Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Student unable to Roam on eduroam

  • 1.  Student unable to Roam on eduroam

    Posted May 05, 2017 05:55 AM

    Here is an interesting problem that has me banging my head in frustration.

    We have a student on eduroam with 3 devices: an Android phone, an iPad and a Windows 10 Surface device.


    When the student is on campus, all 3 devices associate to eduroam and can use all our network resources as they should.

    When the student is away at another university, they start to hit issues with the Win 10 laptop.

    The iPad can roam just fine.

    The Android phone can roam fine.

    The Surface will not connect to eduroam at all.


    If I look in Access Tracker, I can see the authentication failed with the following message:

    Error Code: 215
    Error Category: Authentication failure
    Error Message: TLS session error
    Alerts for this Request:
    RADIUSEAP-PEAP: fatal alert by client - access_denied
    TLS session reuse error

    Initially I was thinking that it was a Win 10 issue, but we have successfully been able to roam via eduroam on the same device using another test account, so that rules out Win 10.

    It can't be an account issue, as the user would not be able to connect or roam on their other 2 devices; they can, so the account is OK.


    If I look in the logs I can see the following: an SSL error which leads to an invalid tunnel.

    2017-05-05 10:05:01,836[RequestHandler-1-0x7fe2da1f0700 r=psauto-1484427338-1283585 h=127 r=R0009cd03-04-590c403d] INFO Core.ServiceReqHandler - Service classification result = Eduroam 802.1x Roaming User Authentication
    2017-05-05 10:05:01,862[Th 51 Req 4395619 SessId R0009cd03-04-590c403d] INFO RadiusServer.Radius - rlm_service: The request was categorized into service "Eduroam 802.1x Roaming User Authentication" - 137:380:985FD3D276C3
    2017-05-05 10:05:01,863[Th 51 Req 4395619 SessId R0009cd03-04-590c403d] INFO RadiusServer.Radius - TLS_accept:error in SSLv3 read client key exchange A
    2017-05-05 10:05:01,863[Th 51 Req 4395619 SessId R0009cd03-04-590c403d] INFO RadiusServer.Radius - TLS_accept:error in SSLv3 read client key exchange A
    2017-05-05 10:05:01,864[Th 51 Req 4395619 SessId R0009cd03-04-590c403d] INFO RadiusServer.Radius - reqst_update_state: Access-Challenge 137:1145:985FD3D276C3:ACQA3QDnAFhjEkMAJNQLQtiQsaC7jWYUQFx09A==
    2017-05-05 10:05:01,882[Th 59 Req 4395620 SessId R0009cd03-04-590c403d] INFO RadiusServer.Radius - rlm_service: The request was categorized into service "Eduroam 802.1x Roaming User Authentication" - 139:204:985FD3D276C3
    2017-05-05 10:05:01,883[Th 59 Req 4395620 SessId R0009cd03-04-590c403d] INFO RadiusServer.Radius - reqst_update_state: Access-Challenge 139:1141:985FD3D276C3:AHgA5gBGAFFkEkMAYkDPaCQmS07OEeg9gEfBFw==
    2017-05-05 10:05:01,902[Th 53 Req 4395621 SessId R0009cd03-04-590c403d] INFO RadiusServer.Radius - rlm_service: The request was categorized into service "Eduroam 802.1x Roaming User Authentication" - 154:204:985FD3D276C3
    2017-05-05 10:05:01,902[Th 53 Req 4395621 SessId R0009cd03-04-590c403d] INFO RadiusServer.Radius - reqst_update_state: Access-Challenge 154:1141:985FD3D276C3:AHYAjwC3ABBlEkMAUPuXRTJw0B4eF9dYYXQl7g==
    2017-05-05 10:05:01,922[Th 57 Req 4395622 SessId R0009cd03-04-590c403d] INFO RadiusServer.Radius - rlm_service: The request was categorized into service "Eduroam 802.1x Roaming User Authentication" - 138:204:985FD3D276C3
    2017-05-05 10:05:01,922[Th 57 Req 4395622 SessId R0009cd03-04-590c403d] INFO RadiusServer.Radius - reqst_update_state: Access-Challenge 138:1141:985FD3D276C3:AFQAnQAfABxmEkMAK+vwsUb1BafpTAoSbNceUA==
    2017-05-05 10:05:01,941[Th 54 Req 4395623 SessId R0009cd03-04-590c403d] INFO RadiusServer.Radius - rlm_service: The request was categorized into service "Eduroam 802.1x Roaming User Authentication" - 75:205:985FD3D276C3
    2017-05-05 10:05:01,942[Th 54 Req 4395623 SessId R0009cd03-04-590c403d] INFO RadiusServer.Radius - reqst_update_state: Access-Challenge 75:966:985FD3D276C3:AGUAPQCOAG5nEkMANtAIRufcum+otX9Z6tj6eg==
    2017-05-05 10:05:01,963[Th 56 Req 4395624 SessId R0009cd03-04-590c403d] INFO RadiusServer.Radius - rlm_service: The request was categorized into service "Eduroam 802.1x Roaming User Authentication" - 136:334:985FD3D276C3
    2017-05-05 10:05:01,963[Th 56 Req 4395624 SessId R0009cd03-04-590c403d] INFO RadiusServer.Radius - reqst_update_state: Access-Challenge 136:160:985FD3D276C3:AFEAmgCPAEhoEkMAe/hl5rVHaRMBp6JhtEKFzg==
    2017-05-05 10:05:02,040[Th 55 Req 4395625 SessId R0009cd03-04-590c403d] INFO RadiusServer.Radius - rlm_service: The request was categorized into service "Eduroam 802.1x Roaming User Authentication" - 161:239:985FD3D276C3
    2017-05-05 10:05:02,040[Th 55 Req 4395625 SessId R0009cd03-04-590c403d] ERROR RadiusServer.Radius - TLS Alert read:fatal:access denied
    2017-05-05 10:05:02,040[Th 55 Req 4395625 SessId R0009cd03-04-590c403d] INFO RadiusServer.Radius - rlm_eap_tls: No data inside of the tunnel.
    2017-05-05 10:05:02,040[Th 55 Req 4395625 SessId R0009cd03-04-590c403d] INFO RadiusServer.Radius - rlm_eap_peap: No data inside of the tunnel.


    We have removed all relevant certs and have recreated her profile, but we still have this issue - any ideas on how to fix this?
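The per-session pattern in the log above (a TLS_accept error, then a fatal alert sent by the client, then "No data inside of the tunnel") is what a defender wants to pull out of a busy RADIUS log automatically rather than by eye. The following Python is an added example, not code from the original post or from ClearPass itself: it groups RadiusServer.Radius lines by SessId over constructed sample lines modelled on the format quoted above, and assumes the 12-hex-digit tail of the rlm_service line is the client MAC.

```python
import re
from collections import defaultdict

# Layout of the ClearPass RadiusServer.Radius lines quoted in the post:
# "<date> <time>[Th N Req N SessId <id>] <LEVEL> <logger> - <message>"
LINE_RE = re.compile(r"\[Th \d+ Req \d+ SessId (?P<sess>[^\]]+)\] [A-Z]+ \S+ - (?P<msg>.*)$")
# Tail of the rlm_service line; the 12 hex digits look like the client MAC (assumption).
SERVICE_RE = re.compile(r'categorized into service "(?P<svc>[^"]+)" - \d+:\d+:(?P<mac>[0-9A-F]{12})')

# Message fragments marking each stage of a PEAP outer-tunnel failure.
MARKERS = (
    ("TLS_accept:error", "handshake_error"),          # server-side TLS state error
    ("TLS Alert read:fatal:", "client_fatal_alert"),  # the *client* sent the alert
    ("No data inside of the tunnel", "empty_tunnel"), # inner EAP never started
    ("Access-Accept", "accept"),
)

def classify(msg):
    return next((tag for needle, tag in MARKERS if needle in msg), None)

def verdict(events):
    # Client-sent fatal alert + empty tunnel: the supplicant gave up before any inner
    # credential was sent, so check its trust of the server cert, not the password.
    if "client_fatal_alert" in events and "empty_tunnel" in events:
        return "supplicant aborted PEAP tunnel before inner auth"
    return "accepted" if "accept" in events else "incomplete"

def triage(log_text):
    """Group RadiusServer log lines by SessId and summarise how each session ended."""
    sessions = defaultdict(lambda: {"service": None, "mac": None, "events": []})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # other loggers (e.g. Core.ServiceReqHandler) use a different prefix
        s = sessions[m["sess"]]
        if svc := SERVICE_RE.search(m["msg"]):
            s["service"], s["mac"] = svc["svc"], svc["mac"]
        if tag := classify(m["msg"]):
            s["events"].append(tag)
    return {sid: {**s, "verdict": verdict(s["events"])} for sid, s in sessions.items()}

# Constructed sample modelled on the post's log format (ids and MACs are made up).
SAMPLE_LOG = """\
2017-05-05 10:05:01,862[Th 51 Req 4395619 SessId R0000aaaa-01-1] INFO RadiusServer.Radius - rlm_service: The request was categorized into service "Eduroam 802.1x Roaming User Authentication" - 137:380:001122334455
2017-05-05 10:05:01,863[Th 51 Req 4395619 SessId R0000aaaa-01-1] INFO RadiusServer.Radius - TLS_accept:error in SSLv3 read client key exchange A
2017-05-05 10:05:02,040[Th 55 Req 4395625 SessId R0000aaaa-01-1] ERROR RadiusServer.Radius - TLS Alert read:fatal:access denied
2017-05-05 10:05:02,040[Th 55 Req 4395625 SessId R0000aaaa-01-1] INFO RadiusServer.Radius - rlm_eap_peap: No data inside of the tunnel.
2017-05-05 10:06:11,001[Th 52 Req 4395701 SessId R0000bbbb-01-2] INFO RadiusServer.Radius - rlm_service: The request was categorized into service "Eduroam 802.1x Roaming User Authentication" - 140:204:66778899AABB
2017-05-05 10:06:11,250[Th 52 Req 4395701 SessId R0000bbbb-01-2] INFO RadiusServer.Radius - reqst_update_state: Access-Accept 140:20:66778899AABB
"""
```

Calling `triage(SAMPLE_LOG)` separates the session the client aborted from the one that was accepted, which is the split to make before looking at either the account or the server certificate.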



  • 2.  RE: Student unable to Roam on eduroam

    EMPLOYEE
    Posted May 05, 2017 07:18 AM
    Can you tell me about your EAP server certificate?
    Common name? Public or private? Same cert on all servers?


  • 3.  RE: Student unable to Roam on eduroam

    Posted May 05, 2017 09:19 AM

    It is a public cert bought from QuoVadis, same cert on both publisher and subscriber nodes.

    I have asked the student to drop in so I can have another look, as this one makes no sense to me: she can connect onsite but not when roaming...



  • 4.  RE: Student unable to Roam on eduroam

    EMPLOYEE
    Posted May 05, 2017 09:26 AM
    The common name is not a wildcard, correct?


  • 5.  RE: Student unable to Roam on eduroam

    Posted May 05, 2017 11:15 AM

    Nope, no wildcards.

    The VLAN is based on the role users pick up when they first associate, as is the IP.

    AOS version 6.4.4.9



  • 6.  RE: Student unable to Roam on eduroam

    Posted May 05, 2017 11:18 AM
    Is ClearPass sending the VLANs?


  • 7.  RE: Student unable to Roam on eduroam

    Posted May 05, 2017 09:27 AM
    How are you assigning the VLAN?
    What AOS version are you running?