ArubaOS and Controllers

Reply
Occasional Contributor II
Posts: 19
Registered: ‎04-03-2007

Determining EAP inner type?!?

Does anyone know of a command to view the EAP inner type of a connected user?

With:

show user mac
I can see this info:

Name: arubatest, IP: , MAC: , Role:authenticated, ACL:47/0, Age: 00:00:29
Authentication: Yes, status: started, method: 802.1x, protocol: EAP-PEAP, server:

So, I can tell that they're using 802.1x and PEAP - but, I can't determine if they're using GTC or MS-CHAPv2 for the inner type...?!?

The short story is, I've got an SBR server that I'm trying to authenticate against for 802.1x. I thought it was set up correctly, but Win7 users are not able to authenticate. However, I can with an iPhone and a MacBook. It's hard to tell from the phone, but the MB looks like it's using PEAP-GTC from the supplicant side...
Guru Elite
Posts: 20,821
Registered: ‎03-29-2007

Re: Determining EAP inner type?!?

Please use the command here: http://airheads.arubanetworks.com/vBulletin/showthread.php?t=160

Please note that this will only show for clients that have successfully connected.


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor II
Posts: 19
Registered: ‎04-03-2007

Re: Determining EAP inner type?!?

...but it still doesn't show the inner-type...
Guru Elite
Posts: 20,821
Registered: ‎03-29-2007

Re: Determining EAP inner type?!?

You are correct. It does not. Try "show auth-tracebuf" on the commandline.


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor II
Posts: 19
Registered: ‎04-03-2007

Re: Determining EAP inner type?!?

Ok...so here's one EAP session, it looks like everything is groovy, it even gives an EAP success and station-data-ready - but, the client doesn't get on - everything on the RADIUS log side looks good, too...any ideas?!?

