Wireless Access

Hi,

I have a wireless network consisting of 12 Local controllers and one Master controller.

I would like to attach AP's to the Master but I can't get an IP address off of an AP attached to it. Is there a reason I could not use the Master for a wireless network in the office?

I can see the SSID on the controller and can get a proper VLAN IP when directly connected to the router (when port is in switchport access mode) but cannot connect to the SSID??

thx for any help.

You should run a show ap essid and make sure that's the correct VLAN you have attached .

Also do a show profile-errors to see if there's any errors on that VAP 

And last do a show ap active | include <apname> to make sure that the AP is attached to the master 

Hi,

Thnaks for the quick reply.....

Yes, the AP is connected to the Master correctly.

I can see the SSID, I am prompted for credentials and can accept the certificate for Radius but after that,,, no IP and no access to wireless....

thx,

Please run the following :

show  ap association client-mac <clientmac>

show auth-tracebuf

logging level debugging user-debug <clientmac> and do show log user-debug all | include <clientmac>

show ip radius nas-ip "make sure that the IP showing after this command is in the radius server"

Also check your radius logs and see the peap failure reason

Hmmm,, so if I use my guest authenication,,, (no radius) I can connect to the Aruba. On my Master there is no IPsec key entry which is probably why Radius authentication is failing ...... is there a way to enter in the key on a master? Or how is this supposed to be configured?

thx

The master uses the same key as all of the other controllers.  Just add the master as a radius client on your radius server, with the same key.

on the master where do you enter in the key? if the controller is in master mode the key text field is not usable (locked)

Just do encrypt disable and then you will be able to see it in clear text

thanks for the reply.

I know what the key is but there is no way to add it into the text field on the Master.

Basically what I want to do is have the Master work as a Local controller so I can setup Aruba AP's at the office (where the Master is located). Can you use a Master as a local?

I do have another 650 here which I will connect as a local to the master and see if I can get it set up that way.... ??

thx

Lanman,

The Radius servers are defined and configurable on the master.  If the field is not editable, you are on the local controller or the backup master.

I am on the Master controller, not a local or a backup.

The Radius server is only defined in the Security server settings not in the Controller\General config (like on a local)

Should I be able to attach AP's to my master controller and configure them for use to connect to the wireless network?

thx

You can't add radius servers from a local controller in  a master/local configuration.  Those changes have to be done from the Master.

The controller/general tab is for the IPSEC key for master to local communication, not radius authentication of wireless clients.

If you have an AP terminated on the master and it isn't authneticating clients, I would check the radius server's config to make sure that the IP address of the master controller is listed as a RADIUS client, and re-check the shared secret for it on the radious server.

I have finally had a chance to work on this again.....

I now can see the SSID and connect one device to the wireless.... the only device that will attach to the AP and get a proper IP address from the VLAN is an HP laptop, all other devices will not connect?? I have a Dell laptop that connects to all other AP's I am using (130 of them) but will not connect to this AP? I also have an iPad and iPhone and Dell tablet that do not receive an IP when attempting to connect. Any ideas why the HP laptop can connect but noting else?

I have attached a debug log from the AP...

thx

Attachment(s)

New Text Document (2).txt   2 KB 1 version

---

@lanman wrote:

I have finally had a chance to work on this again.....

I now can see the SSID and connect one device to the wireless.... the only device that will attach to the AP and get a proper IP address from the VLAN is an HP laptop, all other devices will not connect?? I have a Dell laptop that connects to all other AP's I am using (130 of them) but will not connect to this AP? I also have an iPad and iPhone and Dell tablet that do not receive an IP when attempting to connect. Any ideas why the HP laptop can connect but noting else?

I have attached a debug log from the AP...

 

thx

 

---

What type of authentication are using ?

Do you have any user derivation rules to only allow a certain mac addresses or OUI to authenticate ?

Please enable the following :

logging level debug user-debug

and do  a show log user-debug all | inclue <device having issues mac address>

I am using WPA2 with AES

Enabled the logging for a device but did not see anything when doing a "show" logging....

thx

Please try:

show log user-debug all | inclue <device having issues mac address>

Thanks for your help... I still don't see any output from the command.... I have never used this before.

For whatever the reason....?? I do have my Dell tablet and Dell laptop connecting now... ??

The only devices are that are not connecting are Apple devices.... but I don' have this issue with an other AP or configuration on the wireless network (15 controllers and 130 AP's)

Where you able to enable the debugging first ?

logging level debugging user-debug 

is there a way to check if it is actually enabled?

I did run the command

If the device trying to authenticate at that moment when you run the command ?

You could also do a logging level debugging user

I have attached the log file from the AP with my iPad client trying to connect to the wireless network.

It looks as though the Raduis authenticates properly but I never receive an IP.....

Any windows machine is attaching fine now ...

Attachment(s)

New Text Document (2).txt   1 KB 1 version

Are you using VLAN pooling ?

Can other devices get an IP address on VLAN 196 ?

The correct VLAN for the SSID is 964 which I am getting an address from on the windows devices....

For some reason that device is trying to get an IP on VLAN 196, can you please check the Virtual AP config and see what's the vlans that you have in there?

the only VLAN that is being used on that VAP is 964 ...

Can you please do a show ap association client-mac <devicemac> ?

I have attached the file

I can see in the file that the device is trying to get an IP from the 196 VLAN...... I have no idea where that is configured. Why do the windows devices connect properly with a VLAN 964 address??

thx

Attachment(s)

New Text Document (2).txt   1 KB 1 version

As you can see here the device is getting VLAN 196 not 964

Are you using a NAMED VLAN pool ?

Can you please share the Virtual AP config, show wlan virtual-ap ?

show  aaa derivation-rules user 

Do you allow everything for that user-role ? you should probably consider using the authenticated role as your 802.1x role .

I have attached the wlan file

Attachment(s)

New Text Document (2).txt   1 KB 1 version

Can you please do the following :

show  aaa derivation-rules user 

when I run that command it does not show anything......

And also run this one :

show  aaa derivation-rules server-group

Have you assigned any VLANs under the role ?

attached is the server group output

Attachment(s)

New Text Document (2).txt   713 B 1 version

Run the same command for the aaa profile you are currently using :

show  aaa derivation-rules server-group ISD_Staff_Server_Group ?