Wireless Access

Hello everyone,

 

I have been having this huge issue that I cant seem to find a way around and hoping for some direction from one of you. I have several 305 IAPs that talk with CPPM to offer 802.1x such that authenticated users are put in different vlans based on their ldap group. 

The problem is that every now and then one of the IAPs stops talking to the CPPM (says server is down). The IAP can no longer ping the CPPM nor can the CPPM ping the IAP. However both IAP and CPPM can ping other machines on the management vlan.

 

Wireless devices trying to connect to that IAP get "Connecting..." but wont be allowed until the issue resolves itself after some time and IAP and CPPM can talk to each other again (The wait time is totally random)

 

Any advice or direction will be highly appreciated on the matter as I have ran out of things to try, thanks.

Are you sharing the IAP Management VLAN with anything else ?



Thank you

Victor Fabian

Pardon typos sent from Mobile

 

Hey Victor,

 

The management vlan (2) is only for switches, APs, CPPM and the activedirectory. All units on the management vlan are given static IPs. Also to make sure that there is no collision by mistake we have taken to breaking them into the following:

 

10.2.1.x is for servers

10.2.2.x is for switches

10.2.4.x is for APs 

 

They are all of course on the same subnet (255.255.0.0).

 

Finally it might be important to note that the IAPs have the uplink management vlan set to 2 and the switch port where the IAP is connected has the management vlan as tagged.

 

Hope that was not too tangential :) 

 

 

 

Ideally you should set the interface going to the IAP as a trunk with native VLAN /untagged VLAN as 2 , with additional data VLANs tagged

For the cluster you should enable (in case you don’t ) dynamic radius proxy
http://community.arubanetworks.com/t5/Controller-less-WLANs/IAP-Dynamic-radius-proxy-ip-configuration-and-troubleshooting/ta-p/175248

You should consider separating the IAP and server traffic :
- The IAPs use broadcast to communicate within the cluster
http://community.arubanetworks.com/t5/Controller-less-WLANs/IAP-communication-within-a-cluster/ta-p/288916




Thank you

Victor Fabian

Pardon typos sent from Mobile

Hey Victor,

 

Thank you so much for such quick feedback.

 

I had tried to use dynamic radius proxy but I had not set up the DRP since they were all on the same VLAN.

 

However if i understand correctly then I should set a separate vlan (say 6) to be just for the IAPs and then use Dynamic proxy and DRP to communicate with the CPPM, while making sure that the DRP vlan is the untagged on the switch.

 

Am i correct in understanding your advice (I will be trying it shortly and will post results)

So I tried the suggestions by Victor and everything was amazing for 48 hours and then suddenly we are back to the same problem. 

 

The IAPs keep saying that the authentication server is down. Ironically if i change the DRP IP the problem is automatically fixed for a few hours and then we revert back to having issues.

 

Any suggestions please