Frequent Contributor I
Posts: 89
Registered: ‎10-27-2013

Having some 802.1x Authentication issues

Hi All

 

Been pulling my hair out with this one. Implementing Radius and 802.1x auth is not succeeding.

Aruba Controller version 6.4.2.3

MS 2003 Server for Radius/IAS (I know it's old...)

 

Signing in from my Android device it just never connects - from the Radius server I can see it is granting access (confirmed with performing AAA test from controller).

 

I have tried the following from googling around the web:

PMKID disabled and enabled with no difference.

Prohibit-IP-Spoofing enabled and disabled with no difference.

Set Interval between WPA/WPA2 Key Messages from 1000 to 3000 with no difference.

 

I see the following from the Logs on the controller for my Android's MAC address. Seeing messages for "MIC failed in WPA key Message 2".

 

Nov 25 16:00:32  authmgr[2056]: <524124> <DBUG> |authmgr|  dot1x_supplicant_up(): MAC:ec:1f:72:eb:ea:d3, pmkid_present:False, pmkid:N/A
Nov 25 16:00:32  authmgr[2056]: <522308> <DBUG> |authmgr|  Device Type index derivation for ec:1f:72:eb:ea:d3 : dhcp (0,0,0) oui (0,0) ua (5,1,1) derived Android(1)
Nov 25 16:00:32  authmgr[2056]: <522299> <DBUG> |authmgr|  Auth GSM : DEV_ID_CACHE publish for mac ec:1f:72:eb:ea:d3 dev-id Android index 1
Nov 25 16:00:32  authmgr[2056]: <522050> <INFO> |authmgr|  MAC=ec:1f:72:eb:ea:d3,IP=N/A User data downloaded to datapath, new Role=logon/2, bw Contract=0/0, reason=layer 2 event driven download, idle-timeout=300
Nov 25 16:00:32  authmgr[2056]: <522242> <DBUG> |authmgr|  MAC=ec:1f:72:eb:ea:d3 Station Created Update MMS: BSSID=9c:1c:12:0f:7d:d4 ESSID=Test-SSID VLAN=2 AP-name=B-Block_GndFlr_Networks
Nov 25 16:00:32  authmgr[2056]: <522301> <DBUG> |authmgr|  Auth GSM : USER publish for uuid 332 mac ec:1f:72:eb:ea:d3 name  role logon devtype Android wired 0 authtype 0 subtype 0  encrypt-type 10 conn-port 8448 fwd-mode 0
Nov 25 16:00:32  authmgr[1719]: <522038> <INFO> |authmgr|  username=hendrik MAC=ec:1f:72:eb:ea:d3 IP=0.0.0.0 Authentication result=Authentication Successful method=802.1x server=2003-Radius
Nov 25 16:00:32  authmgr[1719]: <124003> <INFO> |authmgr|  Authentication result=Authentication Successful(0), method=802.1x, server=2003-Radius, user=ec:1f:72:eb:ea:d3 
Nov 25 16:00:32  authmgr[1719]: <522044> <INFO> |authmgr|  MAC=ec:1f:72:eb:ea:d3 Station authenticate(start): method=802.1x, role=logon///logon, VLAN=2/2, Derivation=0/0, Value Pair=1, flags=0x8 
Nov 25 16:00:32  authmgr[1719]: <522049> <INFO> |authmgr|  MAC=ec:1f:72:eb:ea:d3,IP=N/A User role updated, existing Role=logon/none, new Role=authenticated/none, reason=Station Authenticated with auth type: 4
Nov 25 16:00:32  authmgr[1719]: <522050> <INFO> |authmgr|  MAC=ec:1f:72:eb:ea:d3,IP=N/A User data downloaded to datapath, new Role=authenticated/73, bw Contract=0/0, reason=Download driven by user role setting, idle-timeout=300
Nov 25 16:00:32  authmgr[1719]: <522301> <DBUG> |authmgr|  Auth GSM : USER publish for uuid 332 mac ec:1f:72:eb:ea:d3 name hendrik role authenticated devtype Android wired 0 authtype 4 subtype 0  encrypt-type 10 conn-port 8448 fwd-mode 0
Nov 25 16:00:32  authmgr[1719]: <522258> <DBUG> |authmgr|  "VDR - Add to history of user user ec:1f:72:eb:ea:d3 vlan 0 derivation_type Reset Dot1x VLANs index 4.
Nov 25 16:00:32  authmgr[1719]: <522254> <DBUG> |authmgr|  VDR - mac ec:1f:72:eb:ea:d3 rolename NULL fwdmode 0 derivation_type Dot1x Aruba VSA vp present.
Nov 25 16:00:32  authmgr[1719]: <522254> <DBUG> |authmgr|  VDR - mac ec:1f:72:eb:ea:d3 rolename NULL fwdmode 0 derivation_type Dot1x MSFT Attributes vp present.
Nov 25 16:00:32  authmgr[1719]: <522254> <DBUG> |authmgr|  VDR - mac ec:1f:72:eb:ea:d3 rolename NULL fwdmode 0 derivation_type Dot1x Server Rule vp present.
Nov 25 16:00:32  authmgr[1719]: <522259> <DBUG> |authmgr|  "VDR - Do Role Based VLAN Derivation user ec:1f:72:eb:ea:d3 role authenticated authtype 4 rolehow default for authentication type 802.1x.
Nov 25 16:00:32  authmgr[1719]: <522254> <DBUG> |authmgr|  VDR - mac ec:1f:72:eb:ea:d3 rolename authenticated fwdmode 0 derivation_type User Dot1x Role Contained vp not present.
Nov 25 16:00:32  authmgr[1719]: <522258> <DBUG> |authmgr|  "VDR - Add to history of user user ec:1f:72:eb:ea:d3 vlan 0 derivation_type Reset Role Based VLANs index 5.
Nov 25 16:00:32  authmgr[1719]: <522255> <DBUG> |authmgr|  "VDR - set vlan in user for ec:1f:72:eb:ea:d3 vlan 2 fwdmode 0 derivation_type Current VLAN updated.
Nov 25 16:00:32  authmgr[1719]: <522258> <DBUG> |authmgr|  "VDR - Add to history of user user ec:1f:72:eb:ea:d3 vlan 2 derivation_type Current VLAN updated index 6.
Nov 25 16:00:32  authmgr[1719]: <522260> <DBUG> |authmgr|  "VDR - Cur VLAN updated ec:1f:72:eb:ea:d3 mob 0 inform 0 remote 0 wired 0 defvlan 2 exportedvlan 0 curvlan 2.
Nov 25 16:00:32  authmgr[1719]: <522029> <INFO> |authmgr|  MAC=ec:1f:72:eb:ea:d3 Station authenticate: method=802.1x, role=authenticated///logon, VLAN=2/2, Derivation=1/1, Value Pair=1 
Nov 25 16:00:32  authmgr[1719]: <522301> <DBUG> |authmgr|  Auth GSM : USER publish for uuid 332 mac ec:1f:72:eb:ea:d3 name hendrik role authenticated devtype Android wired 0 authtype 4 subtype 9  encrypt-type 10 conn-port 8448 fwd-mode 0
Nov 25 16:00:33  authmgr[1719]: <522053> <DBUG> |authmgr|  PMK Cache getting updated for ec:1f:72:eb:ea:d3, (def, cur, vhow) = (2, 2, 1) with vlan=0 vlanhow=0 essid=Test-SSID role=authenticated rhow=1
Nov 25 16:00:33  authmgr[1719]: <524129> <DBUG> |authmgr|  dot1x_gsm_set_keycache(): MAC:ec:1f:72:eb:ea:d3 GSM: Successfully published Key-cache object.
Nov 25 16:00:33  authmgr[1719]: <524134> <DBUG> |authmgr|  dot1x_gsm_set_pmkcache(): MAC:ec:1f:72:eb:ea:d3 BSS:9c:1c:12:0f:7d:d4 GSM: Successfully published PMK-cache object.
Nov 25 16:00:33  authmgr[1719]: <524139> <DBUG> |authmgr|  add_pmkcache():864: MAC:ec:1f:72:eb:ea:d3 BSS:9c:1c:12:0f:7d:d4 Update:^A
Nov 25 16:00:33  authmgr[1719]: <524129> <DBUG> |authmgr|  dot1x_gsm_set_keycache(): MAC:ec:1f:72:eb:ea:d3 GSM: Successfully published Key-cache object.
Nov 25 16:00:33  authmgr[1719]: <524134> <DBUG> |authmgr|  dot1x_gsm_set_pmkcache(): MAC:ec:1f:72:eb:ea:d3 BSS:9c:1c:12:0f:7d:d4 GSM: Successfully published PMK-cache object.
Nov 25 16:00:33  authmgr[1719]: <524140> <DBUG> |authmgr|  add_pmkcache_ft():955: MAC:ec:1f:72:eb:ea:d3 BSS:9c:1c:12:0f:7d:d4 Update:^A
Nov 25 16:00:33  authmgr[1719]: <524129> <DBUG> |authmgr|  dot1x_gsm_set_keycache(): MAC:ec:1f:72:eb:ea:d3 GSM: Successfully published Key-cache object.
Nov 25 16:00:33  authmgr[1719]: <524134> <DBUG> |authmgr|  dot1x_gsm_set_pmkcache(): MAC:ec:1f:72:eb:ea:d3 BSS:9c:1c:12:0f:7d:d4 GSM: Successfully published PMK-cache object.
Nov 25 16:00:33  authmgr[1719]: <132094> <WARN> |authmgr|  MIC failed in WPA2 Key Message 2 from Station ec:1f:72:eb:ea:d3 9c:1c:12:0f:7d:d4 B-Block_GndFlr_Networks
Nov 25 16:00:36  authmgr[1719]: <524129> <DBUG> |authmgr|  dot1x_gsm_set_keycache(): MAC:ec:1f:72:eb:ea:d3 GSM: Successfully published Key-cache object.
Nov 25 16:00:36  authmgr[1719]: <524134> <DBUG> |authmgr|  dot1x_gsm_set_pmkcache(): MAC:ec:1f:72:eb:ea:d3 BSS:9c:1c:12:0f:7d:d4 GSM: Successfully published PMK-cache object.
Nov 25 16:00:36  authmgr[1719]: <524140> <DBUG> |authmgr|  add_pmkcache_ft():955: MAC:ec:1f:72:eb:ea:d3 BSS:9c:1c:12:0f:7d:d4 Update:^A
Nov 25 16:00:36  authmgr[1719]: <524129> <DBUG> |authmgr|  dot1x_gsm_set_keycache(): MAC:ec:1f:72:eb:ea:d3 GSM: Successfully published Key-cache object.
Nov 25 16:00:36  authmgr[1719]: <524134> <DBUG> |authmgr|  dot1x_gsm_set_pmkcache(): MAC:ec:1f:72:eb:ea:d3 BSS:9c:1c:12:0f:7d:d4 GSM: Successfully published PMK-cache object.
Nov 25 16:00:36  authmgr[1719]: <132094> <WARN> |authmgr|  MIC failed in WPA2 Key Message 2 from Station ec:1f:72:eb:ea:d3 9c:1c:12:0f:7d:d4 B-Block_GndFlr_Networks
Nov 25 16:00:39  authmgr[1719]: <524129> <DBUG> |authmgr|  dot1x_gsm_set_keycache(): MAC:ec:1f:72:eb:ea:d3 GSM: Successfully published Key-cache object.
Nov 25 16:00:39  authmgr[1719]: <524134> <DBUG> |authmgr|  dot1x_gsm_set_pmkcache(): MAC:ec:1f:72:eb:ea:d3 BSS:9c:1c:12:0f:7d:d4 GSM: Successfully published PMK-cache object.
Nov 25 16:00:39  authmgr[1719]: <524140> <DBUG> |authmgr|  add_pmkcache_ft():955: MAC:ec:1f:72:eb:ea:d3 BSS:9c:1c:12:0f:7d:d4 Update:^A
Nov 25 16:00:39  authmgr[1719]: <524129> <DBUG> |authmgr|  dot1x_gsm_set_keycache(): MAC:ec:1f:72:eb:ea:d3 GSM: Successfully published Key-cache object.
Nov 25 16:00:39  authmgr[1719]: <524134> <DBUG> |authmgr|  dot1x_gsm_set_pmkcache(): MAC:ec:1f:72:eb:ea:d3 BSS:9c:1c:12:0f:7d:d4 GSM: Successfully published PMK-cache object.
Nov 25 16:00:39  authmgr[1719]: <132094> <WARN> |authmgr|  MIC failed in WPA2 Key Message 2 from Station ec:1f:72:eb:ea:d3 9c:1c:12:0f:7d:d4 B-Block_GndFlr_Networks
Nov 25 16:00:42  authmgr[1719]: <524129> <DBUG> |authmgr|  dot1x_gsm_set_keycache(): MAC:ec:1f:72:eb:ea:d3 GSM: Successfully published Key-cache object.
Nov 25 16:00:42  authmgr[1719]: <524134> <DBUG> |authmgr|  dot1x_gsm_set_pmkcache(): MAC:ec:1f:72:eb:ea:d3 BSS:9c:1c:12:0f:7d:d4 GSM: Successfully published PMK-cache object.
Nov 25 16:00:42  authmgr[1719]: <524140> <DBUG> |authmgr|  add_pmkcache_ft():955: MAC:ec:1f:72:eb:ea:d3 BSS:9c:1c:12:0f:7d:d4 Update:^A
Nov 25 16:00:42  authmgr[1719]: <524129> <DBUG> |authmgr|  dot1x_gsm_set_keycache(): MAC:ec:1f:72:eb:ea:d3 GSM: Successfully published Key-cache object.
Nov 25 16:00:42  authmgr[1719]: <524134> <DBUG> |authmgr|  dot1x_gsm_set_pmkcache(): MAC:ec:1f:72:eb:ea:d3 BSS:9c:1c:12:0f:7d:d4 GSM: Successfully published PMK-cache object.
Nov 25 16:00:42  authmgr[1719]: <132094> <WARN> |authmgr|  MIC failed in WPA2 Key Message 2 from Station ec:1f:72:eb:ea:d3 9c:1c:12:0f:7d:d4 B-Block_GndFlr_Networks
Nov 25 16:00:45  authmgr[1719]: <132086> <INFO> |authmgr|  WPA 2 Key exchange failed to complete, de-authenticating the station ec:1f:72:eb:ea:d3 associated with AP 9c:1c:12:0f:7d:d4 B-Block_GndFlr_Networks
Nov 25 16:00:45  authmgr[1719]: <522289> <DBUG> |authmgr|  Auth GSM : MAC_USER mu_delete publish for mac ec:1f:72:eb:ea:d3 bssid 9c:1c:12:0f:7d:d4 vlan 2 type 1 data-ready 0 deauth-reason 49
Nov 25 16:00:45  stm[2159]: <501106> <NOTI> |stm|  Deauth to sta: ec:1f:72:eb:ea:d3: Ageout AP 10.254.253.107-9c:1c:12:0f:7d:d4-B-Block_GndFlr_Networks wifi_deauth_sta
Nov 25 16:00:45  authmgr[2056]: <522296> <DBUG> |authmgr|  Auth GSM : USER_STA delete event for user ec:1f:72:eb:ea:d3 age 0 deauth_reason 49

Any suggestions on what I am doing wrong or missing are more than welcome.

 

Guru Elite
Posts: 21,491
Registered: ‎03-29-2007

Re: Having some 802.1x Authentication issues

1.  NEVER change the 802.1x settings/timers. Please set them back to the defaults.

2.  Find out what error message, if any, the Radius Server has in its event logs

3.  On the controller side, type "show auth-tracebuf mac <mac address of client>" to see what is happening

 



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Frequent Contributor I
Posts: 89
Registered: ‎10-27-2013

Re: Having some 802.1x Authentication issues

Hi Colin

 

Reverted the Timers back to their original settings

Got the following output from the trace-buf command

 

Nov 27 11:05:38  station-up             *  ec:1f:72:eb:ea:d3  6c:f3:7f:db:8f:52              -    -     wpa2 psk aes
Nov 27 11:05:38  wpa2-key1             <-  ec:1f:72:eb:ea:d3  6c:f3:7f:db:8f:52              -    117   
Nov 27 11:05:39  wpa2-key2             ->  ec:1f:72:eb:ea:d3  6c:f3:7f:db:8f:52              -    117   
Nov 27 11:05:39  wpa2-key3             <-  ec:1f:72:eb:ea:d3  6c:f3:7f:db:8f:52              -    151   
Nov 27 11:05:39  wpa2-key4             ->  ec:1f:72:eb:ea:d3  6c:f3:7f:db:8f:52              -    95    
Nov 27 11:05:59  station-down           *  ec:1f:72:eb:ea:d3  6c:f3:7f:db:8f:52              -    -     
Nov 27 11:05:59  station-up             *  ec:1f:72:eb:ea:d3  9c:1c:12:0f:7d:d1              -    -     wpa2 psk aes
Nov 27 11:05:59  wpa2-key1             <-  ec:1f:72:eb:ea:d3  9c:1c:12:0f:7d:d1              -    117   
Nov 27 11:05:59  wpa2-key2             ->  ec:1f:72:eb:ea:d3  9c:1c:12:0f:7d:d1              -    117   
Nov 27 11:05:59  wpa2-key3             <-  ec:1f:72:eb:ea:d3  9c:1c:12:0f:7d:d1              -    151   
Nov 27 11:05:59  wpa2-key4             ->  ec:1f:72:eb:ea:d3  9c:1c:12:0f:7d:d1              -    95    
Nov 27 11:16:23  station-down           *  ec:1f:72:eb:ea:d3  9c:1c:12:0f:7d:d1              -    -     
Nov 27 11:16:25  station-up             *  ec:1f:72:eb:ea:d3  9c:1c:12:0f:7d:d4              -    -     wpa2 aes
Nov 27 11:16:25  station-term-start     *  ec:1f:72:eb:ea:d3  9c:1c:12:0f:7d:d4              2    -     
Nov 27 11:16:26  client-finish         ->  ec:1f:72:eb:ea:d3  9c:1c:12:0f:7d:d4/TCM-802.1X   -    -     
Nov 27 11:16:26  server-finish         <-  ec:1f:72:eb:ea:d3  9c:1c:12:0f:7d:d4/TCM-802.1X   -    61    
Nov 27 11:16:26  server-finish-ack     ->  ec:1f:72:eb:ea:d3  9c:1c:12:0f:7d:d4/TCM-802.1X   -    -     
Nov 27 11:16:26  inner-eap-id-req      <-  ec:1f:72:eb:ea:d3  9c:1c:12:0f:7d:d4/TCM-802.1X   -    35    
Nov 27 11:16:26  inner-eap-id-resp     ->  ec:1f:72:eb:ea:d3  9c:1c:12:0f:7d:d4/TCM-802.1X   -    -     hendrik
Nov 27 11:16:26  eap-mschap-chlg       <-  ec:1f:72:eb:ea:d3  9c:1c:12:0f:7d:d4/TCM-802.1X   -    67    
Nov 27 11:16:26  eap-mschap-response   ->  ec:1f:72:eb:ea:d3  9c:1c:12:0f:7d:d4/TCM-802.1X   8    49    
Nov 27 11:16:26  mschap-request        ->  ec:1f:72:eb:ea:d3  9c:1c:12:0f:7d:d4/TCM-802.1X   8    -     hendrik
Nov 27 11:16:26  mschap-response       <-  ec:1f:72:eb:ea:d3  9c:1c:12:0f:7d:d4/2008-Radius  -    -     hendrik
Nov 27 11:16:26  eap-mschap-success    <-  ec:1f:72:eb:ea:d3  9c:1c:12:0f:7d:d4/TCM-802.1X   -    83    
Nov 27 11:16:26  eap-mschap-success-ack->  ec:1f:72:eb:ea:d3  9c:1c:12:0f:7d:d4/TCM-802.1X   -    -     
Nov 27 11:16:26  eap-tlv-rslt-success  <-  ec:1f:72:eb:ea:d3  9c:1c:12:0f:7d:d4/TCM-802.1X   -    43    
Nov 27 11:16:26  eap-tlv-rslt-success  ->  ec:1f:72:eb:ea:d3  9c:1c:12:0f:7d:d4              -    2     
Nov 27 11:16:26  eap-success           <-  ec:1f:72:eb:ea:d3  9c:1c:12:0f:7d:d4/TCM-802.1X   -    4     
Nov 27 11:16:26  wpa2-key1             <-  ec:1f:72:eb:ea:d3  9c:1c:12:0f:7d:d4              -    117   
Nov 27 11:16:26  wpa2-key2             ->  ec:1f:72:eb:ea:d3  9c:1c:12:0f:7d:d4              -    240   mic failure
Nov 27 11:16:27  wpa2-key1             <-  ec:1f:72:eb:ea:d3  9c:1c:12:0f:7d:d4              -    117   
Nov 27 11:16:27  wpa2-key2             ->  ec:1f:72:eb:ea:d3  9c:1c:12:0f:7d:d4              -    240   mic failure
Nov 27 11:16:28  wpa2-key1             <-  ec:1f:72:eb:ea:d3  9c:1c:12:0f:7d:d4              -    117   
Nov 27 11:16:28  wpa2-key2             ->  ec:1f:72:eb:ea:d3  9c:1c:12:0f:7d:d4              -    240   mic failure
Nov 27 11:16:29  wpa2-key1             <-  ec:1f:72:eb:ea:d3  9c:1c:12:0f:7d:d4              -    117   
Nov 27 11:16:29  wpa2-key2             ->  ec:1f:72:eb:ea:d3  9c:1c:12:0f:7d:d4              -    240   mic failure
Nov 27 11:16:30  wpa2-key1             <-  ec:1f:72:eb:ea:d3  9c:1c:12:0f:7d:d4              -    117   
Nov 27 11:16:30  station-down           *  ec:1f:72:eb:ea:d3  9c:1c:12:0f:7d:d4              -    -     

I thought the 2003 server was causing a problem and got a 2008 server. Still having the same problem -- Might it be my Aruba config that's a problem and not the Radius server?

 

On the Radius server I do see an error

Reason Code:            23
    Reason:                An error occurred during the Network Policy Server use of the Extensible Authentication Protocol (EAP). Check EAP log files for EAP errors.

 

I have deleted the Certs, recreated them, deleted the policies and recreated them - but still getting this error. I am not sure where these EAP logs are - but if I am looking at the right logs (in C:\Windows\System32\LogFiles\INI1511)
I see the following lines

 

"RADNET","IAS",11/27/2015,11:13:27,1,"hendrik","NETWORKS\hendrik","000B866E1E74","EC1F72EBEAD3",,,,"10.254.253.21",0,0,"10.254.253.21","Aruba-Controller",,,19,,,1,4,"Secure Wireless Connections 2",0,"311 1 10.254.253.22 11/26/2015 13:30:42 203",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Secure Wireless Connections 2",1,,,,
"RADNET","IAS",11/27/2015,11:13:27,2,,"NETWORKS\hendrik",,,,,,,,0,"10.254.253.21","Aruba-Controller",,,,,1,2,4,"Secure Wireless Connections 2",0,"311 1 10.254.253.22 11/26/2015 13:30:42 203",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"0x084E4554574F524B53",,,"Secure Wireless Connections 2",1,,,,
"RADNET","IAS",11/27/2015,11:13:37,1,"hendrik","NETWORKS\hendrik","000B866E1E74","EC1F72EBEAD3",,,,"10.254.253.21",0,0,"10.254.253.21","Aruba-Controller",,,19,,,1,4,"Secure Wireless Connections 2",0,"311 1 10.254.253.22 11/26/2015 13:30:42 204",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Secure Wireless Connections 2",1,,,,
"RADNET","IAS",11/27/2015,11:13:37,2,,"NETWORKS\hendrik",,,,,,,,0,"10.254.253.21","Aruba-Controller",,,,,1,2,4,"Secure Wireless Connections 2",0,"311 1 10.254.253.22 11/26/2015 13:30:42 204",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"0x084E4554574F524B53",,,"Secure Wireless Connections 2",1,,,,

Also followed steps you recommended to another user (he was using instants though) in a different post, but still no luck....  :(

http://community.arubanetworks.com/t5/Aruba-Instant-Cloud-Wi-Fi/PEAP-authentication-failure-Reason-code-23/td-p/71530

 

Some extra details

Enabling Termination on the controller makes no difference (I believe for 802.1x it should be disabled) so currently disabled.

Running a AAA test for the user against the server does succeed.

 

Any other advice?
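Added example, not part of the original posts: a Python parser that splits `show auth-tracebuf` output like the trace above into station-up/station-down sessions and names the phase where each one stopped, separating the PSK session that finished the 4-way handshake from the 802.1X session that reached eap-success and then failed the key message 2 MIC. The row layout is inferred from the posted trace, and `sessions`, `verdict` and `triage` are hypothetical names.

```python
import re

# Constructed sample: rows abridged from the auth-tracebuf output in the post.
SAMPLE_TRACE = """\
Nov 27 11:05:59  station-up             *  ec:1f:72:eb:ea:d3  9c:1c:12:0f:7d:d1              -    -     wpa2 psk aes
Nov 27 11:05:59  wpa2-key1             <-  ec:1f:72:eb:ea:d3  9c:1c:12:0f:7d:d1              -    117
Nov 27 11:05:59  wpa2-key2             ->  ec:1f:72:eb:ea:d3  9c:1c:12:0f:7d:d1              -    117
Nov 27 11:05:59  wpa2-key3             <-  ec:1f:72:eb:ea:d3  9c:1c:12:0f:7d:d1              -    151
Nov 27 11:05:59  wpa2-key4             ->  ec:1f:72:eb:ea:d3  9c:1c:12:0f:7d:d1              -    95
Nov 27 11:16:23  station-down           *  ec:1f:72:eb:ea:d3  9c:1c:12:0f:7d:d1              -    -
Nov 27 11:16:25  station-up             *  ec:1f:72:eb:ea:d3  9c:1c:12:0f:7d:d4              -    -     wpa2 aes
Nov 27 11:16:26  eap-mschap-success-ack->  ec:1f:72:eb:ea:d3  9c:1c:12:0f:7d:d4/TCM-802.1X   -    -
Nov 27 11:16:26  eap-success           <-  ec:1f:72:eb:ea:d3  9c:1c:12:0f:7d:d4/TCM-802.1X   -    4
Nov 27 11:16:26  wpa2-key1             <-  ec:1f:72:eb:ea:d3  9c:1c:12:0f:7d:d4              -    117
Nov 27 11:16:26  wpa2-key2             ->  ec:1f:72:eb:ea:d3  9c:1c:12:0f:7d:d4              -    240   mic failure
Nov 27 11:16:27  wpa2-key1             <-  ec:1f:72:eb:ea:d3  9c:1c:12:0f:7d:d4              -    117
Nov 27 11:16:27  wpa2-key2             ->  ec:1f:72:eb:ea:d3  9c:1c:12:0f:7d:d4              -    240   mic failure
Nov 27 11:16:30  station-down           *  ec:1f:72:eb:ea:d3  9c:1c:12:0f:7d:d4              -    -
"""
MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
# The event may run straight into the direction arrow ("eap-mschap-success-ack->").
ROW = re.compile(
    rf"^\w{{3}}\s+\d+\s+[\d:]{{8}}\s+(?P<event>[\w-]+?)\s*(?:->|<-|\*)\s+"
    rf"(?P<sta>{MAC})\s+(?P<bssid>{MAC})(?:/\S+)?\s+\S+\s+\S+\s*(?P<note>.*)$", re.I)

def sessions(trace):
    """Group rows into station-up .. station-down sessions, per station MAC."""
    out, live = [], {}
    for line in trace.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # headers, blank lines and unknown rows are ignored
        event, sta, note = m["event"], m["sta"], m["note"].lower()
        if event == "station-up":
            live[sta] = {"bssid": m["bssid"], "psk": "psk" in note.split(),
                         "eap_success": False, "keys": set(), "mic_failures": 0}
            out.append(live[sta])
        elif event == "station-down":
            live.pop(sta, None)
        elif sta in live:
            s = live[sta]
            s["eap_success"] |= event == "eap-success"
            if event.startswith("wpa2-key"):
                s["keys"].add(event)
            s["mic_failures"] += "mic failure" in note
    return out

def verdict(s):
    """Name the phase in which a session stopped."""
    if "wpa2-key4" in s["keys"]:
        return "4-way handshake completed"
    if s["mic_failures"]:
        phase = "after EAP success" if s["eap_success"] else "without EAP success in trace"
        return f"key message 2 MIC failure {phase}"
    if not s["psk"] and not s["eap_success"]:
        return "EAP did not reach eap-success"
    return "handshake incomplete"

def triage(trace):
    """Return (bssid, verdict, mic_failure_count) for every session in the trace."""
    return [(s["bssid"], verdict(s), s["mic_failures"]) for s in sessions(trace)]
```

In the 4-way handshake the authenticator checks the message 2 MIC with a key derived from the PMK, so the second verdict means the controller and the client did not compute the same keys even though EAP succeeded.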

 

 

 

Guru Elite
Posts: 21,491
Registered: ‎03-29-2007

Re: Having some 802.1x Authentication issues

Termination should be off, yes.

 

Did you generate a server certificate for the IAS server for Server authentication?  Please see the article here:  http://community.arubanetworks.com/t5/Community-Tribal-Knowledge-Base/Step-by-Step-How-to-Configure-Microsoft-NPS-2008-Radius-Server/ta-p/80672

 

The #1 reason why the AAA test works and authentication does not work is having a proper radius server certificate...

 

 



Colin Joseph
Aruba Customer Engineering


Frequent Contributor I
Posts: 89
Registered: ‎10-27-2013

Re: Having some 802.1x Authentication issues

Hi

 

Just an update on this - I followed the steps in the document http://community.arubanetworks.com/t5/Community-Tribal-Knowledge-Base/Step-by-Step-How-to-Configure-Microsoft-NPS-2008-Radius-Server/ta-p/80672 exactly as indicated. Still had the problem. Created a new domain and server for testing and problem persisted. Added new certificates (computer, Domain Controller and also a few custom Certificates), still had same problem.

 

Pulled out an old 3400 Controller, redid my complete Aruba controller configuration on it and it worked like a charm with new test domain and original domain that I started with.

I believe there might be something I messed up in the Aruba configuration or my 3600 controller is FUBAR.

 

When I get approval I am migrating my new configuration (full flash config) from 3400 to the 3600 to see if the problem persists and to see if it is the controller or the config that is faulty.

 

Will post an update once I have done this.

Guru Elite
Posts: 21,491
Registered: ‎03-29-2007

Re: Having some 802.1x Authentication issues

Hendrik,

 

If you have support, please open a case.  Most of the configuration is on the radius server and there is very little configuration on the controller.  Since there is little configuration on the controller, I am not sure a flash backup is a good move, or it would just introduce issues into your new configuration.  Again, the bulk of the configuration is on the radius server.



Colin Joseph
Aruba Customer Engineering


Frequent Contributor I
Posts: 89
Registered: ‎10-27-2013

Re: Having some 802.1x Authentication issues

Hi

 

Just some feedback - unfortunately the controller is out of support (had many a conversation around renewal with no success).

Testing with the other controller and config it all works 100%, I think it is something on the original Config that was at fault. The previous admins fiddled with a lot of settings of which is unused or unrequired - possibly something I couldn't spot that was misconfigured.

But anyway we are running on the new config now with no hiccups (using setup steps as indicated - Thx Colin), had a bit of an issue with some of my Remote APs, but was resolved quite easily.