Jul 1 03:23:29 station-up * 48:5d:60:ad:b4:0c 00:24:6c:31:9a:73 - - wpa2 aes
Jul 1 03:23:29 eap-id-req <- 48:5d:60:ad:b4:0c 00:24:6c:31:9a:73 1 5
Jul 1 03:23:29 eap-start -> 48:5d:60:ad:b4:0c 00:24:6c:31:9a:73 - -
Jul 1 03:23:29 eap-id-req <- 48:5d:60:ad:b4:0c 00:24:6c:31:9a:73 1 5
Jul 1 03:23:29 eap-id-resp -> 48:5d:60:ad:b4:0c 00:24:6c:31:9a:73 1 14 arubatest
Jul 1 03:23:29 rad-req -> 48:5d:60:ad:b4:0c 00:24:6c:31:9a:73 65512 191
Jul 1 03:23:29 eap-id-resp -> 48:5d:60:ad:b4:0c 00:24:6c:31:9a:73 1 14 arubatest
Jul 1 03:23:29 rad-resp <- 48:5d:60:ad:b4:0c 00:24:6c:31:9a:73/NOC5 65512 67
Jul 1 03:23:29 eap-req <- 48:5d:60:ad:b4:0c 00:24:6c:31:9a:73 2 6
Jul 1 03:23:29 eap-resp -> 48:5d:60:ad:b4:0c 00:24:6c:31:9a:73 2 105
Jul 1 03:23:29 rad-req -> 48:5d:60:ad:b4:0c 00:24:6c:31:9a:73/NOC5 65513 297
Jul 1 03:23:29 rad-resp <- 48:5d:60:ad:b4:0c 00:24:6c:31:9a:73/NOC5 65513 1129
Jul 1 03:23:29 eap-req <- 48:5d:60:ad:b4:0c 00:24:6c:31:9a:73 3 1060
Jul 1 03:23:29 eap-resp -> 48:5d:60:ad:b4:0c 00:24:6c:31:9a:73 3 6
Jul 1 03:23:29 rad-req -> 48:5d:60:ad:b4:0c 00:24:6c:31:9a:73/NOC5 65514 198
Jul 1 03:23:29 rad-resp <- 48:5d:60:ad:b4:0c 00:24:6c:31:9a:73/NOC5 65514 601
Jul 1 03:23:29 eap-req <- 48:5d:60:ad:b4:0c 00:24:6c:31:9a:73 4 536
Jul 1 03:23:29 eap-resp -> 48:5d:60:ad:b4:0c 00:24:6c:31:9a:73 4 208
Jul 1 03:23:29 rad-req -> 48:5d:60:ad:b4:0c 00:24:6c:31:9a:73/NOC5 65515 400
Jul 1 03:23:29 rad-resp <- 48:5d:60:ad:b4:0c 00:24:6c:31:9a:73/NOC5 65515 130
Jul 1 03:23:29 eap-req <- 48:5d:60:ad:b4:0c 00:24:6c:31:9a:73 5 69
Jul 1 03:23:29 eap-resp -> 48:5d:60:ad:b4:0c 00:24:6c:31:9a:73 5 6
Jul 1 03:23:29 rad-req -> 48:5d:60:ad:b4:0c 00:24:6c:31:9a:73/NOC5 65516 198
Jul 1 03:23:29 rad-resp <- 48:5d:60:ad:b4:0c 00:24:6c:31:9a:73/NOC5 65516 104
Jul 1 03:23:29 eap-req <- 48:5d:60:ad:b4:0c 00:24:6c:31:9a:73 6 43
Jul 1 03:23:29 eap-resp -> 48:5d:60:ad:b4:0c 00:24:6c:31:9a:73 6 43
Jul 1 03:23:29 rad-req -> 48:5d:60:ad:b4:0c 00:24:6c:31:9a:73/NOC5 65517 235
Jul 1 03:23:29 rad-resp <- 48:5d:60:ad:b4:0c 00:24:6c:31:9a:73/NOC5 65517 136
Jul 1 03:23:29 eap-req <- 48:5d:60:ad:b4:0c 00:24:6c:31:9a:73 7 75
Jul 1 03:23:29 eap-resp -> 48:5d:60:ad:b4:0c 00:24:6c:31:9a:73 7 107
Jul 1 03:23:29 rad-req -> 48:5d:60:ad:b4:0c 00:24:6c:31:9a:73/NOC5 65518 299
Jul 1 03:23:29 rad-resp <- 48:5d:60:ad:b4:0c 00:24:6c:31:9a:73/NOC5 65518 152
Jul 1 03:23:29 eap-req <- 48:5d:60:ad:b4:0c 00:24:6c:31:9a:73 8 91
Jul 1 03:23:29 eap-resp -> 48:5d:60:ad:b4:0c 00:24:6c:31:9a:73 8 43
Jul 1 03:23:29 rad-req -> 48:5d:60:ad:b4:0c 00:24:6c:31:9a:73/NOC5 65519 235
Jul 1 03:23:29 rad-resp <- 48:5d:60:ad:b4:0c 00:24:6c:31:9a:73/NOC5 65519 104
Jul 1 03:23:29 eap-req <- 48:5d:60:ad:b4:0c 00:24:6c:31:9a:73 9 43
Jul 1 03:23:29 eap-resp -> 48:5d:60:ad:b4:0c 00:24:6c:31:9a:73 9 43
Jul 1 03:23:29 rad-req -> 48:5d:60:ad:b4:0c 00:24:6c:31:9a:73/NOC5 65520 235
Jul 1 03:23:29 rad-accept <- 48:5d:60:ad:b4:0c 00:24:6c:31:9a:73/NOC5 65520 166
Jul 1 03:23:29 eap-success <- 48:5d:60:ad:b4:0c 00:24:6c:31:9a:73 9 4
Jul 1 03:23:29 station-data-ready * 48:5d:60:ad:b4:0c 00:00:00:00:00:00 152 -
Jul 1 03:23:29 station-down * 48:5d:60:ad:b4:0c 00:24:6c:31:9a:73 - -
Guru Elite
Posts: 20,821
Registered: ‎03-29-2007

Re: Determining EAP inner type?!?

You are missing the 4-way handshake at the end. MacBook pros and iPhones will allow you to associate and give you the choice to accept the certificate. Try unchecking "Validate Server Certificate" in the Windows PEAP profile on the Windows 7 machine. Maybe that Windows machine does not trust the server certificate


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor II
Posts: 19
Registered: ‎04-03-2007

Re: Determining EAP inner type?!?

yeah...sorry...should've said that before - that one was actually from one of the win7 machines (with validate server cert unchecked)
Guru Elite
Posts: 20,821
Registered: ‎03-29-2007

Re: Determining EAP inner type?!?

Hate to say it, but the logs on the radius server is the best way to figure out what is going on....


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Search Airheads
Showing results for 
Search instead for 
Did you mean: