Security, WIDS/WIPS and Aruba ECS

Occasional Contributor I
Posts: 9
Registered: ‎11-18-2010

RADIUS IAS Machine Authenticates but User doesn't

We have a strange problem with our Aruba and IAS wireless setup. Basically the machine authenticates fine in IAS, which means a user can begin to log onto Windows.

Once logged on, about 3 mins later the user is kicked off wireless. Looking in the IAS logs, it shows Event 2, Reason 262, which points to certificate errors, but only ever for the user and never the computer name. I have checked the certs and they are all valid and in date, and I even created a new CA and it still has the same problem. Does the computer authentication not use certificates in the same way? The certificates have been installed both manually and through GPO, and the same result is seen for both.

Strangely, if you connect via a wire and then repair the wireless connection, it will connect with no issues and stay connected; looking in the IAS logs, the user is validated in IAS as well as the computer. Rather strange!

Has anyone come across this error, and is there any debugging that I could run on the Aruba to see the communication to get a bit more info on the situation?

Clients are all XP SP3 and the server is 2k3 with IAS and CA installed.

Hope someone can shed more light on the situation!

James
Guru Elite
Posts: 20,960
Registered: ‎03-29-2007

Re: RADIUS IAS Machine Authenticates but User doesn't

Can you print the Event Viewer message for the machine pass as well as the user failure?


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor I
Posts: 9
Registered: ‎11-18-2010

Re: RADIUS IAS Machine Authenticates but User doesn't

Yeah sure, from our IAS server:

User:
User CSE2K\jpsuper was denied access.
Fully-Qualified-User-Name = Test.Local/CSE/Supervisors/JPsuper
NAS-IP-Address = 10.14.68.53
NAS-Identifier = 10.14.68.53
Called-Station-Identifier = 000B8661F0C8
Calling-Station-Identifier = 0026B6FEA7AA
Client-Friendly-Name = Aruba3400
Client-IP-Address = 10.14.68.(Aruba Controller IP)
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 1
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server =
Policy-Name = SMRT Wireless Supervisors Authentication
Authentication-Type = PEAP
EAP-Type =
Reason-Code = 262
Reason = The supplied message is incomplete. The signature was not verified.

Computer:
User host/P530HUM-15.Test.Local was granted access.
Fully-Qualified-User-Name = Test.Local/XP Stations/CSE Managed Stations/NetAdmin/Certificate testing/P530HUM-15
NAS-IP-Address = 10.14.68.53
NAS-Identifier = 10.14.68.53
Client-Friendly-Name = Aruba3400
Client-IP-Address = 10.14.68.(Aruba controller IP)
Calling-Station-Identifier = 0026B6FEA7AA
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 1
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server =
Policy-Name = SMRT Wireless Computers Authentication
Authentication-Type = PEAP
EAP-Type = Secured password (EAP-MSCHAP v2)
Guru Elite
Posts: 20,960
Registered: ‎03-29-2007

Re: RADIUS IAS Machine Authenticates but User doesn't

On the face of it, your computers are hitting one policy and your users are hitting another. "The message signature is not complete" usually means that the certificate in your remote access policy on IAS (SMRT Wireless Supervisors Authentication) is not trusted by the device. Please check to make sure that the certificate in that remote access policy (SMRT Wireless Supervisors Authentication) is trusted by your computer. Open the policy, navigate just like the pic below and click on Edit to check the status of the certificate. It could be either old or erroneous:



Colin Joseph
Aruba Customer Engineering


Occasional Contributor I
Posts: 9
Registered: ‎11-18-2010

Re: RADIUS IAS Machine Authenticates but User doesn't

These are the screenshots from our setup. The computer cert being used is the same as the user cert, which is what is confusing me. I assumed they would have both used the same trusted root certificates on the client end as well, so they would have either both been denied or both allowed, but not one of each!

Rather strange, it seems. I am not great on certificates, btw; is there a way of testing validation of the certificates and seeing if one would be trusted? I have manually exported the CA root certificate from the server and installed it in the local computer Trusted Root certificate store of the client, but we get the same result. I would have assumed this would have ensured validation, as both certificates are in date and not part of a CRL.

Thanks for your help :)
Guru Elite
Posts: 20,960
Registered: ‎03-29-2007

Re: RADIUS IAS Machine Authenticates but User doesn't

Why is MSCHAPv2 NOT checked? That is essential.


Colin Joseph
Aruba Customer Engineering


Occasional Contributor I
Posts: 9
Registered: ‎11-18-2010

Re: RADIUS IAS Machine Authenticates but User doesn't

I have enabled MS-CHAPv2 and now get an Event 2, Reason 16:

User CSE2K\jpsuper was denied access.
Fully-Qualified-User-Name = Test.Local/CSE/Supervisors/JPsuper
NAS-IP-Address = 10.14.68.53
NAS-Identifier = 10.14.68.53
Called-Station-Identifier = 000B8661F0C8
Calling-Station-Identifier = 0026B6FEA7AA
Client-Friendly-Name = Aruba3400
Client-IP-Address = 10.14.68.138
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 1
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server =
Policy-Name = SMRT Wireless Supervisors Authentication
Authentication-Type = PEAP
EAP-Type =
Reason-Code = 16
Reason = Authentication was not successful because an unknown user name or incorrect password was used.

It is definitely the correct password, as I'm currently logged on to the PC :)
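As an added example (not from this thread, nor Aruba's or Microsoft's code), a small Python parser for the IAS event text quoted in this post and in the earlier one: it diffs the denied-user record against the granted-machine record so that the Policy-Name and EAP-Type differences stand out, and maps the two Reason-Codes seen in the thread (262 and 16) to the explanations the replies give. The sample records are constructed from the attribute lines quoted above, trimmed to the attributes that matter here.

```python
# Added example, not from the thread: parse IAS "granted/denied access" event
# text, diff two records, and hint at the cause from Reason-Code and EAP-Type.
USER_DENIED = """User CSE2K\\jpsuper was denied access.
Fully-Qualified-User-Name = Test.Local/CSE/Supervisors/JPsuper
Policy-Name = SMRT Wireless Supervisors Authentication
Authentication-Type = PEAP
EAP-Type =
Reason-Code = 262
Reason = The supplied message is incomplete. The signature was not verified."""

MACHINE_GRANTED = """User host/P530HUM-15.Test.Local was granted access.
Fully-Qualified-User-Name = Test.Local/XP Stations/CSE Managed Stations/NetAdmin/Certificate testing/P530HUM-15
Policy-Name = SMRT Wireless Computers Authentication
Authentication-Type = PEAP
EAP-Type = Secured password (EAP-MSCHAP v2)"""

# Reason-Code meanings as the thread explains them (not an exhaustive IAS table).
REASONS = {
    "262": "PEAP exchange did not complete; check the policy's server certificate trust",
    "16": "user name or password rejected by the domain",
}

def parse_event(text):
    """Return {attribute: value}; the first line is summarised as 'Outcome'."""
    lines = text.strip().splitlines()
    rec = {"Outcome": "granted" if "granted access" in lines[0] else "denied"}
    for line in lines[1:]:
        key, _, val = line.partition("=")   # value may be empty, e.g. "EAP-Type ="
        rec[key.strip()] = val.strip()
    return rec

def diff_events(a, b):
    """Attributes whose values differ between two parsed records (missing -> None)."""
    return {k: (a.get(k), b.get(k)) for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)}

def diagnose(rec):
    # An empty EAP-Type means no inner method was negotiated, which is the
    # "MSCHAPv2 not checked" condition the reply above calls essential.
    if rec["Outcome"] == "granted":
        return "granted"
    code = rec.get("Reason-Code", "")
    hint = REASONS.get(code, "reason code not covered here")
    if not rec.get("EAP-Type"):
        hint += "; EAP-Type is empty, so no inner method (MS-CHAPv2) was negotiated"
    return f"Reason-Code {code}: {hint}"

if __name__ == "__main__":
    user, machine = parse_event(USER_DENIED), parse_event(MACHINE_GRANTED)
    print(diagnose(user))
    for k, (u, m) in diff_events(user, machine).items():
        print(f"{k}: user={u!r} machine={m!r}")
```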
Guru Elite
Posts: 20,960
Registered: ‎03-29-2007

Re: RADIUS IAS Machine Authenticates but User doesn't

Please do a line-by-line comparison of both policies.

You don't have EAP termination on in the 802.1x profile of the Aruba Controller, do you?


Colin Joseph
Aruba Customer Engineering


Occasional Contributor I
Posts: 9
Registered: ‎11-18-2010

Re: RADIUS IAS Machine Authenticates but User doesn't

Just to confirm:

Security > Authentication > Profiles > > AAA Profile > 802.1x Profile

Termination is off currently as per screenshot.

The two policies are also shown in the screenshots; they are very simple, both use the same certificate and now have MS-CHAPv2 enabled.
Guru Elite
Posts: 20,960
Registered: ‎03-29-2007

Re: RADIUS IAS Machine Authenticates but User doesn't

Can you temporarily drop the "Windows Groups" condition from both remote access policies and move the Wireless Supervisors remote access policy down in the list and try again?


Colin Joseph
Aruba Customer Engineering
