ArubaOS and Controllers

New Contributor
Posts: 4
Registered: ‎02-02-2011

Aruba 620, Windows 2008 Radius Authentication Failure

Hi all,

We are trying to set up our demo Aruba kit for a customer for an evaluation; one of the things they need is Radius authentication. We have followed the guide for setting up the Radius server in Windows 2008, and when I try to test the aaa configuration we always get Authentication Failed on any user.

I configured the radius configuration with the following:

(config) #aaa authentication-server radius nps
(RADIUS Server "nps") #host 100.0.100.1
(RADIUS Server "nps") #enable
(RADIUS Server "nps") #key *******
(RADIUS Server "nps") #nas-identifier Aruba-Master
(RADIUS Server "nps") #nas-ip 100.0.7.3


And then used the following to test:



And always receive Authentication Failed.

The log from the test is:

 Radius authenticate user administrator MS-CHAPv2 using server nps

Mar 17 00:23:33 :121031: |authmgr| |aaa| L2 User lookup failed, setting nas_port_type to wireless

Mar 17 00:23:33 :121031: |authmgr| |aaa| :L2 User lookup failed, skipping Aruba-Port-ID

Mar 17 00:23:33 :121031: |authmgr| |aaa| Opened socket 40 (client=0.0.0.0) for server nps

Mar 17 00:23:33 :121031: |authmgr| |aaa| Add Request: id=1, srv=100.0.100.1, fd=40

Mar 17 00:23:33 :121031: |authmgr| |aaa| Sending radius request to nps:100.0.100.1:1812 id:1,len:213

Mar 17 00:23:33 :121031: |authmgr| |aaa| NAS-IP-Address: 100.0.7.3

Mar 17 00:23:33 :121031: |authmgr| |aaa| NAS-Port-Id: 0

Mar 17 00:23:33 :121031: |authmgr| |aaa| NAS-Port-Type: 19

Mar 17 00:23:33 :121031: |authmgr| |aaa| User-Name: administrator

Mar 17 00:23:33 :121031: |authmgr| |aaa| Calling-Station-Id: 000000000000

Mar 17 00:23:33 :121031: |authmgr| |aaa| Called-Station-Id: 000B866274B0

Mar 17 00:23:33 :121031: |authmgr| |aaa| Vendor-Specific: \3234\277\226\012\221\2150\350\033\271`}b\276j

Mar 17 00:23:33 :121031: |authmgr| |aaa| Vendor-Specific:
Mar 17 00:23:33 :121031: |authmgr| |aaa| Service-Type: Login-User

Mar 17 00:23:33 :121031: |authmgr| |aaa| Aruba-Essid-Name:

Mar 17 00:23:33 :121031: |authmgr| |aaa| Aruba-Location-Id: N/A

Mar 17 00:23:33 :121031: |authmgr| |aaa| Aruba-AP-Group: N/A

Mar 17 00:23:33 :121031: |authmgr| |aaa| NAS-Identifier: Aruba-Master

Mar 17 00:23:34 :121031: |authmgr| |aaa| Find Request: id=1, srv=100.0.100.1, fd=40

Mar 17 00:23:34 :121031: |authmgr| |aaa| Current entry: srv=100.0.100.1, fd=40

Mar 17 00:23:34 :121031: |authmgr| |aaa| Del Request: id=1, srv=100.0.100.1, fd=40

Mar 17 00:23:34 :121031: |authmgr| |aaa| Authentication failed

Mar 17 00:23:34 :121031: |authmgr| |aaa| RADIUS RESPONSE ATTRIBUTES:

Mar 17 00:23:34 :121031: |authmgr| |aaa| {Microsoft} MS-CHAP-Error:

Mar 17 00:23:34 :121031: |authmgr| |aaa| PW_RADIUS_ID: \001

Mar 17 00:23:34 :121031: |authmgr| |aaa| Rad-Length: 42

Mar 17 00:23:34 :121031: |authmgr| |aaa| PW_RADIUS_CODE: \003

Mar 17 00:23:34 :121031: |authmgr| |aaa| PW_RAD_AUTHENTICATOR: -\230\026\277G*!\023a@

We have tried unsuccessfully to authenticate; any help or pointers on where to look is much appreciated.

Many Thanks,
Matthew
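
An added example, not part of the original post: a short Python reader for the controller debug output above that decodes the octal-escaped response fields. The RADIUS code and NAS-Port-Type names come from RFC 2865; the line layout is assumed from the quoted log, and the function names are this example's own.

```python
import re

# Lines copied from the controller debug output quoted in the post above.
SAMPLE_LOG = r"""
Mar 17 00:23:33 :121031: |authmgr| |aaa| Sending radius request to nps:100.0.100.1:1812 id:1,len:213
Mar 17 00:23:33 :121031: |authmgr| |aaa| NAS-Port-Type: 19
Mar 17 00:23:33 :121031: |authmgr| |aaa| User-Name: administrator
Mar 17 00:23:34 :121031: |authmgr| |aaa| Authentication failed
Mar 17 00:23:34 :121031: |authmgr| |aaa| RADIUS RESPONSE ATTRIBUTES:
Mar 17 00:23:34 :121031: |authmgr| |aaa| {Microsoft} MS-CHAP-Error:
Mar 17 00:23:34 :121031: |authmgr| |aaa| PW_RADIUS_ID: \001
Mar 17 00:23:34 :121031: |authmgr| |aaa| PW_RADIUS_CODE: \003
"""

# Packet codes and NAS-Port-Type values as defined in RFC 2865.
RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept",
                3: "Access-Reject", 11: "Access-Challenge"}
NAS_PORT_TYPES = {15: "Ethernet", 19: "Wireless-802.11"}
LINE_RE = re.compile(r"\|authmgr\|\s+\|aaa\|\s+:?(.*)$")

def unescape(value):
    """Turn the \\NNN octal escapes used for non-printable bytes back into bytes."""
    return re.sub(r"\\([0-3][0-7]{2})",
                  lambda m: chr(int(m.group(1), 8)), value).encode("latin-1")

def summarize(log):
    request_id, section = None, "request"
    attrs = {"request": {}, "response": {}}
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        text = m.group(1).strip()
        sent = re.match(r"Sending radius request .* id:(\d+)", text)
        if sent:
            request_id = int(sent.group(1))
        elif text == "RADIUS RESPONSE ATTRIBUTES:":
            section = "response"          # everything after this is the reply
        elif ":" in text:
            name, _, value = text.partition(":")
            attrs[section][name.strip()] = value.strip()
    req, resp = attrs["request"], attrs["response"]
    code, rid = resp.get("PW_RADIUS_CODE"), resp.get("PW_RADIUS_ID")
    return {
        "user": req.get("User-Name"),
        "nas_port_type": NAS_PORT_TYPES.get(int(req.get("NAS-Port-Type", -1))),
        # None here means no response block was logged for the request.
        "response": RADIUS_CODES.get(unescape(code)[0]) if code else None,
        "id_match": bool(rid) and unescape(rid)[0] == request_id,
        "mschap_error_present": any("MS-CHAP-Error" in k for k in resp),
    }
```

Run over the excerpt, this reports an Access-Reject whose identifier matches request id 1 and which carries an MS-CHAP-Error attribute, so the server received the request and answered it.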
Guru Elite
Posts: 19,995
Registered: ‎03-29-2007

Re: Aruba 620, Windows 2008 Radius Authentication Failure

Please look in the Event Viewer on the Windows 2008 server (under Security). That will say exactly why authentication is failing.
Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Validated Reference Design Guides : http://community.arubanetworks.com/t5/Validated-Reference-Design/tkb-p/Aruba-VRDs
New Contributor
Posts: 4
Registered: ‎02-02-2011

Re: Aruba 620, Windows 2008 Radius Authentication Failure

Hi,

Many thanks for your response. I have just been looking at the system in question; when we try using the aaa test we get Authentication Failed (even tried Radius through Captive Portal but get the same). We have created a copy of a standard user who will access the system as arubatest to make it easier to track within the event viewer.

However we get the following in the Windows Event viewer:

The domain controller attempted to validate the credentials for an account.

Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: arubatest
Source Workstation:
Error Code: 0x0


A logon was attempted using explicit credentials.

Subject:
Security ID: SYSTEM
Account Name: WEASEL$
Account Domain: HHA
Logon ID: 0x3e7
Logon GUID: {00000000-0000-0000-0000-000000000000}

Account Whose Credentials Were Used:
Account Name: arubatest
Account Domain: HHA
Logon GUID: {00000000-0000-0000-0000-000000000000}

Target Server:
Target Server Name: localhost
Additional Information: localhost

Process Information:
Process ID: 0x130
Process Name: C:\Windows\System32\svchost.exe

Network Information:
Network Address: -
Port: -

This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.


An account was successfully logged on.

Subject:
Security ID: SYSTEM
Account Name: WEASEL$
Account Domain: HHA
Logon ID: 0x3e7

Logon Type: 3

New Logon:
Security ID: HHA\arubatest
Account Name: arubatest
Account Domain: HHA
Logon ID: 0xa286c31
Logon GUID: {00000000-0000-0000-0000-000000000000}

Process Information:
Process ID: 0x130
Process Name: C:\Windows\System32\svchost.exe

Network Information:
Workstation Name:
Source Network Address: -
Source Port: -

Detailed Authentication Information:
Logon Process: IAS
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

This event is generated when a logon session is created. It is generated on the computer that was accessed.

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.


Special privileges assigned to new logon.

Subject:
Security ID: HHA\arubatest
Account Name: arubatest
Account Domain: HHA
Logon ID: 0xa286c31

Privileges: SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeEnableDelegationPrivilege
SeImpersonatePrivilege


An account was logged off.

Subject:
Security ID: HHA\arubatest
Account Name: arubatest
Account Domain: HHA
Logon ID: 0xa286c31

Logon Type: 3

This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.


To me it looks like Radius has authorised the user but the Aruba fails? Am I wrong from these logs? The logs from trying through the Captive Portal were also the same.

Any ideas where to look?

Your help is much appreciated.

Many Thanks,
Matthew
Guru Elite
Posts: 19,995
Registered: ‎03-29-2007

Re: Aruba 620, Windows 2008 Radius Authentication Failure

You need to look in the correct logs. In the Event Viewer, go under Custom Views > Network Policy and Access. Your "access reject" message should look like the picture below. Go all the way to the bottom of the message to find out why it is rejected.



In addition, please see the attached file on how to setup NPS. You probably have already done the majority of it right; just skim through the document to see if anything needs to be corrected.
Colin Joseph
Aruba Customer Engineering

New Contributor
Posts: 4
Registered: ‎02-02-2011

Re: Aruba 620, Windows 2008 Radius Authentication Failure

Hi,

Many thanks for your help; the attached file was how the server was configured (from half way, as NPS and Radius settings are already in use - so it was started from opening up the mmc).

However, with regard to the event viewer, we are unable to find any reference like that of your attached picture for Network Policy and Access Services. Does this mean something was not fully installed originally - or does something need to be activated? Unfortunately this is a client's server, so I have little access or knowledge of the prior installation.

Your continued help is much appreciated.

Many Thanks,
Matthew
Guru Elite
Posts: 19,995
Registered: ‎03-29-2007

Re: Aruba 620, Windows 2008 Radius Authentication Failure

Look in the security log. The task category would be Network Policy Server.
Colin Joseph
Aruba Customer Engineering

New Contributor
Posts: 4
Registered: ‎02-02-2011

Re: Aruba 620, Windows 2008 Radius Authentication Failure

Hi,

Finally located a log entry; the only thing I can find is the following:



The Aruba is the client mentioned. The Radius configuration was configured as listed in the documentation you provided earlier, from the point of finishing Radius installation, as Radius is already configured and being used.

Many Thanks
Guru Elite
Posts: 19,995
Registered: ‎03-29-2007

Re: Aruba 620, Windows 2008 Radius Authentication Failure

That message normally means that the client does not trust the certificate that is on the radius server.
Colin Joseph
Aruba Customer Engineering

Frequent Contributor I
Posts: 65
Registered: ‎09-29-2010

Re: Aruba 620, Windows 2008 Radius Authentication Failure

Just to make sure we are on the same page: under the "802.1X Authentication Profile" part of the AAA profile, you have the Termination box checked? And you are using eap-MSCHAPv2?