Occasional Contributor II
Posts: 15
Registered: ‎10-22-2013

IAP 135 - Radius authentication problem / server down message

Hi there.

 

I have two IAP 135, running version 6.3.1.4

The IAPs have been configured with the following static IP addresses:

  - IAP 1: 192.168.10.4

  - IAP 2: 192.168.10.5

  - Virtual Controller IP: 192.168.10.3

 

Everything works great, except for the RADIUS authentication.

Our RADIUS servers are two Windows 2008 R2 servers running NPS. They also work very well and have been used for a lot of authentications on other devices.

The problem is: the IAP GUI keeps alerting that the RADIUS servers are down (messages attached): "Authentication Server Radius1-ServerSync is down", but they are not, they are up and responding very well.

Because of that, a lot of authentications fail without even hitting the RADIUS servers.

To make it work, I have to wait (for the RADIUS dead time) and try again a lot of times.

When the authentication request hits the RADIUS servers, it works. But a lot of those auth requests don't even reach the NPS server. And again, the RADIUS servers are up and working great.

The IAP logs show the message: (attached)

 

Hope you guys can help me again.

 

Thanks a lot

 

 

 

Occasional Contributor II
Posts: 15
Registered: ‎10-22-2013

Re: IAP 135 - Radius authentication problem / server down message

Searching this community, I found a release note with the message I am getting:

http://community.arubanetworks.com/t5/Aruba-Instant-Cloud-Wi-Fi/Recent-IAP-Firmware-Releases/td-p/81774/page/2

 

Is my problem a known bug?

MVP
Posts: 4,307
Registered: ‎07-20-2011

Re: IAP 135 - Radius authentication problem / server down message

What do you have set up as the RADIUS client IP address in NPS?

Do you have dynamic RADIUS proxy enabled?

Make sure that the key matches on both sides. And are you able to ping from the IAP to NPS and vice versa?

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Occasional Contributor II
Posts: 15
Registered: ‎10-22-2013

Re: IAP 135 - Radius authentication problem / server down message

Hello Victor,

Thanks for the quick reply.

On the NPS server I have created 3 clients:

 - AP1 -> 192.168.10.4

 - AP2 -> 192.168.10.5

 - APVC -> 192.168.10.3

 

I've created those 3 because I tried with and without dynamic radius proxy.

From the NPS servers I can ping IAP and vice versa, with no packet drop.

 

The RADIUS keys are correct because, as said before, if I wait for the dead time and try several times, then the packet hits the NPS server and the authentication completes.

To make sure that the NPS servers are OK and responding fine, I installed a RADIUS client tester (NTRadPing, a free tool) on a computer (on the same network as the IAP).

As shown in the attached picture, all requests complete OK.

That proves that the RADIUS service is OK.

Any other ideas?

 

Thanks again

MVP
Posts: 4,307
Registered: ‎07-20-2011

Re: IAP 135 - Radius authentication problem / server down message

Enable dynamic RADIUS proxy and use the VC IP address as your RADIUS client IP address.

 

2014-08-02 16_19_42-Instant.png

 

2014-08-02 16_22_21-Instant.png

Thank you

Victor Fabian
Occasional Contributor II
Posts: 15
Registered: ‎10-22-2013

Re: IAP 135 - Radius authentication problem / server down message

That was already done.

I started a packet capture on the NPS server with Wireshark.

Notice that even though no log is generated in Event Viewer, I could see some communication between the NPS and the IAP.

I saw that the IAP sends the Access-Request

and the NPS answers with an Access-Challenge.

This process starts over and over again.

A few tries later, the IAP replied to the challenge and then the NPS server sent the Access-Accept.

Does this information help?
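
The pattern described in the post above (Access-Request, Access-Challenge, then a restart instead of a reply) can be counted from the RADIUS UDP payloads of a capture. This is an added example, not part of the original thread: it parses the RFC 2865 header and the State attribute, the function names are hypothetical, and the sample packets are constructed.

```python
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_CHALLENGE = 1, 2, 11  # RFC 2865 codes
STATE = 24  # State attribute: sent in a challenge, echoed in the reply

def parse_radius(data):
    """Return (code, identifier, {attr_type: value}) for one RADIUS packet."""
    if len(data) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > len(data):
        raise ValueError("bad length field")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length or data[pos + 1] < 2 or pos + data[pos + 1] > length:
            raise ValueError("malformed attribute")
        attrs[data[pos]] = data[pos + 2:pos + data[pos + 1]]
        pos += data[pos + 1]
    return code, ident, attrs

def summarize(packets):
    """Count fresh starts, answered and unanswered challenges, and accepts."""
    stats = {"starts": 0, "answered": 0, "accepts": 0}
    pending = set()  # State values issued in a challenge and not yet echoed
    for raw in packets:
        code, _, attrs = parse_radius(raw)
        state = attrs.get(STATE)
        if code == ACCESS_REQUEST and state is None:
            stats["starts"] += 1          # new conversation (or a restart)
        elif code == ACCESS_REQUEST and state in pending:
            pending.discard(state)        # client answered this challenge
            stats["answered"] += 1
        elif code == ACCESS_CHALLENGE and state is not None:
            pending.add(state)
        elif code == ACCESS_ACCEPT:
            stats["accepts"] += 1
    stats["unanswered"] = len(pending)
    return stats

def build(code, ident, state=None):
    """Construct a minimal sample packet with a zeroed authenticator."""
    attrs = b"" if state is None else bytes([STATE, 2 + len(state)]) + state
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + bytes(16) + attrs

# Constructed capture: two exchanges stall after the challenge, one completes.
SAMPLE = [build(1, 1), build(11, 1, b"s1"), build(1, 2), build(11, 2, b"s2"),
          build(1, 3), build(11, 3, b"s3"), build(1, 4, b"s3"), build(2, 4)]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

A high `unanswered` count next to repeated `starts` means the challenges reach the wire but the authenticator restarts rather than replying, which points at the access point side rather than at NPS.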

MVP
Posts: 4,307
Registered: ‎07-20-2011

Re: IAP 135 - Radius authentication problem / server down message

If you are using it to do an 802.1X session, you need a cert installed on the NPS server, or do the termination on the VC.
Thank you

Victor Fabian
Occasional Contributor II
Posts: 15
Registered: ‎10-22-2013

Re: IAP 135 - Radius authentication problem / server down message

Hello Victor,

 

The current server certificate was requested from the NPS servers to the local domain CA.

I tried to enable termination, but got the following error (image 1).

I also checked that when termination is enabled, I'm able to choose only one RADIUS server (image 2).

 

 

MVP
Posts: 4,307
Registered: ‎07-20-2011

Re: IAP 135 - Radius authentication problem / server down message

It's normal to get that message, just click on Conectar.

This is the process in 802.1X/PEAP where you validate the RADIUS certificate. One thing you could do to avoid it is install the certificate ahead of time through a GPO or manually on the laptop(s).

Thank you

Victor Fabian
Occasional Contributor II
Posts: 15
Registered: ‎10-22-2013

Re: IAP 135 - Radius authentication problem / server down message

Hello Victor.

 

The problem was solved by updating to 6.4.0.3.

I think it was a bug.

dot1x is working great now.

 

Thanks
