Wireless Access


Captive Portal and Master-Local redundancy

  • 1.  Captive Portal and Master-Local redundancy

    Posted Feb 20, 2012 10:53 PM

    Hello,

    We have Master (Aruba 3200, 5.0.4.4) and Local (Aruba 3200, 5.0.4.4) redundancy.

    Configuration in Master synchronizes with Local.

    Master (10.128.0.88/24, Loopback 10.128.0.89/24) and Local (10.128.210.88/24, Loopback 10.128.210.89/24) are connected with a router.

    RAP (AP-105) is connected to Local 3200. RAP IP address is supplied by DHCP and is in the same subnet as Local 3200 (10.128.210.100/24).

    Defined VLAN184 in Master (Gateway 10.128.184.1/24) and Local (10.128.184.2/24).

    Connected Master/Local VLAN184 with a Layer 2 GRE tunnel. Tunnel endpoint is Loopback (10.128.0.89/24 and 10.128.210.89/24).

    Defined Captive Portal with VLAN184 (Tunnel mode).

    VLAN184 is routable to the Internet.

    To make Master-Local redundancy, AP points to aruba-ap (registered in DNS server, IP 10.128.210.89) and LMS Master 10.128.210.89, LMS Backup 10.128.0.89.

    When Local 3200 is down, RAP is connected to Master 3200 and Captive Portal works fine. Cap authentication uses Master (Internal DB) and Master Captive screen setting.

    The problem is - when Local 3200 is up, RAP is connected to Local 3200 and the Web authentication screen appears. (Screen setting is from Local, and Cap authentication is from Master (Internal DB).) But, after typing in userid and password, the screen says "Web authentication is disabled."

    Local 3200's user status says "guest - authenticated - Yes". Master 3200's user status says "guest - logon" (still needs authentication).

    I isolated the problem by creating VLAN184 only at Local 3200 and connecting the Ethernet cable (routes to the Internet) to VLAN184 at Local 3200. Then Captive Portal works fine.

    I think Master 3200 is interfering with Local 3200's captive portal authentication.

    I tried to modify the Captive Portal profile (Configuration > Security > Access Control) and tried to change "user - controller - svc-https dst-nat" to IP 10.128.0.89 (Master's loopback), expecting that dst-nat always points to Master. But this does not work.

    I need help, please ...


  • 2.  RE: Captive Portal and Master-Local redundancy

    EMPLOYEE
    Posted Feb 20, 2012 11:03 PM

    Since the focus of this is on a RAP, is the RAP outside the firewall (public address) or does it have an internal address (private)?

    EDIT:

    You need to configure both controllers as master-backup master, instead of master-local, for what you want to accomplish. If you are using the local database in a master/local scenario, once the master is down, the local database is not accessible to the local controller. In a master/backup master scenario, it is accessible because the local database is replicated between the two.


  • 3.  RE: Captive Portal and Master-Local redundancy

    Posted Feb 20, 2012 11:21 PM

    Hi cjoseph,

    RAP is configured in the private network.

    Master (Aruba 3200, 5.0.4.4) VLAN1 10.128.0.88/24 Loopback 10.128.0.89

    Router (Cisco 1841)   Fa0/0 10.128.0.1/24
                          Fa0/1 10.128.210.1/24

    Router has DHCP server role. DHCP Pool 10.128.210.0/24, except 10.128.210.1-99, 10.128.210.120-255

    No Option 43, No Option 60

    There is a Cisco PoE switch (3560) to connect the Cisco router, Local 3200, and AP-105. Notice that AP-105 is not connected to Local 3200 directly; it is connected to the 3560 PoE switch.

    Local (Aruba 3200, 5.0.4.4)  VLAN 1 10.128.210.88/24 Loopback

    VPN services IPSEC 0.0.0.0 passphrase yyyyyy

    VPN Endpoint IP address Pool 10.128.190.30 - 10.128.190.39

    RAP (AP-105)  UserId RAP Password xxxxxx

    Passphrase yyyyyy

    Assigned IP address by DHCP  10.128.210.100/24

    The reason why I configure RAP in the private network is that we need to configure bridge mode. The bridge mode user (laptop user authenticated by Windows 2008 R2 802.1X PEAP) is also assigned an address by the Cisco 1841 router, and the DHCP address is in 10.128.210.0/24, same as Local 3200, RAP, and Router 1841 Fa0/1.

    I have read an article that Captive Portal works with RAP (Tunnel Mode) but Captive authentication should be done at the Local controller, where the RAP VPN endpoint exists.

    Regards,


  • 4.  RE: Captive Portal and Master-Local redundancy

    EMPLOYEE
    Posted Feb 20, 2012 11:32 PM

    What are you using to store your guest usernames and passwords? If you are configuring guest usernames and passwords in the internal database, you need to configure the controllers as master-backup master instead of master-local, because if the AP is on the local, it will just reroute the authentication to the master, so the master must always be up. If you configure the controllers as master-backup master, you will not have that problem.

    For the guest access situation, does each controller have an IP address in the guest VLAN? If yes, on the command line of each controller you need to do this:

    config t

    ip cp-redirect-address <ip address of controller in guest vlan>

    That command above tells the captive portal what IP address to redirect guest traffic to. That address needs to be the IP address of the controller on the guest network.

    My last point is that you do not need to configure an AP as a RAP to do bridge mode. You can turn on control-plane-security (make sure auto cert provisioning is enabled) and you can bridge 802.1x traffic without the additional complexity of making each AP a remote AP.


  • 5.  RE: Captive Portal and Master-Local redundancy

    Posted Feb 21, 2012 01:02 AM

    Hi cjoseph,

    I tried ip cp-redirect-address <ip address of controller in guest vlan>, but it did not work ...

    Master has Guest VLAN99 (IP 192.168.1.2/24) and it has interface GE-1/3 connected to 192.168.1.1 (broadband router).

    VLAN99 is connected to Local's VLAN99 with a Layer 2 GRE tunnel. VLAN99 is not inter-VLAN routable with other VLANs.

    Local has VLAN99 (IP 192.168.1.3/24) and has no interface. VLAN99 is not inter-VLAN routable with other VLANs.

    I tried ip cp-redirect-address 192.168.1.2 at Master, and ip cp-redirect-address 192.168.1.3 at Local,
    but the symptom (after I entered guest/password in the Captive Web Auth screen, the message "Web Authentication is disabled. Contact Administrator") was the same....

    To figure out which controller's captive setting the guest connects to, I chose a blue-based captive screen for Master, and an amber-based captive screen for Local.

    To figure out which controller's captive authentication the guest is connected to, I created userid "test" (guest role) and entered the "test" userid on the Captive Portal screen. I figured out that in both the Master-active/Local-down and Master-active/Local-active cases, captive authentication (= Internal DB) was done by the Master Internal DB.

    When I tried "aaa authentication-server internal use-local-switch", the Local side's Internal DB was used.

    The way I isolated this symptom was - I removed the cable from Master GE-1/3 (which connects to 192.168.1.1) and created GE-1/3 at Local with VLAN99. Connected a cable from 192.168.1.1 to Local GE-1/3. Deleted VLAN99 from Master. Afterwards, Captive Portal works fine with the Local controller. This result makes me assume that if VLAN99 has a connection with Master, Captive Portal does not work.

    ---

    I tried hard to create Bridge mode with Campus AP mode under the Local controller, but it did not work. That was the reason why I started using RAP mode. In the bridge configuration using RAP, I leave VLAN blank, so that AP-105 RAP works in Bridge mode.


  • 6.  RE: Captive Portal and Master-Local redundancy

    EMPLOYEE
    Posted Feb 21, 2012 05:14 AM

    Mikek8877,

    Your problem is:

    "The problem is  - when Local 3200 is up, RAP is connected to Local 3200 and Web authentication screen appears. (Screen setting is from Local, and Cap authentication is from Master(Internal DB)) But, after type in userid and password, the screen says "Web authentication is disabled.""

    Correct?

    When you type "show switches" in the Master controller, do you see the second controller as a Local?

    I want to make sure that the master/local relationship is established properly.


  • 7.  RE: Captive Portal and Master-Local redundancy

    Posted Feb 21, 2012 10:48 AM

    Hi cjoseph,

    Yes, my problem is:

    "The problem is  - when Local 3200 is up, RAP is connected to Local 3200 and Web authentication screen appears. (Screen setting is from Local, and Cap authentication is from Master(Internal DB)) But, after type in userid and password, the screen says "Web authentication is disabled.""

    From Master, I performed show switches, show crypto ipsec sa, show user.

    (Master) #show switches

    All Switches
    ------------
    IP Address     Name    Location          Type    Version  Status  Configuration State  Config Sync Time (sec)
    ----------     ----    --------          ----    -------  ------  -------------------  ----------------------
    10.128.0.89    Master  Building1.floor1  master  5.0.4.4  up      UPDATE SUCCESSFUL    0
    10.128.210.89  Local   Building2.Floor1  local   5.0.4.4  up      UPDATE SUCCESSFUL    10

    (Master) #show crypto ipsec sa

    IPSEC SA Active Session Information
    -----------------------------------
    Initiator IP     Responder IP      InitiatorID   ResponderID  Flags    Start Time      Inner IP
    ------------     ------------      -----------   -----------  ----------   ----------      --------
    10.128.210.89    10.128.0.89        10.128.210.89/32 10.128.0.89/32  T    Feb 21 03:08:32     -

    Flags: T = Tunnel Mode; E = Transport Mode; U = UDP Encap
           L = L2TP Tunnel; N = Nortel Client; C = Client

    Total IPSEC SAs: 1

    (Master) #show user

    Users
    -----
        IP              MAC            Name     Role      Age(d:h:m)  Auth  VPN link  AP name  Roaming  Essid/Bssid/Phy  Profile  Forward mode
    ----------     ------------       ------    ----      ----------  ----  --------  -------  -------  ---------------  -------  ------------
    192.168.1.3    00:0b:86:6d:XX:XX            logon     00:00:05                    N/A                                         tunnel
    192.168.1.101  58:94:6b:75:XX:XX            logon     00:00:03                    N/A                                         tunnel

    Notice that 58:94:6b:75:XX:XX is the laptop's wireless adapter which is connecting as a guest.

    I also performed show switches, show crypto ipsec sa, show user from the Local controller.

    (Local) #show switches

    All Switches
    ------------
    IP Address     Name   Location          Type   Version  Status  Configuration State  Config Sync Time (sec)
    ----------     ----   --------          ----   -------  ------  -------------------  ----------------------
    10.128.210.89  Local  Building2.Floor1  local  5.0.4.4  up      UPDATE SUCCESSFUL    0

    (Local) #show crypto ipsec sa

    IPSEC SA Active Session Information
    -----------------------------------
    Initiator IP     Responder IP      InitiatorID   ResponderID  Flags    Start Time      Inner IP
    ------------     ------------      -----------   -----------  ----------   ----------      --------
    10.128.210.100   10.128.210.89      10.128.190.30/32 0.0.0.0/0  T    Feb 21 02:03:18   10.128.190.30
    10.128.210.89    10.128.0.89        10.128.210.89/32 10.128.0.89/32  T    Feb 21 03:00:22     -

    Flags: T = Tunnel Mode; E = Transport Mode; U = UDP Encap
           L = L2TP Tunnel; N = Nortel Client; C = Client

    Total IPSEC SAs: 2

    Notice that Initiator IP 10.128.210.100, Inner IP 10.128.190.30 is the RAP (AP-105) which connects to the Local controller (10.128.210.89).

    (Local) #show user

    Users
    -----
        IP                MAC            Name     Role      Age(d:h:m)  Auth  VPN link  AP name  Roaming   Essid/Bssid/Phy                  Profile   Forward mode
    ----------       ------------       ------    ----      ----------  ----  --------  -------  -------   ---------------                  -------   ------------
    192.168.1.101    58:94:6b:75:XX:XX  guest     guest     00:00:05    Web             AP4      Wireless  XXXGUEST/00:24:6c:21:34:a3/g-HT  CaptiveP  tunnel

    show user at the Local controller says that guest auth was completed.


  • 8.  RE: Captive Portal and Master-Local redundancy
    Best Answer

    Posted Feb 22, 2012 02:53 AM

    Can you please tell me what your L2 GRE tunnel config looks like?

    Did you configure any/both ends of the GRE tunnel as "untrusted"?


  • 9.  RE: Captive Portal and Master-Local redundancy

    Posted Feb 22, 2012 12:43 PM

    Hi aalap22,

    VERY GOOD POINT!

    The GRE tunnel was not trusted. On the GUI screen, there is no "Trusted" check for GRE.

    After I added "trusted" on Tunnel 1 using the serial interface, the captive portal is working beautifully.

    I have one situation - when I connect laptop (A) to SSID XXXGUEST with Captive Portal, disconnect laptop (A) from SSID XXXGUEST, then connect laptop (A) to SSID XXXBRIDGE with bridge mode, disconnect laptop (A) from SSID XXXBRIDGE, then connect laptop (A) to SSID XXXGUEST again with Captive Portal.

    This is an intermittent symptom - it sometimes showed "Web Authentication is disabled".

    I thought that the controller still held information from bridge mode, so I waited 600 secs (idle timeout) then tried guest access again, and then it works fine.

    Is there any good setting to trust some user/computer, so as not to show the "Web Authentication is disabled" screen?

    Or is the good solution to wait 600 secs for the idle timeout?

    One of my customers says that after his portable wireless device went into power save mode, his guest access was disconnected. I resolved this symptom by extending the idle timeout value to the max (about 2 hours).

    But if the idle timeout is set to the max of 2 hours, when the user encounters the "Web Authentication is disabled" situation, the user has to wait 2 hours, or call the administrator to disconnect his session on the Aruba Web management screen.

    ---------

    Here is the configuration.

    [Master controller 3200 5.0.4.4 Loopback 10.128.0.89]

    interface vlan 184
            ip address 10.128.184.1 255.255.254.0

    (Master) #show interface tunnel 1

    Tunnel 1 is up line protocol is up
    Description: Tunnel Interface
    Source  10.128.0.89 (Loopback)
    Destination 10.128.210.89
    Tunnel mtu is set to 1100
    Tunnel is a Layer2 GRE TUNNEL
    Tunnel is Trusted
    Inter Tunnel Flooding is enabled
    Tunnel keepalive is disabled
    tunnel vlan 184,187-189

    # VLAN184
    subnet 10.128.184.0 netmask 255.255.254.0 {
            default-lease-time 86400;
            max-lease-time 86400;
            option domain-name "test.local";
            option vendor-class-identifier  "ArubaAP";
            option vendor-encapsulated-options  "10.128.0.89";
            option domain-name-servers 8.8.8.8;
            option routers 10.128.184.1;
            range 10.128.184.10 10.128.184.254;
            range 10.128.185.2 10.128.185.250;
            authoritative;
    }

    [Local controller 3200 5.0.4.4 Loopback 10.128.210.89]

    interface vlan 184
            ip address 10.128.184.2 255.255.254.0
            no ip routing
            ip helper-address 10.128.184.1  --> Obtains DHCP lease from Master, through the Layer 2 GRE tunnel.

    (Local) #show interface tunnel 1

    Tunnel 1 is up line protocol is up
    Description: Tunnel Interface
    Source  10.128.210.89 (Loopback)
    Destination 10.128.0.89
    Tunnel mtu is set to 1100
    Tunnel is a Layer2 GRE TUNNEL
    Tunnel is Trusted
    Inter Tunnel Flooding is enabled
    Tunnel keepalive is disabled
    tunnel vlan 184,187-189

    When I connected the laptop for guest access, because the RAP (AP-105) connects to the Local controller,
    the Local controller's captive portal screen (amber based - I selected) was displayed.

    Typed in userID (guest) password (xxxxxx), then authenticated.

    Show user at Local controller

    (Local) #show user

    Users
    -----
        IP               MAC            Name     Role      Age(d:h:m)  Auth  VPN link  AP name  Roaming   Essid/Bssid/Phy                  Profile   Forward mode
    ----------      ------------       ------    ----      ----------  ----  --------  -------  -------   ---------------                  -------   ------------
    10.128.184.254  58:94:6b:75:XX:XX  guest     guest     00:00:27    Web             AP4      Wireless  XXXGUEST/00:24:6c:21:34:a3/g-HT  CaptiveP  tunnel

    User Entries: 1/1

    Show user at Master controller. After I trusted the Tunnel 1 GRE tunnel, the Master side also says that the guest is authenticated.

    (Master) #show user

    Users
    -----
        IP               MAC            Name     Role      Age(d:h:m)  Auth  VPN link  AP name  Roaming   Essid/Bssid/Phy                  Profile   Forward mode
    ----------      ------------       ------    ----      ----------  ----  --------  -------  -------   ---------------                  -------   ------------
    10.128.184.254  58:94:6b:75:XX:XX  guest     guest     00:01:36    Web             N/A      Wireless  XXXGUEST/00:24:6c:21:34:a3/g-HT  CaptiveP  tunnel

    User Entries: 1/1


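As an added example that is not part of this thread (and not Aruba's own code), here is a small Python checker that parses the `show interface tunnel` and `show user` output formats shown above and flags the two conditions the thread turned on: an L2 GRE tunnel carrying the captive portal VLAN without the "Tunnel is Trusted" line, and a client that is "guest" on the Local but still "logon" on the Master. The sample outputs are constructed from the thread's listings; since the page never shows the untrusted wording, the checker treats any tunnel output lacking the exact "Tunnel is Trusted" line as untrusted.

```python
import re

# Constructed sample output modelled on this thread's 'show interface tunnel 1'
# and 'show user' listings; the 'Tunnel is Trusted' line is deliberately absent
# to represent the pre-fix state (MACs masked as on the page).
TUNNEL_BEFORE_FIX = """Tunnel 1 is up line protocol is up
Source  10.128.210.89 (Loopback)
Destination 10.128.0.89
Tunnel is a Layer2 GRE TUNNEL
Inter Tunnel Flooding is enabled
tunnel vlan 184,187-189
"""
MASTER_USERS = """    IP              MAC            Name     Role      Age(d:h:m)  Auth
----------     ------------       ------    ----      ----------  ----
192.168.1.3    00:0b:86:6d:XX:XX            logon     00:00:05
192.168.1.101  58:94:6b:75:XX:XX            logon     00:00:03
"""
LOCAL_USERS = """    IP              MAC            Name     Role      Age(d:h:m)  Auth
----------     ------------       ------    ----      ----------  ----
192.168.1.101  58:94:6b:75:XX:XX  guest     guest     00:00:05    Web
"""
# IP, MAC, optional Name (blank for 'logon' users), Role, Age(d:h:m)
USER_RE = re.compile(r"^\s*(\S+)\s+([0-9a-fA-FX]{2}(?::[0-9a-fA-FX]{2}){5})"
                     r"\s+(?:(\S+)\s+)?(\S+)\s+(\d\d:\d\d:\d\d)")

def tunnel_vlans(text):
    """Expand 'tunnel vlan 184,187-189' into {184, 187, 188, 189}."""
    m = re.search(r"^tunnel vlan\s+(\S+)", text, re.M)
    vlans = set()
    for part in (m.group(1).split(",") if m else []):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def check_tunnel(text, cp_vlan):
    """An L2 GRE tunnel that carries the captive-portal VLAN must be trusted."""
    trusted = re.search(r"^Tunnel is Trusted\s*$", text, re.M) is not None
    layer2 = "Layer2 GRE" in text
    carries = cp_vlan in tunnel_vlans(text)
    return {"trusted": trusted, "layer2": layer2, "carries_cp_vlan": carries,
            "ok": trusted or not (layer2 and carries)}

def parse_users(text):
    """Map MAC -> Role from a 'show user' listing (header/dash rows skipped)."""
    roles = {}
    for line in text.splitlines():
        m = USER_RE.match(line)
        if m:
            roles[m.group(2).lower()] = m.group(4)
    return roles

def role_mismatches(master_text, local_text):
    """Clients whose role differs between the Master and Local user tables."""
    master, local = parse_users(master_text), parse_users(local_text)
    return sorted((mac, master[mac], local[mac])
                  for mac in master.keys() & local.keys()
                  if master[mac] != local[mac])

if __name__ == "__main__":
    print(check_tunnel(TUNNEL_BEFORE_FIX, 184))      # ok: False before the fix
    print(role_mismatches(MASTER_USERS, LOCAL_USERS))  # guest on Local, logon on Master
```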

  • 10.  RE: Captive Portal and Master-Local redundancy

    Posted Feb 23, 2012 12:32 AM

    Good to hear that the original issue you mention on this thread has been resolved.

    For the second issue you mentioned, I just want to understand: why do you want to switch between different SSIDs?

    The only reason behind the web-auth disabled issue I can think of is that somehow the user entry on the controller is not being updated properly. It will be hard to comment.

    I would recommend starting a new thread for that issue with a related subject line, so that you can get replies from people who have seen/faced a similar issue.

    If that does not help, then open a TAC ticket. :)


  • 11.  RE: Captive Portal and Master-Local redundancy

    Posted Feb 23, 2012 01:54 AM

    Hi aalap22,

    The reason why I need to walk over different SSIDs is because I am testing this wireless system using my laptop.

    In the actual usage, the guest SSID must be used for guests or iPads, and employee SSIDs must be used for laptops with 802.1X PEAP with Windows 2008 R2.

    I will test more scenarios and if I have a new issue to ask about, I will be back here.

    Thank you very much for your support.

    Regards,  Mike