Occasional Contributor II
Posts: 20
Registered: ‎10-30-2009

MDAC Issues - Failed association

I'm in the process of setting up a mobile provisioning profile for iOS devices that pushes users to an Aruba BYOD SSID performing EAP-TLS termination. The mobile profile downloads to the client fine, but when the client connects to the BYOD SSID it fails to connect. I get the following message in the error logs and auth trace buffer:

 

Nov 30 16:00:16 <localdb 133019> <ERRS> |localdb| User a4:67:06:2a:ab:71 was not found in the database
Nov 30 16:00:16 <localdb 133006> <ERRS> |localdb| User a4:67:06:2a:ab:71 Failed Authentication
Nov 30 16:02:34 <localdb 133019> <ERRS> |localdb| User a4:67:06:2a:ab:71 was not found in the database
Nov 30 16:02:34 <localdb 133006> <ERRS> |localdb| User a4:67:06:2a:ab:71 Failed Authentication
Nov 30 16:04:34 <localdb 133019> <ERRS> |localdb| User a4:67:06:2a:ab:71 was not found in the database
Nov 30 16:04:34 <localdb 133006> <ERRS> |localdb| User a4:67:06:2a:ab:71 Failed Authentication
Nov 30 16:09:26 <authmgr 132152> <ERRS> |authmgr| 802.1x termination is disabled user a4:67:06:2a:ab:71, profile default-psk

(LGWCAAAWMC02) #
(LGWCAAAWMC02) #
(LGWCAAAWMC02) #
(LGWCAAAWMC02) #show auth-tracebuf ?
count Show last count number of packets
failures Show only failures
mac Filter on a specific STA or AP
| Output Modifiers
<cr>

(LGWCAAAWMC02) #show auth-tracebuf failures

Auth Trace Buffer
-----------------


Nov 30 16:00:16 m-auth resp * a4:67:06:2a:ab:71 d8:c7:c8:12:a2:49 - - failed
Nov 30 16:02:34 m-auth resp * a4:67:06:2a:ab:71 d8:c7:c8:12:a2:49 - - failed
Nov 30 16:04:33 m-auth resp * a4:67:06:2a:ab:71 d8:c7:c8:12:9f:c9 - - fail

Aruba Employee
Posts: 664
Registered: ‎04-15-2009

Re: MDAC Issues - Failed association

It looks like termination on the SSID is disabled (under the dot1x profile).  It also looks like MAC authentication is enabled (under the AAA profile) and the controller is looking for the MAC address in the internal db.   Can you check those two things?

Occasional Contributor II
Posts: 20
Registered: ‎10-30-2009

Re: MDAC Issues - Failed association

Hi Olino,

 

That's what I initially thought, as it looked like a machine cache error, but EAP termination is enabled on the dot1x profile and is pointing to the root CA and server certificate uploaded from the Amigopod. I can also confirm that MAC auth is disabled on the AAA profile.

Aruba Employee
Posts: 664
Registered: ‎04-15-2009

Re: MDAC Issues - Failed association

Please do "show ap bss-table | include d8:c7:c8:12:a2:49" to verify that you are trying to connect to the correct SSID.  That bssid is from the failed auth-tracebuf command below.

Occasional Contributor II
Posts: 20
Registered: ‎10-30-2009

Re: MDAC Issues - Failed association

The iPad is connecting to the BYOD SSID and successfully authenticating its EAP certificate; however, it's then sending a machine authentication request that is failing on the controller. You can see this authentication trail in the auth-trace buffer. Machine authentication is disabled on the 802.1x profile. Any help would be greatly appreciated.

Guru Elite
Posts: 21,291
Registered: ‎03-29-2007

Re: MDAC Issues - Failed association

Please open a support case in parallel to this.  Those messages are usually in response to mac authentication, OR enforce machine authentication being enabled.

 



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor II
Posts: 20
Registered: ‎10-30-2009

Re: MDAC Issues - Failed association

A TAC case is already open; I was just trying to get a head start on this while I waited for the escalation engineer. I've just rechecked my config and can confirm machine auth is disabled on the accompanying 802.1x profile.


cjoseph wrote:

Please open a support case in parallel to this.  Those messages are usually in response to mac authentication, OR enforce machine authentication being enabled.

 


 

Guru Elite
Posts: 21,291
Registered: ‎03-29-2007

Re: MDAC Issues - Failed association

The parameter that needs to be unchecked is "Enforce Machine Authentication" in the 802.1x profile.



Colin Joseph
Aruba Customer Engineering


Occasional Contributor II
Posts: 20
Registered: ‎10-30-2009

Re: MDAC Issues - Failed association

This option is unchecked

Guru Elite
Posts: 21,291
Registered: ‎03-29-2007

Re: MDAC Issues - Failed association

[ Edited ]

The auth-tracebuf says that it is failing machine authentication.

 

I would type "show station-table" to find out what AAA profile it is attempting to connect to.  Then I would type "show aaa profile <name>" to make sure that there is no MAC authentication profile, OR MAC authentication server group in it.  From that output I would get the 802.1x profile and type "show aaa authentication dot1x <name of that profile>" to make sure that "Enforce Machine Authentication" is not checked and "Check certificate Common name" is not enabled.

 

You could be looking at the wrong AAA profile.

 

Remember, in this forum we do not have all the info we need to figure out everything due to privacy issues, so we are just guessing based on the information presented.

 



Colin Joseph
Aruba Customer Engineering
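
The following is an added example, not part of the thread and not Aruba code: a small Python triage script that parses the controller log lines from the first post, groups the errors per client MAC, and flags when the profile named in the log differs from the one the administrator expects. The hint text paraphrases the replies above, and the expected profile name `byod-dot1x` is a hypothetical placeholder.

```python
import re
from collections import defaultdict

# Sample input: log lines copied from the first post in this thread.
SAMPLE_LOG = """\
Nov 30 16:00:16 <localdb 133019> <ERRS> |localdb| User a4:67:06:2a:ab:71 was not found in the database
Nov 30 16:00:16 <localdb 133006> <ERRS> |localdb| User a4:67:06:2a:ab:71 Failed Authentication
Nov 30 16:09:26 <authmgr 132152> <ERRS> |authmgr| 802.1x termination is disabled user a4:67:06:2a:ab:71, profile default-psk
"""

# Message id -> what the replies in this thread say to check (not vendor documentation).
HINTS = {
    "133019": "MAC looked up in internal db: check the AAA profile for a MAC auth profile or server group",
    "133006": "internal db authentication failed: same check as 133019",
    "132152": "802.1x termination disabled: check termination on the dot1x profile actually in use",
}

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) <(?P<proc>\w+) (?P<id>\d+)> <\w+> \|\w+\| (?P<msg>.*)$")
MAC_RE = re.compile(r"\b(?:[0-9a-f]{2}:){5}[0-9a-f]{2}\b", re.I)
PROFILE_RE = re.compile(r"profile (\S+)$")

def triage(log_text, expected_profile=None):
    """Group errors per client MAC; flag a logged profile that is not the expected one."""
    report = defaultdict(
        lambda: {"ids": set(), "hints": set(), "profiles": set(), "wrong_profile": False})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # CLI prompts, blank lines, anything that is not a log record
        mac = MAC_RE.search(m["msg"])
        if not mac:
            continue
        entry = report[mac.group(0).lower()]
        entry["ids"].add(m["id"])
        if m["id"] in HINTS:
            entry["hints"].add(HINTS[m["id"]])
        prof = PROFILE_RE.search(m["msg"])
        if prof:
            entry["profiles"].add(prof.group(1))
            if expected_profile and prof.group(1) != expected_profile:
                entry["wrong_profile"] = True  # client hit a different profile than intended
    return dict(report)

if __name__ == "__main__":
    # "byod-dot1x" is a hypothetical name for the profile the admin believes is in use.
    for mac, e in triage(SAMPLE_LOG, expected_profile="byod-dot1x").items():
        print(mac, sorted(e["ids"]), sorted(e["profiles"]),
              "PROFILE MISMATCH" if e["wrong_profile"] else "")
        for hint in sorted(e["hints"]):
            print("  -", hint)
```

A profile mismatch in the output is the case raised in the last reply: the settings being verified may belong to a different profile than the one the client is actually hitting.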

