Question : Why do we see repeated authentication failures for users on the Master Controller?
Environment Information : Master-Local Setup, Any Aruba Controller, Any Aruba OS
Symptoms : Multiple login failures are seen on the Master Controller, which can look like a DoS attack against the Controller.
Cause : Usage of "Internal dB" in server-groups.
Resolution : The issue is seen when the "Internal database" is included in a server-group mapped to some VAP profiles but is not actually being used for authentication. We can either use the Master Controller's Internal database for user authentication, so that we do not see failures, or configure the knob "Use Local Switch's database for authentication" on the local Controller's Internal database.
Symptoms of the issue are as follows:
1) Check each server group individually to find which groups have the "Internal" server mapped and in what position.
2) Verify references of the server groups using the command "show references aaa server-group <group-name>". With the above errors indicating MSChapv2, it is likely that some 802.1x profiles VAPs have the "Internal" Server added.
3) To resolve the issue, we can change the position of the "Internal" Server in the server-group to best suit the requirement, so that we don't see authentication failures against the Internal dB. Another option is to enable the "Use Local Switch's Database..." knob on the Internal DB of the local Controller that depends on the Internal dB for authentication.
# config term
# aaa authentication-server internal use-local-switch
# write mem
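Steps 1 and 2 can also be checked offline against a saved configuration. The script below is an added example, not Aruba's code or part of the original article: it assumes the running-config lists each group as an `aaa server-group "<name>"` stanza with indented `auth-server` lines and each `aaa profile` stanza references groups through `*-server-group` lines, and the group, server and profile names in the sample are constructed.

```python
import re

# Constructed running-config excerpt (stanza layout is an assumption, names are made up).
SAMPLE_CONFIG = '''\
aaa server-group "corp-dot1x"
 auth-server Internal
 auth-server radius-1
!
aaa server-group "guest-sg"
 auth-server radius-1
!
aaa profile "corp-aaa"
 authentication-dot1x "corp-dot1x-auth"
 dot1x-server-group "corp-dot1x"
!
'''

def parse_blocks(config, keyword):
    """Return {name: [indented child lines]} for every '<keyword> "name"' stanza."""
    blocks, current = {}, None
    for line in config.splitlines():
        m = re.match(rf'{re.escape(keyword)} "?([^"]+)"?\s*$', line)
        if m:
            current = blocks.setdefault(m.group(1), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # "!" or any other top-level line closes the stanza
    return blocks

def internal_server_report(config):
    """Server groups that include 'Internal', its position, and the AAA profiles using them."""
    groups = parse_blocks(config, "aaa server-group")
    profiles = parse_blocks(config, "aaa profile")
    report = []
    for name, lines in groups.items():
        servers = [l.split()[1].strip('"') for l in lines if l.startswith("auth-server ")]
        lowered = [s.lower() for s in servers]
        if "internal" not in lowered:
            continue
        users = sorted(p for p, body in profiles.items() if any(
            re.fullmatch(rf'\S*server-group "?{re.escape(name)}"?', b) for b in body))
        report.append({"group": name, "position": lowered.index("internal") + 1,
                       "of": len(servers), "profiles": users})
    return report

if __name__ == "__main__":
    for row in internal_server_report(SAMPLE_CONFIG):
        print(row)
```

A group reported with "Internal" at position 1 and a non-empty profile list is the case to review in step 3.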