Amigopod

Reply
MVP
Posts: 992
Registered: ‎04-13-2009

RADIUS Auth failing

Hi All,

I've got a demo Aruba controller and Amigopod. I've setup a DEMO-PEAP SSID and configure it to use the Amigopod as the RADIUS server.

I've configured a test guest account on the Amigopod and have verified that the RADIUS communication between the controller and Amigopod is working. Using "AAA test server" on the controller I'm getting authentication successful.

The problem is when I attempt to authenticate using my iPad or android phone on this PEAP SSID, authentication fails every time. I'm getting incorrect username or password errors however I am entering the correct credentials (I guarantee this!).

I can see the authentication attempts getting to the Amigopod.. Here's what the RADIUS log looks like:

Tue Oct 18 09:39:01 2011 : Auth: Login incorrect: (from client aruba-master port 0 cli 0446655CDED1)
2011-10-18 09:39:21+01 amigopod debug Access-Reject authentication failure trace
Client: 127.0.0.1:60655
Server: 127.0.0.1:80
Script: /radius_extautz.php
Function: NwaRadiusAuthAccessReject
Arguments: (
'username' => 'jrw',
'request' => (
'user-name' => 'jrw',
'nas-ip-address' => '192.168.7.254',
'nas-port' => '0',
'nas-identifier' => 'aruba3200',
'nas-port-type' => 'Wireless-802.11',
'calling-station-id' => '0446655CDED1',
'called-station-id' => '000B8661C174',
'service-type' => 'Login-User',
'framed-mtu' => '1100',
'eap-message' => '0x02030008016a7277',
'aruba-essid-name' => 'DEMO-PEAP',
'aruba-location-id' => 'AP02-40:f2',
'aruba-ap-group' => 'DEMO-Roadshow',
'message-authenticator' => '0x4037bfaf958a0f9fb9229091b6fd0155',
'client-ip-address' => '192.168.7.254',
'sql-user-name' => 'jrw',
),
'response' => (
),
)

Below is the RADUID Debug showing a single authentication failure:

Ready to process requests.
rad_recv: Access-Request packet from host 192.168.7.254 port 32794, id=61, length=184
User-Name = "jrw"
NAS-IP-Address = 192.168.7.254
NAS-Port = 0
NAS-Identifier = "aruba3200"
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = "0446655CDED1"
Called-Station-Id = "000B8661C174"
Service-Type = Login-User
Framed-MTU = 1100
EAP-Message = 0x02010008016a7277
Aruba-Essid-Name = "DEMO-PEAP"
Aruba-Location-Id = "AP02-40:f2"
Aruba-AP-Group = "DEMO-Roadshow"
Message-Authenticator = 0xd99aa7eeb24ecb2b8804b0accc80dacb
# Executing section authorize from file /etc/raddb/radiusd.conf
rlm_sql (sql): Reserving sql socket id: 3
rlm_sql_postgresql: query: SELECT id, UserName, CASE WHEN Attribute = 'password' THEN 'Cleartext-Password' ELSE Attribute END, Value, CASE WHEN Attribute = 'password' THEN ':=' ELSE Op END FROM radcheck WHERE Username=E'jrw' ORDER BY id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 2 , fields = 5
rlm_sql_postgresql: query: SELECT id, UserName, Attribute, Value, Op FROM radreply WHERE Username=E'jrw' ORDER BY id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 0 , fields = 5
rlm_sql_postgresql: query: SELECT GroupName FROM usergroup WHERE UserName=E'jrw'
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 1 , fields = 1
rlm_sql_postgresql: query: SELECT radgroupcheck.id, radgroupcheck.GroupName, radgroupcheck.Attribute, radgroupcheck.Value,radgroupcheck.Op FROM radgroupcheck, usergroup WHERE usergroup.Username = E'jrw' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 0 , fields = 5
rlm_sql_postgresql: query: SELECT radgroupreply.id, radgroupreply.GroupName, radgroupreply.Attribute, radgroupreply.Value, radgroupreply.Op FROM radgroupreply,usergroup WHERE usergroup.Username = E'jrw' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 0 , fields = 5
rlm_sql (sql): Released sql socket id: 3
Login incorrect: (from client aruba-master port 0 cli 0446655CDED1)
# Executing group from file /etc/raddb/radiusd.conf
rlm_sql (sql): Reserving sql socket id: 2
rlm_sql_postgresql: query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES (E'jrw', E'Chap-Password', E'Access-Reject', NOW())
rlm_sql_postgresql: Status: PGRES_COMMAND_OK
rlm_sql_postgresql: query affected rows = 1
rlm_sql (sql): Released sql socket id: 2
rlm_extautz: In postauth
rlm_extautz: extautz_postauth: time-to-connect: |0.000318|
rlm_extautz: extautz_postauth: content-length-time: |0.000059|
rlm_extautz: extautz_postauth: content-send-time: |0.000150|
rlm_extautz: extautz_postauth: Received response with extautz status: 200 OK includes|0.006696| action|0.004176| total|0.010872|
rlm_extautz: extautz_postauth: round-trip-time: |0.015894|
rlm_extautz: extautz_postauth: time-to-process: |0.016320|
Waking up in 0.9 seconds.
Sending Access-Reject of id 61 to 192.168.7.254 port 32794
Waking up in 4.9 seconds.
Ready to process requests.
Cheers
James

-------------------------------------------------------
-------------------@whereisjrw-------------------
------------------------blog-------------------------
ACCX #540 | ACMX #353 | ACDX #216
-----------Mobility First Expert #11----------
-------------------------------------------------------

If a reply adequately addresses your issue, please click on the "Accept as Solution" and "Give Kudos" button so this information can benefit other users via search.
MVP
Posts: 992
Registered: ‎04-13-2009

Re: RADIUS Auth failing

Answer:

Create a CA and server cert for the amigopod then set the EAP configuration to PEAP.

RADIUS> Authentication > EAP & 802.1x > Create server certificate

Once that's done..

RADIUS> Authentication > EAP Configuration >

Supported types EAP-MSCHAPv2, EAP-TLS, PEAP
Default EAP Type: PEAP
Cheers
James

-------------------------------------------------------
-------------------@whereisjrw-------------------
------------------------blog-------------------------
ACCX #540 | ACMX #353 | ACDX #216
-----------Mobility First Expert #11----------
-------------------------------------------------------

If a reply adequately addresses your issue, please click on the "Accept as Solution" and "Give Kudos" button so this information can benefit other users via search.
Guru Elite
Posts: 21,281
Registered: ‎03-29-2007

Re: RADIUS Auth failing

Thanks for the follow-up.


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Search Airheads
Showing results for 
Search instead for 
Did you mean: