in other lan

    Posted Jan 02, 2019 12:27 PM

    Hi,

    We are searching a lot, so an idea:

    We think that the problem comes from the tunnel mode if the APs are on another network. If the APs are in the same network, is it Layer 2 communication?

    The client gets an IP from the DHCP server (192.168.93.XXX/24) and then it is authenticated and it works.

    On the APs that are on the other IP network, for some reason the DHCP process fails and clients are deauthed from the SSID?

    Tunnel stats from an AP not in the same network:

     

    (BOB1B1CW01) #show datapath tunnel table | include 172.29.123.215
    1189    172.29.58.150   172.29.123.215  47   8240  1500  3084 0   0    74   75   0     80:8D:B7:E5:85:74          0          0          0 IMASPma1  
    1219    172.29.58.150   172.29.123.215  47   8200  1500  3086 0   0    74   75   0     80:8D:B7:E5:85:70      68664       1978          0 IMASPma1  
    2936    172.29.58.150   172.29.123.215  47   8230  1500  3090 0   0    74   75   0     80:8D:B7:E5:85:73          0          0          0 IMASPma1  
    489     172.29.58.150   172.29.123.215  47   8000  1200  0    0   0    0    0    0     80:8D:B7:C6:58:56          0          0          0 TEPs  
    1511    172.29.58.150   172.29.123.215  47   9000  1500  0    0   0    0    0    0     80:8D:B7:C6:58:56    3349460          0    3321547 TES  
    399     172.29.58.150   172.29.123.215  47   8310  1500  3090 0   0    74   75   0     80:8D:B7:E5:85:61          7         20          0 IMASPma1  
    1114    SPI879DCF00out  172.29.123.215  50   IPSE  1500  0    routeDest 0422     0                                0       1103                              0           0

    Tunnel stats from an AP in the same network as the controller:

    (BOB1B1CW01) (config) #show datapath tunnel table | include 172.29.59.56  
    491     172.29.58.150   172.29.59.56    47   8320  1500  3090 0   0    74   75   0     38:17:C3:F9:39:02       8722         28          0 IMASPma1  
    1717    SPI95127600out  172.29.59.56    50   IPSE  1500  0    routeDest 0422     0                                0        400                              0           0
    1532    172.29.58.150   172.29.59.56    47   8000  1200  0    0   0    0    0    0     38:17:C3:C7:93:90          0          0          0 TEPs  
    1067    172.29.58.150   172.29.59.56    47   9000  1500  0    0   0    0    0    0     38:17:C3:C7:93:90    3354202          0    3326250 TES  
    791     172.29.58.150   172.29.59.56    47   8210  1500  3090 0   0    74   75   0     38:17:C3:F9:39:11      43538      34209          0 IMASPma1  
    1521    172.29.58.150   172.29.59.56    47   8220  1500  3084 0   0    74   75   0     38:17:C3:F9:39:12          0          0          0 IMASPma1  

    If we look at the 3090 VLAN network, in the first case there are no encaps/decaps; in the second we see traffic. But maybe it's because, as the auth succeeded, the client has exchanged traffic with VLAN 3090.

    In the end we will do a complete change: deploy VLAN 3090 on all switches and ports (more than 100 switches and 400 ports) and then the SSID will go in bridge mode like the others that work....

    So we have a solution, but it is not satisfying because we cannot deploy an SSID in less than 5 minutes in this case....

     

    Regards
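    The check the poster makes by eye on the two tunnel tables (the VLAN 3090 GRE tunnel to the remote AP shows zero encaps/decaps, the one to the local AP shows traffic) as an added Python example; it is not part of the post and not an Aruba tool. The column meanings are assumptions read off the rows above, the sample rows are constructed in that layout, and the caveat from the post stands: a tunnel can be idle simply because no client ever got past the handshake, so zero counters confirm the symptom, not the cause.

```python
# Constructed sample: rows in the layout of the "show datapath tunnel table" output
# posted in this thread (no header, as in the post). Two GRE tunnels to the AP in the
# other subnet (172.29.123.215), one IPsec row, one GRE tunnel to the AP in the
# controller's own subnet (172.29.59.56).
SAMPLE_TUNNEL_TABLE = """\
1189    172.29.58.150   172.29.123.215  47   8240  1500  3084 0   0    74   75   0     80:8D:B7:E5:85:74          0          0          0 IMASPma1
2936    172.29.58.150   172.29.123.215  47   8230  1500  3090 0   0    74   75   0     80:8D:B7:E5:85:73          0          0          0 IMASPma1
1114    SPI879DCF00out  172.29.123.215  50   IPSE  1500  0    routeDest 0422     0                                0       1103                              0           0
791     172.29.58.150   172.29.59.56    47   8210  1500  3090 0   0    74   75   0     38:17:C3:F9:39:11      43538      34209          0 IMASPma1
"""

GRE_PROTO = "47"  # IP protocol number of the AP-to-controller GRE tunnels


def parse_gre_tunnels(table_text):
    """Parse whitespace-separated rows into dicts. Column meaning is an assumption
    taken from the rows in the thread: [0] id, [1] src (controller), [2] dst (AP),
    [3] IP proto, [4] port, [5] MTU, [6] VLAN, [12] BSSID, [13] and [14] the two
    traffic counters the poster reads as encaps/decaps. IPsec rows (proto 50)
    have a different shape and are skipped."""
    tunnels = []
    for line in table_text.splitlines():
        f = line.split()
        if len(f) < 16 or f[3] != GRE_PROTO:
            continue
        tunnels.append({
            "id": int(f[0]),
            "controller": f[1],
            "ap_ip": f[2],
            "vlan": int(f[6]),
            "bssid": f[12],
            "encaps": int(f[13]),
            "decaps": int(f[14]),
        })
    return tunnels


def idle_vlan_tunnels(table_text, vlan):
    """GRE tunnels carrying the given VLAN whose counters are both zero: the
    tunnel is up, but no client traffic for that VLAN has crossed it."""
    return [t for t in parse_gre_tunnels(table_text)
            if t["vlan"] == vlan and t["encaps"] == 0 and t["decaps"] == 0]


def aps_without_vlan_traffic(table_text, vlan):
    """AP IPs that have a tunnel for the VLAN but none that ever carried traffic."""
    active = {t["ap_ip"] for t in parse_gre_tunnels(table_text)
              if t["vlan"] == vlan and (t["encaps"] or t["decaps"])}
    idle = {t["ap_ip"] for t in idle_vlan_tunnels(table_text, vlan)}
    return sorted(idle - active)


if __name__ == "__main__":
    for t in idle_vlan_tunnels(SAMPLE_TUNNEL_TABLE, 3090):
        print("idle VLAN 3090 tunnel", t["id"], "to AP", t["ap_ip"], "BSSID", t["bssid"])
    print("APs with no VLAN 3090 traffic:", aps_without_vlan_traffic(SAMPLE_TUNNEL_TABLE, 3090))
```

    Run over the full table (without the "| include" filter) this lists every AP whose VLAN 3090 tunnel never carried a packet, which is a quick way to see whether the idle tunnels line up with one subnet or AP group before changing any profile.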



  • 10.  RE: ssid incorrect password if ap in other lan

    EMPLOYEE
    Posted Jan 03, 2019 12:48 AM

    A tunnel mode VAP is L3 capable; as long as the VLAN that the AP boots up in has either L2 or L3 reachability to the controller (and is able to learn the controller IP using DHCP, DNS, config etc.), then it should work fine.

    Can you try defining the VLAN explicitly in the virtual-ap profile for the tunnel mode VAP?



  • 11.  RE: ssid incorrect password if ap in other lan
    Best Answer

    Posted Jan 03, 2019 09:41 AM

     

    Hi,

    First, thanks for your help.

    Here is the VAP from "show run":

     

     

    wlan virtual-ap "ddddd_pppppppp.vap"
       aaa-profile "dddddd_wpa.aaa"
       ssid-profile "PPPPPPPPP.ssid"
       vlan 3090
       dynamic-mcast-optimization
       dynamic-mcast-optimization-thresh 80
    !

    We tried to set "forward-mode tunnel" in the CLI but it never appears. We think that it is the default value, so that's why we cannot see the line in the config?

    In other VAP configs we see "forward-mode bridge" if they are in bridge mode.

    We think that the VLAN is already explicitly defined in the VAP (and it was like this when we first configured the VAP).

     

    Regards,

     



  • 12.  RE: ssid incorrect password if ap in other lan
    Best Answer

    Posted Jan 30, 2019 08:23 AM

    Hi,

     

    We finally found the solution:

    On the wired AP profile:

    profile ethernet 0: mode bridge => split-tunnel

    At the beginning we thought that all the SSIDs we made would be in bridge mode, so we made this config. But when we added a tunneled SSID this caused this error.

    Regards.