Controller-less WLANs

Guest user unable to authenticate when secondary Radius server is selected as internal server on IAP

by ‎11-25-2015 12:59 PM - edited ‎11-25-2015 12:59 PM
Q:

Why Guest users associated to IAP 92/93 are unable to authenticate when secondary Radius server is selected as internal server on IAP?



A:

​IAP-92/93 will not support any authentication with internal server mapped from 4.1.1.x due to hardware limitations. Hence IAP 92/93 will not forward the Radius request send by the client when the backup radius-server is mapped as internal DB for guest ssid.

 

Upon selecting the primary server as external Radius1 server and the secondary server as none or another Radius server, the guest users would be able to authenticate.

However, if the secondary radius-server is mapped to internal DB for guest ssid, the radius request will be dropped on the IAP itself due to hardware limitations.

 

No secondary servers:

18:64:72:c1:ce:90# show radius-servers 
RADIUS Servers
--------------
Name            IP Address     Port  Acctport  Key                                                                                                                               Timeout  Retry Count  NAS IP Address  NAS Identifier  In Use  RFC3576  Airgroup RFC3576-ONLY  Airgroup RFC3576 port  Deadtime  DRP IP  DRP IP Mask  DRP VLAN  DRP Gateway  Radsec    Radsec port
----            ----------     ----  --------  ---                                                                                                                               -------  -----------  --------------  --------------  ------  -------  ---------------------  ---------------------  --------  ------  -----------  --------  -----------  ------    -----------
InternalServer  127.0.0.1      1616  1813      dc04bf78f79b4f312989be4ddb1a349851c88a680e2ab0a0978eea4ac58ec77f6c6c34367a0ef896157f9c16872dbe4285aa1101e347422afe583cd847fcff04  5        3                                            Yes                                     0                      5                                                     Disabled  Disabled
Clearpass       10.30.156.166  1812  1813      e72883e1acdfbdb1496094df87a071652c66d9efacd79a57                                                                                  5        3                                            Yes     Y                               5999                   5                                                     Disabled  Disabled

18:64:72:c1:ce:90# show clock  
Current Time     :2015-07-21 13:45:52        ----------------------- Time stamp before connecting the client.

18:64:72:c1:ce:90# show clients | include Arubatest                              
Aruba@Aruba.com               172.31.99.224  7c:e9:d3:2d:3c:55  Linux    Arubatest     18:64:72:c1:ce:90  11       GN    test         50(good)  144(good)     

18:64:72:c1:ce:90# show log security | include radius 
Jul 21 13:47:51  stm[1664]: <121031> <DBUG> |AP 18:64:72:c1:ce:90@10.30.56.22 stm| |aaa| [rc_server.c:1699] Sending radius request to Clearpass:10.30.156.166:1812 id:29,len:185 

Jul 21 13:47:51  stm[1664]: <121031> <DBUG> |AP 18:64:72:c1:ce:90@10.30.56.22 stm| |aaa| [rc_api.c:464] Radius authenticate user (Aruba@Aruba.com) PAP using server Clearpass
Jul 21 13:47:51  stm[1664]: <121031> <DBUG> |AP 18:64:72:c1:ce:90@10.30.56.22 stm| |aaa| [rc_request.c:52] Add Request: id=29, srv=10.30.156.166, fd=18
Jul 21 13:47:51  stm[1664]: <121031> <DBUG> |AP 18:64:72:c1:ce:90@10.30.56.22 stm| |aaa| [rc_server.c:1699] Sending radius request to Clearpass:10.30.156.166:1812 id:29,len:185 
Jul 21 13:47:51  stm[1664]: <121031> <DBUG> |AP 18:64:72:c1:ce:90@10.30.56.22 stm| |aaa| [rc_server.c:1709]  NAS-IP-Address: 10.30.56.22 
Jul 21 13:47:51  stm[1664]: <121031> <DBUG> |AP 18:64:72:c1:ce:90@10.30.56.22 stm| |aaa| [rc_server.c:1709]  NAS-Port-Id: 0 
Jul 21 13:47:51  stm[1664]: <121031> <DBUG> |AP 18:64:72:c1:ce:90@10.30.56.22 stm| |aaa| [rc_server.c:1709]  NAS-Port-Type: 19 
Jul 21 13:47:51  stm[1664]: <121031> <DBUG> |AP 18:64:72:c1:ce:90@10.30.56.22 stm| |aaa| [rc_server.c:1709]  User-Name: Aruba@Aruba.com 
Jul 21 13:47:51  stm[1664]: <121031> <DBUG> |AP 18:64:72:c1:ce:90@10.30.56.22 stm| |aaa| [rc_server.c:1713]  Password: ***** 
Jul 21 13:47:51  stm[1664]: <121031> <DBUG> |AP 18:64:72:c1:ce:90@10.30.56.22 stm| |aaa| [rc_server.c:1709]  Service-Type: Login-User 
Jul 21 13:47:51  stm[1664]: <121031> <DBUG> |AP 18:64:72:c1:ce:90@10.30.56.22 stm| |aaa| [rc_server.c:1709]  Calling-Station-Id: 7ce9d32d3c55

 

When there is no secondary Radius server the radius request is sent by the IAP to the clearpass server at 13:47:51 timestamp.


The below output is with secondary server as internal and primary server as CPPM:


18:64:72:c1:ce:90# show clock
Current Time     :2015-07-21 14:02:53         ------ Time stamp before executing the below command

Now connecting the client having secondary server as internal
    
18:64:72:c1:ce:90# show clock
Current Time     :2015-07-21 14:04:29         --------Time stamp while connecting the client 

18:64:72:c1:ce:90# show clients | include Arubatest
css-Latitude-E5420        172.31.99.224  7c:e9:d3:2d:3c:55           Arubatest     18:64:72:c1:ce:90  11       GN    Preauth      0(poor)   0(poor)

18:64:72:c1:ce:90# show log security | include radius
Jul 21 13:47:51  stm[1664]: <121031> <DBUG> |AP 18:64:72:c1:ce:90@10.30.56.22 stm| |aaa| [rc_server.c:1699] Sending radius request to Clearpass:10.30.156.166:1812 id:29,len:185
18:64:72:c1:ce:90# Now entering the user name and password on captive portal page

 

We could see that the client associated at 14:04:29 and there there is no radius request sent by the IAP at that time even though the client enters the credentials for authentication. 

 

 

Search Airheads
Showing results for 
Search instead for 
Did you mean: 
Is this a frequent problem?

Request an official Aruba knowledge base article to be written by our experts.