ArubaOS and Controllers

New Contributor
Posts: 1
Registered: 02-04-2011

PAP Radius Authentication Issues

Hi

Attempting to authenticate to our current IAS Radius using captive portal aaa profile:

aaa authentication captive-portal "TRFT-STAFF-cp_prof"
   default-role "CaptivePortal-Staff-User"
   server-group "TRFT-STAFF"
   redirect-pause 5
   show-acceptable-use-policy

aaa server-group "TRFT-STAFF"
   auth-server ccs-ias

aaa authentication-server radius "ccs-ias"
   host "192.168.112.100"
   key ****

I am of the impression that the secret key is matched correctly between the Aruba and the IAS server due to it successfully authenticating our machines.

By default, the aaa captive-portal profile will use PAP, but can be forced to use CHAP by using the following command in the aaa profile.

use-chap
   Description: Use CHAP protocol. You should not use this option unless instructed to do so by an Aruba representative.
   Range: enabled/disabled
   Default: disabled (PAP is used)

Testing the authentication from the console:

(CCSWL01) # aaa test-server mschapv2 ccs-ias z1 ****

Authentication Successful

(CCSWL01) # aaa test-server pap ccs-ias z1 ****

Authentication failed

(CCSWL01) #

Feb 24 13:51:36 :124011: |authmgr| Test authenticating user z1:****** using server ccs-ias
Feb 24 13:51:36 :124004: |authmgr| User z1 MAC=00:00:00:00:00:00 not found
Feb 24 13:51:36 :124004: |authmgr| Auth server 'ccs-ias' response=0
Feb 24 13:51:36 :124019: |authmgr| Test server response: Authentication Successful
Feb 24 13:51:39 :124004: |authmgr| Rx message 14001/5221, length 235 from 127.0.0.1:8235
Feb 24 13:51:39 :124011: |authmgr| Test authenticating user z1:****** using server ccs-ias
Feb 24 13:51:39 :124004: |authmgr| Auth server 'ccs-ias' response=1
Feb 24 13:51:39 :124019: |authmgr| Test server response: Authentication failed

Plus in the IAS Event log:

User z1 was denied access.
Fully-Qualified-User-Name = *********/Departments/User Groups/Departmental User Groups/TRFT Users/Generic Accounts/z1
NAS-IP-Address = 192.168.112.250
NAS-Identifier =
Called-Station-Identifier = 000B860BED00
Calling-Station-Identifier = F81EDFE96C5D
Client-Friendly-Name = CCSWL01
Client-IP-Address = 192.168.112.250
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 0
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server =
Policy-Name = Trusted WLAN Users
Authentication-Type = PAP
EAP-Type =
Reason-Code = 66
Reason = The user attempted to use an authentication method that is not enabled on the matching remote access policy.


The authentication is set on the IAS policy to PAP. Can we get PAP to work?

Thoughts?

I’ve been banging my head against the wall for a while now! ;-)

Thanks

Nige
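
How a PAP password travels in the RADIUS Access-Request, as an added example that is not part of the original post: RFC 2865 User-Password hiding, which depends on the shared key configured under aaa authentication-server radius. The secret, authenticator and password below are constructed values.

```python
import hashlib


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """NAS side (RFC 2865 section 5.2): encode a PAP password for User-Password."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)  # NUL-pad to 16-byte blocks
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()  # keystream block from the shared secret
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], pad))
        out += prev  # each ciphertext block chains into the next keystream block
    return out


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: recover the password using the server's copy of the secret."""
    if not hidden or len(hidden) % 16 or len(authenticator) != 16:
        raise ValueError("malformed User-Password or authenticator")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(block, pad))
        prev = block
    return out.rstrip(b"\x00")


def demo():
    secret = b"constructed-shared-secret"        # constructed, not from the post
    authenticator = bytes(range(16))             # constructed; real ones are random
    password = b"constructed-password-longer-than-16"
    hidden = hide_password(password, secret, authenticator)
    matched = unhide_password(hidden, secret, authenticator)
    mismatched = unhide_password(hidden, b"different-secret", authenticator)
    return password, hidden, matched, mismatched


if __name__ == "__main__":
    password, hidden, matched, mismatched = demo()
    print("on the wire :", hidden.hex())
    print("same secret :", matched)
    print("wrong secret:", mismatched)
```

The only protection PAP gets between controller and RADIUS server is this MD5 keystream derived from the shared key, so the key's strength and secrecy decide how well the password is protected in transit.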
Guru Elite
Posts: 20,574
Registered: 03-29-2007

Re: PAP Radius Authentication Issues

What options do you have enabled on the Trusted WLAN Users policy? Are you limiting users by group?


Colin Joseph
Aruba Customer Engineering
