Wireless Access

How Access Points relay Wireless Network communications to clients

  • 1.  How Access Points relay Wireless Network communications to clients

    Posted Dec 07, 2018 08:24 PM

    Hello,

    We are setting up a test environment for our Aruba 8.3.0.3 system.  I have:

    2 x Mobility Master set up and VRRP enabled.

    2 x Local Mobility controllers set up and VRRP enabled.

    1 x Campus Access Point set up and connected to the local controllers.

    The local controllers and the access points are on the same VLAN (Layer 2).  The Mobility Masters are on a separate VLAN.  All of the licensing has been installed on the MMs.

    I am now at the point of setting up test WLANs and I am having routing issues.  When I have set up 2 WLANs that require Pre-Shared Keys (simple) and these 2 separate SSIDs are associated with company-specific VLANs, I can get laptops to connect to the SSID and the client laptops obtain an IP address from the DHCP server for each VLAN.

    The DHCP server is on another VLAN that has different DHCP scopes set up for the different VLANs in our environment.  So the laptop (device) clients obtain an IP address for the correct VLAN, but there is no internet connection and the laptops cannot ping each other or the VLAN gateway or any other device on our corporate network.

    The local Aruba Controllers can ping all other devices, but they cannot ping the Aruba test clients.  The Aruba Mobility Master recognizes/lists the 2 clients (per MAC address) on the Test Access Point in our lab.

    My questions are:

    1.  Why is there a problem with network communication with these clients?  I am getting an IP address so there is some type of handshake going on.

    2.  How can the local controllers recognize the clients from the Access Point, but cannot ping the clients?

    3.  On our current Production system (HP MSM 760), when other devices are on the same SSIDs and associated VLANs, those devices can ping and get pinged by other devices.  So it appears to be something I need to do or something that I am missing with the Aruba system.

          a.  The Aruba techs (over the phone) are saying it is a routing issue between our router and the client device.  How?  Does the Aruba equipment require some security settings or firewall settings to allow traffic?

          b.  The wireless clients get an IP address but that appears to be it.

    4.  How do the Access Points work in relaying network communications to the clients?  If the controllers can ping the Access Points but not the wireless clients on those Access Points, what do we need to check next?

         a.  Do the Access Points just route traffic to the controller just like any other device would?  Just like any switch with multiple connections?

    5.  Is there a way to connect to the Aruba Access Point and conduct testing to the wireless clients from there?



  • 2.  RE: How Access Points relay Wireless Network communications to clients

    MVP EXPERT
    Posted Dec 08, 2018 04:49 AM
    A lot of questions. I can recommend the “abc networking” channel on YouTube, with good step-by-step videos from beginning to end.

    Access points create GRE tunnels to the controllers, so the subnet is independent of the mobility controllers; all client traffic is (in tunnel mode) tunneled to the mobility controllers, and the AES traffic is decrypted there.

    Then the client traffic is placed in the VLAN that you give in your WLAN/SSID configuration. This VLAN should be (in most cases) tagged on the uplink ports to your edge switch.

    In between, all traffic gets a role on the mobility controller. The role consists of firewall policies and rules. What role did you give your wireless clients?


  • 3.  RE: How Access Points relay Wireless Network communications to clients

    Posted Dec 08, 2018 12:42 PM

    The roles that are assigned to the 2 WLANs (SSIDs) are shown in the Web User Interface:  Mobility Master - Managed Devices - Group - Configuration - WLANS

    I then select the WLAN and navigate to the 'Access' menu from the table below.  The Access menu shows the default role used for that WLAN.

    1.  Authenticated.

    2.  logon

    See attached screen shots.  If you want some other information please let me know what other roles you are looking for.



  • 4.  RE: How Access Points relay Wireless Network communications to clients

    EMPLOYEE
    Posted Dec 08, 2018 03:05 PM

    A WLAN (virtual ap) consists of:

    Virtual AP

        SSID Profile - (encryption type and what is broadcast in the air)

        AAA Profile  - (Authentication and what roles to place a user in)

    The AAA profile determines what role a user is placed in depending on what authentication takes place.  An SSID profile with WPA2-AES, for example, requires 802.1x authentication, so a user that successfully authenticates with 802.1x will get the default 802.1x profile in the AAA profile.  A user that associates with a WPA2-PSK SSID is also 802.1x, so it will obtain the default 802.1x profile in the AAA profile.

    If you type "show user-table verbose", there is a profile column, which tells you what AAA profile is determining a user's role.  That is where you would change the role for a user.

    Captive Portal uses a slightly more involved set of circumstances, however...



  • 5.  RE: How Access Points relay Wireless Network communications to clients

    Posted Dec 08, 2018 03:27 PM

    OK,

    For the HandHeld device SSID it uses a passphrase and wpa2-psk-aes encryption.  This SSID also uses 802.1X Authentication according to its AAA information (default role = guest).  This is the SSID that has the 'authentication' initial role designation.

    The other SSID is for WiFi printers.  It is set up the same way: wpa2-psk-aes encryption.  This SSID also uses 802.1X Authentication according to its AAA information (default role = guest).  This is the SSID that uses the 'logon' role for the initial role.

    Is the guest role being associated with the 802.1X Authentication what is limiting the network access?  See screen shot for the WiFi Printer SSID.

    The next time I am connected via laptop to the SSIDs I will run the 'show user-table verbose' command.



  • 6.  RE: How Access Points relay Wireless Network communications to clients

    EMPLOYEE
    Posted Dec 08, 2018 03:41 PM

    Do you have the PEFNG (Policy Enforcement License) installed?



  • 7.  RE: How Access Points relay Wireless Network communications to clients

    Posted Dec 09, 2018 07:15 PM

    I do see licensing for 'PEFNG'.

    Please see screen shots.



  • 8.  RE: How Access Points relay Wireless Network communications to clients

    Posted Dec 10, 2018 08:07 AM

    Sounds like you should create a new user role with the policy you want to assign to each of the clients attached to the SSIDs and then set this as the default role in each AAA profile.

    The guest role is probably blocking most access other than HTTP and HTTPS.

    David



  • 9.  RE: How Access Points relay Wireless Network communications to clients

    Posted Dec 10, 2018 12:58 PM

    What is the correct 'User role' to have?  I tried changing the 802.1X Authentication from guest to 'authenticated' and 'logon' and that did not work.

    While logged on to 1 of the PSK SSIDs, where my laptop receives an IP address but I cannot route, my login is not showing in the "show user-table verbose" command.

    I was told by Aruba Support that the ethernet connection for the Aruba APs should be 1 VLAN and an untagged (native) connection (not trunked/tagged).  I have that set up and the communication is still the same problem.

    I found an article that references firewall settings: https://community.arubanetworks.com/t5/ArubaOS-and-Controllers/wireless-clients-can-t-communicate-with-each-other/td-p/15945

    But those specific settings are already unchecked.  It makes sense that firewall settings could be blocking the network communication.  If one navigates to: Group - Configuration - Services - Firewall Global Settings, the only options checked are:

    'Prohibit IP Spoofing'

    'AMSDU Configuration'

    'Optimize duplicate address detection frames:'

    'Stall detection'

    'Session-tunnel FIB'.

    I am not sure what to look for.  I have not made any changes here; I am sure everything is set by default.  What should I have for the 802.1X Authentication profile?



  • 10.  RE: How Access Points relay Wireless Network communications to clients

    Posted Dec 14, 2018 02:55 PM

    It appears that as soon as I connect to the TEST SSID the wireless connection is halted.

    If I log in to the laptop (locally) with no network connection, then start Wireshark (packet capturing), then connect to the test SSID, Wireshark states the wireless interface is down and no communication continues.  You can see from the screen shot that received is a few bytes (to receive the IP address) and 0 bytes are sent.

    Perhaps it is a firewall setting or a user setting that is needed.  Any ideas?



  • 11.  RE: How Access Points relay Wireless Network communications to clients

    Posted Dec 17, 2018 05:11 AM

    Looks like your role is blocking DHCP.

    Create a user role (or use authenticated for testing) and set this as the initial role in the AAA profile.

     

    David
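
The role change suggested in this reply, written out as ArubaOS CLI configuration. This is an added example, not part of the original thread or taken from Aruba documentation; the ACL, role and AAA profile names and the 10.0.0.0/8 corporate range are assumptions, and on a Mobility Master deployment the configuration would be entered at the managed-device group node.

```text
! Added example: names and the corporate subnet below are assumptions.
! Session ACL scoped to what the test clients need: DHCP, DNS, ping,
! and traffic from the wireless user to the corporate range.
ip access-list session test-psk-acl
    any any svc-dhcp permit
    any any svc-dns permit
    any any svc-icmp permit
    user network 10.0.0.0 255.0.0.0 any permit
!
! User role that carries the ACL as its firewall policy.
user-role test-psk-role
    access-list session test-psk-acl
!
! AAA profile attached to the test SSID (hypothetical profile name);
! the new role becomes the initial role, as the reply suggests.
aaa profile test-psk-aaa
    initial-role test-psk-role
!
```

After a client reconnects, `show rights test-psk-role` lists the policy the role enforces, and `show user-table verbose` (mentioned earlier in the thread) shows which role and AAA profile the client actually received.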



  • 12.  RE: How Access Points relay Wireless Network communications to clients

    Posted Dec 17, 2018 11:31 AM

    Ok,

    Setting up a new user role, and setting that up in the AAA Profile, is that something that Aruba Support can assist with, or is Aruba support only supposed to take care of 'Break' and 'Fix' issues?

    Or can instructions be found in user manuals?  I think I may need to work on this with someone since I have never done this correctly before and I have no frame of reference if I am doing this correctly or not.



  • 13.  RE: How Access Points relay Wireless Network communications to clients

    Posted Dec 19, 2018 11:45 AM

    The problem is fixed now.  Over the weekend we had a planned maintenance window where we powered off all of our network communication devices.  When communications came back on, the switch module that was connected to the Aruba Controllers showed an amber light.

    We replaced the switch module (hot swappable) and then the wireless clients were able to communicate with the rest of the network.  It appears that there was a hardware problem; but, we would have never discovered it if the amber light did not show.

    Very strange that the controller itself could indeed ping and tracert and route traffic successfully but the wireless clients could not.  But since all of the wireless client routing is done on the controller, I suppose that makes sense.  Does anyone have any questions?

    The routing problem appears to be related to replacing a faulty switch module that the Aruba Hardware Controllers were connected to.