Controllerless Networks

Hello Everyone,
I would really appreciate if you can help me on this.

We have 2 different locations (main office and branch office). Main office is connected to branch office via P2P.
At main office we have -

• Aruba 515 Ap'
• Aruba controller
• Aruba ClearPass
• Here all the guest users are working (Android 12 and lower as well as all IoS users)

At Branch office we have -

1. Aruba 515 Ap's
2. IAP virtual controller (AP's built in virtual controller)
3. We have configured guest SSID and for authentication given path of Main branch ClearPass and for guest portal also given path of main office.
4. Here only android 12 users are not getting connected, after entering OTP the page is getting refreshed again and again (failing to connect)
5. We have checked on ClearPass logs
6. Error code - 204
7. Error Category - Authentication failure
8. Error Msg - failed to classify request to service.
9. Alerts for this request -
10. Radius - Service categorization filed.
11. Radius:Aruba:Aruba-ESSID-Name = is different which is configured in Guest SSID (This is showing for android 12 users only, for lower version it is showing perfect) Ex. SSID is - Test_Guest. In android 12 it is showing - _owetm_Test_Guest1039747924.

Your Android 12 clients are trying to connect with OWE (part of the WPA3 security standard). Easiest fix probably would be to change your service classification rule:
Aruba-ESSID-Name EQUALS Test_Guest
into:
Aruba-ESSID-Name CONTAINS Test_Guest

Or change the encryption on the Test_Guest SSID from OWE to Open.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------

Original Message:
Sent: Jul 22, 2022 03:23 AM
From: Sandesh Zade
Subject: Android 12 users are not authenticating via guest portal in branch office.

Hello Everyone,
I would really appreciate if you can help me on this.

We have 2 different locations (main office and branch office). Main office is connected to branch office via P2P.
At main office we have -

• Aruba 515 Ap'
• Aruba controller
• Aruba ClearPass
• Here all the guest users are working (Android 12 and lower as well as all IoS users)

At Branch office we have -

1. Aruba 515 Ap's
2. IAP virtual controller (AP's built in virtual controller)
3. We have configured guest SSID and for authentication given path of Main branch ClearPass and for guest portal also given path of main office.
4. Here only android 12 users are not getting connected, after entering OTP the page is getting refreshed again and again (failing to connect)
5. We have checked on ClearPass logs
6. Error code - 204
7. Error Category - Authentication failure
8. Error Msg - failed to classify request to service.
9. Alerts for this request -
10. Radius - Service categorization filed.
11. Radius:Aruba:Aruba-ESSID-Name = is different which is configured in Guest SSID (This is showing for android 12 users only, for lower version it is showing perfect) Ex. SSID is - Test_Guest. In android 12 it is showing - _owetm_Test_Guest1039747924.

Hello Herman,
Thank you for your quick response with the solution.
After making suggest changes in ClearPass, Android 12 users are able to join the network, But as this might be a vulnerability.

• We are trying to find out the issue related to OWE.
• As this is the Guest SSID and it is kept encryption Open already.
• I will keep posted for further activities.

Original Message:
Sent: Jul 22, 2022 05:49 AM
From: Herman Robers
Subject: Android 12 users are not authenticating via guest portal in branch office.

Your Android 12 clients are trying to connect with OWE (part of the WPA3 security standard). Easiest fix probably would be to change your service classification rule:
Aruba-ESSID-Name EQUALS Test_Guest
into:
Aruba-ESSID-Name CONTAINS Test_Guest

Or change the encryption on the Test_Guest SSID from OWE to Open.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Jul 22, 2022 03:23 AM
From: Sandesh Zade
Subject: Android 12 users are not authenticating via guest portal in branch office.

Hello Everyone,
I would really appreciate if you can help me on this.

We have 2 different locations (main office and branch office). Main office is connected to branch office via P2P.
At main office we have -

• Aruba 515 Ap'
• Aruba controller
• Aruba ClearPass
• Here all the guest users are working (Android 12 and lower as well as all IoS users)

At Branch office we have -

1. Aruba 515 Ap's
2. IAP virtual controller (AP's built in virtual controller)
3. We have configured guest SSID and for authentication given path of Main branch ClearPass and for guest portal also given path of main office.
4. Here only android 12 users are not getting connected, after entering OTP the page is getting refreshed again and again (failing to connect)
5. We have checked on ClearPass logs
6. Error code - 204
7. Error Category - Authentication failure
8. Error Msg - failed to classify request to service.
9. Alerts for this request -
10. Radius - Service categorization filed.
11. Radius:Aruba:Aruba-ESSID-Name = is different which is configured in Guest SSID (This is showing for android 12 users only, for lower version it is showing perfect) Ex. SSID is - Test_Guest. In android 12 it is showing - _owetm_Test_Guest1039747924.

I found that guest setting for "enhanced open" works well for us for both android and Iphone, it also remove the "this is not encrypted" warning on the phones
Original Message:
Sent: Jul 26, 2022 12:46 AM
From: Sandesh Zade
Subject: Android 12 users are not authenticating via guest portal in branch office.

Hello Herman,
Thank you for your quick response with the solution.
After making suggest changes in ClearPass, Android 12 users are able to join the network, But as this might be a vulnerability.

