Thanks for the prompt reply. I'm running IMC and the MSM does indeed talk to IMC through that interface. When enabled it shows the service running. There are a number of items that interface through this, one example down further
unchecked no data or host name
I have a very simpel short question:
What POE do you need to use in order to power the AP? (MSM460)
I just got a J9407A. But when i plug it in, no lights are on the AP, there is just one brief green blink on the backside of the AP where the reset button is...
The AP is new and has never been used before.
I just need to know, do i have the correct POE or what am i doing wrong?
Hi
Thanks Parnassus, however....
New certs installed as per instructions DO NOT WORK with imc.
I tested on a spare controller and would not connect. to IMC (unfortunately deleted the certs as per instructions - DOH! - you can leave them installed until everything looks good. Also a password protected configuration backup will inlcude the certs so you can recover)
I tested again on primary controller (w/o deleting) and switching between certs old vs new has same result. for new
New certs - stuck connecting - see below
Old Certs - connect right away on port 7668
New cert in MSM - stuck like this?
View In IMC
Hello,
Sorry for the delayed answers, I am currenlty OOO.
The first thing I can think of is - maybe iMC doesnt trust the new CA root certificate and thats why an error is displayed. The advisory provides 2 certificates - new_mgmt_console_ca.crt which is the CA root certificate and new_mgmt_console_client.pfx which is the client certificate for the MSM controller. Maybe it is necessary to install the CA certificate on iMC as trusted CA. Because they are not signed by any public CA and wont be trusted by default.
It would be good to see what exactly report iMC and MSM in the logs. A wired trace can also be helpful in identifying where the communication is breaking.
This is just a guess. I am not iMC specialist. Maybe it is better to open a separate question in the iMC section and even much better open a support case if you are entitled to support.
Thx. Only just started looking into - this was FYI for anyone else. CA trust could be an issue - yes. Certs on imc are not something I've worked w. Time to learn I guess. i will check the logs and do a capture. I do have IMC support so I can work with them.
UPDATE: Wireshark capture shows unknown CA error so looks like I need to figure out how to install that CA cert
Trying to set up some sort of prefferred network for staff vs. guest wifi. I have an MSR20-10 enterprise router and 3 of these M220 AP's clustered. I'm running two SSID's on a single VLAN. I need one of the SSID's to have prefferred throughput vs guest wifi connections. Should I do this at the router with setting up an additional VLAN? I was hoping I could just set a bandwidth limit on the guest SSID at the AP like some other brands allow. What is my best option here?
I have the same issue , all Ap's disconnect the clients for about 4 sec every 10, 15 minutes :
Client (mac='6C:88:14:EC:59:18') has successfully authenticated using 802.11 authentication on interface (value='r2v2') using SSID (value='TV') 2020-05-29 08:49:18,086 AP received a deauthenticate request from client (mac='6C:88:14:EC:59:18') on interface (value='r2v2') using SSID (value='TV'). Reason code: (value='Unspecified'). Total number of clients: (value='0') 2020-05-29 08:49:14,747 AP sent a deauthentication request to client (mac='6C:88:14:EC:59:18') on interface (value='r2v2') using SSID (value='TV') with a reason code (value='Previous authentication no longer valid') 2020-05-29 08:49:14,484
My configuration is a MSM760 (6.6.8.1-23399) Enterprise Licenses, with 5 MSM560 (6.6.8.1-23399)
Please join us for the Online Expert Day on June 16-17 , 2020. Our Experts will be Live for 24 hours.
More detailed information is available here
Hello,
M220 is an entry level AP and misses a lot of the advanced bandwidth management and traffic prioritization features other models and brands have. I reviewed the documentation once again and couldnt find any option to achieve what you intend.
I can think of one workaround however it is very specific and the implementation may not match your needs. The AP supports 802.11n as the highest WLAN standard with 2 spacial steams, this means 300Mbps as the highest data rate (real data throughput about the half). The 802.11n standard has some requirements regarding the wireless security features. It can only be used with WPA2 with AES. If you enabled WPA with TKIP or WEP on a wireless community, 802.11n is disabled and the AP will support 802.11g or 802.11a only with the highest data rate of 54Mbps. This is mentioned in the manual
https://internal.support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=c04483535
WPA with TKIP encryption. Note: If this version is selected and the chosen wireless mode supports 802.11n, then wireless clients that support 802.11n cannot connect at 802.11n transmission rates. They will be connected at legacy rates. If the chosen wireless mode is one of the 802.11n-only modes, then you cannot select this option alone (that is, WPA2 must also be selected)
So if you plan to implement preshared key authentication for both SSIDs, you can configure the radio mode as 802.11b/g/n or 802.11a/n, in the wireless community settings you can then specify different security methods and WPA versions for both SSIDs. The guest SSID can be using WPA-Personal with TKIP while the employee SSID WPA2-Personal with AES.
