Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Need help with Aruba 620 running Version 5.0.4.3

  • 1.  Need help with Aruba 620 running Version 5.0.4.3

    Posted Aug 13, 2014 05:06 PM

    So, I have a client that had a power outage last night, and the Aruba controller didn't restore successfully.

     

    Had to power cycle it, everything seemed to come back up, but now the customer is stating that whenever they try to use a web browser, they get the following message "Web Authentication is disabled. Please contact the Admin for assistance".

    The browser has the red slash through the "https" and is trying to prompt them to log in via GUI.

     

    This should not be Captive based for the internal Corp users.

    Any help would be greatly appreciated.

     



  • 2.  RE: Need help with Aruba 620 running Version 5.0.4.3

    Posted Aug 13, 2014 06:01 PM

    So are the clients authenticating correctly? They just can't browse?

     

    Do you have a backup file?

     

    Might even check the audit trail to see if something got accidentally changed



  • 3.  RE: Need help with Aruba 620 running Version 5.0.4.3

    Posted Aug 14, 2014 08:07 AM

    Yes, from my understanding they can connect and authenticate. They just can't browse.

     



  • 4.  RE: Need help with Aruba 620 running Version 5.0.4.3

    EMPLOYEE
    Posted Aug 13, 2014 08:05 PM

    Check the licences.  It sounds like the PEF licence is missing and they may be being put into some sort of logon role and hitting the captiveportal acl.



  • 5.  RE: Need help with Aruba 620 running Version 5.0.4.3

    Posted Aug 14, 2014 08:11 AM

    Not being very savvy with the Aruba, and wireless, where would I be checking on this?

     

     

    If it helps, I have attached the current config. And the past config.

    Attachment(s)

    txt
    Aruba Config 0702.txt   18 KB 1 version


  • 6.  RE: Need help with Aruba 620 running Version 5.0.4.3

    Posted Aug 14, 2014 08:12 AM

    Current Config



  • 7.  RE: Need help with Aruba 620 running Version 5.0.4.3

    EMPLOYEE
    Posted Aug 14, 2014 08:14 AM

    not attached



  • 8.  RE: Need help with Aruba 620 running Version 5.0.4.3

    Posted Aug 14, 2014 08:16 AM

    For some reason it can't attach the current config

     



  • 9.  RE: Need help with Aruba 620 running Version 5.0.4.3

    EMPLOYEE
    Posted Aug 14, 2014 08:18 AM

    Can you do a 'show license' on the controller?

     

    Couple more that would be useful

     

    show profile-errors

    show user-table  --> to see what role the users are in



  • 10.  RE: Need help with Aruba 620 running Version 5.0.4.3

    Posted Aug 14, 2014 08:42 AM

    Show License results

     

    (Equity620) #show license

    License Table
    -------------
    Key                                               Installed   Expires  Flags  Service Type
    ---                                               ---------   -------  -----  ------------
    NFP5OqR0-sXKaFEfv-lPUdRyGo-ENGSwwkZ-i2WHvnUr-EfY  2011-12-18  Never     E     Next Generation Policy Enforcement Firewall Module: 4
                                                      09:56:16
    bGnbfn8J-yd4pzg/o-Y96JYnOq-5+3A0Maj-DYnv/Kwx-UtU  2011-12-18  Never     E     Wireless Intrusion Protection Module: 4
                                                      09:56:38
    vYw7pjZu-YGmHAtUr-mjIstBZT-QKe8i8aM-tVAYY+z8-QOE  2011-12-23  Never     E     Access Points: 8
                                                      03:58:46
    hLb0bg2U-5NN+LtsX-UGALa0W7-uAIxuy1w-dZ2kibTi-+As  2011-12-23  Never     E     Next Generation Policy Enforcement Firewall Module: 4
                                                      03:59:59
    cGiIzSPj-hUmANNZe-uk16FqON-MIq1/XIj-nBtCO7Ga-Pmg  2011-12-23  Never     E     Wireless Intrusion Protection Module: 4
                                                      04:00:33

    License Entries: 5



  • 11.  RE: Need help with Aruba 620 running Version 5.0.4.3

    Posted Aug 14, 2014 08:45 AM


    (Equity620) # show profile-errors

    Invalid Profiles
    ----------------
    Profile  Error
    -------  -----

     

     

     

     


    (Equity620) #show user-table

    Users
    -----
        IP                MAC            Name     Role           Age(d:h:m)  Auth  VPN link  AP name         Roaming   Essid/Bssid/Phy                    Profile        Forward mode
    ----------       ------------       ------    ----           ----------  ----  --------  -------         -------   ---------------                    -------        ------------
    10.0.1.128       bc:77:37:c8:47:86            logon          00:00:01                    Equity_65_2_N   Wireless  Equity_Tenant/00:0b:86:5b:a4:e2/g  default-dot1x  tunnel
    10.0.5.130       00:25:9c:a3:5d:2a            authenticated  00:04:24                    Equity_65_1_SW  Wireless  Equity_Tenant/00:0b:86:5b:a3:42/g  default-dot1x  tunnel
    10.0.1.149       0c:84:dc:ad:8c:c2            logon          00:00:01                    Equity_65_2_N   Wireless  Equity_Tenant/00:0b:86:5b:a4:e2/g  default-dot1x  tunnel
    10.0.1.223       d4:85:64:34:c6:01            logon          00:00:05                    Equity_65_2_N   Wireless  Equity_Tenant/00:0b:86:5b:a4:e2/g  default-dot1x  tunnel
    10.0.1.228       08:86:3b:03:45:bb            logon          00:00:01                    Equity_65_2_N   Wireless  Equity_Tenant/00:0b:86:5b:a4:e2/g  default-dot1x  tunnel
    169.254.201.151  00:25:9c:a3:5d:2a            authenticated  00:04:23                    Equity_65_1_SW  Wireless  Equity_Tenant/00:0b:86:5b:a3:42/g  default-dot1x  tunnel
    169.254.42.134   2c:76:8a:b7:2a:86            authenticated  00:09:11                    Equity_65_2_S   Wireless  Equity_Tenant/00:1a:1e:ba:bc:e2/g  default-dot1x  tunnel

    User Entries: 7/7

     



  • 12.  RE: Need help with Aruba 620 running Version 5.0.4.3

    EMPLOYEE
    Posted Aug 14, 2014 08:59 AM

    First glance.

     

    Your vap profile has a aaa-profile of 'Captive-portal'

     

    wlan virtual-ap "Corp_Tenant"
    
       aaa-profile "Captive-portal"

     

    And there is no dot1x profile assigned to that as well and the users are ending up in that logon role.

     

    Change the aaa profile to be  "Corp-dot1x".  I assume that is the one they should be using.
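
The check described in the reply above (which AAA profile a virtual AP references, and whether that profile carries an 802.1X authentication profile), as an added example that is not part of the original thread or Aruba's own tooling. It assumes a saved `show running-config` paste with top-level commands at column 0; the sample is constructed from stanza names quoted in this thread, `Corp_Fixed` is a hypothetical virtual AP, and the undefined-profile case goes slightly beyond what the reply covers.

```python
import re
# Constructed sample in the thread's stanza style; "Corp_Fixed" is a hypothetical VAP.
SAMPLE_CONFIG = '''\
aaa profile "Captive-portal"
   initial-role "Captive_User"
!
aaa profile "Corp-dot1x"
   authentication-dot1x "Corp_peap"
!
wlan virtual-ap "Corp_Tenant"
--More-- (q) quit (u) pageup (/) search (n) repeat
   aaa-profile "Captive-portal"
!
wlan virtual-ap "Corp_Fixed"
   aaa-profile "Corp-dot1x"
!
'''

STANZA = re.compile(r'^(aaa profile|wlan virtual-ap) "([^"]+)"$')
SETTING = re.compile(r'^\s+(\S+)\s+"([^"]*)"$')

def parse_stanzas(text):
    """Return {(kind, name): {setting: value}} for AAA-profile and VAP stanzas."""
    stanzas, current = {}, None
    for line in map(str.rstrip, text.splitlines()):
        if not line or line.lstrip().startswith("--More--"):
            continue  # blank lines and pager prompts left in a pasted session
        if head := STANZA.match(line):
            current = stanzas.setdefault(head.groups(), {})
        elif not line[0].isspace():
            current = None  # "!" or another top-level command closes the stanza
        elif current is not None and (m := SETTING.match(line)):
            current[m.group(1)] = m.group(2)
    return stanzas

def audit_vaps(text):
    """Report, per virtual AP, whether its AAA profile exists and carries 802.1X."""
    stanzas, report = parse_stanzas(text), {}
    for (kind, name), body in stanzas.items():
        if kind != "wlan virtual-ap":
            continue
        ref = body.get("aaa-profile")
        prof = stanzas.get(("aaa profile", ref))
        if prof is None:
            report[name] = f"aaa-profile {ref!r} is not defined"
        elif "authentication-dot1x" not in prof:
            report[name] = f"{ref!r} has no authentication-dot1x; initial-role {prof.get('initial-role')!r}"
        else:
            report[name] = "ok"
    return report
```

Running `audit_vaps` over a config saved before and after an outage makes a changed or dangling `aaa-profile` reference visible without reading the whole file.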

     

     



  • 13.  RE: Need help with Aruba 620 running Version 5.0.4.3

    Posted Aug 14, 2014 09:16 AM

    Here is the current config.

     

     

    aaa authentication mac "default"
    !
    aaa authentication dot1x "Copr_peap"
    !
    aaa authentication dot1x "Corp_peap"
       max-authentication-failures 5
       machine-authentication machine-default-role "Corp_Internal"
       machine-authentication user-default-role "Corp_Internal"
       reauthentication
       termination enable
       termination eap-type eap-peap
       termination inner-eap-type eap-mschapv2
    !
    aaa authentication dot1x "default"
    !
    aaa authentication dot1x "default-psk"
       termination enable
    !
    aaa server-group "default"
     auth-server Internal
     set role condition role value-of
    !
    aaa authentication via connection-profile "default"
    !
    aaa authentication via web-auth "default"
    !
    aaa authentication via global-config
    !
    aaa profile "Captive-portal"
       initial-role "Captive_User"
       no wired-to-wireless-roam
    !
    aaa profile "Corp-dot1x"
       initial-role "authenticated"
       mac-default-role "logon"
       authentication-dot1x "Corp_peap"
       dot1x-default-role "authenticated"
       dot1x-server-group "internal"
       no wired-to-wireless-roam
    !
    aaa profile "Corp-psk"
       initial-role "authenticated"
       dot1x-default-role "authenticated"
       no wired-to-wireless-roam
    !
    aaa profile "default"
    !
    aaa profile "default-dot1x"
       initial-role "authenticated"
       authentication-dot1x "Corp_peap"
       dot1x-default-role "authenticated"
       dot1x-server-group "internal"
    !
    aaa authentication captive-portal "default"
    !
    aaa authentication captive-portal "Equity_Guest"
       default-role "Captive_User"
       server-group "internal"
       max-authentication-failures 5
       login-page "/upload/custom/Equity_Guest/Equity_Guest.html"
       show-acceptable-use-policy
    !
    aaa authentication wispr "default"
    !
    aaa authentication vpn "default"
    !
    aaa authentication vpn "default-rap"
       server-group "internal"
    !
    aaa authentication mgmt
    !
    aaa authentication stateful-ntlm "default"
    !
    aaa authentication stateful-kerberos "default"
    !
    aaa authentication stateful-dot1x
    !
    aaa authentication via auth-profile "default"



  • 14.  RE: Need help with Aruba 620 running Version 5.0.4.3

    Posted Aug 14, 2014 09:23 AM

    wlan virtual-ap "Corp_Tenant"
       aaa-profile "default-dot1x"
       ssid-profile "Corp_Tenant"
       dos-prevention
       band-steering

     

     

     

     

    That is the current setting.

     

     

    Can't understand why I am not able to attach this notepad with the current config.

     



  • 15.  RE: Need help with Aruba 620 running Version 5.0.4.3

    EMPLOYEE
    Posted Aug 14, 2014 09:47 AM

    I can't see why it is not working from that.  Couple of things though.

     

    You have termination enabled.  Check the clock on the controller as it may have been reset to some wonky time.

     

    The only thing I can suggest at this stage is the following.

     

    wlan virtual-ap "Corp_Tenant"
    aaa-profile default
    write memory
    aaa-profile "default-dot1x"
    write memory

     

    Failing that, you should restore a previous working flashbackup.



  • 16.  RE: Need help with Aruba 620 running Version 5.0.4.3

    Posted Aug 14, 2014 10:07 AM

    Okay, so I made the change and reloaded. I will see if this resolves the issue.

     

    Any way of getting you the current config, as the one that I was able to post here is an old, but working config.

     



  • 17.  RE: Need help with Aruba 620 running Version 5.0.4.3

    Posted Aug 14, 2014 01:39 PM

    So, now I am getting reports that the SSID can connect, but DHCP is not happening.

     



  • 18.  RE: Need help with Aruba 620 running Version 5.0.4.3

    Posted Aug 15, 2014 08:02 AM

    Still in a real bind on this. Any help would be great.

     



  • 19.  RE: Need help with Aruba 620 running Version 5.0.4.3

    EMPLOYEE
    Posted Aug 15, 2014 08:06 AM

    Do you have a flashbackup from when it was working before?



  • 20.  RE: Need help with Aruba 620 running Version 5.0.4.3

    Posted Aug 15, 2014 08:09 AM

    I don't, unfortunately. The only backup I have is in the form of that original Notepad I provided. I know that config was operational.

     



  • 21.  RE: Need help with Aruba 620 running Version 5.0.4.3

    Posted Aug 15, 2014 09:12 AM

    Not really having a lot of experience with the Aruba controllers, is it common practice to blow out the config and push a copy & paste for the config?

     

     



  • 22.  RE: Need help with Aruba 620 running Version 5.0.4.3

    EMPLOYEE
    Posted Aug 15, 2014 09:29 AM

    Typically, no.  It is possible if you have no choice, but fraught with difficulties and will give some (or lots) of errors that need to be manually fixed after.  It also won't restore the local-userdb and other things like that.

     

    What role are your users in at the moment?  Can you get details about a specific user from 'show user mac <mac>'.

     

    Have you engaged with Aruba TAC for assistance on this as well?