Wireless Access

Hi experts,

I have a problem with the Aruba Central splash page. I have configured a simple splash page with username/password authentication. Last week was working OK, but yesterday and today customer is reporting login problems like this:

I have made some troubleshooting but I don't find the issue. AS1 is in CONNECTED state from the VC, and from other IAPs , but not from all of them, in those in in INIT state (is a cluster of 7 IAPs). I think because all the communication is through the VC, only this IAP should have the AS1 server in connected state.

Anyway, there are error authentication logs in every AP, though differents types.

When I log through an IAP with AS1 in CONNECTED state I have this:

AP_Gerente# show ap debug auth-trace-buf mac 4c:8d:79:ca:44:27

Auth Trace Buffer
-----------------

Feb 26 15:48:44 mac-auth-req -> 4c:8d:79:ca:44:27 bc:9f:e4:b2:f5:f2/AS1_#guest#_ - - 4C:8D:79:CA:44:27
Feb 26 15:48:44 mac-auth-fail <- 4c:8d:79:ca:44:27 bc:9f:e4:b2:f5:f2/AS1_#guest#_ - - failure
Feb 26 15:48:44 station-up * 4c:8d:79:ca:44:27 bc:9f:e4:b2:f5:f2 - - open system

When I log through an IAP with AS1 in INIT state I have this:

AP_Central# show ap debug auth-trace-buf mac 4c:8d:79:ca:44:27

Auth Trace Buffer
-----------------

Feb 26 15:52:21 mac-auth-req -> 4c:8d:79:ca:44:27 f4:2e:7f:16:b9:52/AS2_#guest#_ - - 4C:8D:79:CA:44:27
Feb 26 15:52:22 server out-of-service * 4c:8d:79:ca:44:27 f4:2e:7f:16:b9:52/AS2_#guest#_ - - server timeout
Feb 26 15:52:22 station-up * 4c:8d:79:ca:44:27 f4:2e:7f:16:b9:52 - - open system
Feb 26 15:54:18 mac-auth-req -> 4c:8d:79:ca:44:27 f4:2e:7f:16:b9:52/AS2_#guest#_ - - 4C:8D:79:CA:44:27
Feb 26 15:54:19 server out-of-service * 4c:8d:79:ca:44:27 f4:2e:7f:16:b9:52/AS2_#guest#_ - - server timeout
Feb 26 15:54:19 station-up * 4c:8d:79:ca:44:27 f4:2e:7f:16:b9:52 - - open system
Feb 26 15:54:54 cp-pap-auth-request -> 4c:8d:79:ca:44:27 f4:2e:7f:16:b9:52/AS2_#guest#_ - - 24JLKNLFQguGGto3zwN/qw==.XlbbHQ
Feb 26 15:54:54 server out-of-service * 4c:8d:79:ca:44:27 f4:2e:7f:16:b9:52/AS2_#guest#_ - - server timeout

Some APs authenticate through AS1 and some through AS2, I don't know why.

Other weird thing is client is in MAC Auth Role when I check in the VC:

AP_Costos# show clients | in 4C:8D:79:CA:44:27
4C:8D:79:CA:44:27 192.168.190.117 4c:8d:79:ca:44:27 iPhone SPSA_Invitado_Aruba AP_Central 132+ AN MAC Auth fe80::1489:835e:24c3:65d7 22(good) 135(good)

But is the same as the SSID when I check in the AP is associated with:

AP_Gerente# show clients | in 4c:8d:79:ca:44:27
24JLKNLFQguGGto3zwN/qw==.Xlbj8A 192.168.190.117 4c:8d:79:ca:44:27 iPhone SPSA_Invitado_Aruba AP_Gerente 100+ AN SPSA_Invitado_Aruba fe80::1489:835e:24c3:65d7 22(good) 150(good)

Ports TCP 443 and 2083 are open in firewall, and RADIUS proxy is enabled.

Any tip? Attached output logs. Please help.

Regards,

Julián

Attachment(s)

login_error.txt   7 KB 1 version

Hi,

After doing more research, I found the client can authenticate successfully with all the AP except one. With all the APs it can authenticate with, this APs have the AS1 server in CONNECTED state and AS2 server in Not In Use state, and the logs shows the user authenticate through AS1 server, like this:

AS2_#guest#_ 0.0.0.0 172.18.2.123 nae1-elb.cloudguest.central.arubanetworks.com RADIUS/TLS 443 172.18.2.123 0 Not In Use 2020-02-24 10:37:02.529432 Not Applicable
AS1_#guest#_ 52.34.243.241 172.18.2.123 nae1.cloudguest.central.arubanetworks.com RADIUS/TLS 2083 172.18.2.123 1 CONNECTED 2020-02-26 09:40:03.614143 Not Applicable

The AP the client cannot authenticate with has the AS1 and AS2 servers in INIT state, and the client authenticate through AS2. I don't know if this has something to do with, but sometimes when I issued some commands in this AP I got this message (and only in this AP):

AP_Central# show radius status
Module AP STM Low Priority is busy. Please try later.

And this AP has problems when connecting to Central:

AP_Central# show activate status

IAP MAC Address :f4:2e:7f:c9:6b:94
IAP Serial Number :CNHQKD5GH0
Cloud Activation Key :
Activate Server :device.arubanetworks.com
Activate Status :connection-failed
Provision interval :10080 minutes
AP_Central# show ap debug cloud-server

IAP mgmt mode :athena-mgmt login
cloud config recved :TRUE
state diff :disable
Device Cert status :SUCCESS
Device info send :FALSE
Aruba Central server :app1.central.arubanetworks.com
Aruba Central server path :/ws
Aruba Central proxy server :None
Aruba Central Protocol :WSS
Aruba Central status :Authenticating

Cloud Debug Statistics
-----------------------
Key Value
--- -----
Connect establish success 17431(17431)
Connect establish failed 2(2)
Authentication failed 17430(17430)
Connect retry times 17432(17432)

Cloud Last connect status
-------------------------
Last connect ID :17432
Last connect time :2020-02-26 17:57:20
Last connect trigger :retry auth

Cloud Last connect fail status
-------------------------
Last fail server :app1.central.arubanetworks.com
Last fail time :2020-02-26 17:57:20
Last fail reason :auth timeout
AP_Central#

Any idea? Attached logs.

Regards,

Julián

Attachment(s)

login_error_2.txt   5 KB 1 version

Hi fjulianom,

just to make sure, does the AP, which is not working, has a valid device subscription in central? Does the AP also have a valid service subscription for Guest? 

BR

Florian

Hi Florian,

Thanks for your interest. I forgot to say, but yes, the device has a valid device subscription, and it is suscribed for Guest.

Doing more research and nothing. Open a TAC case. Attached the "show tech-support", in case anyone has an idea what can be happening...

Regards,

Julián

Attachment(s)

putty2.txt   913 KB 1 version

Hi,

If someone is interested, I reloaded the problematic AP by CLI but kept failing. Accidentally the customer site had a power outage and all the APs rebooted. After that reboot the problematic AP connected to Activate and Central and started working properly. It just needed a hard reboot

Regards,

Julián