Wireless Access

Hello all,

Lately I've been trying to set up a network through Aruba Instant with a RADIUS authentication server. I have tried various means of getting it to work but without any luck. The problems I am facing is that no matter what IP I give the authentication server, I receive an error telling me that the authentication server is down. Looking in the event viewer on the windows 2012 server I get the following error. Any help from here would be appreaciated. I hope I just overlooked something :) 

Change your radius client ip address on the NPS server to 192.168.20.5

EDIT  Set a Virtual IP on your instant cluster and enable dynamic radius proxy on your IAP and set the radius client ip address on the NPS server to that ip address.

http://community.arubanetworks.com/t5/Controller-less-WLANs/IAP-Dynamic-radius-proxy-ip-configuration-and-troubleshooting/ta-p/175248

That would be the same as changing the IP on the NPS for the RADIUS Client right? I am getting the following error in Instant as usual: "Authentication Server SaxoAD with ip 192.168.20.5 is down"

No.  We are talking about two different things.

1- The ip address of the radius server will not change and needs to be configured in the radius server configuration for the IAP.

2-The Virtual ip address is an available high availability ip address on the Instant AP subnet that is chosen that will be the source of all radius traffic leaving the instant cluster, when you enable dynamic radius proxy.  If you don't choose a Virtual IP address and enable DRP, the radius server will see the source ip address as the ip address of the AP is currently on.  You would have to enter all ip addresses of your Instant APs as radius clients on the NPS server.  (1) Setting a Virtual ip address and (2) Enable Dynamic Radius Proxy will allow you to enter the Virtual IP address of the instant cluster as the radius client ip address on your NPS server and have all radius traffic come from a single ip address.  That Virtual ip address needs to be an unused ip address on the same subnet as your instant aps.

I hope that makes sense...

So the virtual controller IP is not the same as the virtual ip address? Could you possibly tell me exactly what I would have to do solve this problem? Thanks

You have things configured correctly in your screenshots.  Is there a firewall between the IAPs and the radius server?

Colin, as far as I can tell, the Firewall rules of my Windows Server doesn't seem to be in the way. Do you by any chance have an idea of what or which rules would be obstructing the connection?

Thanks

Sorry for maybe asking some stupid questions, but after reading I don't get the full overview.

What is the IP of your Instant AP?

What is the IAP virtual controller IP? 192.168.20.5?

What is the IP address of your NPS server?

Did you put in that IP address as the RADIUS server in your Instant AP?

Have you reloaded/restarted the NPS service after you added the IAP VC address as RADIUS client?

Can you screenshot the message: "Authentication Server SaxoAD with ip 192.168.20.5 is down"? Where is that displayed? I would expect the IP address of your NPS server.

Hey again, I have a total of 5 AP's in Instant. Their IP's are 192.168.20.71, 192.168.20.83, 192.168.20.66, 192.168.20.180 and 192.168.20.63
The IP of the IAP VC is 192.168.20.5
The IP of the NPS server is 192.168.20.100 and yes, I did enter that as the IP adress of the RADIUS server in Instant as the authentication server. Should I do anything about my AP's and the NPS server IP? I attached a screenshot of the configuration of the AP. 
I have also attached a screenshot of the errors I receive. They are shown in the alert bar of the AP's in Instant. Lastly, the only thing I have done with the NPS Server except adding a RADIUS server is shown in the last screenshot.I both registered the server in my AD and stopped and started it, as far as restarting goes.

Colin, as far as I can tell, the Firewall rules of my Windows Server doesn't seem to be in the way. Do you by any chance have an idea of what or which rules would be obstructing the connection?

Thanks

Hey again, I have a total of 5 AP's in Instant. Their IP's are 192.168.20.71, 192.168.20.83, 192.168.20.66, 192.168.20.180 and 192.168.20.63
The IP of the IAP VC is 192.168.20.5
The IP of the NPS server is 192.168.20.100 and yes, I did enter that as the IP adress of the RADIUS server in Instant as the authentication server. Should I do anything about my AP's and the NPS server IP? I attached a screenshot of the configuration of the AP. 
I have also attached a screenshot of the errors I receive. They are shown in the alert bar of the AP's in Instant. Lastly, the only thing I have done with the NPS Server except adding a RADIUS server is shown in the last screenshot.I both registered the server in my AD and stopped and started it, as far as restarting goes.

Thanks

Hey again, I have a total of 5 AP's in Instant. Their IP's are 192.168.20.71, 192.168.20.83, 192.168.20.66, 192.168.20.180 and 192.168.20.63
The IP of the IAP VC is 192.168.20.5
The IP of the NPS server is 192.168.20.100 and yes, I did enter that as the IP adress of the RADIUS server in Instant as the authentication server. Should I do anything about my AP's and the NPS server IP? I attached a screenshot of the configuration of the AP. 
I have also attached a screenshot of the errors I receive. They are shown in the alert bar of the AP's in Instant. Lastly, the only thing I have done with the NPS Server except adding a RADIUS server is shown in the last screenshot.I both registered the server in my AD and stopped and started it, as far as restarting goes.

Thanks

Hey again, I have a total of 5 AP's in Instant. Their IP's are 192.168.20.71, 192.168.20.83, 192.168.20.66, 192.168.20.180 and 192.168.20.63
The IP of the IAP VC is 192.168.20.5
The IP of the NPS server is 192.168.20.100 and yes, I did enter that as the IP adress of the RADIUS server in Instant as the authentication server. Should I do anything about my AP's and the NPS server IP? I attached a screenshot of the configuration of the AP. 
I have also attached a screenshot of the errors I receive. They are shown in the alert bar of the AP's in Instant. Lastly, the only thing I have done with the NPS Server except adding a RADIUS server is shown in the last screenshot.I both registered the server in my AD and stopped and started it, as far as restarting goes.

Herman,
I have a total of 5 AP's in Instant. Their IP's are 192.168.20.71, 192.168.20.83, 192.168.20.66, 192.168.20.180 and 192.168.20.63
The IP of the IAP VC is 192.168.20.5
The IP of the NPS server is 192.168.20.100 and yes, I did enter that as the IP adress of the RADIUS server in Instant as the authentication server. Should I do anything about my AP's and the NPS server IP? I attached a screenshot of the configuration of the AP. 
I have also attached a screenshot of the errors I receive. They are shown in the alert bar of the AP's in Instant. Lastly, the only thing I have done with the NPS Server except adding a RADIUS server is shown in the last screenshot.I both registered the server in my AD and stopped and started it, as far as restarting goes.

From the information you provided, it looks to me that it should work. In my lab testing, I was only able to replicate the 'Authentication server is down' alert if the IP was not reachable at all (not even pinging).

If your firmware is up to date, and time is set correctly on the AP, I would run a packet capture on the NPS server to see if RADIUS packets are arriving and what the response of your NPS server is. If you need help with further troubleshooting, please contact your Aruba partner or Aruba TAC.