Aruba Instant & Cloud Wi-Fi

Reply
Contributor II
Posts: 50
Registered: ‎09-12-2013

Aruba instant environment is showing failed auth attempts on radius server

I have a user account that keeps getting locked out in our domain and I am finding the failed logon attemps from our aruba instant environment (this is at a location where the user does not work) within the domain controller for the site. I see the following messages in event viewer:

 

Event IDs: 6273; 4625; 4776  ( I will attach screen shots of content )

 

All these events happen at the same moment and the only source I see is the ip address of our virtual controller. Aruba IAP environment consist of IAP-225's running 6.4.0.3-4.1.0.1_45063.  I noticed in the event id 6273 it references a "called station" and "calling station". The called station is showing the mac address of one of my AP's but the calling station is just showing as a samsung device. I have blacklisted this mac address but I can still see this event happening in the logs. 

 

Any help would be appreciated in hunting down this device. The lack of reporting on the instant environment is proving dificult but I am sure there is a trick I am missing to hunt this down.

Guru Elite
Posts: 8,457
Registered: ‎09-08-2010

Re: Aruba instant environment is showing failed auth attempts on radius server

Do you have AirWave?

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor II
Posts: 50
Registered: ‎09-12-2013

Re: Aruba instant environment is showing failed auth attempts on radius server

I wish but I do not.

Guru Elite
Posts: 21,018
Registered: ‎03-29-2007

Re: Aruba instant environment is showing failed auth attempts on radius server

AGarner,

 

The output of "show ap bss-table" on the commandline of the Virtual Controller should show you the list of called-station-ids that are in a virtual controller.  You should be able to compare that to the called-station-id in the radius authentication request to figure out what AP is being authenticated to:

 

http://www.arubanetworks.com/techdocs/Instant_41_WebHelp/InstantWebHelp.htm#CLI_commands/show_ap_bss_table.htm



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Contributor II
Posts: 50
Registered: ‎09-12-2013

Re: Aruba instant environment is showing failed auth attempts on radius server

So I have blacklisted the mac address of the device causing the lockouts within the aruba configuration but the lockout is still occuring. How is this possible?

 

Search Airheads
Showing results for 
Search instead for 
Did you mean: