You're right it's confusing! I tried assigning the wlan to the device groups, but no joy.
I put the AP into the gateway group (after enabling AP support), the AP is up but now the radios are disabled!
-------------------------------------------
Original Message:
Sent: May 22, 2026 09:49 AM
From: willembargeman
Subject: New Central MPSK issues
For Bridge mode SSIDs there is no AAA profile created. This is only for tunneled SSIDs.
Regarding the assignment. That is the most important and confusing part at this moment.
Make sure the gateways and APs are assigned to the same group at this moment. If you assign the profile Global the SSID is not broadcast. Also make sure the VLAN is assigned to the scope or higher level (global).
There is an option to use auto-site and that will give the possibility to assign tunneled WLAN profiles globally. However, this is currently an allow-listed feature. I think it is good to discuss this with your HPE Networking SE.
------------------------------
Willem Bargeman
Systems Engineer Aruba
ACEX #125
Original Message:
Sent: May 22, 2026 09:32 AM
From: cauliflower
Subject: New Central MPSK issues
Thanks for the info Willem.
I recreated the wlan and this time there is an AAA profile, so that's an improvement. When I went through the process again I realised that I may have left it in bridged mode instead of tunnel, so that might explain the AAA profile anomaly I guess?
So now I have the wlan and I created an auth profile in CentralNAC that references it.
The wlan is scoped to Global at the moment - this would be our ideal as we want to have our 4 basic wlans inherited everywhere below. However the SSID is now not broadcasting! I have a feeling my colleague had an issue like this some time ago (unfortunately he is on holiday) and the issue was something to do with the client VLAN referenced in the wlan. I can't remember exactly but I guess if the gateways test that VLAN and it isn't reachable then the SSID doesn't get broadcast? Does that ring any bells with you?
Guy
Original Message:
Sent: May 22, 2026 07:39 AM
From: willembargeman
Subject: New Central MPSK issues
It's correct that 'show ap database' doesn't show any AP. With AOS10 the Gateways are 'just' used for traffic termination. The APs are controlled by Central.
Did you create the WLAN profile at library level and assign the WLAN profile to the Group? At this moment the group must contain both the Gateways and APs.
You are correct. An AAA profile should be auto created during the WLAN profile creation. That is probably the reason why you see MAC auth failures. There is always (also for an open SSID) MAC auth between the AP and Gateway.
Can you try to create a new SSID and see if the AAA profile is created? If not, I suggest opening a TAC case.
------------------------------
Willem Bargeman
Systems Engineer Aruba
ACEX #125
Original Message:
Sent: May 22, 2026 06:52 AM
From: cauliflower
Subject: New Central MPSK issues
A quick follow up on this - we have a test version of the MPSK wlan set up in our dev workspace and strangely that does have an AAA profile which looks like it has been auto-generated as the name has a long seemingly random number suffixed, that profile has MAC auth server set to be CentralNAC. But there's no equivalent AAA profile for the MPSK wlan that I set up in our 'live' workspace. Seems like there should be?
Original Message:
Sent: May 22, 2026 06:03 AM
From: cauliflower
Subject: New Central MPSK issues
Hello,
We are testing out our wi-fi services in New Central prior to migration from AOS8. Our model is Cloud (New) Central and a cluster of gateways in our DC which will serve all of our APs. Running 10.8.0.1.
I set up a single AP in Central, it is in a group and a site, all seems well. We have two gateways currently in a cluster which also seem to be happy. I configured an MPSK WLAN which uses CentralNAC for auth (this is to replace our personal, device registration MPSK currently on ClearPass). The new SSID broadcasts on the test AP fine, but when I try to connect using my user-managed MPSK it says 'authenticating' for a while but then gives up. When I troubleshoot my device on Central it shows as failing MAC auth. But MAC auth shouldn't be part of MPSK auth, should it?
Also when I run 'show ap database' directly on the gateways there are no APs showing, I'm not sure if that is normal? From the gateway I can see an ipsec tunnel that appears to be formed between the AP and the gateway:
(uws-gw-a1) *#show crypto ipsec sa
Tunnel Service SA Information
-----------------------------------
Initiator IP  Responder IP  SPI(IN/OUT)        Flags   Start Time       Tunnel Type   Inner IP
------------  ------------  ----------------   ------  ---------------  ------------  ----------
<AP IP>       <GW IP>       9596d000/87cb3000  UTlt    May 22 08:10:00  AP            <AP IP>
I'm not really sure what I should expect to see in the new AOS 10 world so I don't know if the absence of the AP from 'show ap database' is relevant or not.
Does anyone have any ideas about this? Or what the issue with the MPSK network might be?
Thank you,
Guy
-------------------------------------------