Wireless Access


Aruba Master/ Local

  • 1.  Aruba Master/ Local

    Posted Mar 29, 2013 10:50 AM

    Hello,

     

    I am fairly new with the master-local setup. When this is done, what configurations are pushed to the local from the master? Also, if the radius server exists locally where the master controller is, how will I set up the radius server in the local controller? Will the local controller send the authentication to the master and the master to the radius, or will a radius server IP and shared key be manually put into the local controller? Just wondering also if authentication can be sent from local to master to radius. Not sure if a route from local to master would be sufficient.



  • 2.  RE: Aruba Master/ Local
    Best Answer

    EMPLOYEE
    Posted Mar 29, 2013 10:53 AM

    Baboyero,

     

    I would say 95% of the WLAN configuration is pushed to the local.  The radius server is part of that configuration, so on your radius server you would have to add an entry for that local controller's ip address with the same preshared key as the master.  The radius authentication is sent directly from the local controller and NOT through the master.

     



  • 3.  RE: Aruba Master/ Local

    Posted Mar 29, 2013 11:01 AM

    Hello Cjoseph,

     

    I guess the master-local setup cannot be configured in such a way that the authentication goes from the local to master, and the master to radius?



  • 4.  RE: Aruba Master/ Local

    EMPLOYEE
    Posted Mar 29, 2013 11:03 AM

    Correct.  The radius requests always come from the local controller.  You don't want the master to be a single point of failure.  You also want to know where the radius requests are really coming from on your radius server.

     



  • 5.  RE: Aruba Master/ Local

    Posted Mar 31, 2013 01:49 PM

    Adding to the query, is it advisable to have a radius server at the site of each local controller ?

     

    Thanks

     



  • 6.  RE: Aruba Master/ Local

    EMPLOYEE
    Posted Mar 31, 2013 01:57 PM

    Not necessary.



  • 7.  RE: Aruba Master/ Local

    Posted Apr 23, 2013 01:18 PM

    Hello,

     

    We have a master/ local setup and the radius server is located locally within the Master's network. Right now, our local controller (located remote from the radius server) sends authentication requests to the radius server but the radius server is not receiving these packets possibly due to firewall issues. However, I noticed that the NAS IP of the packets sent from our local controller is the IP of the master controller. I went ahead and changed the radius profile of the local controller (through the local's radius profile configuration within the master) to have a specific NAS IP which is the local controller's IP. However, when I ran the packet capture, it is still the master controller's IP. Am I doing this correctly? Does it even matter if the NAS IP is not correct? Any help would be appreciated. Thanks.



  • 8.  RE: Aruba Master/ Local

    EMPLOYEE
    Posted Apr 23, 2013 01:23 PM

    The NASIP is an optional and configurable global variable for the server, but it plays no role from a network perspective.  Some radius servers use this variable to make decisions.  The source IP address of the radius request, however, should be the local controller.



  • 9.  RE: Aruba Master/ Local

    Posted Apr 26, 2013 10:09 AM

    Hello,

     

    We took some packet captures through our local controller since no user can authenticate successfully. We found out that the controller is generating the proper authentication requests, with the correct NAS-IP and NAS-Identifier etc. However, we are not receiving any response from the radius server. When we checked the radius server logs, the authentication response is being sent to the master controller instead of being sent to the local. Have any of you experienced this before? Thanks.



  • 10.  RE: Aruba Master/ Local

    EMPLOYEE
    Posted Apr 26, 2013 11:10 AM

    I guess the big question is why is the radius server sending it someplace else, if that is what is happening.

     

    What radius server is this?  That is unusual.



  • 11.  RE: Aruba Master/ Local

    Posted Apr 29, 2013 12:53 PM

    Ok, let me back up a little then. We are using a single radius server and we have a master local setup. We created 2 radius server profiles, 1 for the master and 1 for the local. We did not specify the NAS IP and identifier for each profile. However, we specified the IPs under the authentication>advanced under radius client NAS IP (set up in master the master's IP, and set up in local the local's IP). We did some packet captures through each controller and verified that the authentication requests sent to the radius are similar except the NAS-IPs and NAS-Identifiers (both are master's IPs or local's IP depending on source of authentication request) and some other attributes that are changing I believe based on the pre-shared key. Also, we verified that both master and local exist as clients in the radius server and that the pre-shared keys for each are correct. Clients associated to APs terminated directly to the master can successfully authenticate. However, clients associated to APs terminated to the local cannot successfully authenticate. When we looked at the radius logs when a client through the local tries to authenticate, it gives an "invalid message authentication and a shared secret key incorrect" error. We have verified that all radius attributes look correct since they are similar to the master, and the pre-shared key is correct. What are we missing? We are using a 6.1.4.3 OS. Any thoughts?
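
An added illustration, not part of the thread and not Aruba or RADIUS-server vendor code: a RADIUS server selects the shared secret by the source IP address of the request (not by NAS-IP-Address) and then checks the Message-Authenticator attribute as HMAC-MD5 over the packet (RFC 2869). The sketch below uses constructed addresses and secrets, and the function names are hypothetical; it shows that the same request verifies or fails depending only on which client entry its source IP matches.

```python
import hashlib
import hmac
import os
import socket
import struct

NAS_IP_ADDRESS, MESSAGE_AUTHENTICATOR = 4, 80  # RADIUS attribute types
# Constructed client table (documentation address ranges), not values from the thread.
CLIENTS = {"192.0.2.10": b"master-secret", "198.51.100.20": b"local-secret"}

def attr(attr_type, value):
    """Encode one RADIUS attribute as Type, Length, Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_access_request(secret, nas_ip, ident=1):
    """Controller side: minimal Access-Request with NAS-IP-Address and Message-Authenticator."""
    authenticator = os.urandom(16)
    attrs = attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
    attrs += attr(MESSAGE_AUTHENTICATOR, bytes(16))  # zeroed while the HMAC is computed
    header = struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator
    mac = hmac.new(secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + mac  # Message-Authenticator is the last attribute

def verify_request(packet, source_ip, clients=CLIENTS):
    """Server side: pick the secret by UDP source IP, then check Message-Authenticator."""
    secret = clients.get(source_ip)
    if secret is None:
        return "unknown client"
    pos = 20  # attributes start after the 20-byte header
    while pos + 2 <= len(packet):
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2:
            return "malformed attribute"
        if a_type == MESSAGE_AUTHENTICATOR:
            received = packet[pos + 2:pos + a_len]
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + a_len:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            ok = hmac.compare_digest(received, expected)
            return "ok" if ok else "invalid Message-Authenticator"
        pos += a_len
    return "no Message-Authenticator"

if __name__ == "__main__":
    pkt = build_access_request(b"local-secret", nas_ip="198.51.100.20")
    print(verify_request(pkt, "198.51.100.20"))  # arrives from the local's own address
    print(verify_request(pkt, "192.0.2.10"))     # same bytes seen from another client's address
```

On a real server, comparing the source address in the RADIUS log or a capture taken at the server against the client entries shows which secret the server actually applied to the request.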