MVP

After many retries, 802.1x authentication is disabled in profile

My Aruba OS 6.1.2.5
Problem: an iPod touch user tried many times to authenticate with PEAP 802.1x and is now probably locked out by the controller (see log: "802.1x authentication is disabled in profile"). And today, after more than 12 hours, EAPOL is still being dropped.
Questions:
1. What is "802.1x authentication is disabled in profile"?
2. Anyway to re-enable authentication?


Thanks.


(WC02) #show log all | include 00:26:b0:2f:aa:79
Apr  2 16:38:02  authmgr[1641]: <132053> <ERRS> |authmgr|  Dropping the radius packet for Station 00:26:b0:2f:aa:79 00:0b:86:50:f9:e1 doing 802.1x
Apr  2 16:38:02  authmgr[1641]: <132053> <ERRS> |authmgr|  Dropping the radius packet for Station 00:26:b0:2f:aa:79 00:0b:86:50:f9:e1 doing 802.1x
Apr  2 16:38:25  authmgr[1641]: <132053> <ERRS> |authmgr|  Dropping the radius packet for Station 00:26:b0:2f:aa:79 00:0b:86:50:f9:e1 doing 802.1x
Apr  2 16:38:25  authmgr[1641]: <132053> <ERRS> |authmgr|  Dropping the radius packet for Station 00:26:b0:2f:aa:79 00:0b:86:50:f9:e1 doing 802.1x
Apr  2 16:38:25  authmgr[1641]: <132197> <ERRS> |authmgr|  Maximum number of retries was attempted for station ngutri 00:26:b0:2f:aa:79 00:0b:86:50:f9:e1, deauthenticating the station
Apr  2 16:38:25  authmgr[1641]: <132197> <ERRS> |authmgr|  Maximum number of retries was attempted for station ngutri 00:26:b0:2f:aa:79 00:0b:86:50:f9:e1, deauthenticating the station
Apr  2 16:43:51  authmgr[1641]: <132030> <ERRS> |authmgr|  Dropping EAPOL packet sent by Station 00:26:b0:2f:aa:79 00:0b:86:50:f9:e1
Apr  2 16:43:51  authmgr[1641]: <132030> <ERRS> |authmgr|  Dropping EAPOL packet sent by Station 00:26:b0:2f:aa:79 00:0b:86:50:f9:e1
Apr  2 16:47:05  authmgr[1641]: <132023> <ERRS> |authmgr|  802.1x authentication is disabled in profile  Station 00:26:b0:2f:aa:79 00:0b:86:50:f9:e0
Apr  2 16:47:05  authmgr[1641]: <132023> <ERRS> |authmgr|  802.1x authentication is disabled in profile  Station 00:26:b0:2f:aa:79 00:0b:86:50:f9:e0
Apr  2 16:47:05  authmgr[1641]: <132030> <ERRS> |authmgr|  Dropping EAPOL packet sent by Station 00:26:b0:2f:aa:79 00:0b:86:50:f9:e0
Apr  2 16:47:05  authmgr[1641]: <132030> <ERRS> |authmgr|  Dropping EAPOL packet sent by Station 00:26:b0:2f:aa:79 00:0b:86:50:f9:e0
Apr  3 08:25:13  authmgr[1641]: <132030> <ERRS> |authmgr|  Dropping EAPOL packet sent by Station 00:26:b0:2f:aa:79 00:0b:86:50:f9:e1
Apr  3 08:25:13  authmgr[1641]: <132030> <ERRS> |authmgr|  Dropping EAPOL packet sent by Station 00:26:b0:2f:aa:79 00:0b:86:50:f9:e1

(WC02) #


~Trinh Nguyen~
Boys Town
Aruba Employee

Re: After many retries, 802.1x authentication is disabled in profile

Would it be possible for you to share some config?

'show aaa profile xyz'

'show aaa auth dot1x abc'


MVP

Re: After many retries, 802.1x authentication is disabled in profile

Here are the profiles:

Note: for troubleshooting this problem, I made all roles in these profiles (COMPUTER-ROLE, PDA-ROLE, and EMPLOYEE-ROLE) "allow all".


(WC01) #show aaa authentication dot1x DOT1X-PF

802.1X Authentication Profile "DOT1X-PF"
----------------------------------------
Parameter                                                  Value
---------                                                  -----
Max authentication failures                                0
Enforce Machine Authentication                             Disabled
Machine Authentication: Default Machine Role               COMPUTER-ROLE
Machine Authentication Cache Timeout                       12 hr(s)
Blacklist on Machine Authentication Failure                Disabled
Machine Authentication: Default User Role                  PDA-ROLE
Interval between Identity Requests                         30 sec
Quiet Period after Failed Authentication                   30 sec
Reauthentication Interval                                  86400 sec
Use Server provided Reauthentication Interval              Disabled
Multicast Key Rotation Time Interval                       1800 sec
Unicast Key Rotation Time Interval                         900 sec
Authentication Server Retry Interval                       30 sec
Authentication Server Retry Count                          2
Framed MTU                                                 1100 bytes
Number of times ID-Requests are retried                    3
Maximum Number of Reauthentication Attempts                3
Maximum number of times Held State can be bypassed         0
Dynamic WEP Key Message Retry Count                        1
Dynamic WEP Key Size                                       128 bits
Interval between WPA/WPA2 Key Messages                     1000 msec
Delay between EAP-Success and WPA2 Unicast Key Exchange    0 msec
Delay between WPA/WPA2 Unicast Key and Group Key Exchange  0 msec
Time interval after which the PMKSA will be deleted        8 hr(s)
WPA/WPA2 Key Message Retry Count                           3
Multicast Key Rotation                                     Disabled
Unicast Key Rotation                                       Disabled
Reauthentication                                           Enabled
Opportunistic Key Caching                                  Enabled
Validate PMKID                                             Disabled
Use Session Key                                            Disabled
Use Static Key                                             Disabled
xSec MTU                                                   1300 bytes
Termination                                                Disabled
Termination EAP-Type                                       N/A
Termination Inner EAP-Type                                 N/A
Token Caching                                              Disabled
Token Caching Period                                       24 hr(s)
CA-Certificate                                             N/A
Server-Certificate                                         N/A
TLS Guest Access                                           Disabled
TLS Guest Role                                             guest
Ignore EAPOL-START after authentication                    Disabled
Handle EAPOL-Logoff                                        Disabled
Ignore EAP ID during negotiation.                          Disabled
WPA-Fast-Handover                                          Disabled
Disable rekey and reauthentication for clients on call     Disabled
Check certificate common name against AAA server           Enabled

(WC01) #show aaa profile  AAA-PF

AAA Profile "AAA-PF"
-----------------------
Parameter                           Value
---------                           -----
Initial role                        logon
MAC Authentication Profile          N/A
MAC Authentication Default Role     COMPUTER-ROLE
MAC Authentication Server Group     N/A
802.1X Authentication Profile       DOT1X-PF
802.1X Authentication Default Role  EMPLOYEE-ROLE
802.1X Authentication Server Group  BT-RADIUS
L2 Authentication Fail Through      Disabled
RADIUS Accounting Server Group      N/A
RADIUS Interim Accounting           Disabled
XML API server                      N/A
RFC 3576 server                     N/A
User derivation rules               N/A
Wired to Wireless Roaming           Enabled
SIP authentication role             N/A
Device Type Classification          Enabled
Enforce DHCP                        Enabled


~Trinh Nguyen~
Boys Town

Re: After many retries, 802.1x authentication is disabled in profile

Did you ever figure this one out?

Aruba Employee

Re: After many retries, 802.1x authentication is disabled in profile

I see this is an old thread, but I am posting a response anyway. Note the BSSIDs recorded in the log messages. After failing dot1x on f9:e1, the client is flipping over to a different SSID (f9:e0).


Apr  2 16:43:51  authmgr[1641]: <132030> <ERRS> |authmgr|  Dropping EAPOL packet sent by Station 00:26:b0:2f:aa:79 00:0b:86:50:f9:e1
Apr  2 16:47:05  authmgr[1641]: <132023> <ERRS> |authmgr|  802.1x authentication is disabled in profile Station 00:26:b0:2f:aa:79 00:0b:86:50:f9:e0


Best guess is that this second SSID is OPEN, with no dot1x profile attached, so the controller ignores EAPOL on that SSID and posts this message.
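A small parser that checks this explanation mechanically against authmgr log lines, grouping the "max retries, deauthenticating" and "802.1x authentication is disabled in profile" messages per station by BSSID. This is an added example, not code from the thread or from ArubaOS; the message IDs come from the log posted above, and SAMPLE_LOG is constructed from excerpts of it.

```python
import re
from collections import defaultdict

MAC = r"[0-9a-f]{2}(?::[0-9a-f]{2}){5}"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+\s+\d\d:\d\d:\d\d)\s+authmgr\[\d+\]:\s+"
    r"<(?P<msgid>\d+)>\s+<(?P<sev>\w+)>\s+\|authmgr\|\s+(?P<text>.*?)\s*"
    rf"(?P<sta>{MAC})\s+(?P<bssid>{MAC})"   # station MAC, then BSSID
)

# ArubaOS authmgr message IDs exactly as they appear in the thread's log.
MAX_RETRIES_DEAUTH = 132197   # "Maximum number of retries ... deauthenticating"
DOT1X_DISABLED = 132023       # "802.1x authentication is disabled in profile"

# Constructed sample: excerpts of the log posted in this thread.
SAMPLE_LOG = """\
Apr  2 16:38:25  authmgr[1641]: <132197> <ERRS> |authmgr|  Maximum number of retries was attempted for station ngutri 00:26:b0:2f:aa:79 00:0b:86:50:f9:e1, deauthenticating the station
Apr  2 16:43:51  authmgr[1641]: <132030> <ERRS> |authmgr|  Dropping EAPOL packet sent by Station 00:26:b0:2f:aa:79 00:0b:86:50:f9:e1
Apr  2 16:47:05  authmgr[1641]: <132023> <ERRS> |authmgr|  802.1x authentication is disabled in profile  Station 00:26:b0:2f:aa:79 00:0b:86:50:f9:e0
Apr  2 16:47:05  authmgr[1641]: <132030> <ERRS> |authmgr|  Dropping EAPOL packet sent by Station 00:26:b0:2f:aa:79 00:0b:86:50:f9:e0
"""

def parse_line(line):
    """Fields of one authmgr log line (ts, msgid, sev, text, sta, bssid), or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["msgid"] = int(rec["msgid"])
    return rec

def bssid_flip_report(log_text):
    """Per station: BSSIDs where dot1x retries were exhausted ('failed_on') and
    BSSIDs where the controller said dot1x is not in the profile ('no_dot1x_on').
    'flipped' is True when the latter includes a BSSID other than the failing one."""
    events = defaultdict(lambda: {"failed_on": [], "no_dot1x_on": []})
    seen = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or line in seen:
            continue                      # skip lines the controller logged twice
        seen.add(line)
        sta = events[rec["sta"]]
        if rec["msgid"] == MAX_RETRIES_DEAUTH and rec["bssid"] not in sta["failed_on"]:
            sta["failed_on"].append(rec["bssid"])
        elif rec["msgid"] == DOT1X_DISABLED and rec["bssid"] not in sta["no_dot1x_on"]:
            sta["no_dot1x_on"].append(rec["bssid"])
    for sta in events.values():
        sta["flipped"] = bool(sta["failed_on"]) and any(
            b not in sta["failed_on"] for b in sta["no_dot1x_on"])
    return dict(events)
```

Run it over the full output of `show log all | include <station MAC>`; a station whose report shows `flipped` confirms the BSSID change described above rather than a lockout on the dot1x SSID.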
