ArubaOS and Controllers

Contributor I
Posts: 22
Registered: 01-20-2011

Users stuck at attempting to authenticate

This is pretty long so thanks for reading...

I have a server group comprised of the internal database and a radius/nps server with fail through from the internal database to the radius/nps server. We just got this up and going in the past two weeks and it's been working great--until this morning.

Now users see and connect to the WLAN, but are not able to authenticate. I can run the following successfully:

aaa test-server mschapv2 sbusd_nps mwagnon ####

I can manually connect and authenticate with my phone and other devices using various credentials that exist either in the internal database or AD, and I can connect via captive portal (user for this is in internal db).

and when I turn on debugging the following is found in the user log (sorry for the mess):

---------------

Jun 30 12:40:03 :501102: |stm| Disassoc from sta: cc:08:e0:45:4a:fb: AP 10.200.50.251-00:1a:1e:85:57:40-EC-BS_55:74 Reason STA has left and is disassocisted
Jun 30 12:40:03 :501102: |AP EC-BS_55:74@10.200.50.251 stm| Disassoc from sta: cc:08:e0:45:4a:fb: AP 10.200.50.251-00:1a:1e:85:57:40-EC-BS_55:74 Reason STA has left and is disassocisted
Jun 30 12:40:03 :501065: |stm| Sending STA cc:08:e0:45:4a:fb message to Auth and Mobility Unicast Encr WPA2 8021X AES Multicast Encr Dynamic WPA,WPA2 8021X TKIP VLAN 0x1, wmm:0, rsn_cap:0
Jun 30 12:40:03 :501000: |AP EC-BS_55:74@10.200.50.251 stm| Station cc:08:e0:45:4a:fb: Clearing state
Jun 30 12:40:03 :500511: |mobileip| Station cc:08:e0:45:4a:fb, 0.0.0.0: Received disassociation on ESSID: SBUSD Mobility service Off, HA Discovery on Association Off, Fastroaming Disabled, AP: Name EC-BS_55:74 Group Ed_Center_AP_Group BSSID 00:1a:1e:85:57:40, phy g, VLAN 1
Jun 30 12:40:03 :522036: |authmgr| MAC=cc:08:e0:45:4a:fb Station DN: BSSID=00:1a:1e:85:57:40 ESSID=SBUSD VLAN=1 AP-name=EC-BS_55:74
Jun 30 12:40:03 :522004: |authmgr| MAC=cc:08:e0:45:4a:fb ingress 0x10b5 (tunnel 53), u_encr 64, m_encr 4112, slotport 0x1040 , type: local, FW mode: 0, AP IP: 0.0.0.0
Jun 30 12:40:03 :522004: |authmgr| station free: bssid=00:1a:1e:85:57:40, valid=1, @=0x107e59ec
Jun 30 12:40:03 :501000: |stm| Station cc:08:e0:45:4a:fb: Clearing state
Jun 30 12:40:05 :501095: |stm| Assoc request @ 12:40:05.406650: cc:08:e0:45:4a:fb (SN 407): AP 10.200.50.251-00:1a:1e:85:57:40-EC-BS_55:74
Jun 30 12:40:05 :501095: |AP EC-BS_55:74@10.200.50.251 stm| Assoc request @ 12:40:05.763319: cc:08:e0:45:4a:fb (SN 407): AP 10.200.50.251-00:1a:1e:85:57:40-EC-BS_55:74
Jun 30 12:40:05 :501100: |AP EC-BS_55:74@10.200.50.251 stm| Assoc success @ 12:40:05.764284: cc:08:e0:45:4a:fb: AP 10.200.50.251-00:1a:1e:85:57:40-EC-BS_55:74
Jun 30 12:40:05 :501100: |stm| Assoc success @ 12:40:05.410435: cc:08:e0:45:4a:fb: AP 10.200.50.251-00:1a:1e:85:57:40-EC-BS_55:74
Jun 30 12:40:05 :501065: |stm| Sending STA cc:08:e0:45:4a:fb message to Auth and Mobility Unicast Encr WPA2 8021X AES Multicast Encr Dynamic WPA,WPA2 8021X TKIP VLAN 0x1, wmm:0, rsn_cap:0
Jun 30 12:40:05 :500511: |mobileip| Station cc:08:e0:45:4a:fb, 0.0.0.0: Received association on ESSID: SBUSD Mobility service Off, HA Discovery on Association Off, Fastroaming Disabled, AP: Name EC-BS_55:74 Group Ed_Center_AP_Group BSSID 00:1a:1e:85:57:40, phy g, VLAN 1
Jun 30 12:40:05 :522035: |authmgr| MAC=cc:08:e0:45:4a:fb Station UP: BSSID=00:1a:1e:85:57:40 ESSID=SBUSD VLAN=1 AP-name=EC-BS_55:74
Jun 30 12:40:05 :522004: |authmgr| MAC=cc:08:e0:45:4a:fb ingress 0x10b5 (tunnel 53), u_encr 64, m_encr 4112, slotport 0x1040 , type: local, FW mode: 0, AP IP: 0.0.0.0
Jun 30 12:40:05 :522004: |authmgr| MS-CHAPv2 authenticate user mwagnon
Jun 30 12:40:05 :522038: |authmgr| MAC=cc:08:e0:45:4a:fb IP=0.0.0.0 Authentication result=Authentication Successful method=802.1x server=SBUSD_NPS
Jun 30 12:40:05 :522004: |authmgr| {L2} authenticated from profile "SBUSD_EE_aaa-prof"
Jun 30 12:40:05 :522004: |authmgr| {L2} Update role from logon to authenticated for IP=0.0.0.0
Jun 30 12:40:05 :522004: |authmgr| download: ip=0.0.0.0 acl=48/0 role=authenticated, Ubwm=0, Dbwm=0 tunl=0x10b5, PA=0, HA=1, RO=0, VPN=0
Jun 30 12:40:05 :522004: |authmgr| MAC=cc:08:e0:45:4a:fb def_vlan 1 derive vlan: 0 auth_type 4 auth_subtype 4
Jun 30 12:40:05 :522029: |authmgr| MAC=cc:08:e0:45:4a:fb Station authenticated: method=802.1x, role=authenticated, VLAN=1/1/0
Jun 30 12:40:05 :522008: |authmgr| User authenticated: Name=mwagnon MAC=cc:08:e0:45:4a:fb IP=172.31.5.81 method=802.1x server=SBUSD_NPS role=authenticated
Jun 30 12:40:05 :522004: |authmgr| {172.31.5.81} autTable ("mwagnon Authenticated 802.1x authenticated ")
Jun 30 12:40:05 :522004: |authmgr| {0.0.0.0} autTable ("mwagnon Authenticated 802.1x authenticated ")
Jun 30 12:40:05 :522025: |authmgr| MAC=cc:08:e0:45:4a:fb IP=192.168.1.102 MAC spoof from MAC=cc:08:e0:45:4a:fb
Jun 30 12:40:05 :522025: |authmgr| MAC=cc:08:e0:45:4a:fb IP=172.24.5.201 MAC spoof from MAC=cc:08:e0:45:4a:fb
Jun 30 12:40:46 :522004: |authmgr| icmp request sent for user 192.168.99.72
Jun 30 12:40:46 :522004: |authmgr| MAC=00:26:bb:c4:45:82 IP=192.168.99.72 Sending ping 1 of 3 (id=8214, seq=88)
Jun 30 12:40:51 :522004: |authmgr| icmp request sent for user 192.168.99.72
Jun 30 12:40:51 :522004: |authmgr| MAC=00:26:bb:c4:45:82 IP=192.168.99.72 Sending ping 2 of 3 (id=8214, seq=89)
Jun 30 12:40:51 :522004: |authmgr| MAC=00:26:bb:c4:45:82 IP=192.168.99.72 Got ping response (seq=89, user-ingress=0x10c6 ingress=0x10c6, type=idle)

--------------

and the radius server's event log shows a successful authentication:

Network Policy Server granted full access to a user because the host met the defined health policy.

User:
Security ID: SOUTHBAY\MWAGNON
Account Name: mwagnon
Account Domain: SOUTHBAY
Fully Qualified Account Name: SOUTHBAY\mwagnon

Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
OS-Version: -
Called Station Identifier: 000B86617480
Calling Station Identifier: CC08E0454AFB

NAS:
NAS IPv4 Address: 10.200.50.10
NAS IPv6 Address: -
NAS Identifier: EC Aruba Controller
NAS Port-Type: Wireless - IEEE 802.11
NAS Port: 0

RADIUS Client:
Client Friendly Name: EC Aruba Controller
Client IP Address: 10.200.50.10

Authentication Details:
Connection Request Policy Name: Secure Wireless Connections
Network Policy Name: Secure Wireless Connections
Authentication Provider: Windows
Authentication Server: DC3.ad.sbusd.org
Authentication Type: MS-CHAPv2
EAP Type: -
Account Session Identifier: -

Quarantine Information:
Result: Full Access
Extended-Result: -
Session Identifier: -
Help URL: -
System Health Validator Result(s): -

I'm scratching my head. Any ideas?

Thanks!
Mark
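
An added example, not part of the original post or of ArubaOS: a small triage script for user-debug logs in the format posted above. It groups the authmgr Station UP (522035), Station DN (522036) and Authentication result (522038) messages by client MAC and lists stations that come up but never log an authentication result. It assumes that a client stuck at "attempting to authenticate" shows exactly that pattern; the second MAC in the sample is constructed.

```python
import re
from collections import defaultdict

# authmgr message IDs as they appear in the log posted above.
STATION_UP, STATION_DN, AUTH_RESULT = "522035", "522036", "522038"
LINE_RE = re.compile(r"^\w{3}\s+\d+\s+[\d:]{8} :(\d{6}): \|[^|]*\| (.*)$")
MAC_RE = re.compile(r"MAC=((?:[0-9a-f]{2}:){5}[0-9a-f]{2})", re.I)
RESULT_RE = re.compile(r"Authentication result=(.+?) method=")

# Constructed sample: the first station repeats lines from the post; aa:bb:cc:00:00:01
# is a made-up client that comes up twice and never gets an authentication result.
SAMPLE_LOG = """\
Jun 30 12:40:05 :522035: |authmgr| MAC=cc:08:e0:45:4a:fb Station UP: BSSID=00:1a:1e:85:57:40 ESSID=SBUSD VLAN=1 AP-name=EC-BS_55:74
Jun 30 12:40:05 :522038: |authmgr| MAC=cc:08:e0:45:4a:fb IP=0.0.0.0 Authentication result=Authentication Successful method=802.1x server=SBUSD_NPS
Jun 30 12:41:10 :522035: |authmgr| MAC=aa:bb:cc:00:00:01 Station UP: BSSID=00:1a:1e:85:57:40 ESSID=SBUSD VLAN=1 AP-name=EC-BS_55:74
Jun 30 12:41:40 :522036: |authmgr| MAC=aa:bb:cc:00:00:01 Station DN: BSSID=00:1a:1e:85:57:40 ESSID=SBUSD VLAN=1 AP-name=EC-BS_55:74
Jun 30 12:41:42 :522035: |authmgr| MAC=aa:bb:cc:00:00:01 Station UP: BSSID=00:1a:1e:85:57:40 ESSID=SBUSD VLAN=1 AP-name=EC-BS_55:74
Jun 30 12:42:12 :522036: |authmgr| MAC=aa:bb:cc:00:00:01 Station DN: BSSID=00:1a:1e:85:57:40 ESSID=SBUSD VLAN=1 AP-name=EC-BS_55:74
"""

def triage(log_text):
    """Per station MAC, count sessions by 802.1X outcome."""
    stats = defaultdict(lambda: {"success": 0, "failed": 0, "no_result": 0})
    pending = set()  # stations that are up with no auth result logged yet
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        mac_m = MAC_RE.search(m.group(2)) if m else None
        if not mac_m:
            continue
        msg_id, mac = m.group(1), mac_m.group(1).lower()
        if msg_id in (STATION_UP, STATION_DN):
            if mac in pending:          # previous session ended without a result
                stats[mac]["no_result"] += 1
                pending.discard(mac)
            if msg_id == STATION_UP:
                pending.add(mac)
        elif msg_id == AUTH_RESULT:
            r = RESULT_RE.search(m.group(2))
            ok = bool(r) and r.group(1) == "Authentication Successful"
            stats[mac]["success" if ok else "failed"] += 1
            pending.discard(mac)
    for mac in pending:                 # still up at end of log, no result
        stats[mac]["no_result"] += 1
    return {mac: dict(v) for mac, v in stats.items()}

def stuck_stations(log_text):
    """Stations that came up at least once and never authenticated."""
    return sorted(m for m, s in triage(log_text).items()
                  if s["no_result"] and not s["success"])
```

Calling stuck_stations() on a saved copy of the user-debug log shows whether the one station that authenticates is representative of the clients that are failing.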
Guru Elite
Posts: 21,272
Registered: 03-29-2007

Re: Users stuck at attempting to authenticate

Does this have anything to do with Aruba's certificate expiring yesterday? http://airheads.arubanetworks.com/vBulletin/showthread.php?t=3264

If you are using the internal database, that means you are using termination, which means you are using the Aruba built-in certificate. Upgrade to the latest version in your train of code to renew the cert.


Colin Joseph
Aruba Customer Engineering


Contributor I
Posts: 22
Registered: 01-20-2011

Re: Users stuck at attempting to authenticate

Heh, wow. The consequences described in the documentation are a 100% match for what I'm seeing. At least now I know I'm not going insane (don't ask for proof). Thanks a ton Colin, you're always a great help.

Mark