Network Management


Certificate Authority For Windows Connection

  • 1.  Certificate Authority For Windows Connection

    Posted Sep 22, 2017 04:36 AM

    We have 2 controllers, a Master and a Slave, at different locations.

    We have bought a Certificate Authority for Windows connection using the domain, so that the client connects automatically without typing a username and password; they just tick the box and the domain username appears.

    We have uploaded the Certificate Authority and implemented it on the Master successfully. We have also uploaded the Certificate Authority and implemented it on the Slave, but without success. The client cannot connect. We need your help to solve this case.



  • 2.  RE: Certificate Authority For Windows Connection

    EMPLOYEE
    Posted Sep 22, 2017 11:38 AM

    Are you using the Captive Portal for Authentication or 802.1x for authentication?

    Are you using termination?



  • 3.  RE: Certificate Authority For Windows Connection

    Posted Sep 24, 2017 09:58 PM

    Hi Colin,

    I am using 802.1x for authentication and termination.



  • 4.  RE: Certificate Authority For Windows Connection

    EMPLOYEE
    Posted Sep 24, 2017 11:33 PM

    Did you upload your own server certificate, or are you using the one built into the controller?

     



  • 5.  RE: Certificate Authority For Windows Connection

    Posted Sep 24, 2017 11:47 PM

    Hi Colin,

     

    We have created it using OpenSSL from DigiCert and uploaded it to the Master Controller. It was successful there, but it is not working on the Slave Controller.



  • 6.  RE: Certificate Authority For Windows Connection

    EMPLOYEE
    Posted Sep 25, 2017 02:51 AM

    How is the slave controller configured? Is it a local, a backup master or a standalone master?

     

    Try to authenticate a client to the second controller and then type "show auth-tracebuf" on the commandline to see what the problem could be.



  • 7.  RE: Certificate Authority For Windows Connection

    Posted Sep 25, 2017 03:32 AM

    Hi Colin,

     

    It is Master-Master local.

    (Smart-Fren_Sabang) #show auth-tracebuf

    Auth Trace Buffer
    -----------------
    Sep 25 14:23:36  station-tls-alert   *     e4:42:a6:1b:fd:c8  04:bd:88:39:f6:50/NewIAS-802.1X  48   2    failure
    Sep 25 14:23:36  station-term-end       *  e4:42:a6:1b:fd:c8  04:bd:88:39:f6:50/NewIAS-802.1X  1    -    failure
    Sep 25 14:23:36  eap-failure           <-  e4:42:a6:1b:fd:c8  04:bd:88:39:f6:50/NewIAS-802.1X  -    4    
    Sep 25 14:23:36  station-down           *  e4:42:a6:1b:fd:c8  04:bd:88:39:f6:50                -    -    
    Sep 25 14:23:36  server-finish         <-  c8:21:58:26:f8:3b  04:bd:88:39:f6:50/NewIAS-802.1X  -    61   
    Sep 25 14:23:38  server-finish         <-  d8:5d:e2:58:72:3b  04:bd:88:3a:04:c0/NewIAS-802.1X  -    61   
    Sep 25 14:23:38  station-up             *  e4:42:a6:1b:fd:c8  04:bd:88:39:f6:50                -    -    wpa2 aes
    Sep 25 14:23:38  station-term-start     *  e4:42:a6:1b:fd:c8  04:bd:88:39:f6:50                408  -    
    Sep 25 14:23:38  eap-term-start        ->  e4:42:a6:1b:fd:c8  04:bd:88:39:f6:50/NewIAS-802.1X  -    -    
    Sep 25 14:23:38  station-term-start     *  e4:42:a6:1b:fd:c8  04:bd:88:39:f6:50                408  -    
    Sep 25 14:23:38  client-finish         ->  2c:33:7a:00:65:2f  04:bd:88:3a:04:40/NewIAS-802.1X  -    -    
    Sep 25 14:23:38  server-finish         <-  2c:33:7a:00:65:2f  04:bd:88:3a:04:40/NewIAS-802.1X  -    61   
    Sep 25 14:23:38  station-tls-alert   *     e4:42:a6:1b:fd:c8  04:bd:88:39:f6:50/NewIAS-802.1X  48   2    failure
    Sep 25 14:23:38  station-term-end       *  e4:42:a6:1b:fd:c8  04:bd:88:39:f6:50/NewIAS-802.1X  1    -    failure
    Sep 25 14:23:38  eap-failure           <-  e4:42:a6:1b:fd:c8  04:bd:88:39:f6:50/NewIAS-802.1X  -    4    
    Sep 25 14:23:38  station-down           *  e4:42:a6:1b:fd:c8  04:bd:88:39:f6:50                -    -    
    Sep 25 14:23:38  station-up             *  68:a3:c4:83:dd:90  04:bd:88:3a:05:c0                -    -    wpa2 aes
    Sep 25 14:23:38  station-term-start     *  68:a3:c4:83:dd:90  04:bd:88:3a:05:c0                408  -    
    Sep 25 14:23:38  eap-term-start        ->  68:a3:c4:83:dd:90  04:bd:88:3a:05:c0/NewIAS-802.1X  -    -    
    Sep 25 14:23:38  station-term-start     *  68:a3:c4:83:dd:90  04:bd:88:3a:05:c0                408  -    
    Sep 25 14:23:38  server-finish         <-  c8:21:58:a0:5d:cf  04:bd:88:3a:0a:f0/NewIAS-802.1X  -    61   
    Sep 25 14:23:38  server-finish-ack     ->  2c:33:7a:00:65:2f  04:bd:88:3a:04:40/NewIAS-802.1X  -    -    
    Sep 25 14:23:38  inner-eap-id-req      <-  2c:33:7a:00:65:2f  04:bd:88:3a:04:40/NewIAS-802.1X  -    35   
    Sep 25 14:23:38  inner-eap-id-resp     ->  2c:33:7a:00:65:2f  04:bd:88:3a:04:40/NewIAS-802.1X  -    -    WIRELESS\indry.nugraha
    Sep 25 14:23:38  eap-mschap-chlg       <-  2c:33:7a:00:65:2f  04:bd:88:3a:04:40/NewIAS-802.1X  -    67   
    Sep 25 14:23:39  eap-mschap-response   ->  2c:33:7a:00:65:2f  04:bd:88:3a:04:40/NewIAS-802.1X  7    49   
    Sep 25 14:23:39  mschap-request        ->  2c:33:7a:00:65:2f  04:bd:88:3a:04:40/NewIAS-802.1X  7    -    WIRELESS\indry.nugraha
    Sep 25 14:23:39  mschap-response       <-  2c:33:7a:00:65:2f  04:bd:88:3a:04:40/IAS-SVR        -    -    WIRELESS\indry.nugraha
    Sep 25 14:23:39  eap-mschap-success    <-  2c:33:7a:00:65:2f  04:bd:88:3a:04:40/NewIAS-802.1X  -    83   
    Sep 25 14:23:39  station-down           *  00:28:f8:21:2a:50  04:bd:88:3a:04:d2                -    -    
    Sep 25 14:23:39  station-up             *  00:28:f8:21:2a:50  04:bd:88:3a:04:c2                -    -    wpa2 psk aes
    Sep 25 14:23:39  wpa2-key1             <-  00:28:f8:21:2a:50  04:bd:88:3a:04:c2                -    117  
    Sep 25 14:23:39  wpa2-key2             ->  00:28:f8:21:2a:50  04:bd:88:3a:04:c2                -    119  
    Sep 25 14:23:39  wpa2-key3             <-  00:28:f8:21:2a:50  04:bd:88:3a:04:c2                -    151  
    Sep 25 14:23:39  wpa2-key4             ->  00:28:f8:21:2a:50  04:bd:88:3a:04:c2                -    95   
    Sep 25 14:23:39  server-finish         <-  84:4b:f5:4d:b8:4f  04:bd:88:3a:03:a0/NewIAS-802.1X  -    61   
    Sep 25 14:23:39  server-finish         <-  84:4b:f5:15:35:d6  04:bd:88:3a:08:a0/NewIAS-802.1X  -    61   
    Sep 25 14:23:40  station-up             *  e4:42:a6:1b:fd:c8  04:bd:88:39:f6:50                -    -    wpa2 aes
    Sep 25 14:23:40  station-term-start     *  e4:42:a6:1b:fd:c8  04:bd:88:39:f6:50                408  -    
    Sep 25 14:23:40  eap-term-start        ->  e4:42:a6:1b:fd:c8  04:bd:88:39:f6:50/NewIAS-802.1X  -    -    
    Sep 25 14:23:40  station-term-start     *  e4:42:a6:1b:fd:c8  04:bd:88:39:f6:50                408  -    
    Sep 25 14:23:40  station-tls-alert   *     e4:42:a6:1b:fd:c8  04:bd:88:39:f6:50/NewIAS-802.1X  48   2    failure
    Sep 25 14:23:40  station-term-end       *  e4:42:a6:1b:fd:c8  04:bd:88:39:f6:50/NewIAS-802.1X  1    -    failure
    Sep 25 14:23:40  eap-failure           <-  e4:42:a6:1b:fd:c8  04:bd:88:39:f6:50/NewIAS-802.1X  -    4    
    Sep 25 14:23:40  station-down           *  e4:42:a6:1b:fd:c8  04:bd:88:39:f6:50                -    -    
    Sep 25 14:23:40  eap-failure           <-  1c:65:9d:de:d6:14  04:bd:88:3a:03:a0/NewIAS-802.1X  -    4    
    Sep 25 14:23:40  station-down           *  1c:65:9d:de:d6:14  04:bd:88:3a:03:a0                -    -    
    Sep 25 14:23:40  server-finish         <-  e4:a4:71:f3:44:ea  70:3a:0e:3b:0d:b0/NewIAS-802.1X  -    61   
    Sep 25 14:23:40  eap-failure           <-  c8:21:58:16:17:46  04:bd:88:3a:05:c0/NewIAS-802.1X  -    4    
    Sep 25 14:23:41  station-down           *  c8:21:58:16:17:46  04:bd:88:3a:05:c0                -    -    
    Sep 25 14:23:41  station-up             *  c8:21:58:16:17:46  04:bd:88:3a:05:d0                -    -    wpa2 aes
    Sep 25 14:23:41  station-term-start     *  c8:21:58:16:17:46  04:bd:88:3a:05:d0                408  -    
    Sep 25 14:23:41  eap-term-start        ->  c8:21:58:16:17:46  04:bd:88:3a:05:d0/NewIAS-802.1X  -    -    
    Sep 25 14:23:41  station-term-start     *  c8:21:58:16:17:46  04:bd:88:3a:05:d0                408  -    
    Sep 25 14:23:41  client-finish         ->  c8:21:58:16:17:46  04:bd:88:3a:05:d0/NewIAS-802.1X  -    -    
    Sep 25 14:23:41  server-finish         <-  c8:21:58:16:17:46  04:bd:88:3a:05:d0/NewIAS-802.1X  -    61   
    Sep 25 14:23:41  server-finish         <-  84:4b:f5:b0:ff:c3  70:3a:0e:3b:06:80/NewIAS-802.1X  -    61   
    Sep 25 14:23:41  station-term-end       *  c8:21:58:9e:0a:70  04:bd:88:3a:04:50/NewIAS-802.1X  43   -    failure
    Sep 25 14:23:41  station-down           *  c8:21:58:9e:0a:70  04:bd:88:3a:04:50                -    -    
    Sep 25 14:23:41  server-finish         <-  d0:57:7b:07:cc:0e  04:bd:88:3a:04:90/NewIAS-802.1X  -    61   
    Sep 25 14:23:41  station-up             *  c8:21:58:9e:0a:70  04:bd:88:3a:04:50                -    -    wpa2 aes
    Sep 25 14:23:41  station-term-start     *  c8:21:58:9e:0a:70  04:bd:88:3a:04:50                408  -    
    Sep 25 14:23:41  eap-term-start        ->  c8:21:58:9e:0a:70  04:bd:88:3a:04:50/NewIAS-802.1X  -    -    
    Sep 25 14:23:41  station-term-start     *  c8:21:58:9e:0a:70  04:bd:88:3a:04:50                408  -    
    Sep 25 14:23:41  station-up             *  e4:42:a6:1b:fd:c8  04:bd:88:39:f6:50                -    -    wpa2 aes
    Sep 25 14:23:41  station-term-start     *  e4:42:a6:1b:fd:c8  04:bd:88:39:f6:50                408  -    
    Sep 25 14:23:41  eap-term-start        ->  e4:42:a6:1b:fd:c8  04:bd:88:39:f6:50/NewIAS-802.1X  -    -    
    Sep 25 14:23:41  station-term-start     *  e4:42:a6:1b:fd:c8  04:bd:88:39:f6:50                408  -    
    Sep 25 14:23:41  server-finish         <-  c8:21:58:26:f8:3b  04:bd:88:39:f6:50/NewIAS-802.1X  -    61   
    Sep 25 14:23:42  station-tls-alert   *     e4:42:a6:1b:fd:c8  04:bd:88:39:f6:50/NewIAS-802.1X  48   2    failure
    Sep 25 14:23:42  station-term-end       *  e4:42:a6:1b:fd:c8  04:bd:88:39:f6:50/NewIAS-802.1X  1    -    failure
    Sep 25 14:23:42  eap-failure           <-  e4:42:a6:1b:fd:c8  04:bd:88:39:f6:50/NewIAS-802.1X  -    4   
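
    The trace above is easier to read when the lines are grouped per station MAC and the TLS alert code is decoded. The following script is an added example (not part of the thread or of ArubaOS) that parses auth-tracebuf output in the shape quoted above and reports, per station, where the EAP-termination handshake stopped. It assumes, as the column positions suggest but the page does not document, that for a station-tls-alert line the first numeric column is the TLS alert description and the second its level (RFC 5246 numbering, where 2 is fatal and 48 is unknown_ca). The sample input is constructed from a few lines of the trace; on it, station e4:42:a6:1b:fd:c8 never reaches client-finish and ends with a fatal unknown_ca alert, while c8:21:58:16:17:46 completes the tunnel. An unknown_ca alert before the client's Finished message means the sender does not trust the issuing CA, which is consistent with the thread's later statement that no CA was installed on the Windows clients.

```python
import re

# Constructed sample, shaped like the "show auth-tracebuf" output quoted in the
# thread: one station that fails at the TLS handshake and one that completes it.
SAMPLE_TRACE = """\
Auth Trace Buffer
-----------------
Sep 25 14:23:38  station-up             *  e4:42:a6:1b:fd:c8  04:bd:88:39:f6:50                -    -    wpa2 aes
Sep 25 14:23:38  station-term-start     *  e4:42:a6:1b:fd:c8  04:bd:88:39:f6:50                408  -
Sep 25 14:23:38  eap-term-start        ->  e4:42:a6:1b:fd:c8  04:bd:88:39:f6:50/NewIAS-802.1X  -    -
Sep 25 14:23:38  station-tls-alert   *     e4:42:a6:1b:fd:c8  04:bd:88:39:f6:50/NewIAS-802.1X  48   2    failure
Sep 25 14:23:38  station-term-end       *  e4:42:a6:1b:fd:c8  04:bd:88:39:f6:50/NewIAS-802.1X  1    -    failure
Sep 25 14:23:38  eap-failure           <-  e4:42:a6:1b:fd:c8  04:bd:88:39:f6:50/NewIAS-802.1X  -    4
Sep 25 14:23:41  station-up             *  c8:21:58:16:17:46  04:bd:88:3a:05:d0                -    -    wpa2 aes
Sep 25 14:23:41  eap-term-start        ->  c8:21:58:16:17:46  04:bd:88:3a:05:d0/NewIAS-802.1X  -    -
Sep 25 14:23:41  client-finish         ->  c8:21:58:16:17:46  04:bd:88:3a:05:d0/NewIAS-802.1X  -    -
Sep 25 14:23:41  server-finish         <-  c8:21:58:16:17:46  04:bd:88:3a:05:d0/NewIAS-802.1X  -    61
"""

# TLS alert descriptions and levels, RFC 5246 section 7.2.2.
TLS_ALERT_DESCRIPTIONS = {
    40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired", 46: "certificate_unknown",
    47: "illegal_parameter", 48: "unknown_ca", 49: "access_denied",
    50: "decode_error", 51: "decrypt_error", 70: "protocol_version",
    71: "insufficient_security", 80: "internal_error", 110: "unsupported_extension",
}
TLS_ALERT_LEVELS = {1: "warning", 2: "fatal"}

# timestamp, event, direction, station MAC, AP/server, two numeric columns, note
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<event>\S+)\s+(?P<dir>\*|<-|->)\s+"
    r"(?P<station>[0-9a-f]{2}(?::[0-9a-f]{2}){5})\s+"
    r"(?P<peer>\S+)\s+(?P<f1>\S+)\s+(?P<f2>\S+)(?:\s+(?P<note>.*))?$"
)


def parse_tracebuf(text):
    """Return one dict per trace line; header, rule and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.rstrip())
        if m:
            entries.append(m.groupdict())
    return entries


def describe_alert(f1, f2):
    """Decode the two numeric columns of a station-tls-alert line.

    Assumption (not documented on the page): f1 is the TLS alert description
    and f2 the alert level, as the column positions in the trace suggest.
    """
    try:
        desc, level = int(f1), int(f2)
    except ValueError:
        return "unparsed alert (%s, %s)" % (f1, f2)
    return "%s %s (%d)" % (TLS_ALERT_LEVELS.get(level, "level%d" % level),
                           TLS_ALERT_DESCRIPTIONS.get(desc, "alert"), desc)


def diagnose_stations(text):
    """Group trace lines by station MAC and say where each EAP session ended."""
    stations = {}
    for e in parse_tracebuf(text):
        s = stations.setdefault(e["station"], {
            "alert": None, "client_finish": False,
            "server_finish": False, "eap_failure": False})
        ev = e["event"]
        if ev == "station-tls-alert":
            s["alert"] = describe_alert(e["f1"], e["f2"])
        elif ev == "client-finish":
            s["client_finish"] = True
        elif ev == "server-finish":
            s["server_finish"] = True
        elif ev == "eap-failure":
            s["eap_failure"] = True
    for s in stations.values():
        if s["alert"] and not s["client_finish"]:
            # The peer aborted before sending Finished: the handshake itself
            # was rejected, typically the server certificate or its chain.
            s["verdict"] = "TLS handshake aborted before client Finished"
        elif s["client_finish"] and s["server_finish"]:
            s["verdict"] = "TLS tunnel established"
        elif s["eap_failure"]:
            s["verdict"] = "EAP failed without a TLS alert"
        else:
            s["verdict"] = "incomplete in this capture"
    return stations


def tls_failures(text):
    """Stations whose session died at the TLS handshake, with the decoded alert."""
    return sorted((mac, s["alert"]) for mac, s in diagnose_stations(text).items()
                  if s["verdict"].startswith("TLS handshake aborted"))


if __name__ == "__main__":
    for mac, s in diagnose_stations(SAMPLE_TRACE).items():
        print(mac, "->", s["verdict"], s["alert"] or "")
```

    Run it against a saved copy of the full trace to get one verdict per station instead of scanning hundreds of interleaved lines; a fatal unknown_ca on every attempt from one client, with other stations completing client-finish and server-finish on the same SSID, points at trust of the server certificate on that client rather than at the RADIUS or LDAP back end.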



  • 8.  RE: Certificate Authority For Windows Connection

    EMPLOYEE
    Posted Sep 25, 2017 03:38 AM

    Is this a Windows client that you are having problems with? Did you try a mobile client? If it is Windows, the client would have to be configured manually. Windows does not easily connect automatically to an 802.1x SSID the first time unless it is preconfigured.

     

    Again, we would have to see details on how you installed that Certificate onto the controller and how you installed the CA to the client to understand what could be going wrong.



  • 9.  RE: Certificate Authority For Windows Connection

    Posted Sep 25, 2017 04:20 AM

    Hi Colin,

     

    We have the problem only on Windows clients. Mobile and Linux clients have no problem.

    Here is how we upload the certificate on the controller.

    Configuration > Management > Certificates > Upload:

    Upload the root, intermediate and server certificate, selecting the type under "Certificate Type".

    We did not install any CA on the client.



  • 10.  RE: Certificate Authority For Windows Connection

    EMPLOYEE
    Posted Sep 25, 2017 08:38 AM

    The only thing I can think of is that you should have uploaded the certificate under the same "Name" on the master and the local, otherwise the controller will not reference it in the configuration. In the 802.1x profile, you can determine which certificate is used. That name should have been the same when you uploaded it to the local controller, otherwise it might be using the built-in certificate.



  • 11.  RE: Certificate Authority For Windows Connection

    Posted Sep 25, 2017 10:28 PM

    Hi Colin,

     

    We have created and uploaded the certificate with the same name, and the same configuration as on the Master. In the 802.1x profile the certificate in use is set. But it is still not working on the Slave Controller.



  • 12.  RE: Certificate Authority For Windows Connection

    EMPLOYEE
    Posted Sep 25, 2017 11:27 PM

    1. Use a RADIUS server
    2. Use either an EAP server certificate issued from your internal CA or an EAP server certificate issued from a public CA and configure the clients appropriately.


  • 13.  RE: Certificate Authority For Windows Connection

    EMPLOYEE
    Posted Sep 26, 2017 03:53 AM

    Tim C is absolutely correct.

     

    I have been answering questions from users who are loading RADIUS server certificates onto controllers in order to do 802.1x, enabling termination and connecting it to an LDAP server. The proper way is to get a RADIUS server (if you have Windows, NPS is free), put a server certificate on that device and authenticate your controller to that. Using termination with LDAP was only used in the past for 802.1x when you did not have a RADIUS server, and it was considered a workaround due to its drawbacks. With an external RADIUS server, you just point your controllers at the RADIUS server that has a server certificate and you are done. Details on how to do that are here: http://community.arubanetworks.com/t5/ArubaOS-and-Controllers/Step-by-Step-How-to-Configure-Microsoft-NPS-2008-Radius-Server/m-p/14392/highlight/true#M6113

     

    Please note that this is separate from loading a public server certificate onto controllers for captive portal, which is necessary to avoid invalid certificate errors...



  • 14.  RE: Certificate Authority For Windows Connection

    Posted Oct 01, 2017 11:24 PM

    Already solved, using a new certificate and termination in the Controller.