ArubaOS and Controllers

Contributor II
Posts: 40
Registered: ‎03-05-2010

Machine Authentication and Auth problems

Running OS 5.0.3.0, but this issue has been ongoing for a long time on older code as well.

I'm seeing issues where users are "randomly" unable to authenticate to our RADIUS server (Windows Server 2003, 802.1x, PEAP). On our controllers we have Machine Authentication enabled, and our policies on the RADIUS server state that the computer must be a domain member in order to pass authentication.

Our local Internal Database is filled with around 3000 entries, comprised mostly of domain computers and guest accounts. Do most people have Machine Auth enabled on their controllers, or just let the RADIUS server handle it?

Another weird part is, looking in the IAS logs on the server, a computer auth could be okay one minute, then fail days later. I'm suspecting it may have something to do with computer account passwords changing, thus affecting the auth between the client and what the server thinks its new password should be, but I believe that timeout is 30 days by default, and this issue seems to occur within days.

Any advice or tips are greatly appreciated, thanks!
Guru Elite
Posts: 20,332
Registered: ‎03-29-2007

Re: Machine Authentication and Auth problems

Please look at this thread starting here: http://airheads.arubanetworks.com/vBulletin/showpost.php?p=4976&postcount=62 for a possible solution.


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Contributor II
Posts: 40
Registered: ‎03-05-2010

Re: Machine Authentication and Auth problems

I've gone through that thread and haven't been able to find a solution and that 30 day machine timeout doesn't appear to be the issue in my case.

The main issue now is that I'm getting machine auth failures in my IAS logs on the RADIUS server, but the problem is they're not very detailed, just a vague "failed auth" message.

Does anyone know how to turn on more detailed logging or debugging on Win 2003 Server for RADIUS/IAS?
Guru Elite
Posts: 20,332
Registered: ‎03-29-2007

Re: Machine Authentication and Auth problems

The event number as well as the very bottom of the event viewer message says in detail what the problem is.


Colin Joseph
Aruba Customer Engineering


Contributor II
Posts: 40
Registered: ‎03-05-2010

Re: Machine Authentication and Auth problems

Event code 16, wrong user name & password. Which doesn't help much since it's authenticating as its Computer Name only.

Out of curiosity, for those using W2K3 as their RADIUS server, what do your attributes look like? I'm using "Class", as described in the Aruba user guide, but am wondering if people have had luck or better success with others?

Guru Elite
Posts: 20,332
Registered: ‎03-29-2007

Re: Machine Authentication and Auth problems

If you are asking about the returned RADIUS attribute and authentication, they are not really related. The returned attribute would not affect anything. What is at the bottom of the Event Viewer message is more germane to what your problem is. Please paste that output.


Colin Joseph
Aruba Customer Engineering


Contributor II
Posts: 40
Registered: ‎03-05-2010

Re: Machine Authentication and Auth problems

The reason I'm asking about the RADIUS attribute is that previously we were using "Service-type" instead of "Class", and "Standard" instead of "computer". Ever since I've made that change I haven't seen the same authentication problem with users (although it may have just not happened yet, but my fingers are crossed). You're saying that has nothing to do with authentication? Doesn't it matter what attributes are passed back to the server, or does it care at all?

Like I mentioned earlier, the bottom of the Event Viewer logs just reported "Error Code 16, invalid username or password". That isn't detailed enough; I was hoping for some sort of lower-level debugging directly on the server. I tried turning on debugging on the controller as well, but I basically just get the same error spit back from the server, saying RADIUS failed.
Guru Elite
Posts: 20,332
Registered: ‎03-29-2007

Re: Machine Authentication and Auth problems

The RADIUS attribute is returned after a successful authentication, so it does not come into play. If you can, please paste in the full text of the Event Viewer message. Also make sure you don't have Termination on the Aruba Controller enabled.

There is tracing that Microsoft can do on the server, as well as on the supplicant side, to see why it is failing, and you probably have to contact them to configure it, as well as to interpret the logs.


Colin Joseph
Aruba Customer Engineering
