Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Debugging WPA2-EAP

  • 1.  Debugging WPA2-EAP

    Posted Feb 07, 2012 02:23 PM

    I have set up a WPA2-EAP SSID and after installing the appropriate certificates on the controller and a test device (an iPhone), I am having trouble connecting the device to the SSID. Here's what I see in the logs:


    iPhone MAC Address: 12:34:56:78:90:12

    SSID: TEST-SSID


    (Controller) #show log user-debug all | include 12:34:56:78:90:12
    Feb 7 14:05:04 :501095:  <NOTI> |stm|  Assoc request @ 14:05:04.996208: 12:34:56:78:90:12 (SN 3563): AP 20.2.54.15-d8:c7:c8:11:b1:23-TESTAP
    Feb 7 14:05:04 :501095:  <NOTI> |AP TESTAP@20.2.54.15 stm|  Assoc request @ 14:05:04.893320: 12:34:56:78:90:12 (SN 3563): AP 20.2.54.15-d8:c7:c8:11:b1:23-TESTAP
    Feb 7 14:05:04 :501100:  <NOTI> |stm|  Assoc success @ 14:05:04.997018: 12:34:56:78:90:12: AP 20.2.54.15-d8:c7:c8:11:b1:23-TESTAP
    Feb 7 14:05:04 :501100:  <NOTI> |AP TESTAP@20.2.54.15 stm|  Assoc success @ 14:05:04.894158: 12:34:56:78:90:12: AP 20.2.54.15-d8:c7:c8:11:b1:23-TESTAP
    Feb 7 14:05:04 :501065:  <DBUG> |stm|  Sending STA 12:34:56:78:90:12 message to Auth and Mobility Unicast Encr WPA2 8021X AES Multicast Encr WPA2 8021X AES VLAN 0x32, wmm:1, rsn_cap:0
    Feb 7 14:05:04 :500511:  <DBUG> |mobileip|  Station 12:34:56:78:90:12, 0.0.0.0: Received association on ESSID: TEST-SSID Mobility service ON, HA Discovery on Association Off, Fastroaming Disabled, AP: Name TESTAP Group  BSSID d8:c7:c8:11:b1:23, phy g, VLAN 50
    Feb 7 14:05:04 :522035:  <INFO> |authmgr|  MAC=12:34:56:78:90:12 Station UP: BSSID=d8:c7:c8:11:b1:23 ESSID=TEST-SSID VLAN=50 AP-name=TESTAP
    Feb 7 14:05:05 :522004:  <DBUG> |authmgr|  MAC=12:34:56:78:90:12 ingress 0x114c (tunnel 204), u_encr 64, m_encr 64, slotport 0x1040 , type: local, FW mode: 0, AP IP: 0.0.0.0
    Feb 7 14:05:05 :501102:  <NOTI> |stm|  Disassoc from sta: 12:34:56:78:90:12: AP 20.2.54.15-d8:c7:c8:11:b1:23-TESTAP Reason STA has left and is disassocisted
    Feb 7 14:05:05 :501102:  <NOTI> |AP TESTAP@20.2.54.15 stm|  Disassoc from sta: 12:34:56:78:90:12: AP 20.2.54.15-d8:c7:c8:11:b1:23-TESTAP Reason STA has left and is disassocisted
    Feb 7 14:05:05 :501065:  <DBUG> |stm|  Sending STA 12:34:56:78:90:12 message to Auth and Mobility Unicast Encr WPA2 8021X AES Multicast Encr WPA2 8021X AES VLAN 0x32, wmm:1, rsn_cap:0
    Feb 7 14:05:05 :501000:  <DBUG> |AP TESTAP@20.2.54.15 stm|  Station 12:34:56:78:90:12: Clearing state
    Feb 7 14:05:05 :500511:  <DBUG> |mobileip|  Station 12:34:56:78:90:12, 0.0.0.0: Received disassociation on ESSID: TEST-SSID Mobility service ON, HA Discovery on Association Off, Fastroaming Disabled, AP: Name TESTAP Group  BSSID d8:c7:c8:11:b1:23, phy g, VLAN 50
    Feb 7 14:05:05 :501000:  <DBUG> |stm|  Station 12:34:56:78:90:12: Clearing state
    Feb 7 14:05:05 :522036:  <INFO> |authmgr|  MAC=12:34:56:78:90:12 Station DN: BSSID=d8:c7:c8:11:b1:23 ESSID=TEST-SSID VLAN=50 AP-name=TESTAP
    Feb 7 14:05:05 :522004:  <DBUG> |authmgr|  MAC=12:34:56:78:90:12 ingress 0x114c (tunnel 204), u_encr 64, m_encr 64, slotport 0x1040 , type: local, FW mode: 0, AP IP: 0.0.0.0
    Feb 7 14:05:05 :522004:  <DBUG> |authmgr|  MAC=12:34:56:78:90:12 Send Station delete message to mobility

    Feb 7 14:09:48 :501095:  <NOTI> |stm|  Assoc request @ 14:09:48.888345: 12:34:56:78:90:12 (SN 1171): AP 20.2.54.15-d8:c7:c8:11:b1:23-TESTAP
    Feb 7 14:09:48 :501100:  <NOTI> |stm|  Assoc success @ 14:09:48.889623: 12:34:56:78:90:12: AP 20.2.54.15-d8:c7:c8:11:b1:23-TESTAP
    Feb 7 14:09:48 :501095:  <NOTI> |AP TESTAP@20.2.54.15 stm|  Assoc request @ 14:09:48.825938: 12:34:56:78:90:12 (SN 1171): AP 20.2.54.15-d8:c7:c8:11:b1:23-TESTAP
    Feb 7 14:09:48 :501065:  <DBUG> |stm|  Sending STA 12:34:56:78:90:12 message to Auth and Mobility Unicast Encr WPA2 8021X AES Multicast Encr WPA2 8021X AES VLAN 0x32, wmm:1, rsn_cap:0
    Feb 7 14:09:48 :501100:  <NOTI> |AP TESTAP@20.2.54.15 stm|  Assoc success @ 14:09:48.826869: 12:34:56:78:90:12: AP 20.2.54.15-d8:c7:c8:11:b1:23-TESTAP
    Feb 7 14:09:48 :500511:  <DBUG> |mobileip|  Station 12:34:56:78:90:12, 0.0.0.0: Received association on ESSID: TEST-SSID Mobility service ON, HA Discovery on Association Off, Fastroaming Disabled, AP: Name TESTAP Group  BSSID d8:c7:c8:11:b1:23, phy g, VLAN 50
    Feb 7 14:09:48 :522035:  <INFO> |authmgr|  MAC=12:34:56:78:90:12 Station UP: BSSID=d8:c7:c8:11:b1:23 ESSID=TEST-SSID VLAN=50 AP-name=TESTAP
    Feb 7 14:09:48 :522004:  <DBUG> |authmgr|  MAC=12:34:56:78:90:12 ingress 0x114c (tunnel 204), u_encr 64, m_encr 64, slotport 0x1040 , type: local, FW mode: 0, AP IP: 0.0.0.0
    Feb 7 14:09:49 :501102:  <NOTI> |AP TESTAP@20.2.54.15 stm|  Disassoc from sta: 12:34:56:78:90:12: AP 20.2.54.15-d8:c7:c8:11:b1:23-TESTAP Reason STA has left and is disassocisted
    Feb 7 14:09:49 :501000:  <DBUG> |AP TESTAP@20.2.54.15 stm|  Station 12:34:56:78:90:12: Clearing state
    Feb 7 14:09:49 :501102:  <NOTI> |stm|  Disassoc from sta: 12:34:56:78:90:12: AP 20.2.54.15-d8:c7:c8:11:b1:23-TESTAP Reason STA has left and is disassocisted
    Feb 7 14:09:49 :501065:  <DBUG> |stm|  Sending STA 12:34:56:78:90:12 message to Auth and Mobility Unicast Encr WPA2 8021X AES Multicast Encr WPA2 8021X AES VLAN 0x32, wmm:1, rsn_cap:0
    Feb 7 14:09:49 :500511:  <DBUG> |mobileip|  Station 12:34:56:78:90:12, 0.0.0.0: Received disassociation on ESSID: TEST-SSID Mobility service ON, HA Discovery on Association Off, Fastroaming Disabled, AP: Name TESTAP Group  BSSID d8:c7:c8:11:b1:23, phy g, VLAN 50
    Feb 7 14:09:49 :501000:  <DBUG> |stm|  Station 12:34:56:78:90:12: Clearing state
    Feb 7 14:09:49 :522036:  <INFO> |authmgr|  MAC=12:34:56:78:90:12 Station DN: BSSID=d8:c7:c8:11:b1:23 ESSID=TEST-SSID VLAN=50 AP-name=TESTAP
    Feb 7 14:09:49 :522004:  <DBUG> |authmgr|  MAC=12:34:56:78:90:12 ingress 0x114c (tunnel 204), u_encr 64, m_encr 64, slotport 0x1040 , type: local, FW mode: 0, AP IP: 0.0.0.0
    Feb 7 14:09:49 :522004:  <DBUG> |authmgr|  MAC=12:34:56:78:90:12 Send Station delete message to mobility



    (Controller) #show auth-tracebuf mac 12:34:56:78:90:12

    Warning: user-debug is enabled on one or more specific MAC addresses;
    only those MAC addresses appear in the trace buffer.

    Auth Trace Buffer
    -----------------

    Feb  7 14:05:04  station-up             *  12:34:56:78:90:12  d8:c7:c8:11:b1:23  -   -  wpa2 aes
    Feb  7 14:05:04  station-term-start     *  12:34:56:78:90:12  d8:c7:c8:11:b1:23  50  -  
    Feb  7 14:05:04  station-down           *  12:34:56:78:90:12  d8:c7:c8:11:b1:23  -   -  
    Feb  7 14:09:47  station-up             *  12:34:56:78:90:12  d8:c7:c8:11:b1:23  -   -  wpa2 aes
    Feb  7 14:09:47  station-term-start     *  12:34:56:78:90:12  d8:c7:c8:11:b1:23  50  -  
    Feb  7 14:09:48  station-down           *  12:34:56:78:90:12  d8:c7:c8:11:b1:23  -   -  


    Any idea what could be going wrong?
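    The trace buffer above shows station-up followed within a second by station-down with nothing in between, whereas a working 802.1X session would show the EAP exchange between those two events. As an added example (not code from this thread or from HPE Aruba), here is a small Python parser that reads "show auth-tracebuf" output and flags such flaps; the column layout and the eap-* event names in the constructed healthy session are assumed from typical ArubaOS trace output.

```python
"""Flag 802.1X association flaps in ArubaOS 'show auth-tracebuf' output.
Added example, not from the thread; column layout and the eap-* events in the
constructed healthy session are assumed from typical ArubaOS trace output."""
import re
from datetime import datetime

# Prefix of a trace line: timestamp, event, direction column, station MAC.
TRACE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+(?P<event>\S+)\s+\S+\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
)

def parse(text):
    """Return [(timestamp, event, mac)]; banner, warning and blank lines are skipped."""
    out = []
    for line in text.splitlines():
        m = TRACE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S")
            out.append((ts, m["event"], m["mac"]))
    return out

def find_flaps(events, max_seconds=5):
    """Return (mac, start, seconds) for every station-up that reached station-down
    within max_seconds without a single eap-* event in between."""
    flaps, open_sessions = [], {}
    for ts, event, mac in events:
        if event == "station-up":
            open_sessions[mac] = {"start": ts, "eap": False}
        elif event.startswith("eap-") and mac in open_sessions:
            open_sessions[mac]["eap"] = True  # supplicant actually started EAP
        elif event == "station-down" and mac in open_sessions:
            s = open_sessions.pop(mac)
            secs = (ts - s["start"]).total_seconds()
            if not s["eap"] and secs <= max_seconds:
                flaps.append((mac, s["start"].strftime("%b %d %H:%M:%S"), secs))
    return flaps

# Trace lines quoted from the thread (the failing iPhone) and a constructed healthy session.
PAGE_TRACE = """
Feb  7 14:05:04  station-up             *  12:34:56:78:90:12  d8:c7:c8:11:b1:23  -   -  wpa2 aes
Feb  7 14:05:04  station-term-start     *  12:34:56:78:90:12  d8:c7:c8:11:b1:23  50  -
Feb  7 14:05:04  station-down           *  12:34:56:78:90:12  d8:c7:c8:11:b1:23  -   -
Feb  7 14:09:47  station-up             *  12:34:56:78:90:12  d8:c7:c8:11:b1:23  -   -  wpa2 aes
Feb  7 14:09:47  station-term-start     *  12:34:56:78:90:12  d8:c7:c8:11:b1:23  50  -
Feb  7 14:09:48  station-down           *  12:34:56:78:90:12  d8:c7:c8:11:b1:23  -   -
"""
HEALTHY_TRACE = """
Feb  7 15:00:00  station-up             *  aa:bb:cc:dd:ee:01  d8:c7:c8:11:b1:23  -   -  wpa2 aes
Feb  7 15:00:00  eap-id-req             <-  aa:bb:cc:dd:ee:01  d8:c7:c8:11:b1:23  1   5
Feb  7 15:00:01  eap-id-resp            ->  aa:bb:cc:dd:ee:01  d8:c7:c8:11:b1:23  1   14  user1
Feb  7 15:00:03  eap-success            <-  aa:bb:cc:dd:ee:01  d8:c7:c8:11:b1:23  9   4
"""
```

A flagged flap means the client tore the session down before EAP started, which narrows the search to the client side (the security type selected on the device, or the device rejecting the presented certificate) rather than to RADIUS or policy.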



  • 2.  RE: Debugging WPA2-EAP

    EMPLOYEE
    Posted Feb 07, 2012 04:11 PM

    When you try to connect, what happens on the iPhone?



  • 3.  RE: Debugging WPA2-EAP

    Posted Feb 07, 2012 05:04 PM

    It just says “unable to join network”.



  • 4.  RE: Debugging WPA2-EAP

    Posted Feb 07, 2012 05:26 PM

    Hmmm. Based on your initial post, does this mean you're using a certificate on the controller with local EAP termination, yes?

    If so, who published your certificate and does the iphone trust it? That would be where I'd be looking first.


    Might be that the iphone doesn't like the look of the cert, and is disconnecting? Just a guess.




  • 5.  RE: Debugging WPA2-EAP

    Posted Feb 07, 2012 07:01 PM

    Yes, the controller is configured to terminate EAP. The certificate was published by the corporate CA and installed on the controller as well as the phone.



  • 6.  RE: Debugging WPA2-EAP

    EMPLOYEE
    Posted Feb 07, 2012 05:29 PM

    Did you already get this working without termination? That is an initial step before trying termination. You should get that working first.


  • 7.  RE: Debugging WPA2-EAP

    Posted Feb 07, 2012 07:28 PM

    I haven't tried this without termination. Help me understand this though. Without 802.1x being terminated on the controller or anywhere else for that matter, is anyone going to be able to connect to the SSID, i.e. even those without certs?



  • 8.  RE: Debugging WPA2-EAP

    EMPLOYEE
    Posted Feb 07, 2012 07:32 PM

    All you need is a certificate on the RADIUS server, period. The document http://community.arubanetworks.com/t5/ArubaOS-and-Controllers/Step-by-Step-How-to-Configure-Microsoft-NPS-2008-Radius-Server/m-p/14392/highlight/true#M6113 states explicitly how to do it; and that is the way it should be done 99 out of 100 times, without termination or importing certificates into the controller.

    Please follow all the instructions and don't make any exceptions, and you will be successful.




  • 9.  RE: Debugging WPA2-EAP

    Posted Feb 07, 2012 07:40 PM

    I mentioned this in the other thread but I'm doing this without a RADIUS server. All certificates and EAP termination are on the controller. Wanted to test it out first before asking our server team to configure the RADIUS servers.



  • 10.  RE: Debugging WPA2-EAP

    Posted Feb 08, 2012 02:22 PM


    As mentioned by "the racking monkey" the certificates might be a root cause.

    Did you create 2048-bit keys? Try 1024-bit.

    Did you export CA Root or signing-cert? Use signing-cert where applicable.

    Is OCSP an issue here? Try to set up Controller as OCSP Responder using the signing-cert imported as OCSP Responder cert.


    Might also want to check out my MDPS thread in the Amigopod forum for some pointers.


    ..John



  • 11.  RE: Debugging WPA2-EAP

    Posted Feb 08, 2012 03:52 PM

    Turns out the user wasn't using "WPA2 Enterprise" on the iPhone! It connects fine and we're good to go! Thanks everyone for taking a look.