Aruba Networks | People Move. Networks Must Follow.

Reply
Topic Options
scottwe
Occasional Contributor II
scottwe
Posts: 19
Registered: ‎11-16-2010

deauth to sta

Options

‎03-20-2012 02:05 PM

I have a client that cannot connect to our production wireless network but can connect to a development network on the same access point. The client is using the same machine and 802.1x authentication for each network. I have debug logs for a successful (dev) and a failed (prd) session but the main difference I see is:

 

//a success

Mar 20 13:24:56 :522035:  <INFO> |authmgr|  MAC=68:a3:c4:c9:xx:xx Station UP: BSSID=d8:c7:c8:xx:2f:41 ESSID=dev VLAN=2 AP-name=ab208

Mar 20 13:24:56 :522004:  <DBUG> |authmgr|  MAC=68:a3:c4:c9:xx:xx ingress 0x10f1 (tunnel 145), u_encr 16, m_encr 4112, slotport 0x1000 

Mar 20 13:25:25 :522038:  <INFO> |authmgr|  MAC=68:a3:c4:c9:xx:xx IP=0.0.0.0 Authentication result=Authentication Successful method=802.1x server=ACS-B

//role, IP and other good stuff happen

 

//a failure

Mar 20 13:24:12 :522035:  <INFO> |authmgr|  MAC=68:a3:c4:c9:xx:xx Station UP: BSSID=d8:c7:c8:xx:2f:40 ESSID=prd VLAN=2 AP-name=ab208

Mar 20 13:24:12 :522004:  <DBUG> |authmgr|  MAC=68:a3:c4:c9:xx:xx ingress 0x11b6 (tunnel 342), u_encr 16, m_encr 4112, slotport 0x1000 

//repeat the previous message five more times, then

Mar 20 13:24:31 :501106:  <NOTI> |stm|  Deauth to sta: 68:a3:c4:c9:xx:xx: Ageout AP 10.xxx.70.210-d8:c7:xx:xx:2f:40-ab208 handle_sapcp

//followed by similar messages

 

 

Anybody have an idea?

Alert a Moderator
Message 1 of 10 (1,744 Views)
Reply
0 Kudos
Moderator<br /><img src="/html/assets/ArubaGuruRank.png" />
Moderator
cjoseph
Posts: 8,234
Registered: ‎03-29-2007

Re: deauth to sta

Options

‎03-20-2012 03:17 PM

scottwe wrote:

I have a client that cannot connect to our production wireless network but can connect to a development network on the same access point. The client is using the same machine and 802.1x authentication for each network. I have debug logs for a successful (dev) and a failed (prd) session but the main difference I see is:

 

//a success

Mar 20 13:24:56 :522035:  <INFO> |authmgr|  MAC=68:a3:c4:c9:xx:xx Station UP: BSSID=d8:c7:c8:xx:2f:41 ESSID=dev VLAN=2 AP-name=ab208

Mar 20 13:24:56 :522004:  <DBUG> |authmgr|  MAC=68:a3:c4:c9:xx:xx ingress 0x10f1 (tunnel 145), u_encr 16, m_encr 4112, slotport 0x1000 

Mar 20 13:25:25 :522038:  <INFO> |authmgr|  MAC=68:a3:c4:c9:xx:xx IP=0.0.0.0 Authentication result=Authentication Successful method=802.1x server=ACS-B

//role, IP and other good stuff happen

 

//a failure

Mar 20 13:24:12 :522035:  <INFO> |authmgr|  MAC=68:a3:c4:c9:xx:xx Station UP: BSSID=d8:c7:c8:xx:2f:40 ESSID=prd VLAN=2 AP-name=ab208

Mar 20 13:24:12 :522004:  <DBUG> |authmgr|  MAC=68:a3:c4:c9:xx:xx ingress 0x11b6 (tunnel 342), u_encr 16, m_encr 4112, slotport 0x1000 

//repeat the previous message five more times, then

Mar 20 13:24:31 :501106:  <NOTI> |stm|  Deauth to sta: 68:a3:c4:c9:xx:xx: Ageout AP 10.xxx.70.210-d8:c7:xx:xx:2f:40-ab208 handle_sapcp

//followed by similar messages

 

 

Anybody have an idea?

While the client is failing, type "show auth-tracebuf mac <mac address of client>" to see why.

 

Alert a Moderator
Message 2 of 10 (1,738 Views)
Reply
0 Kudos
scottwe
Occasional Contributor II
scottwe
Posts: 19
Registered: ‎11-16-2010

Re: deauth to sta

Options

‎03-21-2012 02:34 PM

Thank you, neat command!

