Controllerless Networks

  • 1.  Debugging Instant DUR issue

    Posted Jul 10, 2020 07:24 AM

    Aruba Instant 8.7.0

    CPPM 6.9.1

     

    3 AP Instant cluster 303Hs

     

    Have already got DUR working on 2930 switch, thought I'd try Instant before looking at mobility controller

     

    Get the following on the Instant master controller

     

    show download-role local

    Downloadable Role from CPPM
    ---------------------------
    Role State Refcount Deprecated
    ---- ----- -------- ----------
    ND_eduroam_user_DUR-3163-6 Error 0 No

     

    Here's some details

     

    authentication server

    wlan ssid-profile eduroam
    auth-server cppmnd.sharaz.info
    ....
    download-role

     

    wlan auth-server cppmnd.sharaz.info
    ip cppmnd.sharaz.info
    port 1812
    acctport 1813
    key <shared key>
    nas-ip 192.168.1.20
    rfc5997 auth-only
    rfc3576
    cppm-rfc3576-port 5999
    service-type-framed-user 1x
    service-type-framed-user mac
    cppm username getcppmroles password <carefully typed password>

    On clearpass create profile eduroam-user-dur

    wlan access-rule eduroam-user-dur
    rule any any match any any any permit

     

    show clearpassca

    gives

     

    Default clearpass CA Certificate:
    Version :2
    Serial Number :44AFB080D6A327BA893039862EF8406B
    Issuer :/O=Digital Signature Trust Co./CN=DST Root CA X3
    Subject :/O=Digital Signature Trust Co./CN=DST Root CA X3
    Issued On :Sep 30 21:12:19 2000 GMT
    Expires On :Sep 30 14:01:15 2021 GMT
    RSA Key size :2048 bits
    Signed Using :RSA-SHA1

     

    which is correct as I'm using LetsEncrypt as ClearPass http cert

    NTP time sync is correct, both APs and cppm use same NTP source


    show download-role local

    Downloadable Role from CPPM
    ---------------------------
    Role State Refcount Deprecated
    ---- ----- -------- ----------
    ND_eduroam_user_DUR-3163-6 Error 0 No

     

    show log security gives

    Jul 10 10:59:37 stm[6772]: <199802> <ERRS> |AP Kitchen@192.168.1.12 stm| auth_cppm_fsm.c, ac_afsm_rreq_timer_cb:255: Dldb Role ND_eduroam_user_DUR-3163-5: Role request to CPPM failed, cfg_sz=0
    Jul 10 11:05:42 stm[6772]: <199802> <ERRS> |AP Kitchen@192.168.1.12 stm| auth_cppm_api.c, auth_curl_perform:126: Dldb Role ND_eduroam_user_DUR-3163-6: Curl response with HTTP code: 0
    Jul 10 11:05:42 stm[6772]: <199802> <ERRS> |AP Kitchen@192.168.1.12 stm| auth_cppm_api.c, auth_curl_perform:133: Dldb Role ND_eduroam_user_DUR-3163-6: Curl peer verification fine
    Jul 10 11:06:12 stm[6772]: <199802> <ERRS> |AP Kitchen@192.168.1.12 stm| auth_cppm_api.c, auth_curl_perform:126: Dldb Role ND_eduroam_user_DUR-3163-6: Curl response with HTTP code: 0
    Jul 10 11:06:12 stm[6772]: <199802> <ERRS> |AP Kitchen@192.168.1.12 stm| auth_cppm_api.c, auth_curl_perform:133: Dldb Role ND_eduroam_user_DUR-3163-6: Curl peer verification fine
    Jul 10 11:06:12 stm[6772]: <124830> <ERRS> |AP Kitchen@192.168.1.12 stm| Dldb Role ND_eduroam_user_DUR-3163-6: Users dequeued, role in incomplete state
    Jul 10 11:06:12 stm[6772]: <199802> <ERRS> |AP Kitchen@192.168.1.12 stm| auth_cppm_fsm.c, ac_afsm_rreq_timer_cb:255: Dldb Role ND_eduroam_user_DUR-3163-6: Role request to CPPM failed, cfg_sz=0

     

    CPPM Sends back the following in the Aruba-CPPM-Role attribute in Access-Accept

    Radius:Aruba:Aruba-CPPM-Role ND_eduroam_user_DUR-3163-6
    wlan access-rule eduroam-user-dur
    rule any any match any any any permit
    Radius:IETF:Acct-Interim-Interval 900
    Radius:IETF:Session-Timeout 3600
    Radius:IETF:Termination-Action 1
    Status-Update:Endpoint Known

     

     

    Admin/Users/Admin Users

     

    has

    getcppmroles "User Role Getter" Read-only Administrator Enabled

    password typed in really really carefully

     

     

     

     


     

     

     

     

     



  • 2.  RE: Debugging Instant DUR issue

    Posted Jul 10, 2020 09:07 AM

    Remove the other attributes. You should only be returning the role.



  • 3.  RE: Debugging Instant DUR issue

    Posted Jul 10, 2020 11:08 AM

    Nope, doesn't make a difference. Changed it so that only sent back Aruba-CPPM-Role.

     

    Everything seems to work till there's a role fetch (?)

     

    Jul 10 16:04:40 stm[6722]: <121031> <DBUG> |AP Spare Room@192.168.1.11 stm| |aaa| [rc_request.c:65] Del Request: id=51, srv=192.168.1.12, fd=21
    Jul 10 16:04:40 stm[6722]: <121050> <DBUG> |AP Spare Room@192.168.1.11 stm| in rc_aal.c(server_cbh),auth result = 0, with user name = 5a:bc:7f:4c:ef:ec
    Jul 10 16:04:40 stm[6722]: <124004> <DBUG> |AP Spare Room@192.168.1.11 stm| SAE pairwise key mesg2 MIC for client 5a:bc:7f:4c:ef:ec : (16): 36 b6 94 9d 64 bd a3 93 4c 2a 95 9a 9b 12 a4 45
    Jul 10 16:04:40 stm[6722]: <124839> <DBUG> |AP Spare Room@192.168.1.11 stm| Dldb Role eduroam_user_dur-3163-15: Timer type 4 expired

    elated pmkcache
    Jul 10 16:04:40 stm[6722]: <124838> <DBUG> |AP Spare Room@192.168.1.11 stm| Dldb Role eduroam_user_dur-3163-15: Start timer type role clean(4) duration 100
    Jul 10 16:04:40 stm[6722]: <124004> <DBUG> |AP Spare Room@192.168.1.11 stm| Dldb Role eduroam_user_dur-3163-15: remove role
    Jul 10 16:04:40 stm[6722]: <124854> <DBUG> |AP Spare Room@192.168.1.11 stm| Dldb Role eduroam_user_dur-3163-15: Role sucessfully destroyed
    Jul 10 16:05:10 stm[6722]: <124839> <DBUG> |AP Spare Room@192.168.1.11 stm| Dldb Role eduroam_user_dur-3163-16: Timer type 1 expired
    Jul 10 16:05:10 stm[6722]: <199802> <ERRS> |AP Spare Room@192.168.1.11 stm| auth_cppm_api.c, auth_curl_perform:126: Dldb Role eduroam_user_dur-3163-16: Curl response with HTTP code: 0
    Jul 10 16:05:10 stm[6722]: <199802> <ERRS> |AP Spare Room@192.168.1.11 stm| auth_cppm_api.c, auth_curl_perform:133: Dldb Role eduroam_user_dur-3163-16: Curl peer verification fine
    Jul 10 16:05:10 stm[6722]: <124850> <DBUG> |AP Spare Room@192.168.1.11 stm| Dldb Role eduroam_user_dur-3163-16: Dequeue pending users, total enqueued 1
    Jul 10 16:05:10 stm[6722]: <124830> <ERRS> |AP Spare Room@192.168.1.11 stm| Dldb Role eduroam_user_dur-3163-16: Users dequeued, role in incomplete state
    Jul 10 16:05:10 stm[6722]: <124837> <DBUG> |AP Spare Room@192.168.1.11 stm| Dldb Role eduroam_user_dur-3163-16: Curl cleanup done for role request
    Jul 10 16:05:10 stm[6722]: <199802> <ERRS> |AP Spare Room@192.168.1.11 stm| auth_cppm_fsm.c, ac_afsm_rreq_timer_cb:255: Dldb Role eduroam_user_dur-3163-16: Role request to CPPM failed, cfg_sz=0
    Spare Room#



  • 4.  RE: Debugging Instant DUR issue

    Posted Jul 13, 2020 09:28 AM

    ... and it works!

     

    although it might have been a case of "Switch it off and on again :-("

     

    Noticed the Instant AP in my cluster wouldn't respond to pings and I couldn't log onto it.

    Changed it for another AP and although I could log on, still exhibited the same issue.

     

    Ran show summary support and noticed that in addition to my ipv4 DNS entry there were two ipv6 addresses that were being handed out by my broadband router.

     

    Disabled ipv6 management of the instant cluster, disabled advertising of ipv6 dns servers (one of them had died) and rebooted the cluster ... and it all sprang into life!

     

    Next step is to reinstate the IPv6 (minus the bad DNS server) and check it still works.

     

    The interesting thing was that nowhere in the GUI did it mention it was using the ipv6 DNS servers, everything had ipv4 ones assigned.

     

    A
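
Added example, not part of the original thread or Aruba's tooling: a small triage script for the `show log security` lines posted above. It assumes the AP's `HTTP code` value carries libcurl's meaning, where 0 means no HTTP response was received at all, which points at name resolution or reachability rather than the `cppm username` credentials; the 401 line, the verdict names and the hints are constructed for illustration.

```python
import re
from collections import defaultdict

# Four lines copied from the thread's log, plus one constructed 401 line for contrast.
SAMPLE = """\
Jul 10 16:05:10 stm[6722]: <199802> <ERRS> |AP Spare Room@192.168.1.11 stm| auth_cppm_api.c, auth_curl_perform:126: Dldb Role eduroam_user_dur-3163-16: Curl response with HTTP code: 0
Jul 10 16:05:10 stm[6722]: <199802> <ERRS> |AP Spare Room@192.168.1.11 stm| auth_cppm_api.c, auth_curl_perform:133: Dldb Role eduroam_user_dur-3163-16: Curl peer verification fine
Jul 10 16:05:10 stm[6722]: <124830> <ERRS> |AP Spare Room@192.168.1.11 stm| Dldb Role eduroam_user_dur-3163-16: Users dequeued, role in incomplete state
Jul 10 16:05:10 stm[6722]: <199802> <ERRS> |AP Spare Room@192.168.1.11 stm| auth_cppm_fsm.c, ac_afsm_rreq_timer_cb:255: Dldb Role eduroam_user_dur-3163-16: Role request to CPPM failed, cfg_sz=0
Jul 10 16:09:00 stm[6722]: <199802> <ERRS> |AP Constructed@192.0.2.10 stm| auth_cppm_api.c, auth_curl_perform:126: Dldb Role constructed_role-1: Curl response with HTTP code: 401
"""

# AP name, role name and message from a "Dldb Role" line; the source-file prefix is optional.
LINE = re.compile(r"\|AP (?P<ap>[^@]+)@\S+ stm\| .*?Dldb Role (?P<role>[^:]+): (?P<msg>.*)")

# Hypothetical verdict names with what to check first for each.
HINTS = {
    "no-http-response": "AP never got an HTTP reply: check DNS servers in use, routing, HTTPS reachability",
    "credentials-rejected": "ClearPass answered but refused: check cppm username/password and admin role",
    "failed-other": "role request failed without an HTTP code line: collect debug-level logs",
    "no-failure-seen": "no failure lines for this role",
}

def classify(codes, failed):
    """Map the HTTP codes seen for one role to a verdict."""
    if codes and set(codes) == {0}:
        return "no-http-response"
    if set(codes) & {401, 403}:
        return "credentials-rejected"
    return "failed-other" if failed else "no-failure-seen"

def triage(log_text):
    """Group Dldb Role lines per role and return {role: verdict}."""
    seen = defaultdict(lambda: {"codes": [], "failed": False})
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # not a downloadable-role line
        entry = seen[m["role"]]
        code = re.search(r"HTTP code: (\d+)", m["msg"])
        if code:
            entry["codes"].append(int(code.group(1)))
        if "Role request to CPPM failed" in m["msg"]:
            entry["failed"] = True
    return {role: classify(e["codes"], e["failed"]) for role, e in seen.items()}

if __name__ == "__main__":
    for role, verdict in triage(SAMPLE).items():
        print(f"{role}: {verdict} -> {HINTS[verdict]}")
```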