Contributor II
Posts: 56
Registered: ‎12-17-2011

Debugging WPA2-EAP


I have set up a WPA2-EAP SSID and after installing the appropriate certificates on the controller and a test device (an iPhone), I am having trouble connecting the device to the SSID. Here's what I see in the logs:


iPhone MAC Address: 12:34:56:78:90:12

SSID: TEST-SSID


(Controller) #show log user-debug all | include 12:34:56:78:90:12
Feb 7 14:05:04 :501095:  <NOTI> |stm|  Assoc request @ 14:05:04.996208: 12:34:56:78:90:12 (SN 3563): AP 20.2.54.15-d8:c7:c8:11:b1:23-TESTAP
Feb 7 14:05:04 :501095:  <NOTI> |AP TESTAP@20.2.54.15 stm|  Assoc request @ 14:05:04.893320: 12:34:56:78:90:12 (SN 3563): AP 20.2.54.15-d8:c7:c8:11:b1:23-TESTAP
Feb 7 14:05:04 :501100:  <NOTI> |stm|  Assoc success @ 14:05:04.997018: 12:34:56:78:90:12: AP 20.2.54.15-d8:c7:c8:11:b1:23-TESTAP
Feb 7 14:05:04 :501100:  <NOTI> |AP TESTAP@20.2.54.15 stm|  Assoc success @ 14:05:04.894158: 12:34:56:78:90:12: AP 20.2.54.15-d8:c7:c8:11:b1:23-TESTAP
Feb 7 14:05:04 :501065:  <DBUG> |stm|  Sending STA 12:34:56:78:90:12 message to Auth and Mobility Unicast Encr WPA2 8021X AES Multicast Encr WPA2 8021X AES VLAN 0x32, wmm:1, rsn_cap:0
Feb 7 14:05:04 :500511:  <DBUG> |mobileip|  Station 12:34:56:78:90:12, 0.0.0.0: Received association on ESSID: TEST-SSID Mobility service ON, HA Discovery on Association Off, Fastroaming Disabled, AP: Name TESTAP Group  BSSID d8:c7:c8:11:b1:23, phy g, VLAN 50
Feb 7 14:05:04 :522035:  <INFO> |authmgr|  MAC=12:34:56:78:90:12 Station UP: BSSID=d8:c7:c8:11:b1:23 ESSID=TEST-SSID VLAN=50 AP-name=TESTAP
Feb 7 14:05:05 :522004:  <DBUG> |authmgr|  MAC=12:34:56:78:90:12 ingress 0x114c (tunnel 204), u_encr 64, m_encr 64, slotport 0x1040 , type: local, FW mode: 0, AP IP: 0.0.0.0
Feb 7 14:05:05 :501102:  <NOTI> |stm|  Disassoc from sta: 12:34:56:78:90:12: AP 20.2.54.15-d8:c7:c8:11:b1:23-TESTAP Reason STA has left and is disassocisted
Feb 7 14:05:05 :501102:  <NOTI> |AP TESTAP@20.2.54.15 stm|  Disassoc from sta: 12:34:56:78:90:12: AP 20.2.54.15-d8:c7:c8:11:b1:23-TESTAP Reason STA has left and is disassocisted
Feb 7 14:05:05 :501065:  <DBUG> |stm|  Sending STA 12:34:56:78:90:12 message to Auth and Mobility Unicast Encr WPA2 8021X AES Multicast Encr WPA2 8021X AES VLAN 0x32, wmm:1, rsn_cap:0
Feb 7 14:05:05 :501000:  <DBUG> |AP TESTAP@20.2.54.15 stm|  Station 12:34:56:78:90:12: Clearing state
Feb 7 14:05:05 :500511:  <DBUG> |mobileip|  Station 12:34:56:78:90:12, 0.0.0.0: Received disassociation on ESSID: TEST-SSID Mobility service ON, HA Discovery on Association Off, Fastroaming Disabled, AP: Name TESTAP Group  BSSID d8:c7:c8:11:b1:23, phy g, VLAN 50
Feb 7 14:05:05 :501000:  <DBUG> |stm|  Station 12:34:56:78:90:12: Clearing state
Feb 7 14:05:05 :522036:  <INFO> |authmgr|  MAC=12:34:56:78:90:12 Station DN: BSSID=d8:c7:c8:11:b1:23 ESSID=TEST-SSID VLAN=50 AP-name=TESTAP
Feb 7 14:05:05 :522004:  <DBUG> |authmgr|  MAC=12:34:56:78:90:12 ingress 0x114c (tunnel 204), u_encr 64, m_encr 64, slotport 0x1040 , type: local, FW mode: 0, AP IP: 0.0.0.0
Feb 7 14:05:05 :522004:  <DBUG> |authmgr|  MAC=12:34:56:78:90:12 Send Station delete message to mobility

Feb 7 14:09:48 :501095:  <NOTI> |stm|  Assoc request @ 14:09:48.888345: 12:34:56:78:90:12 (SN 1171): AP 20.2.54.15-d8:c7:c8:11:b1:23-TESTAP
Feb 7 14:09:48 :501100:  <NOTI> |stm|  Assoc success @ 14:09:48.889623: 12:34:56:78:90:12: AP 20.2.54.15-d8:c7:c8:11:b1:23-TESTAP
Feb 7 14:09:48 :501095:  <NOTI> |AP TESTAP@20.2.54.15 stm|  Assoc request @ 14:09:48.825938: 12:34:56:78:90:12 (SN 1171): AP 20.2.54.15-d8:c7:c8:11:b1:23-TESTAP
Feb 7 14:09:48 :501065:  <DBUG> |stm|  Sending STA 12:34:56:78:90:12 message to Auth and Mobility Unicast Encr WPA2 8021X AES Multicast Encr WPA2 8021X AES VLAN 0x32, wmm:1, rsn_cap:0
Feb 7 14:09:48 :501100:  <NOTI> |AP TESTAP@20.2.54.15 stm|  Assoc success @ 14:09:48.826869: 12:34:56:78:90:12: AP 20.2.54.15-d8:c7:c8:11:b1:23-TESTAP
Feb 7 14:09:48 :500511:  <DBUG> |mobileip|  Station 12:34:56:78:90:12, 0.0.0.0: Received association on ESSID: TEST-SSID Mobility service ON, HA Discovery on Association Off, Fastroaming Disabled, AP: Name TESTAP Group  BSSID d8:c7:c8:11:b1:23, phy g, VLAN 50
Feb 7 14:09:48 :522035:  <INFO> |authmgr|  MAC=12:34:56:78:90:12 Station UP: BSSID=d8:c7:c8:11:b1:23 ESSID=TEST-SSID VLAN=50 AP-name=TESTAP
Feb 7 14:09:48 :522004:  <DBUG> |authmgr|  MAC=12:34:56:78:90:12 ingress 0x114c (tunnel 204), u_encr 64, m_encr 64, slotport 0x1040 , type: local, FW mode: 0, AP IP: 0.0.0.0
Feb 7 14:09:49 :501102:  <NOTI> |AP TESTAP@20.2.54.15 stm|  Disassoc from sta: 12:34:56:78:90:12: AP 20.2.54.15-d8:c7:c8:11:b1:23-TESTAP Reason STA has left and is disassocisted
Feb 7 14:09:49 :501000:  <DBUG> |AP TESTAP@20.2.54.15 stm|  Station 12:34:56:78:90:12: Clearing state
Feb 7 14:09:49 :501102:  <NOTI> |stm|  Disassoc from sta: 12:34:56:78:90:12: AP 20.2.54.15-d8:c7:c8:11:b1:23-TESTAP Reason STA has left and is disassocisted
Feb 7 14:09:49 :501065:  <DBUG> |stm|  Sending STA 12:34:56:78:90:12 message to Auth and Mobility Unicast Encr WPA2 8021X AES Multicast Encr WPA2 8021X AES VLAN 0x32, wmm:1, rsn_cap:0
Feb 7 14:09:49 :500511:  <DBUG> |mobileip|  Station 12:34:56:78:90:12, 0.0.0.0: Received disassociation on ESSID: TEST-SSID Mobility service ON, HA Discovery on Association Off, Fastroaming Disabled, AP: Name TESTAP Group  BSSID d8:c7:c8:11:b1:23, phy g, VLAN 50
Feb 7 14:09:49 :501000:  <DBUG> |stm|  Station 12:34:56:78:90:12: Clearing state
Feb 7 14:09:49 :522036:  <INFO> |authmgr|  MAC=12:34:56:78:90:12 Station DN: BSSID=d8:c7:c8:11:b1:23 ESSID=TEST-SSID VLAN=50 AP-name=TESTAP
Feb 7 14:09:49 :522004:  <DBUG> |authmgr|  MAC=12:34:56:78:90:12 ingress 0x114c (tunnel 204), u_encr 64, m_encr 64, slotport 0x1040 , type: local, FW mode: 0, AP IP: 0.0.0.0
Feb 7 14:09:49 :522004:  <DBUG> |authmgr|  MAC=12:34:56:78:90:12 Send Station delete message to mobility



(Controller) #show auth-tracebuf mac 12:34:56:78:90:12

Warning: user-debug is enabled on one or more specific MAC addresses; only those MAC addresses appear in the trace buffer.

Auth Trace Buffer
-----------------

Feb  7 14:05:04  station-up             *  12:34:56:78:90:12  d8:c7:c8:11:b1:23  -   -  wpa2 aes
Feb  7 14:05:04  station-term-start     *  12:34:56:78:90:12  d8:c7:c8:11:b1:23  50  -  
Feb  7 14:05:04  station-down           *  12:34:56:78:90:12  d8:c7:c8:11:b1:23  -   -  
Feb  7 14:09:47  station-up             *  12:34:56:78:90:12  d8:c7:c8:11:b1:23  -   -  wpa2 aes
Feb  7 14:09:47  station-term-start     *  12:34:56:78:90:12  d8:c7:c8:11:b1:23  50  -  
Feb  7 14:09:48  station-down           *  12:34:56:78:90:12  d8:c7:c8:11:b1:23  -   -  


Any idea what could be going wrong?
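One way to triage a trace like this automatically, as an added example written for this thread (not Aruba's code and not the poster's): it parses the auth-tracebuf lines quoted above, embedded here as constructed sample input, and flags every station-up/station-down window in which local EAP termination started but nothing else was logged before the client left, which is the signature of a client abandoning the handshake rather than the controller rejecting it.

```python
import re
from datetime import datetime

# Constructed sample input: the auth-tracebuf lines quoted in the post above.
SAMPLE_TRACE = """\
Feb  7 14:05:04  station-up             *  12:34:56:78:90:12  d8:c7:c8:11:b1:23  -   -  wpa2 aes
Feb  7 14:05:04  station-term-start     *  12:34:56:78:90:12  d8:c7:c8:11:b1:23  50  -
Feb  7 14:05:04  station-down           *  12:34:56:78:90:12  d8:c7:c8:11:b1:23  -   -
Feb  7 14:09:47  station-up             *  12:34:56:78:90:12  d8:c7:c8:11:b1:23  -   -  wpa2 aes
Feb  7 14:09:47  station-term-start     *  12:34:56:78:90:12  d8:c7:c8:11:b1:23  50  -
Feb  7 14:09:48  station-down           *  12:34:56:78:90:12  d8:c7:c8:11:b1:23  -   -
"""

# Columns seen in the trace: timestamp, event name, a '*' marker, then the station MAC.
# The column layout is taken from the quoted output; anything else is ignored.
LINE_RE = re.compile(
    r"^(?P<date>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+(?P<event>\S+)\s+\S+\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})", re.IGNORECASE)


def parse_trace(text):
    """Return [(timestamp, event, mac)] for every line that looks like a tracebuf entry."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            # The trace carries no year; strptime's default is fine for computing deltas.
            ts = datetime.strptime(" ".join(m["date"].split()), "%b %d %H:%M:%S")
            out.append((ts, m["event"].lower(), m["mac"].lower()))
    return out


def find_stalled_sessions(text):
    """Flag station-up ... station-down windows where termination started but no
    other event (no EAP round-trip of any kind) was logged before teardown."""
    open_sessions, stalled = {}, []
    for ts, event, mac in parse_trace(text):
        if event == "station-up":
            open_sessions[mac] = {"mac": mac, "start": ts, "between": []}
        elif mac in open_sessions and event == "station-down":
            s = open_sessions.pop(mac)
            s["duration_s"] = (ts - s["start"]).total_seconds()
            # Only station-term-start in the middle: the controller began local EAP
            # termination, but the client disappeared before any exchange was recorded.
            if set(s["between"]) <= {"station-term-start"}:
                stalled.append(s)
        elif mac in open_sessions:
            open_sessions[mac]["between"].append(event)
    return stalled


if __name__ == "__main__":
    for s in find_stalled_sessions(SAMPLE_TRACE):
        print(f"{s['mac']} up at {s['start']:%H:%M:%S}, down after {s['duration_s']:.0f}s, "
              f"events in between {s['between']}: client abandoned the handshake")
```

Both attempts in the quoted trace are flagged, each lasting at most a second, which points the investigation at the client side (what the phone makes of the presented certificate) rather than at the association itself.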

Guru Elite
Posts: 21,259
Registered: ‎03-29-2007

Re: Debugging WPA2-EAP

When you try to connect, what happens on the iPhone?


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Contributor II
Posts: 56
Registered: ‎12-17-2011

Re: Debugging WPA2-EAP

It just says “unable to join network”.

MVP
Posts: 562
Registered: ‎11-28-2011

Re: Debugging WPA2-EAP

Hummm. Based on your initial post, does this mean you're using a certificate on the controller with local EAP termination yes?


If so, who published your certificate and does the iphone trust it? That would be where I'd be looking first.


Might be that the iphone doesn't like the look of the cert, and is disconnecting? Just a guess.


Kudos appreciated, but I'm not hunting! (ACMX 104)
Guru Elite
Posts: 21,259
Registered: ‎03-29-2007

Re: Debugging WPA2-EAP

Did you already get this working without termination? That is an initial step before trying termination. You should get that working first.


Colin Joseph
Aruba Customer Engineering


Contributor II
Posts: 56
Registered: ‎12-17-2011

Re: Debugging WPA2-EAP

Yes, the controller is configured to terminate EAP. The certificate was published by the corporate CA and installed on the controller as well as the phone.

Contributor II
Posts: 56
Registered: ‎12-17-2011

Re: Debugging WPA2-EAP


I haven't tried this without termination. Help me understand this though. Without 802.1X being terminated on the controller or anywhere else for that matter, is anyone going to be able to connect to the SSID, i.e. even those without certs?

Guru Elite
Posts: 21,259
Registered: ‎03-29-2007

Re: Debugging WPA2-EAP

All you need is a certificate on the radius server, period. The document http://community.arubanetworks.com/t5/ArubaOS-and-Controllers/Step-by-Step-How-to-Configure-Microsoft-NPS-2008-Radius-Server/m-p/14392/highlight/true#M6113 states explicitly how to do it; and that is the way it should be done 99 out of 100 times, without termination or importing certificates into the controller.


Please follow all the instructions and don't make any exceptions, and you will be successful.


Colin Joseph
Aruba Customer Engineering


Contributor II
Posts: 56
Registered: ‎12-17-2011

Re: Debugging WPA2-EAP

I mentioned this in the other thread but I'm doing this without a RADIUS server. All certificates and EAP termination are on the controller. Wanted to test it out first before asking our server team to configure the RADIUS servers.

MVP
Posts: 520
Registered: ‎05-11-2011

Re: Debugging WPA2-EAP


As mentioned by "the racking monkey" the certificates might be a root cause.

Did you create 2048-bits? Try 1024-bits.

Did you export CA Root or signing-cert? Use signing-cert where applicable.

Is OCSP an issue here? Try to set up Controller as OCSP Responder using the signing-cert imported as OCSP Responder cert.


Might also want to check out my MDPS thread in the Amigopod forum for some pointers.


..John


Regards
John Solberg

-ACMX #316 :: ACCP-
Intelecom - Norway
----------------------------
Remember to Kudo if a post helped you! || Problem Solved? Click "Accept as Solution" in a post!