 

I see:

 

Mar 21 13:32:52  station-up             *  68:a3:c4:c9:xx:xx  d8:c7:c8:bf:xx:xx                  -    -     wpa tkip

Mar 21 13:32:52  eap-id-req            <-  68:a3:c4:c9:xx:xx  d8:c7:c8:bf:xx:xx                  1    5     

Mar 21 13:32:53  station-up             *  68:a3:c4:c9:xx:xx  d8:c7:c8:bf:xx:xx                  -    -     wpa tkip

Mar 21 13:32:53  eap-id-req            <-  68:a3:c4:c9:xx:xx  d8:c7:c8:bf:xx:xx                  1    5     

Mar 21 13:32:53  eap-start             ->  68:a3:c4:c9:xx:xx  d8:c7:c8:bf:xx:xx                  -    -     

Mar 21 13:32:53  eap-id-req            <-  68:a3:c4:c9:xx:xx  d8:c7:c8:bf:xx:xx                  1    5     

Mar 21 13:32:55  station-up             *  68:a3:c4:c9:xx:xx  d8:c7:c8:bf:xx:xx                  -    -     wpa tkip

Mar 21 13:32:55  eap-id-req            <-  68:a3:c4:c9:xx:xx  d8:c7:c8:bf:xx:xx                  1    5     

Mar 21 13:32:55  eap-start             ->  68:a3:c4:c9:xx:xx  d8:c7:c8:bf:xx:xx                  -    -     

Mar 21 13:32:55  eap-id-req            <-  68:a3:c4:c9:xx:xx  d8:c7:c8:bf:xx:xx                  1    5     

Mar 21 13:32:56  station-up             *  68:a3:c4:c9:xx:xx  d8:c7:c8:bf:xx:xx                  -    -     wpa tkip

 

over and over again, credentials are never passed and authentication servers don't get into the mix, which is different from a successful logon. I don't understand what the command reference guide is telling me about the arrows andif this is on the client or server side. 

 

Alert a Moderator
Message 3 of 10 (1,723 Views)
Reply
0 Kudos
Moderator<br /><img src="/html/assets/ArubaGuruRank.png" />
Moderator
cjoseph
Posts: 8,234
Registered: ‎03-29-2007

Re: deauth to sta

Options

‎03-21-2012 08:35 PM

Are you sure the client is configured with the right encryption?

 

Alert a Moderator
Message 4 of 10 (1,721 Views)
Reply
0 Kudos
scottwe
Occasional Contributor II
scottwe
Posts: 19
Registered: ‎11-16-2010

Re: deauth to sta

Options

‎03-26-2012 01:49 PM

yes. we went through and manually set it for wpa2-enterprise and aes as a test, still could not get it to go. we run in mixed mode, either tkip or aes is valid.

Alert a Moderator
Message 5 of 10 (1,703 Views)
Reply
0 Kudos
Moderator<br /><img src="/html/assets/ArubaGuruRank.png" />
Moderator
cjoseph
Posts: 8,234
Registered: ‎03-29-2007

Re: deauth to sta

Options

‎03-26-2012 02:44 PM

Are these 802.11n access points?  If so, the 802.11n standard only allows cipher types of AES and Open.  TKIP is not allowed.

 

Alert a Moderator
Message 6 of 10 (1,701 Views)
Reply
0 Kudos
scottwe
Occasional Contributor II
scottwe
Posts: 19
Registered: ‎11-16-2010

Re: deauth to sta

Options

‎03-28-2012 03:06 PM

They are N. Good point. When I manually configure the client to use WPA2 and AES (which I can see using the command you gave me, thanks again) they still cannot connect. I'm beginning to think it is the clients system but it is at a remote location and the clientdoes not have other devices available to test with.

Alert a Moderator
Message 7 of 10 (1,693 Views)
Reply
0 Kudos
Moderator<br /><img src="/html/assets/ArubaGuruRank.png" />
Moderator
cjoseph
Posts: 8,234
Registered: ‎03-29-2007

Re: deauth to sta

Options

‎03-28-2012 06:19 PM

You probably want to open a case so that they can see the full picture...  Has this EVER worked?

 

Alert a Moderator
Message 8 of 10 (1,691 Views)
Reply
0 Kudos
scottwe
Occasional Contributor II
scottwe
Posts: 19
Registered: ‎11-16-2010

Re: deauth to sta

Options

‎04-06-2012 08:35 AM

With this device no it has never worked. Other devices, yes.

Alert a Moderator
Message 9 of 10 (1,669 Views)
Reply
0 Kudos
Moderator<br /><img src="/html/assets/ArubaGuruRank.png" />
Moderator
cjoseph
Posts: 8,234
Registered: ‎03-29-2007

Re: deauth to sta

Options

‎04-06-2012 09:32 AM

Have you considered upgrading the client drivers?

 

Alert a Moderator
Message 10 of 10 (1,665 Views)
Reply
0 Kudos