08-08-2014 08:10 AM
Hi Airheads Community,
I am currently facing an issue at the controller of a customer of mine.
Regarding this old discussion, I tried to troubleshoot the configuration or the behavior.
But I was unable to resolve the issue.
I try to authenticate admin users and Lobby Users via Radius.
But I am currently even unable to simply authenticate into the default role and I am not sure where the misconfiguration is.
Do I have to change the configuration of my Controller or is there a problem at the configuration of my Radius?
I can provide you the output of the Debug I have performed already like it was described in the old discussion.
Aug 8 15:13:37 :124011: <INFO> |authmgr| Test authenticating user winketa:****** using server Radius1
Aug 8 15:13:37 :121041: <DBUG> |authmgr| User winketa MAC=00:00:00:00:00:00 not found.
Aug 8 15:13:37 :124004: <DBUG> |authmgr| Auth server 'Radius1' response=0
Aug 8 15:13:37 :124019: <INFO> |authmgr| Test server response: Authentication Successful
Aug 8 15:11:38 :124004: <DBUG> |authmgr| RX (sock) message of type 1, len 1016
Aug 8 15:11:38 :124546: <DBUG> |authmgr| aal_authenticate user:winketa vpnflags:0.
Aug 8 15:11:38 :124004: <DBUG> |authmgr| unknown user=172.31.29.241, method=Management
Aug 8 15:11:38 :124547: <DBUG> |authmgr| aal_authenticate server_group:default.
Aug 8 15:11:38 :124004: <DBUG> |authmgr| Select server for method=Management, user=winketa, essid=<>, server-group=KVB_RADIUS_ADMIN, last_srv <>
Aug 8 15:11:38 :124004: <DBUG> |authmgr| server=Radius1, ena=1, ins=1 (1)
Aug 8 15:11:38 :124038: <INFO> |authmgr| Selected server Radius1 for method=Management; user=winketa, essid=<>, domain=<>, server-group=RADIUS_ADMIN
Aug 8 15:11:38 :124064: <NOTI> |authmgr| Administrative User result=Authentication failed(1), method=Management, username=winketa IP=172.31.29.241 auth server=Radius1
Aug 8 15:11:38 :124003: <INFO> |authmgr| Authentication result=Authentication failed(1), method=Management, server=Radius1, user=172.31.29.241
Aug 8 15:11:38 :124004: <DBUG> |authmgr| Auth server 'Radius1' response=1
Aug 8 15:11:38 :125022: <WARN> |aaa| Authentication failed for User winketa, Logged in from 172.31.29.241 port 56934, Connecting to 172.31.190.50 port 4343 connection type HTTPS
I tried to log in with the user "winketa" in the AAA diagnostics tool and everything went fine, as you see in my first authentication attempt. The RADIUS returns a successful authentication.
But if I try to log into the WebGUI using the same credentials, the controller sends some additional information to the RADIUS, like the issuing host's IP address.
I think this is why my RADIUS sends an authentication reject.
But I can't see where I can change this behavior.
Or where my misconfiguration is?
Here I have a screenshot with my current configuration.
I already tried several "Server Rules" I also tried to have no "Server Rules" applied but nothing changed the current behavior.
Do you guys have any idea how to solve this issue?
I would like to thank you for your support in advance!
08-08-2014 08:17 AM
08-08-2014 08:54 AM
Oh, I see that the link to the old discussion doesn't work as a hyperlink, so I will add it here as plain text just for completeness. Maybe there is something interesting in it for you guys.
Thanks olino for the quick response.
I retried the test and I saw that on the diagnostics page it says that it is using MSCHAPv2, but you are able to use PAP also.
I tried both mechanisms.
Here is the output of the AAA logging during the test.
MSCHAPv2
Aug 8 16:29:21 :124011: <INFO> |authmgr| Test authenticating user winketa:****** using server Radius1
Aug 8 16:29:21 :121041: <DBUG> |authmgr| User winketa MAC=00:00:00:00:00:00 not found.
Aug 8 16:29:21 :124004: <DBUG> |authmgr| Auth server 'Radius1' response=0
Aug 8 16:29:21 :124019: <INFO> |authmgr| Test server response: Authentication Successful
PAP
Aug 8 16:29:57 :124011: <INFO> |authmgr| Test authenticating user winketa:****** using server Radius1
Aug 8 16:29:57 :124004: <DBUG> |authmgr| Auth server 'Radius1' response=1
Aug 8 16:29:57 :124019: <INFO> |authmgr| Test server response: Authentication failed
Looks like it is about the response: "0" means allowed and "1" means rejected.
But if I try to log on regularly to the GUI, I am unable to perform a simple MSCHAPv2 request with only the given credentials.
The controller always sends some stuff like the issuing host's IP address and so on.
Maybe someone has any clue?
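Added example, not part of the original posts and not Aruba tooling: a small Python parser for the authmgr debug lines quoted in this thread that pairs each diagnostic test with its result and flags users who pass the AAA test but fail a Management login against the same server. The sample lines are copied from the logs above; the function names are hypothetical, and only the failure form of the "Administrative User result" message appears on this page, so the success form is assumed to follow the same layout.

```python
import re

# Sample lines copied from the debug output posted in this thread.
SAMPLE = """\
Aug 8 15:13:37 :124011: <INFO> |authmgr| Test authenticating user winketa:****** using server Radius1
Aug 8 15:13:37 :124004: <DBUG> |authmgr| Auth server 'Radius1' response=0
Aug 8 15:13:37 :124019: <INFO> |authmgr| Test server response: Authentication Successful
Aug 8 15:11:38 :124064: <NOTI> |authmgr| Administrative User result=Authentication failed(1), method=Management, username=winketa IP=172.31.29.241 auth server=Radius1
Aug 8 16:29:57 :124011: <INFO> |authmgr| Test authenticating user winketa:****** using server Radius1
Aug 8 16:29:57 :124019: <INFO> |authmgr| Test server response: Authentication failed
"""

LINE = re.compile(r"^(\w{3}\s+\d+\s+[\d:]+)\s+:(\d+):\s+<(\w+)>\s+\|(\w+)\|\s+(.*)$")
TEST_START = re.compile(r"Test authenticating user (\S+?):\S* using server (\S+)")
TEST_END = re.compile(r"Test server response: Authentication (\w+)")
MGMT = re.compile(r"Administrative User result=Authentication (\w+)\(\d+\), "
                  r"method=(\w+), username=(\S+) IP=(\S+) auth server=(\S+)")

def parse_events(text):
    """Return one dict per authentication attempt found in the log text."""
    events, pending = [], None
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip labels and anything that is not a controller log line
        when, _msg_id, _sev, _proc, msg = m.groups()
        if (t := TEST_START.search(msg)):
            pending = {"time": when, "source": "test", "user": t[1], "server": t[2]}
        elif (t := TEST_END.search(msg)) and pending:
            pending["ok"] = t[1].lower() == "successful"
            events.append(pending)
            pending = None
        elif (t := MGMT.search(msg)):
            events.append({"time": when, "source": t[2].lower(), "user": t[3],
                           "server": t[5], "client_ip": t[4],
                           "ok": t[1].lower() == "successful"})
    return events

def inconsistent(events):
    """(user, server) pairs that pass a diagnostic test but fail a management login."""
    passed = {(e["user"], e["server"]) for e in events if e["source"] == "test" and e["ok"]}
    failed = {(e["user"], e["server"]) for e in events if e["source"] == "management" and not e["ok"]}
    return sorted(passed & failed)

if __name__ == "__main__":
    for e in parse_events(SAMPLE):
        print(e)
    print("inconsistent:", inconsistent(parse_events(SAMPLE)))
```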
08-08-2014 09:24 AM
Aruba Customer Engineering