Occasional Contributor I

Can't get computers to authenticate

I'm having problems getting the Aruba 6000 controller to authenticate computers against our NPS server with 802.1x. The computer I'm testing with has no problem authenticating while connected by wire to a 3com switch. But when I try to authenticate through the Aruba it fails.

GPO
The gpo setting for wired and wireless authentication is nearly identical.

Events from NPS Server

Wired Computer
Network Policy Server granted access to a user.

User:
Security ID: mydomain\CLIENT10$
Account Name: host/CLIENT10. mydomain.se
Account Domain: mydomain
Fully Qualified Account Name: mydomain\CLIENT10$

Client Machine:
Security ID: NULL SID
Account Name: CLIENT10. mydomain.se
Fully Qualified Account Name: mydomain\CLIENT10$
OS-Version: 6.1.7601 1.0 x86 Workstation
Called Station Identifier: -
Calling Station Identifier: 0021-70cb-4a2e

NAS:
NAS IPv4 Address: 10.10.100.68
NAS IPv6 Address: -
NAS Identifier: IT-NAP-MB
NAS Port-Type: Ethernet
NAS Port: 16794200

RADIUS Client:
Client Friendly Name: IT-NAP-MB
Client IP Address: 10.10.100.68

Authentication Details:
Connection Request Policy Name: NAP 802.1X (Wired)
Network Policy Name: mgt
Authentication Provider: Windows
Authentication Server: NAP. mydomain.se
Authentication Type: PEAP
EAP Type: Microsoft: Secured password (EAP-MSCHAP v2)
Account Session Identifier: -
Logging Results: Accounting information was written to the local log file.

Quarantine Information:
Result: Full Access
Session Identifier: {794434F1-584F-49A2-87EE-0CC3F1AFD0B2} - 2011-09-23 06:57:31.927Z


Wireless Computer
Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:
Security ID: NULL SID
Account Name: host/CLIENT10. mydomain.se
Account Domain: mydomain
Fully Qualified Account Name: mydomain\CLIENT10$

Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
OS-Version: -
Called Station Identifier: 000B8611CF00
Calling Station Identifier: 0019D24E96CD

NAS:
NAS IPv4 Address: 10.10.100.85
NAS IPv6 Address: -
NAS Identifier: ARUBA
NAS Port-Type: Wireless - IEEE 802.11
NAS Port: 0

RADIUS Client:
Client Friendly Name: ARUBA
Client IP Address: 10.10.100.85

Authentication Details:
Connection Request Policy Name: Wireless
Network Policy Name: -
Authentication Provider: Windows
Authentication Server: NAP. mydomain.se
Authentication Type: MS-CHAPv2
EAP Type: -
Account Session Identifier: -
Logging Results: Accounting information was written to the local log file.
Reason Code: 16
Reason: Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.


I have been testing a lot now and don't seem to get anywhere. Please help me.
Aruba Employee

Re: Can't get computers to authenticate

Double check the RADIUS shared secret. You can tell what it is set to on the controller by doing the commands "encrypt disable", then "show run | begin ". Look for the "key" parameter.
Guru Elite

Re: Can't get computers to authenticate






Your eventviewer message is inconclusive, because you omitted information. Please take a look at the NPS configuration guide here http://airheads.arubanetworks.com/vBulletin/showthread.php?t=4209 and work backwards.

If I had to guess, I would say that you should make sure that termination is NOT enabled on the Aruba controller: Go to configuration>security> Authentication> L2 Authentication> Click on 802.1x authentication profile. Find the profile that corresponds to your WLAN and click on it. In the right pane, I would make sure that Termination is Unchecked.


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base
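An added example (not part of any post in this thread): a field-by-field comparison of the granted and denied NPS events from the original post, showing that the wireless request reached NPS as bare MS-CHAPv2 with no EAP type. The function names and the termination heuristic are assumptions made for illustration.

```python
import re

# Fields copied from the two NPS events in the original post (excerpt).
WIRED = """\
Account Name: host/CLIENT10. mydomain.se
NAS Port-Type: Ethernet
Network Policy Name: mgt
Authentication Type: PEAP
EAP Type: Microsoft: Secured password (EAP-MSCHAP v2)
"""
WIRELESS = """\
Account Name: host/CLIENT10. mydomain.se
NAS Port-Type: Wireless - IEEE 802.11
Network Policy Name: -
Authentication Type: MS-CHAPv2
EAP Type: -
Reason Code: 16
"""

def parse_event(text):
    """Return {field: value} for 'Name: value' lines; '-' or empty becomes None."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+):\s*(.*)$", line)
        if m:
            value = m.group(2).strip()
            fields.setdefault(m.group(1).strip(), None if value in ("", "-") else value)
    return fields

def diff_events(good, bad):
    """Fields whose values differ between the granted and the denied event."""
    keys = sorted(set(good) | set(bad))
    return {k: (good.get(k), bad.get(k)) for k in keys if good.get(k) != bad.get(k)}

def eap_terminated_at_nas(event):
    """Heuristic (assumption): an 802.11 request carrying MS-CHAPv2 but no EAP
    type means the NAS terminated EAP and forwarded only the inner method."""
    return (
        "802.11" in (event.get("NAS Port-Type") or "")
        and event.get("EAP Type") is None
        and (event.get("Authentication Type") or "").upper().startswith("MS-CHAP")
    )

if __name__ == "__main__":
    wired, wireless = parse_event(WIRED), parse_event(WIRELESS)
    for field, (ok, failed) in diff_events(wired, wireless).items():
        print(f"{field}: wired={ok!r} wireless={failed!r}")
    print("EAP terminated before NPS:", eap_terminated_at_nas(wireless))
```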

Occasional Contributor I

Re: Can't get computers to authenticate

Thanks for your quick reply

I've double checked the key and it's right.

When I uncheck the termination there are no events at all at the NPS server.
Guru Elite

Re: Can't get computers to authenticate

After you uncheck termination, try to connect a client. There should be a message in the Eventviewer.
In your NPS server, go to Event viewer> Custom Views> Server Roles> Network Policy and Access Services to see the events.

In addition, on the Controller, please go to Diagnostics Tab> AAA Test server. Change the dropdown to your test server and test your AD username and password.


Colin Joseph
Aruba Customer Engineering


Occasional Contributor I

Re: Can't get computers to authenticate

I checked again and there are no new messages.

It works when I run the diagnostic test.

It feels like the Aruba just tries to authenticate users and not computers.
Guru Elite

Re: Can't get computers to authenticate






Computer Authentication does NOT work with Termination Enabled. Disable the laptop adapter and then enable it and then connect again. Go on the controller's commandline and type "show auth-tracebuf"


Colin Joseph
Aruba Customer Engineering


Occasional Contributor I

Re: Can't get computers to authenticate

Nothing happens when restarting the laptop. I'm not sure how to read the info from the command.


173 -
Sep 23 13:59:57 wpa2-key1 <- 00:13:e8:d9:4b:55 d8:c7:c8:a8:e7:91 - 117
Sep 23 13:59:57 wpa2-key2 -> 00:13:e8:d9:4b:55 d8:c7:c8:a8:e7:91 - 119
Sep 23 13:59:57 wpa2-key3 <- 00:13:e8:d9:4b:55 d8:c7:c8:a8:e7:91 - 151
Sep 23 13:59:57 wpa2-key4 -> 00:13:e8:d9:4b:55 d8:c7:c8:a8:e7:91 - 95
Sep 23 13:59:57 station-up * 90:21:55:da:9a:e9 d8:c7:c8:a8:e2:81 - - wpa2 psk aes
Sep 23 13:59:57 station-data-ready * 90:21:55:da:9a:e9 00:00:00:00:00:00 230 -
Sep 23 13:59:57 wpa2-key1 <- 90:21:55:da:9a:e9 d8:c7:c8:a8:e2:81 - 117
Sep 23 13:59:57 station-down * 90:21:55:da:9a:e9 d8:c7:c8:a8:e2:81
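An added example (not part of the post above): one way to read the posted "show auth-tracebuf" lines is to group them by station MAC and check whether the client from the denied NPS event (Calling Station Identifier 0019D24E96CD) appears at all. The column layout and the eap-/rad- event-name prefixes are assumptions; the trace lines are copied from the post.

```python
import re

# auth-tracebuf lines copied from the post above.
TRACE = """\
Sep 23 13:59:57 wpa2-key1 <- 00:13:e8:d9:4b:55 d8:c7:c8:a8:e7:91 - 117
Sep 23 13:59:57 wpa2-key2 -> 00:13:e8:d9:4b:55 d8:c7:c8:a8:e7:91 - 119
Sep 23 13:59:57 wpa2-key3 <- 00:13:e8:d9:4b:55 d8:c7:c8:a8:e7:91 - 151
Sep 23 13:59:57 wpa2-key4 -> 00:13:e8:d9:4b:55 d8:c7:c8:a8:e7:91 - 95
Sep 23 13:59:57 station-up * 90:21:55:da:9a:e9 d8:c7:c8:a8:e2:81 - - wpa2 psk aes
Sep 23 13:59:57 station-data-ready * 90:21:55:da:9a:e9 00:00:00:00:00:00 230 -
Sep 23 13:59:57 wpa2-key1 <- 90:21:55:da:9a:e9 d8:c7:c8:a8:e2:81 - 117
Sep 23 13:59:57 station-down * 90:21:55:da:9a:e9 d8:c7:c8:a8:e2:81
"""

# Assumed layout: timestamp, event, direction, station MAC, remaining columns.
LINE = re.compile(
    r"^\w{3}\s+\d+\s+[\d:]+\s+(\S+)\s+(\S+)\s+((?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s*(.*)$", re.I)

def norm_mac(mac):
    """Lower-case hex digits only, so 0019D24E96CD and 00:19:d2:4e:96:cd compare equal."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())

def parse_trace(text):
    rows = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            rows.append({"event": m.group(1), "station": norm_mac(m.group(3)), "rest": m.group(4)})
    return rows

def summarize(rows, client_mac):
    stations = {r["station"] for r in rows}
    return {
        "client_seen": norm_mac(client_mac) in stations,
        "stations": sorted(stations),
        # Assumption: 802.1X / RADIUS exchanges are logged as eap-* and rad-* events.
        "dot1x_events": [r["event"] for r in rows if r["event"].startswith(("eap", "rad"))],
        "psk_stations": sorted({r["station"] for r in rows
                                if r["event"] == "station-up" and " psk " in f" {r['rest']} "}),
    }

if __name__ == "__main__":
    for key, value in summarize(parse_trace(TRACE), "0019D24E96CD").items():
        print(f"{key}: {value}")
```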
Guru Elite

Re: Can't get computers to authenticate

What kind of laptop is this? What OS, What WLAN adapter and what is the driver date?


Colin Joseph
Aruba Customer Engineering


Occasional Contributor I

Re: Can't get computers to authenticate

I'm off for the weekend now but I'll get back to you on Monday. Thank you for the help this far.