• We are trying to find out the issue related to OWE.
• As this is the Guest SSID and it is kept encryption Open already.
• I will keep posted for further activities.

Original Message:
Sent: Jul 22, 2022 05:49 AM
From: Herman Robers
Subject: Android 12 users are not authenticating via guest portal in branch office.

Your Android 12 clients are trying to connect with OWE (part of the WPA3 security standard). Easiest fix probably would be to change your service classification rule:
Aruba-ESSID-Name EQUALS Test_Guest
into:
Aruba-ESSID-Name CONTAINS Test_Guest

Or change the encryption on the Test_Guest SSID from OWE to Open.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Jul 22, 2022 03:23 AM
From: Sandesh Zade
Subject: Android 12 users are not authenticating via guest portal in branch office.

Hello Everyone,
I would really appreciate if you can help me on this.

We have 2 different locations (main office and branch office). Main office is connected to branch office via P2P.
At main office we have -

• Aruba 515 Ap'
• Aruba controller
• Aruba ClearPass
• Here all the guest users are working (Android 12 and lower as well as all IoS users)

At Branch office we have -

1. Aruba 515 Ap's
2. IAP virtual controller (AP's built in virtual controller)
3. We have configured guest SSID and for authentication given path of Main branch ClearPass and for guest portal also given path of main office.
4. Here only android 12 users are not getting connected, after entering OTP the page is getting refreshed again and again (failing to connect)
5. We have checked on ClearPass logs
6. Error code - 204
7. Error Category - Authentication failure
8. Error Msg - failed to classify request to service.
9. Alerts for this request -
10. Radius - Service categorization filed.
11. Radius:Aruba:Aruba-ESSID-Name = is different which is configured in Guest SSID (This is showing for android 12 users only, for lower version it is showing perfect) Ex. SSID is - Test_Guest. In android 12 it is showing - _owetm_Test_Guest1039747924.

Good Morning Herman and Andrew,
Issue has been solved after disabling "Enhanced Open" option.

• We were using IAP virtual controller and ClearPass.
• Only android 12 users were effected with this.
• After making the changes in ClearPass - Aruba-ESSID-Name EQUALS Test_Guest into: Aruba-ESSID-Name CONTAINS Test_Guest
• It started working, but it may be vulnerable for longer duration so we tried to disable "Enhanced Open" and reverted back the changes in ClearPass - Aruba-ESSID-Name CONTAINS Test_Guest into Aruba-ESSID-Name EQUALS Test_Guest.
• Now all the users (android 12 also) are getting connected and ESSID is showing the same as SSID.

Thank you so much for the support.

Thanks and regards
Sandesh Shivhsankar Zade
Original Message:
Sent: Aug 04, 2022 01:38 PM
From: Andrew Miller
Subject: Android 12 users are not authenticating via guest portal in branch office.

I found that guest setting for "enhanced open" works well for us for both android and Iphone, it also remove the "this is not encrypted" warning on the phones
Original Message:
Sent: Jul 26, 2022 12:46 AM
From: Sandesh Zade
Subject: Android 12 users are not authenticating via guest portal in branch office.

Hello Herman,
Thank you for your quick response with the solution.
After making suggest changes in ClearPass, Android 12 users are able to join the network, But as this might be a vulnerability.

• We are trying to find out the issue related to OWE.
• As this is the Guest SSID and it is kept encryption Open already.
• I will keep posted for further activities.

Original Message:
Sent: Jul 22, 2022 05:49 AM
From: Herman Robers
Subject: Android 12 users are not authenticating via guest portal in branch office.

Your Android 12 clients are trying to connect with OWE (part of the WPA3 security standard). Easiest fix probably would be to change your service classification rule:
Aruba-ESSID-Name EQUALS Test_Guest
into:
Aruba-ESSID-Name CONTAINS Test_Guest

Or change the encryption on the Test_Guest SSID from OWE to Open.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Jul 22, 2022 03:23 AM
From: Sandesh Zade
Subject: Android 12 users are not authenticating via guest portal in branch office.

Hello Everyone,
I would really appreciate if you can help me on this.

We have 2 different locations (main office and branch office). Main office is connected to branch office via P2P.
At main office we have -

• Aruba 515 Ap'
• Aruba controller
• Aruba ClearPass
• Here all the guest users are working (Android 12 and lower as well as all IoS users)

At Branch office we have -

1. Aruba 515 Ap's
2. IAP virtual controller (AP's built in virtual controller)
3. We have configured guest SSID and for authentication given path of Main branch ClearPass and for guest portal also given path of main office.
4. Here only android 12 users are not getting connected, after entering OTP the page is getting refreshed again and again (failing to connect)
5. We have checked on ClearPass logs
6. Error code - 204
7. Error Category - Authentication failure
8. Error Msg - failed to classify request to service.
9. Alerts for this request -
10. Radius - Service categorization filed.
11. Radius:Aruba:Aruba-ESSID-Name = is different which is configured in Guest SSID (This is showing for android 12 users only, for lower version it is showing perfect) Ex. SSID is - Test_Guest. In android 12 it is showing - _owetm_Test_Guest1039747924.