ArubaOS and Controllers

New Contributor
Posts: 3
Registered: ‎02-13-2008

Can't logon to Controller from a wireless connection using Radius

Has anyone else seen this?

We have a Juniper SBR environment, with AD creds to use to login to Controller. When using a wired connection, I can sign onto the controller just fine using my AD login. If I switch to a wireless connection, I can't sign onto the controller using AD. I can sign in fine with a local account to the controller.

Running ArubaOS 3.3.2.10. Seems very weird to me. Seeing that I can sign in correctly with a wired connection, that tells me the SBR/Aruba/AD environment is totally set up correctly... What am I missing?

Thanks,
George
Guru Elite
Posts: 20,574
Registered: ‎03-29-2007

Cannot login...

gleung,

You need to start authentication debugging and see what the problem is. Do this:

config t
logging level debug security process authmgr



Go back into the GUI and do a "show log security 20" and see what the controller says about your failures.

Does the SBR say anything about your failures?


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

New Contributor
Posts: 3
Registered: ‎02-13-2008

Re: Can't logon to Controller from a wireless connection using Radius

Thanks, I will turn on debugging and see what I can see...

SBR just says this:
06/25/2009 16:51:54 Unable to find user gleung with matching password
06/25/2009 16:51:54 Sent reject response

The logging level for SBR is set to 0. I know I can set it to 4 to enable a lot more logging, but doing that requires a restart of SBR, so I need to schedule a change to make that happen.

Thanks,
george
MVP
Posts: 496
Registered: ‎04-03-2007

Test auth?

What is the result of:
aaa test-server mschapv2   
aaa test-server pap
==========
Ryan Holland, ACDX #1 ACMX #1
The Ohio State University
New Contributor
Posts: 3
Registered: ‎02-13-2008

Re: Can't logon to Controller from a wireless connection using Radius

Sorry for the late response...

The issue is intermittent, so I had to wait again for it to happen...

Ryan, both those commands came back successful.

cjoseph, I configured the debug and tried it, here are the contents (IPs and such changed):

Aug 6 10:17:55 :124004: |authmgr| RX (sock) message of type 1, len 608
Aug 6 10:17:55 :124004: |authmgr| Setting auth subtype 'PAP' for user 192.168.1.1, client Management
Aug 6 10:17:55 :124004: |authmgr| Setting auth type 'Management' for user 192.168.1.1, client Management
Aug 6 10:17:55 :124004: |authmgr| Setting authstate 'started' for user 192.168.1.1, client Management
Aug 6 10:17:55 :124004: |authmgr| Select server for method=Management, user=gleung, essid=MYESSID, server-group=MYRadius, last_srv <>
Aug 6 10:17:55 :124004: |authmgr| server=RADIUSSrv, ena=1, ins=1 (1)
Aug 6 10:17:55 :124038: |authmgr| Selected server RADIUSSrv for method=Management; user=gleung, essid=MYESSID, domain=<>, server-group=MYRadius
Aug 6 10:17:55 :124003: |authmgr| Authentication result=Authentication failed(1), method=Management, server=RADIUSSrv, user=MYMAC
Aug 6 10:17:55 :124004: |authmgr| Auth server 'RADIUSSrv' response=1
Aug 6 10:17:55 :124004: |authmgr| Setting authserver 'RADIUSSrv' for user 192.168.1.1, client Management
Aug 6 10:17:55 :199802: |authmgr| ncfg_auth.c, ncfg_get_max_auth_failures:497: Unknown authentication type 9
Aug 6 10:17:55 :125020: |aaa| Server Authentication Failed, Checking mgmt-user config-db. State=0
Aug 6 10:17:55 :125022: |aaa| Authentication failed for User gleung, Logged in from 192.168.1.1 port 62290, Connecting to 192.168.1.254 port 4343 connection type HTTPS

It looks like the controller is sending the data, but SBR doesn't like something?
Guru Elite
Posts: 20,574
Registered: ‎03-29-2007

The Answer

Gleung,

Unfortunately, the controller is just repeating the RADIUS server's rejection.

If you are using AD credentials to log in to the controller to manage it, it sends your credentials with a different nas-port-type (VPN) than it would when you are logging in wirelessly (802.11). It is possible that the Juniper is ONLY looking for authentication that uses the NAS-Port-Type (VPN) and not the one you need for wireless authentication (802.11). If you enable more debugging, you can see what the NAS-Port-Type of your test authentications is on the Juniper. You could of course call Juniper to set this up properly, unless there are Juniper experts in the audience....


Colin Joseph
Aruba Customer Engineering
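
Added example, not part of the original posts and not Aruba or Juniper code: a small Python parser that pulls User-Name and NAS-Port-Type out of two RADIUS Access-Request packets so the working and failing logins can be compared attribute by attribute. The packets are constructed test data, and mapping the "VPN" type mentioned above to the RFC 2865 value 5 (Virtual) is an assumption; 19 is Wireless-802.11 in the same RFC.

```python
import struct

# NAS-Port-Type (attribute 61) values from RFC 2865 (subset).
NAS_PORT_TYPES = {5: "Virtual", 15: "Ethernet", 19: "Wireless-802.11"}
USER_NAME, NAS_PORT_TYPE = 1, 61
ACCESS_REQUEST = 1

def build_request(ident, user, port_type):
    """Build a minimal Access-Request (constructed test data, no password AVP)."""
    name = user.encode()
    avps = bytes([USER_NAME, 2 + len(name)]) + name
    avps += bytes([NAS_PORT_TYPE, 6]) + struct.pack("!I", port_type)
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(avps))
    return header + bytes(16) + avps  # zeroed Request Authenticator

def parse_avps(packet):
    """Return {type: value_bytes} for one RADIUS packet, validating lengths."""
    if len(packet) < 20:
        raise ValueError("shorter than RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad length field")
    avps, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated AVP header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad AVP length")
        avps[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return avps

def summarize(packet):
    """Return (user, NAS-Port-Type name), or (user, None) if the AVP is absent."""
    avps = parse_avps(packet)
    user = avps.get(USER_NAME, b"").decode(errors="replace")
    raw = avps.get(NAS_PORT_TYPE)
    if raw is None or len(raw) != 4:
        return user, None
    value = struct.unpack("!I", raw)[0]
    return user, NAS_PORT_TYPES.get(value, f"unknown({value})")

def port_type_mismatch(ok_packet, failing_packet):
    """True when the same user arrives with different NAS-Port-Type values."""
    (u1, t1), (u2, t2) = summarize(ok_packet), summarize(failing_packet)
    return u1 == u2 and t1 != t2

if __name__ == "__main__":
    wired = build_request(1, "gleung", 5)      # constructed: login that works
    wireless = build_request(2, "gleung", 19)  # constructed: login that fails
    print(summarize(wired), summarize(wireless), port_type_mismatch(wired, wireless))
```
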

