Hi all,
Got a problem with an Aruba Mobility Controller (model 800) running 5.0.4.11 firmware talking to either OSC Radiator or FreeRADIUS 2.2 RADIUS servers.
I've configured the controller to offload PEAP and only perform MSCHAPv2 auths against the RADIUS server.
Initially I used the OSC Radiator RADIUS product but kept getting a "Bad or unknown response from server" when I tried
aaa test-server mschapv2 ……….
Particularly annoying, as I was 100% convinced that the config was set up correctly.
I then installed FreeRADIUS 2.2 on the same server listening on ports 1814 and 1815, tried the aaa test-server…. and everything worked... for a week or so, and then it stopped again. Nothing has changed on the RADIUS server and nothing has changed on the Aruba controller. The RADIUS server is my OS X Lion home server and runs 24x7, and I fired up the FreeRADIUS server from a CLI. The Aruba box sits right next to it on the same switch, which also drives a couple of AP125s.
FreeRADIUS accepts the auth requests and generates an Access-Accept packet that it sends back to the controller, but the controller still complains.
Logs below are from both the FreeRADIUS server and the controller, along with the FreeRADIUS config.
Quick summary is that the Aruba box is saying
Received invalid reply digest from RADIUS server
I'd double-checked the secret keys on both the server and the 800 and they were the same. I've also checked that the clocks are in sync on both devices. The logs below on the controller say
The keys are the same, as the RADIUS server is accepting the request from the Aruba box.
What's annoying is that things were working and then just stopped. It would be one thing if it never worked, but the test function did, and so did connections from an iPhone, iPad, and MacBook. In fact I'd just logged on with my iPad and it worked, and then tried from my iPhone and it failed... and stayed failed.
Any help appreciated
Rgds
Alex
FreeRADIUS client config
client 192.168.1.199 {
require_message_authenticator = no
secret = "something"
shortname = "arubamaster"
}
FreeRADIUS logs
[mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
++[mschap] returns ok
++[digest] returns noop
[suffix] Looking up realm "sharaz.info" for User-Name = "alex@sharaz.info"
[suffix] No such realm "sharaz.info"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = MSCHAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured. Cannot create LM-Password.
[mschap] No Cleartext-Password configured. Cannot create NT-Password.
[mschap] No NT-Password configured. Trying OpenDirectory Authentication.
[mschap] OD username_string = alex@sharaz.info, OD shortUserName=alexsharaz (length = 10)
[mschap] stepbuf server challenge:
[mschap] stepbuf peer challenge:
[mschap] stepbuf p24:
[mschap] dsDoDirNodeAuth returns stepbuff: S=72372312161EAD008AB7940F46CC1582C24EFBE7 good"<C3>??qg<D4>B<D3> <BB>a8<D4>^? (len=40)
++[mschap] returns ok
Login OK: [alex@sharaz.info/<via Auth-Type = MSCHAP>] (from client arubamaster port 0 cli 000000000000)
# Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 1 to 192.168.1.199 port 32822
MS-CHAP2-Success = 0x00533d37323337323331323136314541443030384142373934304634364343313538324332344546424537
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 1 with timestamp +104
Ready to process requests.
On the controller I did
conf t
logging level debugging security process authmgr
aaa test-server ………
and then
show logging security all
which gave:
Mar 14 11:30:26 :124011: <INFO> |authmgr| Test authenticating user alex@sharaz.info:****** using server Cotw-radius
Mar 14 11:30:26 :121031: <DBUG> |authmgr| |aaa| [rc_api.c:704] Radius authenticate user alex@sharaz.info MS-CHAPv2 using server Cotw-radius
Mar 14 11:30:26 :121031: <DBUG> |authmgr| |aaa| [rc_api.c:903] L2 User lookup failed, setting nas_port_type to wireless
Mar 14 11:30:26 :121031: <DBUG> |authmgr| |aaa| [rc_api.c:938] :L2 User lookup failed, skipping Aruba-Port-ID
Mar 14 11:30:26 :121031: <DBUG> |authmgr| |aaa| [rc_server.c:703] Opened socket 53 (client=0.0.0.0) for server Cotw-radius
Mar 14 11:30:26 :121031: <DBUG> |authmgr| |aaa| [rc_request.c:37] Add Request: id=1, srv=192.168.1.77, fd=53
Mar 14 11:30:26 :121031: <DBUG> |authmgr| |aaa| [rc_server.c:768] Sending radius request to Cotw-radius:192.168.1.77:1814 id:1,len:202
Mar 14 11:30:26 :121031: <DBUG> |authmgr| |aaa| [rc_server.c:777] NAS-IP-Address: 192.168.1.199
Mar 14 11:30:26 :121031: <DBUG> |authmgr| |aaa| [rc_server.c:777] NAS-Port-Id: 0
Mar 14 11:30:26 :121031: <DBUG> |authmgr| |aaa| [rc_server.c:777] NAS-Port-Type: 19
Mar 14 11:30:26 :121031: <DBUG> |authmgr| |aaa| [rc_server.c:777] User-Name: alex@sharaz.info
Mar 14 11:30:26 :121031: <DBUG> |authmgr| |aaa| [rc_server.c:777] Calling-Station-Id: 000000000000
Mar 14 11:30:26 :121031: <DBUG> |authmgr| |aaa| [rc_server.c:777] Called-Station-Id: 000B86524A20
Mar 14 11:30:26 :121031: <DBUG> |authmgr| |aaa| [rc_server.c:777] Vendor-Specific: Y3T\264\307OW\366\177\360^\274\272|\257h
Mar 14 11:30:26 :121031: <DBUG> |authmgr| |aaa| [rc_server.c:777] Vendor-Specific:
Mar 14 11:30:26 :121031: <DBUG> |authmgr| |aaa| [rc_server.c:777] Service-Type: Login-User
Mar 14 11:30:26 :121031: <DBUG> |authmgr| |aaa| [rc_server.c:777] Aruba-Essid-Name:
Mar 14 11:30:26 :121031: <DBUG> |authmgr| |aaa| [rc_server.c:777] Aruba-Location-Id: N/A
Mar 14 11:30:26 :121031: <DBUG> |authmgr| |aaa| [rc_server.c:777] Aruba-AP-Group: N/A
Mar 14 11:30:26 :121031: <DBUG> |authmgr| |aaa| [rc_request.c:60] Find Request: id=1, srv=192.168.1.77, fd=53
Mar 14 11:30:26 :121031: <DBUG> |authmgr| |aaa| [rc_request.c:66] Current entry: srv=192.168.1.77, fd=53
Mar 14 11:30:26 :121014: <ERRS> |authmgr| |aaa| Received invalid reply digest from RADIUS server
Mar 14 11:30:26 :121031: <DBUG> |authmgr| |aaa| [rc_request.c:22] Del Request: id=1, srv=192.168.1.77, fd=53
Mar 14 11:30:26 :121031: <DBUG> |authmgr| |aaa| [rc_api.c:850] Bad or unknown response from AAA server
Mar 14 11:30:26 :124004: <DBUG> |authmgr| Auth server 'Cotw-radius' response=4
Mar 14 11:30:26 :124019: <INFO> |authmgr| Test server response: Bad or unknown response from AAA server
(cotw-800-1) #
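For readers working through a "Received invalid reply digest" report like the one above: the message means the NAS recomputed the RFC 2865 Response Authenticator over the Access-Accept it received (MD5 over Code, Identifier, Length, the Request Authenticator it sent, the reply's attributes and the shared secret) and the result did not match the 16 bytes in the reply, so the reply was discarded as "Bad or unknown response". The following is an added Python example, not code from the post, from Aruba or from FreeRADIUS. It builds an Access-Accept carrying the exact MS-CHAP2-Success value FreeRADIUS printed above, then runs the same digest check the controller runs under the conditions that produce the error: matching secret, wrong secret, reply matched against a different outstanding request, and a reply whose bytes changed after the server signed it. The secret "something" is taken from the posted client block; REQUEST_AUTH is a constructed stand-in for the random Request Authenticator a real NAS generates.

```python
"""Added example (not from the original post): recompute and verify the RADIUS
Response Authenticator whose failure Aruba logs as "Received invalid reply
digest", and decode the MS-CHAP2-Success value FreeRADIUS logged in the post.

Assumed/constructed values: SECRET is the "something" from the posted client
config; REQUEST_AUTH is a constructed 16-byte request authenticator (a real
NAS picks a random one per Access-Request).
"""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2          # RADIUS Code for Access-Accept (RFC 2865)
ATTR_VENDOR_SPECIFIC = 26  # Attribute type 26 = Vendor-Specific
MS_VENDOR_ID = 311         # Microsoft enterprise number (RFC 2548)
MS_CHAP2_SUCCESS = 26      # Vendor-Type for MS-CHAP2-Success (RFC 2548)
HEADER_LEN = 20            # Code(1) + Identifier(1) + Length(2) + Authenticator(16)

SECRET = b"something"            # from the posted FreeRADIUS client block
REQUEST_AUTH = bytes(range(16))  # constructed stand-in for the NAS's random Request Authenticator

# Hex value exactly as FreeRADIUS printed it in the post's debug output.
MSCHAP2_SUCCESS_HEX = ("0x00533d3732333732333132313631454144303038414237393430463436"
                       "4343313538324332344546424537")


def encode_attr(atype: int, value: bytes) -> bytes:
    """Type-Length-Value encoding of one RADIUS attribute (Length covers the 2-byte header)."""
    if len(value) > 253:
        raise ValueError("attribute value too long for a single RADIUS attribute")
    return struct.pack("!BB", atype, 2 + len(value)) + value


def encode_vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """Vendor-Specific attribute in the RFC 2865 sub-attribute layout."""
    sub = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    return encode_attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + sub)


def response_authenticator(code: int, ident: int, request_auth: bytes,
                           attrs: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_response(code: int, ident: int, request_auth: bytes,
                   attrs: bytes, secret: bytes) -> bytes:
    """What the RADIUS server sends: header, Response Authenticator, then attributes."""
    auth = response_authenticator(code, ident, request_auth, attrs, secret)
    return struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs)) + auth + attrs


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """The check the NAS performs on every reply; False is what the controller reports as an invalid reply digest."""
    if len(packet) < HEADER_LEN:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < HEADER_LEN or length > len(packet):
        return False
    attrs = packet[HEADER_LEN:length]
    expected = response_authenticator(code, ident, request_auth, attrs, secret)
    return hmac.compare_digest(packet[4:HEADER_LEN], expected)


def decode_mschap2_success(hex_value: str):
    """Split an MS-CHAP2-Success value into its Ident byte and the 'S=<40 hex digits>' authenticator response."""
    raw = bytes.fromhex(hex_value[2:] if hex_value.startswith("0x") else hex_value)
    return raw[0], raw[1:].decode("ascii")


def demo() -> dict:
    """Run the digest check under the conditions that matter when diagnosing the error."""
    ident, success = decode_mschap2_success(MSCHAP2_SUCCESS_HEX)
    attrs = encode_vsa(MS_VENDOR_ID, MS_CHAP2_SUCCESS, bytes([ident]) + success.encode("ascii"))
    reply = build_response(ACCESS_ACCEPT, 1, REQUEST_AUTH, attrs, SECRET)

    # A reply altered after the server signed it (any byte changed in transit).
    tampered = bytearray(reply)
    tampered[-1] ^= 0x01

    return {
        "mschap2_success": success,
        "matching_secret": verify_response(reply, REQUEST_AUTH, SECRET),
        "wrong_secret": verify_response(reply, REQUEST_AUTH, b"something-else"),
        "wrong_request_auth": verify_response(reply, bytes(16), SECRET),  # reply paired with a different request
        "modified_in_transit": verify_response(bytes(tampered), REQUEST_AUTH, SECRET),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Only the first case verifies; the other three all produce the same controller-side error, which is why a matching secret on its own does not rule the problem out. The digest covers the reply bytes exactly as they arrive, so the useful next check is a packet capture on both the server and the controller for one failing test, comparing the Access-Accept byte for byte and confirming its Identifier pairs with the Access-Request the controller is still waiting on (the "Find Request: id=1" line above is that lookup).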