static-wep without authentication?

  • 1.  static-wep without authentication?

    Posted Sep 06, 2018 08:26 AM

    We're trying to migrate from a Cisco configuration that used static-wep with opensystem authentication for one SSID.  Is this possible in the Aruba 8.3 platform?  So far it seems like the only possibility is opensystem with no encryption, or static-wep which implies shared-key authentication.  

     

    We believed this worked based on the fact that the devices associate and started rolling out APs. It turns out they don't actually work, so we have 175 devices that are going to be stranded.

     

    I understand that WEP is broken, and there is a plan to migrate to WPA2, but the AP rollout is in full swing so if there's any possibility of fixing this I need to find it.



  • 2.  RE: static-wep without authentication?

    EMPLOYEE
    Posted Sep 06, 2018 10:20 AM

    I haven't tested with WEP in a very long time, but using the default-open aaa profile with your WEP VAP (virtual-ap profile) should result in opensystem rather than shared-key. 

     



  • 3.  RE: static-wep without authentication?

    Posted Sep 06, 2018 10:47 AM

    This doesn't seem to have the desired effect.  The client still associates, but the user-table shows "No" in the auth column.   Strangely I don't see this user in just "show user-table" output, but it does show up if you use "show user-table mac X:X:X:X" 



  • 4.  RE: static-wep without authentication?

    EMPLOYEE
    Posted Sep 06, 2018 10:56 AM

    @jganger wrote:

    This doesn't seem to have the desired effect.  The client still associates, but the user-table shows "No" in the auth column.   Strangely I don't see this user in just "show user-table" output, but it does show up if you use "show user-table mac X:X:X:X" 


    Is the user device able to receive an IP address via DHCP or access the network? 



  • 5.  RE: static-wep without authentication?

    Posted Sep 06, 2018 11:12 AM

    The device has a static IP, there's no DHCP on this subnet.


    It is not able to communicate on the network.  The MAC address doesn't show up on the physical switch that the controllers are connected to either.  Other clients' MAC addresses do show up on the switch, but not these ones.  I can ping other devices still associated to the Cisco APs from the controller's vlan interface so I know the vlans are configured correctly.



  • 6.  RE: static-wep without authentication?

    EMPLOYEE
    Posted Sep 06, 2018 11:16 AM

    Please share your current VAP and SSID profile configurations:

     

    show wlan virtual-ap
    show wlan virtual-ap <wep-profile>
    show wlan ssid-profile
    show wlan ssid-profile <wep-ssid-profile>


  • 7.  RE: static-wep without authentication?

    Posted Sep 06, 2018 11:51 AM

    I did attempt to reconfigure a test device for shared-key authentication just now and that also didn't seem to have an effect, so my hypothesis about the cause may be wrong.  So, now I'm not even sure why these clients can associate but don't appear to pass any traffic.

     

    Virtual AP profile "IVPUMP"
    -------------------------------
    Parameter Value
    --------- -----
    AAA Profile IVPUMP
    802.11K Profile default
    Hotspot 2.0 Profile N/A
    Virtual AP enable Enabled
    VLAN 15
    Forward mode tunnel
    SSID Profile IVPUMP
    Allowed band g
    Band Steering Disabled
    Cellular handoff assist Disabled
    Openflow Enable Enabled
    Steering Mode prefer-5ghz
    Dynamic Multicast Optimization (DMO) Disabled
    Dynamic Multicast Optimization (DMO) Threshold 6
    Drop Broadcast and Multicast Disabled
    Convert Broadcast ARP requests to unicast Disabled
    Authentication Failure Blacklist Time 3600 sec
    Blacklist Time 3600 sec
    Deny inter user traffic Disabled
    Deny time range N/A
    DoS Prevention Disabled
    HA Discovery on-association Enabled
    Mobile IP Enabled
    Preserve Client VLAN Disabled
    Remote-AP Operation standard
    Station Blacklisting Enabled
    Strict Compliance Disabled
    VLAN Mobility Disabled
    WAN Operation mode always
    FDB Update on Assoc Enabled
    WMM Traffic Management Profile N/A
    Anyspot profile N/A

    SSID Profile "IVPUMP"
    -------------------------
    Parameter Value
    --------- -----
    SSID enable Enabled
    ESSID IVPUMP
    WPA Passphrase N/A
    Encryption static-wep
    Enable Management Frame Protection Disabled
    Require Management Frame Protection Disabled
    DTIM Interval 1 beacon periods
    802.11a Basic Rates 6 12 24
    802.11a Transmit Rates 6 9 12 18 24 36 48 54
    802.11g Basic Rates 1 2
    802.11g Transmit Rates 1 2 5 6 9 11 12 18 24 36 48 54
    Station Ageout Time 1000 sec
    Max Transmit Attempts 8
    RTS Threshold 2333 bytes
    Short Preamble Enabled
    Max Associations 64
    Wireless Multimedia (WMM) Disabled
    Wireless Multimedia U-APSD (WMM-UAPSD) Powersave Enabled
    WMM TSPEC Min Inactivity Interval 0 msec
    DSCP mapping for WMM voice AC (0-63) N/A
    DSCP mapping for WMM video AC (0-63) N/A
    DSCP mapping for WMM best-effort AC (0-63) N/A
    DSCP mapping for WMM background AC (0-63) N/A
    WMM Access Class of EAP traffic default
    Multiple Tx Replay Counters Enabled
    Hide SSID Disabled
    Deny_Broadcast Probes Disabled
    Local Probe Request Threshold (dB) 0
    Auth Request Threshold (dB) 0
    Disable Probe Retry Enabled
    Battery Boost Disabled
    WEP Key 1 ***********
    WEP Key 2 N/A
    WEP Key 3 N/A
    WEP Key 4 N/A
    WEP Transmit Key Index 1
    WPA Hexkey N/A
    Maximum Transmit Failures 0
    EDCA Parameters Station profile N/A
    EDCA Parameters AP profile N/A
    BC/MC Rate Optimization Enabled
    Rate Optimization for delivering EAPOL frames Enabled
    Strict Spectralink Voice Protocol (SVP) Disabled
    High-throughput SSID Profile default
    802.11g Beacon Rate default
    802.11a Beacon Rate default
    Video Multicast Rate Optimization default
    Advertise QBSS Load IE Disabled
    Advertise Location Info Disabled
    Advertise AP Name Disabled
    Traffic steering from WLAN to cellular Disabled
    802.11r Profile N/A
    Enforce user vlan for open stations Disabled
    Enable OKC Enabled



  • 8.  RE: static-wep without authentication?

    EMPLOYEE
    Posted Sep 06, 2018 12:17 PM

    When you use the command "show profile-errors" on your controller, are there any errors reported?

     

    Likewise, can you post the output from "show aaa profile IVPUMP". With static WEP, the user is not authenticated, so the value for the initial role will determine what traffic a WEP user can pass when connected.



  • 9.  RE: static-wep without authentication?

    Posted Sep 06, 2018 01:09 PM

    No profile errors reported.

     

    My understanding is that with static wep you can have either opensystem or shared key authentication in addition to WEP encryption.  I set the initial role to authenticated:

     

    AAA Profile "IVPUMP"
    ------------------------
    Parameter Value
    --------- -----
    Initial role authenticated
    MAC Authentication Profile N/A
    MAC Authentication Default Role authenticated
    MAC Authentication Server Group default
    802.1X Authentication Profile N/A
    802.1X Authentication Default Role authenticated
    802.1X Authentication Server Group N/A
    Download Role from CPPM Disabled
    Set username from dhcp option 12 Disabled
    L2 Authentication Fail Through Disabled
    Multiple Server Accounting Disabled
    User idle timeout N/A
    Max IPv4 for wireless user 2
    RADIUS Accounting Server Group N/A
    RADIUS Roaming Accounting Disabled
    RADIUS Interim Accounting Disabled
    RADIUS Acct-Session-Id In Access-Request Disabled
    XML API server N/A
    RFC 3576 server N/A
    User derivation rules N/A
    Wired to Wireless Roaming Enabled
    Reauthenticate wired user on VLAN change Disabled
    Device Type Classification Enabled
    Enforce DHCP Disabled
    PAN Firewall Integration Disabled
    Open SSID radius accounting Disabled
    (Controller-2) #

     

     

    Interestingly though, TAC just looked at "show datapath crypto counters" which has 1.5 million WEP Decryption Failures and WEP Decryption CRC Failures so we may be on to something!
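
The symptom pattern in this thread (clients associate, no traffic passes, WEP decryption and CRC failure counters climb) is what static WEP with open-system authentication produces when the two sides hold different keys: association never tests the key, so the mismatch only shows up when the ICV check fails on each data frame. The sketch below is an added example, not code from the thread or from the controller; it uses simplified WEP framing (no key-ID byte), constructed keys and payloads, and hypothetical function names.

```python
import struct
import zlib

def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 (KSA + PRGA) keystream XORed over data, as WEP uses it."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def icv(payload: bytes) -> bytes:
    """WEP integrity check value: CRC-32 of the plaintext, little-endian."""
    return struct.pack("<I", zlib.crc32(payload) & 0xFFFFFFFF)

def wep_encrypt(key: bytes, iv: bytes, payload: bytes) -> bytes:
    """Simplified frame body: IV || RC4(IV || key, payload || ICV)."""
    return iv + rc4(iv + key, payload + icv(payload))

def wep_decrypt(key: bytes, body: bytes):
    """Return the payload, or None when the ICV (CRC) check fails."""
    iv, ciphertext = body[:3], body[3:]
    plain = rc4(iv + key, ciphertext)
    payload, received_icv = plain[:-4], plain[-4:]
    return payload if icv(payload) == received_icv else None

def simulate(ap_key: bytes, client_key: bytes, frames: int = 20) -> dict:
    """What the AP side observes for one open-system static-WEP client."""
    # Open-system authentication carries no proof of the key, so the
    # client associates whether or not the keys match.
    stats = {"associated": True, "delivered": 0, "icv_failures": 0}
    for n in range(frames):
        iv = n.to_bytes(3, "big")  # constructed IV sequence
        body = wep_encrypt(client_key, iv, b"constructed payload %d" % n)
        if wep_decrypt(ap_key, body) is None:
            stats["icv_failures"] += 1  # frame dropped before forwarding
        else:
            stats["delivered"] += 1
    return stats

# Constructed 40-bit keys that differ in the last byte only.
AP_KEY = bytes.fromhex("0102030405")
CLIENT_KEY = bytes.fromhex("0102030406")
```

With matching keys every frame is delivered; with the mismatched pair the client still counts as associated but every frame fails the ICV check, which is also why its MAC address would never reach the upstream switch.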

     

     

     


