ArubaOS and Controllers

Occasional Contributor II
Posts: 45
Registered: ‎04-06-2010

Authentication Mechanism and failed authentication?

So we have our Aruba RAPs set up to use machine and user authentication. Some users fail and fall into our failed authentication role and this is what I see in the log:
---------------------------------------------------------------------------
2010-06-21 08:54:25 User 10.50.31.209 with MAC address XX:XX:XX:XX:XX:XX and name Domain\username is authenticated with authentication mechanism 11 and the Role given is Failed_Auth_Role
2010-06-21 08:54:25 User 10.50.31.209 with MAC address XX:XX:XX:XX:XX:XX and name Domain\username was authenticated with authentication mechanism 11 and the role assigned was Failed_Auth_Role
2010-06-21 08:54:25 User with MAC address XX:XX:XX:XX:XX:XX and IP address 10.50.31.209 has changed: Change type is 3
2010-06-21 08:54:25 User 169.254.250.172 with MAC address XX:XX:XX:XX:XX:XX and name Domain\username is authenticated with authentication mechanism 11 and the Role given is Failed_Auth_Role
2010-06-21 08:54:25 User 169.254.250.172 with MAC address XX:XX:XX:XX:XX:XX and name Domain\username was authenticated with authentication mechanism 11 and the role assigned was Failed_Auth_Role
2010-06-21 08:54:25 User with MAC address XX:XX:XX:XX:XX:XX and IP address 169.254.250.172 has changed: Change type is 3
2010-06-21 08:54:25 User with MAC address XX:XX:XX:XX:XX:XX and IP address 0.0.0.0 has changed: Change type is 3
2010-06-21 08:54:25 User 10.50.31.209 with MAC address XX:XX:XX:XX:XX:XX and name Domain\username is authenticated with authentication mechanism 4 and the Role given is Intranet
2010-06-21 08:54:25 User 10.50.31.209 with MAC address XX:XX:XX:XX:XX:XX and name Domain\username was authenticated with authentication mechanism 4 and the role assigned was Intranet
2010-06-21 08:54:25 User with MAC address XX:XX:XX:XX:XX:XX and IP address 10.50.31.209 has changed: Change type is 3
2010-06-21 08:54:26 User 169.254.250.172 with MAC address XX:XX:XX:XX:XX:XX and name Domain\username is authenticated with authentication mechanism 4 and the Role given is Intranet
2010-06-21 08:54:26 User 169.254.250.172 with MAC address XX:XX:XX:XX:XX:XX and name Domain\username was authenticated with authentication mechanism 4 and the role assigned was Intranet
-----------------------------------------------------------------
What is Authentication Mechanism 11? Is there some easier way to troubleshoot why some users may be failing whatever this is?

Some more details on our config:
PEAP is used for authentication with a Cisco ACS server as the RADIUS server.

Thank you!
Guru Elite
Posts: 20,416
Registered: ‎03-29-2007

Don't know what Authentication mechanism 11 is





Three questions...

- What version of ArubaOS is this?
- Are you doing "enforce machine authentication"?
- Did this ever work?

Sincerely,


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor II
Posts: 45
Registered: ‎04-06-2010

Re: Authentication Mechanism and failed authentication?






It is 3.3.2.
Yes, Enforce Machine Authentication is enabled.
Yes, it works for most users reliably, but some have issues.

Thank you!
Occasional Contributor II
Posts: 45
Registered: ‎04-06-2010

Re: Authentication Mechanism and failed authentication?

Interesting, I also see this in the user.log:

Jun 21 07:48:03 stm: <501074> |stm| wifi_deauth_sta: bad data, dropping. mac: XX:XX:XX:XX:XX:XX bssid: 01:80:c2:00:00:03

I actually think this is the real reason, I did some more digging and this is the error I can correlate when we have the issue and I matched it to a couple of users having this issue right now.
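
An added example (not code from the thread's participants or from Aruba): one way to automate the correlation described in the post above, matching Failed_Auth_Role assignments against `wifi_deauth_sta: bad data` entries by MAC address. The sample log lines, MAC addresses, usernames and the 30-second window are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in the two formats quoted in this thread; the MAC
# addresses and usernames are made up (the thread redacts the real ones).
AUTH_LOG = """\
2010-06-21 07:48:05 User 10.50.31.209 with MAC address 00:11:22:33:44:55 and name Domain\\alice was authenticated with authentication mechanism 11 and the role assigned was Failed_Auth_Role
2010-06-21 08:54:25 User 10.50.31.210 with MAC address 00:11:22:33:44:66 and name Domain\\bob was authenticated with authentication mechanism 11 and the role assigned was Failed_Auth_Role
2010-06-21 08:54:26 User 10.50.31.210 with MAC address 00:11:22:33:44:66 and name Domain\\bob was authenticated with authentication mechanism 4 and the role assigned was Intranet
"""
USER_LOG = """\
Jun 21 07:48:03 stm: <501074> |stm| wifi_deauth_sta: bad data, dropping. mac: 00:11:22:33:44:55 bssid: 01:80:c2:00:00:03
"""
# Only the "was authenticated" line is parsed; the "is authenticated" line
# logged alongside it carries the same fields and would double-count.
AUTH_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) User \S+ with MAC address (?P<mac>\S+) "
    r"and name (?P<name>\S+) was authenticated with authentication mechanism "
    r"(?P<mech>\d+) and the role assigned was (?P<role>\S+)$")
DEAUTH_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) stm: <501074> \|stm\| wifi_deauth_sta: "
    r"bad data, dropping\. mac: (?P<mac>\S+) bssid: \S+$")

def parse_auth(text):
    """Yield (time, mac, name, mechanism, role) for each role assignment."""
    for m in filter(None, map(AUTH_RE.match, text.splitlines())):
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        yield ts, m["mac"].lower(), m["name"], int(m["mech"]), m["role"]

def parse_deauth(text, year):
    """Yield (time, mac); syslog stamps have no year, so the caller supplies it."""
    for m in filter(None, map(DEAUTH_RE.match, text.splitlines())):
        yield datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"), m["mac"].lower()

def correlate(auth, deauth, role="Failed_Auth_Role", window=timedelta(seconds=30)):
    """List (name, mac, mechanism, near_bad_data) for every assignment of `role`.
    The 30-second window is an assumption, not a value from the thread."""
    deauth = list(deauth)
    return [(name, mac, mech,
             any(d_mac == mac and abs(ts - d_ts) <= window for d_ts, d_mac in deauth))
            for ts, mac, name, mech, r in auth if r == role]

if __name__ == "__main__":
    for row in correlate(parse_auth(AUTH_LOG), parse_deauth(USER_LOG, 2010)):
        print(row)
```

Rows whose last field is False are failed-role assignments with no nearby bad-data deauth for that MAC, so they need a different explanation than the one proposed in the post.
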
Guru Elite
Posts: 20,416
Registered: ‎03-29-2007

Failed Auth Role

Under what circumstances does the user get into a failed auth role? With 802.1x a user is disconnected when they do not pass authentication, period. How is this being handled currently?


Colin Joseph
Aruba Customer Engineering


Occasional Contributor II
Posts: 45
Registered: ‎04-06-2010

Re: Authentication Mechanism and failed authentication?

I should be more specific, I apologize. What seems to happen is that User or Computer auth fails but the other succeeds.

What I seem to be seeing is that the computer authentication passes but then user authentication fails with:

Jun 21 07:48:03 stm: <501074> |stm| wifi_deauth_sta: bad data, dropping. mac: XX:XX:XX:XX:XX:XX bssid: 01:80:c2:00:00:03

Thank you!
Guru Elite
Posts: 20,416
Registered: ‎03-29-2007

Uncheck "Enforce Machine Authentication"

Please uncheck "Enforce Machine Authentication" and let it simmer. When you uncheck that, all of your authentication should go through. Do users get a "Failed Auth Role" when they only pass machine authentication or when they only pass user authentication? In addition, you should extend your machine authentication cache timeout to a week, because machine authentication only occurs when a user is at the Ctrl+Alt+Delete screen. The machine authentication cache keeps that authentication only for 24 hours by default, which means a decent number of users will fall into that Failed Auth Role if they don't log off their machines daily. Turn "Enforce" back on after you have extended the machine authentication cache timeout and see if you are having the same issues.


Colin Joseph
Aruba Customer Engineering


Occasional Contributor II
Posts: 45
Registered: ‎04-06-2010

Re: Authentication Mechanism and failed authentication?

We already have the machine timeout set to 7 days, I actually am beginning to think that this is an issue with SP2. We have a few systems remaining on SP2 and so far the ones with the issue all seem to still be at SP2 so I have pushed them to get those systems updated first to see if the issues go away.

I hate to disable machine authentication since these RAPs are in untrusted areas, so I will have to leave that as a last resort for troubleshooting. What strikes me as odd is the Bad Data log entry, which causes the machine authentication to be reset since the MAC is now missing from the internal database. I wish I could figure out what causes that issue.
Guru Elite
Posts: 20,416
Registered: ‎03-29-2007

Removal

The only thing that will remove the mac from the database is NOT an authentication failure, but when it expires. If you turn off enforce machine authentication, devices and users will STILL need valid credentials to get on the network. Bad wifi data sometimes is a function of drivers that need to be updated. Open a case if you want it pursued in depth.


Colin Joseph
Aruba Customer Engineering


Occasional Contributor II
Posts: 45
Registered: ‎04-06-2010

Re: Authentication Mechanism and failed authentication?

Thank you Colin! So when I remove a MAC from the internal database that doesn't reset the machine authentication?

My fear is that while they will still need credentials they will no longer need to use a PC that is a member of our domain. We operate in some very remote areas and our access is often the ONLY internet access in close to a hundred miles, so we see people try to plug their personal devices in at the office and they are technical enough to get it working without machine auth. I actually expect them to figure out MAC spoofing soon as well but you can only do so much!

I may try that on some isolated APs with users known to have issues to minimize any impact. I wasn't trying to dismiss your guidance at all.

I am also going to open a case tomorrow as well. Thank you again for all the help!