If you cannot implement wireless authentication for the guest SSID (for example you cannot distribute the password to guests) this restriction cannot be enforced and I cannot think of another way to do it on the AP.
Running employee and guest SSID on a single VLAN is not recommended because this opens the door for wireless peer to peer attacks, thus the utrusted guests are able to attack employees, distribute malware and viruses and so on. If you cannot change it then you need some additional security on the wired side which blocks the comminication between stations in the same VLAN and allows it only to a gateway. It is better to have separate VLANs for both SSIDs, this can possibly also allow you to implement more granular QoS or bandwidth restriction on the wired side.
Hello All,
Don't miss out on the upcoming online Expert Day for HPE Products. You can be an expert on this day or post all your product-related queries to be responded by our finest and brightest technical experts in the industry
Thank you so much Emil. I believe this was a good workaround. However, using WPA/TKIP only limits throughput to 54Mbps. I need to limit it to about 5Mbps.
So, I've decided to create another VLAN to achieve a more secure setup and to have a class B subnet to allow more guests to sign on. I have completed the VLAN within the router and created the class B interface. If I understand correctly, I need to go into the HPE switch and set up VLAN tagging for that specific LAN port as well?
Also, I tried to get some preliminary work done at the AP level for the new subnet. However, the M220 AP's only have one ethernet port. So, I'm going to have to make it accept two VLAN's on a single port. I think this will work fine. But, the GUI isn't very intuitive on the M220. I'm having a hard time deciphering which settings to change. I need the AP's to stay on my original secure subnet in order to manage them, but I also need to assign an additional VLAN and subnet to each one as well so they can operate wireless on both SSID's. I have three AP's that are clustered or in a community. Any tips?
This has been resolved. IMC needs the certs as well. These should be in the next patch to IMC/WSM
Good day
When i upload the cert under certificate and prvate key store i get the following error "Certificate found to have inappropriate starting or ending dates in regard to the product's system time." how can i resolve this,
Good day,
I downloaded the zip file and followed the instruction but i got an error when uploading the cert under certificate and prvate key store i get the following error "Certificate found to have inappropriate starting or ending dates in regard to the product's system time." how can i resolve this,
Good morning,
What is the current system time of your MSM controller? You can see it in the webUI in the lower left corner. Under Contoller ->Management ->System Time you can check how exactly the system time is configured and from which sources it is taken.
Keep in mind that the MSM765 and MSM775 use the time settings of the zl switch in which they are installed. If the switch has wrong time the MSM controller will also have wrong time. The time has to be fixed on the switch and not on the System TIme menu of the controller.
Good morning,
What is the current system time of your MSM controller? Is it correct?
You can see it in the webUI in the lower left corner. Under Contoller ->Management ->System Time you can check how exactly the system time is configured and from which sources it is taken.
Keep in mind that the MSM765 and MSM775 use the time settings of the zl switch in which they are installed. If the switch has wrong time the MSM controller will also have wrong time. The time has to be fixed on the switch and not on the System TIme menu of the controller.
I just did a short test with a controller having wrong system time (1 year behind) and I could reproduce exactly the same error message.
Hello,
Yes, I agree this workaround is not very flexible.
If you have a switch between the AP and the router, you have to configure the VLANs to match between the AP and the switch on the one hand and also between the switch and the router on the other hand.
The AP M220 can support multiple VLANs on its single port. One VLAN is untagged (also called native VLAN or PVID on some switches) the rest of the VLANs are tagged.
https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=c04483535
on page 75 you can find which options do you have for the Ethernet configuration (Network ->IP ->Ethernet Configuration). You can specify the Management VLAN of the AP and the untagged VLAN. By default the management and the untagged VLAN is VLAN 1. You can change them or you can disable the untagged VLAN which will make the AP send all the frames with a VLAN tag.
On page 34 you have all the options in the menu Wireless ->Communities. Here you can assign the VLAN to the SSID ( specify the VLAN ID to which the AP is mapping the wireless traffic when it is forwarded to the LAN). You can specify different VLAN IDs for different communities (SSIDs). All the VLANs expect the VLAN that you specified as untagged in (Network ->IP ->Ethernet Configuration) will be sent out with a VLAN tag. Or if you disabled the untagged VLAN all the VLANs will be send with a VLAN tag. The port of the switch has to be configured accordingly.
Assigning a subnet to a SSID is not done at the AP level. The AP is a Layer 2 device which has an IP address only for management access, no separate IP is assigned to every single SSIDs or VLAN. The IP subnet is assigned at the router.
Thank you so much this resolved my issue.
How to install firmware on the access point msm460 without access to the equipment settings? after clicking on the option "switch to autonomous mode" it resets and locks access. Thank you
