Occasional Contributor II

SSID incorrect password if AP in other LAN

Hi, we have an SSID (not visible) that is on all your APs.

Forward mode tunnel, VLAN 3090, AP 31X, Mobility controller.

With a PC, we connect to the SSID on an AP in the same network as the controller => OK (connection, DHCP, web access).

We move to another building and try to connect to the same SSID.

The APs are on another IP network; they are adopted by the same controller.

We use the same VAP/SSID profile (tunnel, VLAN 3090) and we get the message "incorrect password" => no connection.

What did we misconfigure?

We can provide more information if necessary.

Thanks for the help.

Nicolas. (Sorry for the bad English.)

Contributor II

Re: SSID incorrect password if AP in other LAN

Check to see if the AP is part of the same AP group. If it is not part of the same AP group, check the VAP's SSID profile and ensure you are applying the same SSID profile to the VAP as the other one.

Guru Elite

Re: SSID incorrect password if AP in other LAN

Is this an Aruba Instant (IAP) installation or a Controller-based installation?  What version of ArubaOS are you running?


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.4 User Guide
InstantOS 8.3 User Guide
Airheads Knowledgebase
Airheads Learning Videos
Aruba Central Documentation
Sign up for Security Alerts
Aruba Technical Webinars
Occasional Contributor II

Re: SSID incorrect password if AP in other LAN

Hi,

So we have a Mobility controller (6.5.4.10). All APs are up to date.

We checked the configuration: the APs are in 8 ap-groups and the virtual-ap "xxxxxx.vap" is the same. There is no difference between an ap-group where we don't have the problem (i.e. we can connect) and the ap-group where we have the problem (i.e. incorrect password), except the name of the ap-group.

("entrepots" means warehouse)

-------------------------------------------------------------

ap-group "XXX_ENTREPOTS"
   virtual-ap "xxxxxx_XXX_mobile.vap"
   virtual-ap "xxxxxx_yyy.vap"
   dot11a-radio-profile "xxxxxxxx_entrepots_a.radio"
   dot11g-radio-profile "xxxxxxxx_entrepots_g.radio"
   ap-system-profile "xxxxxxxxxx.ap"
   regulatory-domain-profile "xxxxxxxxxx_entrepots.reg"
!
ap-group "default"
!
ap-group "YYYYYY_ENTREPOTS"
   virtual-ap "xxxxxx_YYY_mobile.vap"
   virtual-ap "xxxxxx_yyy.vap"
   dot11a-radio-profile "xxxxxxxx_entrepots_a.radio"
   dot11g-radio-profile "xxxxxxxx_entrepots_g.radio"
   ap-system-profile "xxxxxxxxxx.ap"
   regulatory-domain-profile "xxxxxxxxxx_entrepots.reg"
!

------------------------------------------------------------------------------------

ap-group "XXX_ENTREPOTS" works with xxxxxx_yyy.vap

ap-group "YYYYYY_BUREAUX" doesn't work with xxxxxx_yyy.vap

The virtual-ap "xxxxxx_YYY_mobile.vap" works in both ap-groups (it's a bridge mode SSID).

But I don't think it is a tunnel or bridge mode problem, as the error shown by the Windows client is "incorrect password".

Let us know if you want more information.

 

Regards

Guru Elite

Re: SSID incorrect password if AP in other LAN

If it is a bridge mode SSID, you need to make sure that the proper VLANs are trunked to the access points with the problem.  Check the switchport that the access point is connected to to ensure the VLANs are correct and the trunk configuration is correct.


Occasional Contributor II

Re: SSID incorrect password if AP in other LAN

Hi,

Here is a log from when Windows 10 stations try to connect to the SSID and fail:

 

Dec 27 16:01:51 :501093:  <NOTI> |AP DYDDD2AP03@172.29.123.214 stm|  Auth success: 1c:4d:70:05:f0:c8: AP 172.29.123.214-80:8d:b7:e4:20:53-DYDDD2AP03
Dec 27 16:01:51 :501095:  <NOTI> |AP DYDDD2AP03@172.29.123.214 stm|  Assoc request @ 16:01:51.862362: 1c:4d:70:05:f0:c8 (SN 2056): AP 172.29.123.214-80:8d:b7:e4:20:53-DYDDD2AP03
Dec 27 16:01:51 :501218:  <NOTI> |AP DYDDD2AP03@172.29.123.214 stm|  stm_sta_assign_vlan 18455: VLAN: sta 1c:4d:70:05:f0:c8, STM assigns MAC based vlan_id 3090
Dec 27 16:01:51 :501218:  <4172> <NOTI> |stm|  stm_sta_assign_vlan 18449: VLAN: sta 1c:4d:70:05:f0:c8, STM assigns MAC based vlan_id 3090
Dec 27 16:01:51 :501100:  <NOTI> |AP DYDDD2AP03@172.29.123.214 stm|  Assoc success @ 16:01:51.862955: 1c:4d:70:05:f0:c8: AP 172.29.123.214-80:8d:b7:e4:20:53-DYDDD2AP03
Dec 27 16:01:51 :501100:  <4172> <NOTI> |stm|  Assoc success @ 16:01:51.869899: 1c:4d:70:05:f0:c8: AP 172.29.123.214-80:8d:b7:e4:20:53-DYDDD2AP03
Dec 27 16:01:51 :522035:  <4956> <INFO> |authmgr|  MAC=1c:4d:70:05:f0:c8 Station UP: BSSID=80:8d:b7:e4:20:53 ESSID=XXXXX VLAN=3090 AP-name=DYDDD2AP03
Dec 27 16:01:51 :522049:  <4956> <INFO> |authmgr|  MAC=1c:4d:70:05:f0:c8,IP=N/A User role updated, existing Role=logon/none, new Role=allowall/none, reason=Set AAA profile defaults
Dec 27 16:01:51 :522050:  <4956> <INFO> |authmgr|  MAC=1c:4d:70:05:f0:c8,IP=N/A User data downloaded to datapath, new Role=allowall/74, bw Contract=0/0, reason=layer 2 event driven download, idle-timeout=300
Dec 27 16:01:54 :501106:  <5218> <NOTI> |stm|  Deauth to sta: 1c:4d:70:05:f0:c8: Ageout AP 172.29.123.214-80:8d:b7:e4:20:53-DYDDD2AP03 wifi_deauth_sta
Dec 27 16:01:54 :522036:  <4956> <INFO> |authmgr|  MAC=1c:4d:70:05:f0:c8 Station DN: BSSID=80:8d:b7:e4:20:53 ESSID=XXXX VLAN=3090 AP-name=DYDDD2AP03
Dec 27 16:01:54 :527004:  <4370> <INFO> |mdns|  mdns_parse_auth_useridle_message 169 Auth User Idle Timeout: MAC:1c:4d:70:05:f0:c8
Dec 27 16:01:54 :501080:  <5218> <NOTI> |stm|  Deauth to sta: 1c:4d:70:05:f0:c8: Ageout AP 172.29.123.214-80:8d:b7:e4:20:53-DYDDD2AP03 Ptk Challenge Failed
Dec 27 16:01:54 :501105:  <NOTI> |AP DYDDD2AP03@172.29.123.214 stm|  Deauth from sta: 1c:4d:70:05:f0:c8: AP 172.29.123.214-80:8d:b7:e4:20:53-DYDDD2AP03 Reason Ptk Challenge Failed
Dec 27 16:02:26 :501093:  <NOTI> |AP DYDDD2AP03@172.29.123.214 stm|  Auth success: 1c:4d:70:05:f0:c8: AP 172.29.123.214-80:8d:b7:e4:20:53-DYDDD2AP03
Dec 27 16:02:26 :501095:  <NOTI> |AP DYDDD2AP03@172.29.123.214 stm|  Assoc request @ 16:02:26.037863: 1c:4d:70:05:f0:c8 (SN 1248): AP 172.29.123.214-80:8d:b7:e4:20:53-DYDDD2AP03
Dec 27 16:02:26 :501218:  <NOTI> |AP DYDDD2AP03@172.29.123.214 stm|  stm_sta_assign_vlan 18455: VLAN: sta 1c:4d:70:05:f0:c8, STM assigns MAC based vlan_id 3090
Dec 27 16:02:26 :501100:  <NOTI> |AP DYDDD2AP03@172.29.123.214 stm|  Assoc success @ 16:02:26.038457: 1c:4d:70:05:f0:c8: AP 172.29.123.214-80:8d:b7:e4:20:53-DYDDD2AP03
Dec 27 16:02:26 :501218:  <4172> <NOTI> |stm|  stm_sta_assign_vlan 18449: VLAN: sta 1c:4d:70:05:f0:c8, STM assigns MAC based vlan_id 3090
Dec 27 16:02:26 :501100:  <4172> <NOTI> |stm|  Assoc success @ 16:02:26.042084: 1c:4d:70:05:f0:c8: AP 172.29.123.214-80:8d:b7:e4:20:53-DYDDD2AP03
Dec 27 16:02:26 :522035:  <4956> <INFO> |authmgr|  MAC=1c:4d:70:05:f0:c8 Station UP: BSSID=80:8d:b7:e4:20:53 ESSID=XXXX VLAN=3090 AP-name=DYDDD2AP03
Dec 27 16:02:26 :522049:  <4956> <INFO> |authmgr|  MAC=1c:4d:70:05:f0:c8,IP=N/A User role updated, existing Role=logon/none, new Role=allowall/none, reason=Set AAA profile defaults
Dec 27 16:02:26 :522050:  <4956> <INFO> |authmgr|  MAC=1c:4d:70:05:f0:c8,IP=N/A User data downloaded to datapath, new Role=allowall/74, bw Contract=0/0, reason=layer 2 event driven download, idle-timeout=300
Dec 27 16:02:29 :501106:  <5218> <NOTI> |stm|  Deauth to sta: 1c:4d:70:05:f0:c8: Ageout AP 172.29.123.214-80:8d:b7:e4:20:53-DYDDD2AP03 wifi_deauth_sta
Dec 27 16:02:29 :522036:  <4956> <INFO> |authmgr|  MAC=1c:4d:70:05:f0:c8 Station DN: BSSID=80:8d:b7:e4:20:53 ESSID=XXXXX VLAN=3090 AP-name=DYDDD2AP03
Dec 27 16:02:29 :527004:  <4370> <INFO> |mdns|  mdns_parse_auth_useridle_message 169 Auth User Idle Timeout: MAC:1c:4d:70:05:f0:c8

We checked the password and it is good. It is a TUNNEL mode SSID (I just said that a bridge mode SSID is OK).

The SSID works in the warehouse where the APs and the controller are on the same network, but not in the warehouse where the APs are on another IP network.

The APs are in two distinct AP groups, but we use the same SSID profile and the same configuration (except the name).

 

Regards

Guru Elite

Re: SSID incorrect password if AP in other LAN

What is the difference between:

ap-group "XXX_ENTREPOTS"

and

ap-group "YYYYYY_BUREAUX"?


Occasional Contributor II

Re: SSID incorrect password if AP in other LAN

Hi,

For us there are no differences between the two ap-groups that relate to the problem (only RF domain or ARM).

We spent more than 2 hours comparing the two ap-groups (from "sh run") without finding anything.

But from the "show running" command:

 

ap-group "dddd_BUREAUX"
   virtual-ap "XXXXXXX_visiteurs.vap"
   virtual-ap "XXXXXXX_dddd_bureaux.vap"
   virtual-ap "XXXXXXX_dddd_exploit_OLD.vap"
   virtual-ap "XXXXXXX_dddd_exploit.vap"
   virtual-ap "XXXXXXX_dddd_mobile.vap"
   virtual-ap "XXXXXXX_gggggg.vap"
   virtual-ap "XXXXXXX_ppppppp.vap"
   dot11a-radio-profile "XXXXXXX_bureaux_a.radio"
   dot11g-radio-profile "XXXXXXX_bureaux_g.radio"
   ap-system-profile "XXXXXXX.ap"
   regulatory-domain-profile "XXXXXXX_bureaux.reg"

and

ap-group "bbb_ENTREPOTS"
   virtual-ap "XXXXXXX_bbb_exploit_OLD.vap"
   virtual-ap "XXXXXXX_bbb_bureaux.vap"
   virtual-ap "XXXXXXX_gggggg.vap"
   virtual-ap "XXXXXXX_bbb_mobile.vap"
   virtual-ap "XXXXXXX_bbb_exploit.vap"
   virtual-ap "XXXXXXX_ppppppp.vap"
   dot11a-radio-profile "XXXXXXX_entrepots_a.radio"
   dot11g-radio-profile "XXXXXXX_entrepots_g.radio"
   ap-system-profile "XXXXXXX.ap"
   regulatory-domain-profile "XXXXXXX_entrepots.reg"

The VAP and SSID profile:

wlan virtual-ap "XXXXXXX_ppppppp.vap"
   aaa-profile "ddddddddddd_wpa.aaa"
   ssid-profile "PPPP.ssid"
   vlan 3090
   dynamic-mcast-optimization                     
   dynamic-mcast-optimization-thresh 80

wlan ssid-profile "PPPP.ssid"
   essid "SSSSSSSSSSSSS"
   opmode wpa2-psk-aes
   hide-ssid
   deny-bcast
   wpa-passphrase XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
   ht-ssid-profile "ddddd.htssid"

It is the virtual-ap "XXXXXXX_ppppppp.vap" that has the problem (tunnel).

The other ones, which are bridge mode VAPs, are OK.

The 'ap-system-profile' is the same.

The dot11g-radio-profile and regulatory-domain-profile are not the same, but they deal with channel or ARM profile, so I think this is not the problem.

So we made a correct connection on an AP that is in the "bbb_ENTREPOTS" ap-group:

 

Jan 2 10:47:45 :501093:  <NOTI> |AP BOAA04AP02@172.29.59.56 stm|  Auth success: 00:23:15:e7:25:43: AP 172.29.59.56-38:17:c3:f9:39:11-BOAA04AP02
Jan 2 10:47:45 :501095:  <NOTI> |AP BOAA04AP02@172.29.59.56 stm|  Assoc request @ 10:47:45.253697: 00:23:15:e7:25:43 (SN 0): AP 172.29.59.56-38:17:c3:f9:39:11-BOAA04AP02
Jan 2 10:47:45 :501218:  <NOTI> |AP BOAA04AP02@172.29.59.56 stm|  stm_sta_assign_vlan 18455: VLAN: sta 00:23:15:e7:25:43, STM assigns MAC based vlan_id 3090
Jan 2 10:47:45 :501218:  <4172> <NOTI> |stm|  stm_sta_assign_vlan 18449: VLAN: sta 00:23:15:e7:25:43, STM assigns MAC based vlan_id 3090
Jan 2 10:47:45 :501100:  <NOTI> |AP BOAA04AP02@172.29.59.56 stm|  Assoc success @ 10:47:45.254572: 00:23:15:e7:25:43: AP 172.29.59.56-38:17:c3:f9:39:11-BOAA04AP02
Jan 2 10:47:45 :501100:  <4172> <NOTI> |stm|  Assoc success @ 10:47:45.257576: 00:23:15:e7:25:43: AP 172.29.59.56-38:17:c3:f9:39:11-BOAA04AP02
Jan 2 10:47:45 :522035:  <4956> <INFO> |authmgr|  MAC=00:23:15:e7:25:43 Station UP: BSSID=38:17:c3:f9:39:11 ESSID=SSSSSSSSSS VLAN=3090 AP-name=BOAA04AP02
Jan 2 10:47:45 :522049:  <4956> <INFO> |authmgr|  MAC=00:00:00:00:00:00,IP=N/A User role updated, existing Role=none/none, new Role=logon/none, reason=mac user created
Jan 2 10:47:45 :522049:  <4956> <INFO> |authmgr|  MAC=00:23:15:e7:25:43,IP=N/A User role updated, existing Role=logon/none, new Role=allowall/none, reason=Set AAA profile defaults
Jan 2 10:47:45 :522050:  <4956> <INFO> |authmgr|  MAC=00:23:15:e7:25:43,IP=N/A User data downloaded to datapath, new Role=allowall/74, bw Contract=0/0, reason=layer 2 event driven download, idle-timeout=300

Jan 2 10:47:45 :522026:  <4168> <INFO> |authmgr|  MAC=00:23:15:e7:25:43 IP=192.168.93.69 User miss: ingress=0x10317, VLAN=3090 flags=0x40000040
Jan 2 10:47:45 :522006:  <4168> <INFO> |authmgr|  MAC=00:23:15:e7:25:43 IP=192.168.93.69 User entry added: reason=Sibtye
Jan 2 10:47:45 :527004:  <4370> <INFO> |mdns|  mdns_parse_auth_useradd_message 226 Auth User ADD: MAC:00:23:15:e7:25:43, IP:192.168.93.69, VLAN:3090, Role:allowall Name: APName:BOAA04AP02 Type:1. Groups: 
Jan 2 10:47:45 :522050:  <4168> <INFO> |authmgr|  MAC=00:23:15:e7:25:43,IP=192.168.93.69 User data downloaded to datapath, new Role=allowall/74, bw Contract=0/0, reason=New user IP processing, idle-timeout=300

And on an AP in the "dddd_BUREAUX" ap-group:

 

Jan 2 10:55:39 :501093:  <NOTI> |AP DYDDD2AP04@172.29.123.215 stm|  Auth success: 00:23:15:e7:26:a1: AP 172.29.123.215-80:8d:b7:e5:85:73-DYDDD2AP04
Jan 2 10:55:39 :501095:  <NOTI> |AP DYDDD2AP04@172.29.123.215 stm|  Assoc request @ 10:55:39.486827: 00:23:15:e7:26:a1 (SN 2056): AP 172.29.123.215-80:8d:b7:e5:85:73-DYDDD2AP04
Jan 2 10:55:39 :501218:  <NOTI> |AP DYDDD2AP04@172.29.123.215 stm|  stm_sta_assign_vlan 18455: VLAN: sta 00:23:15:e7:26:a1, STM assigns MAC based vlan_id 3090
Jan 2 10:55:39 :501218:  <4172> <NOTI> |stm|  stm_sta_assign_vlan 18449: VLAN: sta 00:23:15:e7:26:a1, STM assigns MAC based vlan_id 3090
Jan 2 10:55:39 :501100:  <NOTI> |AP DYDDD2AP04@172.29.123.215 stm|  Assoc success @ 10:55:39.487764: 00:23:15:e7:26:a1: AP 172.29.123.215-80:8d:b7:e5:85:73-DYDDD2AP04
Jan 2 10:55:39 :501100:  <4172> <NOTI> |stm|  Assoc success @ 10:55:39.494076: 00:23:15:e7:26:a1: AP 172.29.123.215-80:8d:b7:e5:85:73-DYDDD2AP04
Jan 2 10:55:39 :522035:  <4956> <INFO> |authmgr|  MAC=00:23:15:e7:26:a1 Station UP: BSSID=80:8d:b7:e5:85:73 ESSID=SSSSSSSSSSS VLAN=3090 AP-name=DYDDD2AP04
Jan 2 10:55:39 :522049:  <4956> <INFO> |authmgr|  MAC=00:23:15:e7:26:a1,IP=N/A User role updated, existing Role=logon/none, new Role=allowall/none, reason=Set AAA profile defaults
Jan 2 10:55:39 :522050:  <4956> <INFO> |authmgr|  MAC=00:23:15:e7:26:a1,IP=N/A User data downloaded to datapath, new Role=allowall/74, bw Contract=0/0, reason=layer 2 event driven download, idle-timeout=300
Jan 2 10:55:42 :501106:  <5218> <NOTI> |stm|  Deauth to sta: 00:23:15:e7:26:a1: Ageout AP 172.29.123.215-80:8d:b7:e5:85:73-DYDDD2AP04 wifi_deauth_sta
Jan 2 10:55:42 :522036:  <4956> <INFO> |authmgr|  MAC=00:23:15:e7:26:a1 Station DN: BSSID=80:8d:b7:e5:85:73 ESSID=SSSSSSSSSS VLAN=3090 AP-name=DYDDD2AP04
Jan 2 10:55:42 :527004:  <4370> <INFO> |mdns|  mdns_parse_auth_useridle_message 169 Auth User Idle Timeout: MAC:00:23:15:e7:26:a1
Jan 2 10:55:42 :501080:  <5218> <NOTI> |stm|  Deauth to sta: 00:23:15:e7:26:a1: Ageout AP 172.29.123.215-80:8d:b7:e5:85:73-DYDDD2AP04 Ptk Challenge Failed
Jan 2 10:55:42 :501105:  <NOTI> |AP DYDDD2AP04@172.29.123.215 stm|  Deauth from sta: 00:23:15:e7:26:a1: AP 172.29.123.215-80:8d:b7:e5:85:73-DYDDD2AP04 Reason Ptk Challenge Failed

When we compare the two logs, they differ at this point:

User data downloaded to datapath, new Role=allowall/74, bw Contract=0/0, reason=layer 2 event driven download, idle-timeout=300 (the same in the two logs)

If good, there is no delay and we see these 2 lines:

Jan 2 10:47:45 :522026: <4168> <INFO> |authmgr| MAC=00:23:15:e7:25:43 IP=192.168.93.69 User miss: ingress=0x10317, VLAN=3090 flags=0x40000040
Jan 2 10:47:45 :522006: <4168> <INFO> |authmgr| MAC=00:23:15:e7:25:43 IP=192.168.93.69 User entry added: reason=Sibtye

 

If not good, there is a 3 second delay and we have this line:

 

Jan 2 10:55:42 :501106: <5218> <NOTI> |stm| Deauth to sta: 00:23:15:e7:26:a1: Ageout AP 172.29.123.215-80:8d:b7:e5:85:73-DYDDD2AP04 wifi_deauth_sta

 

We also ran "logging level debugging user-debug 00:23:15:e7:26:a1" and, after a failed test, "show log user-debug all | include 00:23:15:e7:26:a1":

 

Jan 2 12:07:41 :501093:  <NOTI> |AP DYDDD2AP04@172.29.123.215 stm|  Auth success: 00:23:15:e7:26:a1: AP 172.29.123.215-80:8d:b7:e5:85:73-DYDDD2AP04
Jan 2 12:07:41 :501095:  <NOTI> |AP DYDDD2AP04@172.29.123.215 stm|  Assoc request @ 12:07:41.718981: 00:23:15:e7:26:a1 (SN 768): AP 172.29.123.215-80:8d:b7:e5:85:73-DYDDD2AP04
Jan 2 12:07:41 :501218:  <NOTI> |AP DYDDD2AP04@172.29.123.215 stm|  stm_sta_assign_vlan 18455: VLAN: sta 00:23:15:e7:26:a1, STM assigns MAC based vlan_id 3090
Jan 2 12:07:41 :501100:  <NOTI> |AP DYDDD2AP04@172.29.123.215 stm|  Assoc success @ 12:07:41.719950: 00:23:15:e7:26:a1: AP 172.29.123.215-80:8d:b7:e5:85:73-DYDDD2AP04
Jan 2 12:07:41 :501218:  <4172> <NOTI> |stm|  stm_sta_assign_vlan 18449: VLAN: sta 00:23:15:e7:26:a1, STM assigns MAC based vlan_id 3090
Jan 2 12:07:41 :501065:  <4172> <DBUG> |stm|  a2c_sm_process_stalist: client (00:23:15:e7:26:a1) is 11k-enabled
Jan 2 12:07:41 :501100:  <4172> <NOTI> |stm|  Assoc success @ 12:07:41.726256: 00:23:15:e7:26:a1: AP 172.29.123.215-80:8d:b7:e5:85:73-DYDDD2AP04
Jan 2 12:07:41 :522295:  <4956> <DBUG> |authmgr|  Auth GSM : USER_STA event 0 for user 00:23:15:e7:26:a1
Jan 2 12:07:41 :522035:  <4956> <INFO> |authmgr|  MAC=00:23:15:e7:26:a1 Station UP: BSSID=80:8d:b7:e5:85:73 ESSID=SSSSSSSSSSSSS VLAN=3090 AP-name=DYDDD2AP04
Jan 2 12:07:41 :522077:  <4956> <DBUG> |authmgr|  MAC=00:23:15:e7:26:a1 ingress 0x0x10b6d (tunnel 2925), u_encr 32, m_encr 32, slotport 0x0x2100 , type: local, FW mode: 0, AP IP: 0.0.0.0 mdie 0 ft_complete 0
Jan 2 12:07:41 :522264:  <4956> <DBUG> |authmgr|  "MAC:00:23:15:e7:26:a1: Allocating UUID: 0xb26df04d2001e1f
Jan 2 12:07:41 :522258:  <4956> <DBUG> |authmgr|  "VDR - Add to history of user user 00:23:15:e7:26:a1 vlan 0 derivation_type Reset VLANs for Station up index 0.
Jan 2 12:07:41 :522255:  <4956> <DBUG> |authmgr|  "VDR - set vlan in user for 00:23:15:e7:26:a1 vlan 3090 fwdmode 0 derivation_type Default VLAN.
Jan 2 12:07:41 :522258:  <4956> <DBUG> |authmgr|  "VDR - Add to history of user user 00:23:15:e7:26:a1 vlan 3090 derivation_type Default VLAN index 1.
Jan 2 12:07:41 :522255:  <4956> <DBUG> |authmgr|  "VDR - set vlan in user for 00:23:15:e7:26:a1 vlan 3090 fwdmode 0 derivation_type Current VLAN updated.
Jan 2 12:07:41 :522258:  <4956> <DBUG> |authmgr|  "VDR - Add to history of user user 00:23:15:e7:26:a1 vlan 3090 derivation_type Current VLAN updated index 2.
Jan 2 12:07:41 :522158:  <4956> <DBUG> |authmgr|  Role Derivation for user N/A-00:23:15:e7:26:a1- N/A Set AAA profile defaults.
Jan 2 12:07:41 :522142:  <4956> <DBUG> |authmgr|  Setting default role to allowall for user 00:23:15:e7:26:a1".
Jan 2 12:07:41 :522127:  <4956> <DBUG> |authmgr|  {L2} Update role from logon to allowall for IP=N/A, MAC=00:23:15:e7:26:a1.
Jan 2 12:07:41 :522049:  <4956> <INFO> |authmgr|  MAC=00:23:15:e7:26:a1,IP=N/A User role updated, existing Role=logon/none, new Role=allowall/none, reason=Set AAA profile defaults
Jan 2 12:07:41 :522246:  <4956> <DBUG> |authmgr|  Idle timeout should be driven by STM for MAC 00:23:15:e7:26:a1.
Jan 2 12:07:41 :524141:  <4956> <DBUG> |authmgr|  clr_pmkcache_ft():1016: MAC:00:23:15:e7:26:a1 BSS:80:8d:b7:e5:85:73
Jan 2 12:07:41 :522287:  <4956> <DBUG> |authmgr|  Auth GSM : MAC_USER publish for mac 00:23:15:e7:26:a1 bssid 80:8d:b7:e5:85:73 vlan 3090 type 1 data-ready 0
Jan 2 12:07:41 :522254:  <4956> <DBUG> |authmgr|  VDR - mac 00:23:15:e7:26:a1 rolename allowall fwdmode 0 derivation_type Initial Role Contained vp not present.
Jan 2 12:07:41 :522258:  <4956> <DBUG> |authmgr|  "VDR - Add to history of user user 00:23:15:e7:26:a1 vlan 0 derivation_type Reset Role Based VLANs index 3.
Jan 2 12:07:41 :522320:  <4956> <DBUG> |authmgr|  handle_sta_up_dn (3007): rtts user=00:23:15:e7:26:a1  enabled=0 initial tput=395200
Jan 2 12:07:41 :524124:  <4956> <DBUG> |authmgr|  dot1x_supplicant_up(): MAC:00:23:15:e7:26:a1, pmkid_present:False, pmkid:N/A
Jan 2 12:07:41 :522255:  <4956> <DBUG> |authmgr|  "VDR - set vlan in user for 00:23:15:e7:26:a1 vlan 3090 fwdmode 0 derivation_type Current VLAN updated.
Jan 2 12:07:41 :522258:  <4956> <DBUG> |authmgr|  "VDR - Add to history of user user 00:23:15:e7:26:a1 vlan 3090 derivation_type Current VLAN updated index 4.
Jan 2 12:07:41 :522260:  <4956> <DBUG> |authmgr|  "VDR - Cur VLAN updated 00:23:15:e7:26:a1 mob 0 inform 1 remote 0 wired 0 defvlan 3090 exportedvlan 0 curvlan 3090.
Jan 2 12:07:41 :522308:  <4956> <DBUG> |authmgr|  Device Type index derivation for 00:23:15:e7:26:a1 : dhcp (0,0,0) oui (0,0) ua (16,39,27) derived Win 10(39)
Jan 2 12:07:41 :522299:  <4956> <DBUG> |authmgr|  Auth GSM : DEV_ID_CACHE publish for mac 00:23:15:e7:26:a1 dev-id Win 10 index 39
Jan 2 12:07:41 :522050:  <4956> <INFO> |authmgr|  MAC=00:23:15:e7:26:a1,IP=N/A User data downloaded to datapath, new Role=allowall/74, bw Contract=0/0, reason=layer 2 event driven download, idle-timeout=300
Jan 2 12:07:41 :522242:  <4956> <DBUG> |authmgr|  MAC=00:23:15:e7:26:a1 Station Created Update MMS: BSSID=80:8d:b7:e5:85:73 ESSID=SSSSSSSSSSSSS VLAN=3090 AP-name=DYDDD2AP04
Jan 2 12:07:41 :522301:  <4956> <DBUG> |authmgr|  Auth GSM : USER publish for uuid 0xb26df04d2001e1f mac 00:23:15:e7:26:a1 name  role allowall devtype Win 10 wired 0 authtype 0 subtype 0  encrypt-type 9 conn-port 8448 fwd-mode 0
Jan 2 12:07:44 :522289:  <4168> <DBUG> |authmgr|  Auth GSM : MAC_USER mu_delete publish for mac 00:23:15:e7:26:a1 bssid 80:8d:b7:e5:85:73 vlan 3090 type 1 data-ready 0 deauth-reason 52
Jan 2 12:07:44 :501106:  <5218> <NOTI> |stm|  Deauth to sta: 00:23:15:e7:26:a1: Ageout AP 172.29.123.215-80:8d:b7:e5:85:73-DYDDD2AP04 wifi_deauth_sta
Jan 2 12:07:44 :522296:  <4956> <DBUG> |authmgr|  Auth GSM : USER_STA delete event for user 00:23:15:e7:26:a1 age 0 deauth_reason 52
Jan 2 12:07:44 :522036:  <4956> <INFO> |authmgr|  MAC=00:23:15:e7:26:a1 Station DN: BSSID=80:8d:b7:e5:85:73 ESSID=SSSSSSSSSSSSS VLAN=3090 AP-name=DYDDD2AP04
Jan 2 12:07:44 :522234:  <4956> <DBUG> |authmgr|  Setting idle timer for user 00:23:15:e7:26:a1 to 300 seconds (idle timeout: 300 ageout: 0).
Jan 2 12:07:44 :522244:  <4956> <DBUG> |authmgr|  MAC=00:23:15:e7:26:a1 Station Deleted Update MMS
Jan 2 12:07:44 :522301:  <4956> <DBUG> |authmgr|  Auth GSM : USER publish for uuid 0xb26df04d2001e1f mac 00:23:15:e7:26:a1 name  role allowall devtype Win 10 wired 0 authtype 0 subtype 0  encrypt-type 9 conn-port 8448 fwd-mode 0
Jan 2 12:07:44 :522290:  <4956> <DBUG> |authmgr|  Auth GSM : MAC_USER delete for mac 00:23:15:e7:26:a1
Jan 2 12:07:44 :522303:  <4956> <DBUG> |authmgr|  Auth GSM : USER delete for mac 00:23:15:e7:26:a1 uuid 0xb26df04d2001e1f 
Jan 2 12:07:44 :527004:  <4370> <INFO> |mdns|  mdns_parse_auth_useridle_message 169 Auth User Idle Timeout: MAC:00:23:15:e7:26:a1
Jan 2 12:07:44 :527000:  <4370> <DBUG> |mdns|  ag_ssdp_get_token_list_for_mac 348 AirGroup user doesn't exist: mac=00:23:15:e7:26:a1
Jan 2 12:07:44 :527000:  <4370> <DBUG> |mdns|  ag_mdns_get_token_list_for_mac 650 AirGroup user doesn't exist: mac=00:23:15:e7:26:a1
Jan 2 12:07:44 :527000:  <4370> <DBUG> |mdns|  mdns_client_purge 1162 Purge mdns client, mac=00:23:15:e7:26:a1, del_client = 1
Jan 2 12:07:44 :501080:  <5218> <NOTI> |stm|  Deauth to sta: 00:23:15:e7:26:a1: Ageout AP 172.29.123.215-80:8d:b7:e5:85:73-DYDDD2AP04 Ptk Challenge Failed
Jan 2 12:07:44 :501000:  <5218> <DBUG> |stm|  Station 00:23:15:e7:26:a1: Clearing state
Jan 2 12:07:44 :501105:  <NOTI> |AP DYDDD2AP04@172.29.123.215 stm|  Deauth from sta: 00:23:15:e7:26:a1: AP 172.29.123.215-80:8d:b7:e5:85:73-DYDDD2AP04 Reason Ptk Challenge Failed
Jan 2 12:07:44 :501000:  <DBUG> |AP DYDDD2AP04@172.29.123.215 stm|  Station 00:23:15:e7:26:a1: Clearing state
Jan 2 12:07:44 :501093:  <NOTI> |AP DYDDD2AP04@172.29.123.215 stm|  Auth success: 00:23:15:e7:26:a1: AP 172.29.123.215-80:8d:b7:e5:85:73-DYDDD2AP04
Jan 2 12:07:44 :501095:  <NOTI> |AP DYDDD2AP04@172.29.123.215 stm|  Assoc request @ 12:07:44.827322: 00:23:15:e7:26:a1 (SN 0): AP 172.29.123.215-80:8d:b7:e5:85:73-DYDDD2AP04
Jan 2 12:07:44 :501218:  <4172> <NOTI> |stm|  stm_sta_assign_vlan 18449: VLAN: sta 00:23:15:e7:26:a1, STM assigns MAC based vlan_id 3090
Jan 2 12:07:44 :501218:  <NOTI> |AP DYDDD2AP04@172.29.123.215 stm|  stm_sta_assign_vlan 18455: VLAN: sta 00:23:15:e7:26:a1, STM assigns MAC based vlan_id 3090
Jan 2 12:07:44 :501100:  <NOTI> |AP DYDDD2AP04@172.29.123.215 stm|  Assoc success @ 12:07:44.828822: 00:23:15:e7:26:a1: AP 172.29.123.215-80:8d:b7:e5:85:73-DYDDD2AP04
Jan 2 12:07:44 :501065:  <4172> <DBUG> |stm|  a2c_sm_process_stalist: client (00:23:15:e7:26:a1) is 11k-enabled
Jan 2 12:07:44 :501100:  <4172> <NOTI> |stm|  Assoc success @ 12:07:44.834375: 00:23:15:e7:26:a1: AP 172.29.123.215-80:8d:b7:e5:85:73-DYDDD2AP04
Jan 2 12:07:44 :522295:  <4956> <DBUG> |authmgr|  Auth GSM : USER_STA event 0 for user 00:23:15:e7:26:a1

We think the problem is here in the log:

 

Jan 2 12:07:41 :522301: <4956> <DBUG> |authmgr| Auth GSM : USER publish for uuid 0xb26df04d2001e1f mac 00:23:15:e7:26:a1 name role allowall devtype Win 10 wired 0 authtype 0 subtype 0 encrypt-type 9 conn-port 8448 fwd-mode 0
Jan 2 12:07:44 :522289: <4168> <DBUG> |authmgr| Auth GSM : MAC_USER mu_delete publish for mac 00:23:15:e7:26:a1 bssid 80:8d:b7:e5:85:73 vlan 3090 type 1 data-ready 0 deauth-reason 52
Jan 2 12:07:44 :501106: <5218> <NOTI> |stm| Deauth to sta: 00:23:15:e7:26:a1: Ageout AP 172.29.123.215-80:8d:b7:e5:85:73-DYDDD2AP04 wifi_deauth_sta

 

We see the 3 second delay and a

deauth-reason 52 (a Google search said):

52 MESH-PEERING-CANCELLED: SME cancels the mesh peering instance with the reason other than reaching the maximum number of peer mesh STAs

But we don't use mesh in this WLAN; all APs are connected to Aruba switches and all switches are connected together.

The APs in the AP group that works are on the same IP network as the controller (APs 172.29.59.XXX/23 and controller 172.29.58.150/23), and the APs in the AP group that doesn't work are on another IP network (172.29.123.XXX/23), but the APs are adopted by the controller, with no firewalling between the two networks...

Let us know if you want more information (sh run / others).

 

Regards
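
The comparison made by hand in the post above (an attempt that reaches "User entry added" versus one that is deauthenticated with "Ptk Challenge Failed" three seconds after association) can be automated. The Python below is an added example, not part of the original thread or of Aruba's tooling; the sample log lines, MAC addresses, AP names and IP addresses are constructed, and the `year` argument is an assumption because the log timestamps carry no year.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the format of the controller logs quoted above.
# MAC addresses, AP names and IP addresses are made up for this example.
SAMPLE_LOG = """\
Jan 2 10:47:45 :501100:  <NOTI> |AP AP-WH-01@192.0.2.56 stm|  Assoc success @ 10:47:45.254572: 02:00:00:00:00:01: AP 192.0.2.56-02:aa:00:00:00:11-AP-WH-01
Jan 2 10:47:45 :501100:  <4172> <NOTI> |stm|  Assoc success @ 10:47:45.257576: 02:00:00:00:00:01: AP 192.0.2.56-02:aa:00:00:00:11-AP-WH-01
Jan 2 10:47:45 :522035:  <4956> <INFO> |authmgr|  MAC=02:00:00:00:00:01 Station UP: BSSID=02:aa:00:00:00:11 ESSID=EXAMPLE VLAN=3090 AP-name=AP-WH-01
Jan 2 10:47:45 :522006:  <4168> <INFO> |authmgr|  MAC=02:00:00:00:00:01 IP=203.0.113.69 User entry added: reason=Sibtye
Jan 2 10:55:39 :501100:  <NOTI> |AP AP-OF-04@198.51.100.215 stm|  Assoc success @ 10:55:39.487764: 02:00:00:00:00:02: AP 198.51.100.215-02:bb:00:00:00:73-AP-OF-04
Jan 2 10:55:42 :501106:  <5218> <NOTI> |stm|  Deauth to sta: 02:00:00:00:00:02: Ageout AP 198.51.100.215-02:bb:00:00:00:73-AP-OF-04 wifi_deauth_sta
Jan 2 10:55:42 :501080:  <5218> <NOTI> |stm|  Deauth to sta: 02:00:00:00:00:02: Ageout AP 198.51.100.215-02:bb:00:00:00:73-AP-OF-04 Ptk Challenge Failed
Jan 2 10:55:42 :501105:  <NOTI> |AP AP-OF-04@198.51.100.215 stm|  Deauth from sta: 02:00:00:00:00:02: AP 198.51.100.215-02:bb:00:00:00:73-AP-OF-04 Reason Ptk Challenge Failed
Jan 2 10:56:14 :501100:  <NOTI> |AP AP-OF-04@198.51.100.215 stm|  Assoc success @ 10:56:14.037863: 02:00:00:00:00:02: AP 198.51.100.215-02:bb:00:00:00:73-AP-OF-04
Jan 2 10:56:17 :501106:  <5218> <NOTI> |stm|  Deauth to sta: 02:00:00:00:00:02: Ageout AP 198.51.100.215-02:bb:00:00:00:73-AP-OF-04 wifi_deauth_sta
Jan 2 10:56:17 :501080:  <5218> <NOTI> |stm|  Deauth to sta: 02:00:00:00:00:02: Ageout AP 198.51.100.215-02:bb:00:00:00:73-AP-OF-04 Ptk Challenge Failed
"""

LINE_RE = re.compile(r"^(\w{3})\s+(\d{1,2})\s+(\d\d:\d\d:\d\d)\s+:(\d+):\s+(.*)$")
MAC_RE = re.compile(r"\b(?:[0-9a-f]{2}:){5}[0-9a-f]{2}\b", re.I)
AP_IP_RE = re.compile(r"AP (\d{1,3}(?:\.\d{1,3}){3})-")
DEDUP_WINDOW_S = 2  # the AP and the controller both log the same association


def parse_attempts(log_text, year=2000):
    """Return {station MAC: [attempt, ...]} built from stm/authmgr log lines."""
    attempts = {}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        mon, day, clock, _msg_id, msg = m.groups()
        mac = MAC_RE.search(msg)  # first MAC in these messages is the station
        if not mac:
            continue
        sta = mac.group(0).lower()
        # The log carries no year; `year` is an assumed placeholder.
        ts = datetime.strptime(f"{year} {mon} {day} {clock}", "%Y %b %d %H:%M:%S")
        history = attempts.get(sta, [])
        cur = history[-1] if history else None
        if "Assoc success" in msg:
            is_dup = (cur is not None and cur["end"] is None
                      and (ts - cur["start"]).total_seconds() <= DEDUP_WINDOW_S)
            if not is_dup:
                ap = AP_IP_RE.search(msg)
                attempts.setdefault(sta, []).append({
                    "start": ts, "end": None, "reason": None,
                    "ap_ip": ap.group(1) if ap else None, "ip_learned": False})
        elif cur is None:
            continue
        elif "User entry added" in msg:
            cur["ip_learned"] = True
        elif "Deauth" in msg or "Station DN" in msg:
            cur["end"] = cur["end"] or ts  # keep the first teardown time
            if "Ptk Challenge Failed" in msg:
                cur["reason"] = "Ptk Challenge Failed"
    return attempts


def classify(attempt):
    if attempt["reason"] == "Ptk Challenge Failed":
        return "ptk_challenge_failed"  # pairwise key exchange did not complete
    return "connected" if attempt["ip_learned"] else "incomplete"


def outcomes_by_ap(attempts):
    """Count outcomes per AP IP so failures clustered on one subnet stand out."""
    table = {}
    for history in attempts.values():
        for a in history:
            table.setdefault(a["ap_ip"], Counter())[classify(a)] += 1
    return table


def seconds_to_deauth(attempt):
    """Seconds from association to the first deauth, or None if still up."""
    if attempt["end"] is None:
        return None
    return (attempt["end"] - attempt["start"]).total_seconds()


if __name__ == "__main__":
    for ap_ip, counts in sorted(outcomes_by_ap(parse_attempts(SAMPLE_LOG)).items()):
        print(ap_ip, dict(counts))
```

Run against the output of the `show log user-debug all` command used in the thread, the per-AP table shows whether the key-exchange failures are confined to APs on one IP network; it does not by itself identify the cause.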

Occasional Contributor II

Re: SSID incorrect password if AP in other LAN

Hi,

We are searching a lot, so here is an idea:

We think that the problem comes from the tunnel mode when the APs are on another network. If the APs are in the same network, is it Layer 2 communication?

The client gets an AP from the DHCP server (192.168.93.XXX/24) and then it is authenticated and it works.

On the APs that are on the other IP network, for some reason the DHCP process failed and clients are deauthenticated from the SSID?

Tunnel stats from an AP not in the same network:

 

(BOB1B1CW01) #show datapath tunnel table | include 172.29.123.215
1189    172.29.58.150   172.29.123.215  47   8240  1500  3084 0   0    74   75   0     80:8D:B7:E5:85:74          0          0          0 IMASPma1  
1219    172.29.58.150   172.29.123.215  47   8200  1500  3086 0   0    74   75   0     80:8D:B7:E5:85:70      68664       1978          0 IMASPma1  
2936    172.29.58.150   172.29.123.215  47   8230  1500  3090 0   0    74   75   0     80:8D:B7:E5:85:73          0          0          0 IMASPma1  
489     172.29.58.150   172.29.123.215  47   8000  1200  0    0   0    0    0    0     80:8D:B7:C6:58:56          0          0          0 TEPs  
1511    172.29.58.150   172.29.123.215  47   9000  1500  0    0   0    0    0    0     80:8D:B7:C6:58:56    3349460          0    3321547 TES  
399     172.29.58.150   172.29.123.215  47   8310  1500  3090 0   0    74   75   0     80:8D:B7:E5:85:61          7         20          0 IMASPma1  
1114    SPI879DCF00out  172.29.123.215  50   IPSE  1500  0    routeDest 0422     0                                
0       1103                              0           0

Tunnel stats from an AP in the same network as the controller:

(BOB1B1CW01) (config) #show datapath tunnel table | include 172.29.59.56  
491     172.29.58.150   172.29.59.56    47   8320  1500  3090 0   0    74   75   0     38:17:C3:F9:39:02       8722         28          0 IMASPma1  
1717    SPI95127600out  172.29.59.56    50   IPSE  1500  0    routeDest 0422     0                                0        400                              0           0
1532    172.29.58.150   172.29.59.56    47   8000  1200  0    0   0    0    0    0     38:17:C3:C7:93:90          0          0          0 TEPs  
1067    172.29.58.150   172.29.59.56    47   9000  1500  0    0   0    0    0    0     38:17:C3:C7:93:90    3354202          0    3326250 TES  
791     172.29.58.150   172.29.59.56    47   8210  1500  3090 0   0    74   75   0     38:17:C3:F9:39:11      43538      34209          0 IMASPma1  
1521    172.29.58.150   172.29.59.56    47   8220  1500  3084 0   0    74   75   0     38:17:C3:F9:39:12          0          0          0 IMASPma1  

If we look at the VLAN 3090 network, in the first case there is no encaps/decaps. In the second we see traffic, but maybe it's because, as the auth succeeded, the client has exchanges with VLAN 3090.

In the end we will make a complete change: deploy VLAN 3090 on all switches and ports (more than 100 switches and 400 ports), and then the SSID will go in bridge mode like the others that work...

So we have a solution, but it is not satisfying because we cannot deploy an SSID in less than 5 minutes in this case...

 

Regards

Moderator

Re: SSID incorrect password if AP in other LAN

Tunnel mode VAP is L3 capable; as long as the VLAN that the AP boots up in has either L2 or L3 reachability to the controller (and is able to learn the controller IP using DHCP, DNS, config, etc.), it should work fine.

Can you try defining the VLAN explicitly in the virtual-ap profile for the tunnel mode VAP?
