Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

RAP Split-tunnels issues with XP WPA2 Enterprise

  • 1.  RAP Split-tunnels issues with XP WPA2 Enterprise

    Posted Feb 01, 2012 11:52 AM

    I am having problems with my Windows XP clients that use WPA2 Enterprise. This problem seems to be with the split-tunnel mode more than using a tunnel only mode. I need some advice concerning the following:


    Is this just a flaky Windows XP issue that I have to live with?

    Is there a way to get the sessions to time out and go away in the RAPs?


    I am running ArubaOS (MODEL: Aruba3400S), Version 6.0.1.2 

    and the Windows XP systems are patched to the latest updates.


    I am running WPA2 Enterprise AES with EAP type "Smart Card or certificate". We use our own certs for both computer and user.


    This is a more detailed explanation of my network and what I know about the problem.


    I have several AP-105s running in RAP mode at 15 remote sites. We use a split-tunnel configuration to terminate connections to the LAN at our remote sites, which are connected via Cisco routers and an MPLS network. The authentication is WPA2 Enterprise. The 3400 controllers are at the Corp data center. The issue seems to be with Windows XP WPA2 Enterprise. We have a mix of XP and Windows 7 clients. The XP clients have intermittent problems establishing a connection. They seem to authenticate and then hang trying to get a DHCP address. Sometimes it is necessary to reboot the AP to fix this problem, or wait a very long time until the session data times out in the RAP. When the problem occurs the RAP has the client with ACL #1, which is the "logon" default ACL. When it works it has the proper ACL that is needed to route the packets.


    show datapath user ap-name ATEST-RAP105-01


    ******  this is the state when it will not work *******

    Note: ACL 0 is not the ACL that will work for my split-tunnel


    IP              MAC               ACLs    Contract  Location Age Sessions  Flags Vlan FM
    --------------- ----------------- ------- --------- -------- --- --------- ----- ---- --
    0.0.0.0         00:1C:BF:17:13:93 1/0     0/0       0        0   0/65535   P     1    S


    ****** This is the state when it does work  *******

    Note: the ACL 62 is the proper ACL for the split tunnel


    IP              MAC               ACLs    Contract  Location Age Sessions  Flags Vlan FM
    --------------- ----------------- ------- --------- -------- --- --------- ----- ---- --
    22.1.20.139     00:1C:BF:17:13:93 62/0    0/0       0        47  0/65535         1    S
    0.0.0.0         00:1C:BF:17:13:93 62/0    0/0       0        2   0/65535   P     1    S


    show datapath acl 62 ap-name ATEST-RAP105-01

    ----------------------------------------------------------------
    1: any any any PR4 hits 203
    2: any any any 46

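    To spot the stuck state described in this post across many RAPs without reading each table by eye, here is an added Python example (not from the thread and not ArubaOS code) that parses `show datapath user` output in the column layout quoted above and reports MACs that still hold the logon ACL with no address after a grace period. The sample output, the logon ACL id of 1 and the Age threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the two outputs quoted above: one client stuck in
# ACL 1 with no address, one healthy client on ACL 62 whose 0.0.0.0 row is the
# normal MAC-level entry that sits next to its IP row.
SAMPLE = """\
IP              MAC               ACLs    Contract  Location Age Sessions  Flags Vlan FM
--------------- ----------------- ------- --------- -------- --- --------- ----- ---- --
0.0.0.0         00:1C:BF:17:13:93 1/0     0/0       0        120 0/65535   P     1    S
22.1.20.139     00:1C:BF:17:13:94 62/0    0/0       0        47  0/65535         1    S
0.0.0.0         00:1C:BF:17:13:94 62/0    0/0       0        2   0/65535   P     1    S
"""

LOGON_ACL = 1  # ACL id the controller assigns to the "logon" role (assumption)

# Columns are whitespace separated and Flags may be blank, so capture through Age only.
ROW = re.compile(
    r"^(?P<ip>\d+\.\d+\.\d+\.\d+)\s+(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\s+"
    r"(?P<acl>\d+)/\d+\s+\S+\s+\S+\s+(?P<age>\d+)\b"
)


def parse_datapath_users(text):
    """One dict (ip, mac, acl, age) per data row; header, separator and
    malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append({"ip": m["ip"], "mac": m["mac"].upper(),
                         "acl": int(m["acl"]), "age": int(m["age"])})
    return rows


def stuck_clients(rows, logon_acl=LOGON_ACL, min_age=60):
    """MACs with no real IP in any row and a logon-ACL row whose Age (controller
    units, assumed seconds) is at least min_age. A lone 0.0.0.0 row is normal while
    DHCP is in progress, so the age threshold keeps fresh associations out."""
    by_mac = defaultdict(list)
    for r in rows:
        by_mac[r["mac"]].append(r)
    stuck = []
    for mac, entries in by_mac.items():
        has_ip = any(e["ip"] != "0.0.0.0" for e in entries)
        in_logon = any(e["acl"] == logon_acl and e["age"] >= min_age for e in entries)
        if not has_ip and in_logon:
            stuck.append(mac)
    return sorted(stuck)
```

    Running `stuck_clients(parse_datapath_users(SAMPLE))` on the constructed sample returns only the MAC parked in ACL 1.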


  • 2.  RE: RAP Split-tunnels issues with XP WPA2 Enterprise

    Posted Feb 01, 2012 04:42 PM

    I have kind of the same issue with an XP machine --- We have a 620 controller here at HQ and RAP2s at 5 homes -- split tunneling is setup....I use Win 7 with no issues BUT a co-worker has Win XP and can't pull a DHCP without being wired in....we have rebooted the controller and the PC as well as re-provisioned the RAP2.



  • 3.  RE: RAP Split-tunnels issues with XP WPA2 Enterprise

    Posted Feb 01, 2012 08:06 PM

    I fixed the issue that I was having by adding DHCP to my Firewall rule in the Split-Tunneling....



  • 4.  RE: RAP Split-tunnels issues with XP WPA2 Enterprise

    EMPLOYEE
    Posted Feb 01, 2012 09:08 PM

    @badgdl wrote: [quotes post #1 in full]

    If you have APs that are connected via your private WAN at remote offices, the forwarding mode for your clients needs to be Bridged, instead of split tunnel. Your WAN infrastructure at your remote sites can give out addresses, as well as route traffic back using your existing infrastructure. No need to split tunnel when your infrastructure already does that. That will make your deployment more predictable and allow your clients to leverage what you have already built.