Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Wired AP Profile + Tunnel Mode

  • 1.  Wired AP Profile + Tunnel Mode

    Posted Dec 21, 2018 05:33 PM

    I'm running AOS 8.4 (although this issue existed with 8.3.x) and I am trying to utilize the WiredAP profile to tunnel users connected to ENET1 to the controller (7005). However, whenever I change the forward mode to tunnel nothing appears to happen. The user-table on the controller still shows the mode as "bridged" for that user and I lose connectivity. The switchport-mode in the profile is set to access native VLAN 2. AAA profile is doing MAC-AUTH via CPPM. CPPM is seeing the request and sending an ACCEPT. However, nothing ever gets tunneled.

    Am I missing an additional configuration parameter other than the WiredAP profile? Is this a TAC call?

    Thanks



  • 2.  RE: Wired AP Profile + Tunnel Mode

    EMPLOYEE
    Posted Dec 21, 2018 05:48 PM

    Is there a VLAN2 defined on the controller?



  • 3.  RE: Wired AP Profile + Tunnel Mode

    Posted Dec 21, 2018 05:51 PM

    Yes. It's the same VLAN that my wireless users receive. Should I define a VLAN in the 'WiredAP' role? Or, is that not necessary?



  • 4.  RE: Wired AP Profile + Tunnel Mode

    EMPLOYEE
    Posted Dec 21, 2018 05:53 PM

    Do you see the user in the user table?  If not, you need to plug in a laptop with Wireshark on that wired port and see what traffic happens when you plug it in.  There just needs to be a wired AP profile, with a forwarding mode of tunnel assigned to VLAN 2.



  • 5.  RE: Wired AP Profile + Tunnel Mode

    EMPLOYEE
    Posted Dec 21, 2018 05:55 PM

    Making sure the user on that wired port can associate and obtain an ip address is the main thing.  There is also typically a AAA profile attached to that wired AP profile.  Make sure the initial role is "authenticated" or something with an allowall ACL.

     

    Do not assign a VLAN to any role.



  • 6.  RE: Wired AP Profile + Tunnel Mode

    Posted Dec 21, 2018 05:58 PM

    Ok. Just making sure that I had the configuration correct. 

    When I plug into the AP with a laptop, the controller says the mode is 'bridged'. I'm using 'show user' to verify. That's the most confusing part. I can't even tell if the controller is 'taking' my config changes.

    192.168.2.64  00:17:88:49:28:0c  00178849280c  wiredAP        00:02:13    MAC             Front LR  Wired(Remote)  192.168.2.75:0/1                  Home-Net  bridge                            WIRED

    Home-Net being the AAA profile, and wiredAP being the role assigned via CPPM.



  • 7.  RE: Wired AP Profile + Tunnel Mode
    Best Answer

    EMPLOYEE
    Posted Dec 21, 2018 06:29 PM

    It looks like you still have a bridged configuration on that AP.

     

    Type: "show ap ap-group ap-name <name of ap>" to see what the Ethernet interface 1 port configuration profile is.  Find out what is in that profile by typing "show ap wired-port-profile <that profile from the command above>".



  • 8.  RE: Wired AP Profile + Tunnel Mode

    Posted Dec 21, 2018 06:41 PM

    Ok. I think this was a configuration hierarchy issue.

    Additionally there was a AAA profile being applied at the MD level that I was not seeing at the folder level. 

     

    It appears that if the MD has a profile applied that does not exist at the folder level, the UI still shows that you're applying the profile that you want--not taking into account that the MD configuration is overriding it. Leaving me to beat my head against the wall for an hour. 

    The CLI showed me a profile that I didn't recognize and didn't exist at the folder level. Thanks for the help!



  • 9.  RE: Wired AP Profile + Tunnel Mode

    EMPLOYEE
    Posted Dec 21, 2018 06:49 PM

    You should be able to click on the MD and see the configuration at that level.



  • 10.  RE: Wired AP Profile + Tunnel Mode

    Posted Dec 21, 2018 06:51 PM

    I did once the CLI threw out a profile name that I don't recall ever creating. I 'never' make any config changes at the MD level. So, I didn't think to just drill down and make sure it wasn't being overridden.

    Next time that will be the first troubleshooting step.



  • 11.  RE: Wired AP Profile + Tunnel Mode

    EMPLOYEE
    Posted Dec 21, 2018 07:01 PM

    You can SSH into the MD and type :

     

    "show configuration effective detail" to see the resulting configuration and where it was defined.

     

    Alternatively, you can "cd" to the node's folder from the MM and type "MDC" to get into the node and then type "show configuration effective detail"

     

    On the MM you can also type "show audit-trail" to see the history of anything that was configured.