ArubaOS and Controllers

Occasional Contributor I

Controller 802.1x Termination error message

I've configured a wlan that uses 802.1x termination on the controller for testing. All appears to be working fine, until I change the reauthentication interval. That being said the default is longer than any test client would stay associated to the wlan. I'd like to bring the reauthentication interval down to 5 minutes for testing.

We have some users that use active SSL VPNs while connected to one of our wlans that uses 802.1x PEAP/MSCHAPv2. We are seeing the SSL tunnel bounce when the client initiates the reauthentication attempt at the set interval from the RADIUS server. At this time I don't believe it has anything to do with the wireless infrastructure, but I'd like to be able to replicate it on a test wlan every 5 minutes.

When I change the reauthentication interval to 300 seconds I see the following error on my syslog server.

authmgr: <132155> |authmgr| Station 00:18:de:d4:9e:85 00:0b:86:ae:62:f0 sent inner EAP type 1 that is not supported

I have double checked the inner EAP method configuration and it is set to eap-mschapv2.

When this happens the client loses connectivity and doesn't seem to reauthenticate gracefully; it's hit and miss. I hope I'm not missing something obvious but I will admit I've never had to tweak the reauthentication intervals.

Thanks.
kirk.
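
For triage of the syslog message quoted in the post above, an added example (not part of the thread and not ArubaOS code) that decodes the inner EAP type number and checks whether the rejections recur on the configured reauthentication interval. The ISO timestamp prefix, the reading of the second address as the BSSID, and the sample lines are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Common EAP method type numbers (IANA registry values).
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             6: "GTC", 13: "EAP-TLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}
MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
# Message body as quoted in the post. The leading timestamp is an assumed
# syslog-server prefix; the second address is assumed to be the BSSID.
LINE = re.compile(
    rf"^(?:(?P<ts>\d{{4}}-\d\d-\d\dT\d\d:\d\d:\d\d)\s+)?authmgr: <\d+> "
    rf"\|authmgr\| Station (?P<sta>{MAC}) (?P<bssid>{MAC}) "
    rf"sent inner EAP type (?P<eap>\d+) that is not supported", re.I)

def parse(line):
    """Return the fields of one rejected-inner-EAP message, or None."""
    m = LINE.match(line.strip())
    if not m:
        return None
    eap = int(m["eap"])
    return {"ts": datetime.fromisoformat(m["ts"]) if m["ts"] else None,
            "station": m["sta"].lower(), "bssid": m["bssid"].lower(),
            "eap_type": eap, "eap_name": EAP_TYPES.get(eap, "unknown")}

def failures_on_interval(lines, reauth_s, tolerance_s=15):
    """Per station: events seen, and gaps that land on a multiple of reauth_s."""
    seen = defaultdict(list)
    for ev in filter(None, map(parse, lines)):
        if ev["ts"]:
            seen[ev["station"]].append(ev["ts"])
    report = {}
    for sta, stamps in seen.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        aligned = sum(1 for g in gaps if g >= reauth_s - tolerance_s and
                      min(g % reauth_s, reauth_s - g % reauth_s) <= tolerance_s)
        report[sta] = {"events": len(stamps), "gaps": len(gaps), "aligned": aligned}
    return report

# Constructed sample: the post's message with made-up timestamps.
BODY = ("authmgr: <132155> |authmgr| Station 00:18:de:d4:9e:85 "
        "00:0b:86:ae:62:f0 sent inner EAP type 1 that is not supported")
SAMPLE = [f"2010-03-01T10:05:02 {BODY}", f"2010-03-01T10:10:03 {BODY}",
          f"2010-03-01T10:20:01 {BODY}", "2010-03-01T10:21:30 unrelated line"]

if __name__ == "__main__":
    print(parse(BODY)["eap_name"], failures_on_interval(SAMPLE, 300))
```

A high share of aligned gaps for a station ties its failures to the reauthentication timer rather than to roaming or signal loss.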
Guru Elite

Reauthentication Interval


Questions:

What kind of clients are these?
Did you try this without termination?
Are you using active directory?
What is the encryption on these wireless networks and are you using "Validate PMKID" to ensure that the client supports OKC properly?


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor I

Re: Controller 802.1x Termination error message

What kind of clients are these? Vista
Did you try this without termination? No I haven't, I don't have a RADIUS server to test with.
Are you using active directory? No, local DB on controller.
What is the encryption on these wireless networks and are you using "Validate PMKID" to ensure that the client supports OKC properly? WPA2, I have configured the "Validate PMKID" option under the Layer2/802.1x Auth profile.

I hope I'm not misunderstanding that I should be able to terminate 802.1x authentication locally on the controller with the local DB, and bring the reauthentication interval down so I can test a short window for reauthentications.

Thanks.
Kirk.
Guru Elite

Reauthentication Interval

Are you talking about the reauthentication interval on the user-role (default disabled) or the reauthentication interval on the dot1x profile (by default 86400)?


Colin Joseph
Aruba Customer Engineering


Occasional Contributor I

Re: Controller 802.1x Termination error message

The reauthentication interval I've been adjusting is the 802.1x profile. Would this interval be similar to a RADIUS rekeying interval? That's what I'm trying to replicate in a lab without having all the production equipment available to me in the lab. Since you are able to terminate 802.1x on the controller I was hoping the reauthentication interval in the profile would have the same effect.

If I understand the user-role reauthentication correctly, wouldn't that be equal to a session timeout that would force the user to reauthenticate when the timer expires, as long as the user supplicant is not caching credentials?

Thanks.
Guru Elite

Reauthentication Interval

Kirk, this is what I see in the ArubaOS 3.4.1 user guide:

"Reauthentication with Unicast Key Rotation
When enabled, unicast and multicast keys are updated after each reauthorization. It is a best practice to configure the time intervals for reauthentication, multicast key rotation, and unicast key rotation to be at least 15 minutes. Make sure these intervals are mutually prime, and the factor of the unicast key rotation interval and the multicast key rotation interval is less than the reauthentication interval.

Unicast key rotation depends upon both the AP/controller and wireless client behavior. It is known that some wireless NICs have issues with unicast key rotation."


Colin Joseph
Aruba Customer Engineering


Occasional Contributor I

Re: Controller 802.1x Termination error message

Thanks for the info, when in doubt take a closer look at the user manual. ;-)

Now I hope my wireless cards will function with Unicast key rotation. Not to take this thread in a different direction but could you provide me more information about some wireless cards not working with Unicast rotation?

I've never heard of that before and I would think that could be a pretty big issue even if a RADIUS server was doing the key rotation. I can't imagine going to the extent of using 802.1x with a RADIUS server and not rotating the keys. Seems to be a bit of a security issue to me.

Thanks!
don
Contributor I

Unicast Key rotation

If I've followed this thread correctly, the only time you would enable "unicast key rotation" is when you're terminating the 1x locally on the controller. The keys are normally rotated between the client and the radius server, correct?