Occasional Contributor II
Posts: 19
Registered: ‎08-15-2016

Student unable to Roam on eduroam

Here is an interesting problem that has me banging my head in frustration
We have a student on eduroam with 3 devices: an Android phone, an iPad and a Windows 10 Surface device.
When the student is on campus, all 3 devices associate to eduroam and can use all our network resources as they should.

When the student is away at another university, they start to hit issues with the Win 10 laptop.

The iPad can roam just fine.

The Android phone can roam fine.

The Surface will not connect to eduroam at all.
If I look in Access Tracker, I can see the authentication failed with the following message:
Error Code: 215
Error Category: Authentication failure
Error Message: TLS session error
Alerts for this Request:
RADIUSEAP-PEAP: fatal alert by client - access_denied
TLS session reuse error

Initially I was thinking that it was a Win 10 issue, but we have successfully been able to roam via eduroam on the same device using another test account, so that rules out Win 10.

It can't be an account issue, as the user would not be able to connect or roam on their other 2 devices; they can, so the account is OK.
If I look in the logs, I can see the following: an SSL error which leads to an invalid tunnel.
2017-05-05 10:05:01,836[RequestHandler-1-0x7fe2da1f0700 r=psauto-1484427338-1283585 h=127 r=R0009cd03-04-590c403d] INFO Core.ServiceReqHandler - Service classification result = Eduroam 802.1x Roaming User Authentication
2017-05-05 10:05:01,862[Th 51 Req 4395619 SessId R0009cd03-04-590c403d] INFO RadiusServer.Radius - rlm_service: The request was categorized into service "Eduroam 802.1x Roaming User Authentication" - 137:380:985FD3D276C3
2017-05-05 10:05:01,863[Th 51 Req 4395619 SessId R0009cd03-04-590c403d] INFO RadiusServer.Radius - TLS_accept:error in SSLv3 read client key exchange A
2017-05-05 10:05:01,863[Th 51 Req 4395619 SessId R0009cd03-04-590c403d] INFO RadiusServer.Radius - TLS_accept:error in SSLv3 read client key exchange A
2017-05-05 10:05:01,864[Th 51 Req 4395619 SessId R0009cd03-04-590c403d] INFO RadiusServer.Radius - reqst_update_state: Access-Challenge 137:1145:985FD3D276C3:ACQA3QDnAFhjEkMAJNQLQtiQsaC7jWYUQFx09A==
2017-05-05 10:05:01,882[Th 59 Req 4395620 SessId R0009cd03-04-590c403d] INFO RadiusServer.Radius - rlm_service: The request was categorized into service "Eduroam 802.1x Roaming User Authentication" - 139:204:985FD3D276C3
2017-05-05 10:05:01,883[Th 59 Req 4395620 SessId R0009cd03-04-590c403d] INFO RadiusServer.Radius - reqst_update_state: Access-Challenge 139:1141:985FD3D276C3:AHgA5gBGAFFkEkMAYkDPaCQmS07OEeg9gEfBFw==
2017-05-05 10:05:01,902[Th 53 Req 4395621 SessId R0009cd03-04-590c403d] INFO RadiusServer.Radius - rlm_service: The request was categorized into service "Eduroam 802.1x Roaming User Authentication" - 154:204:985FD3D276C3
2017-05-05 10:05:01,902[Th 53 Req 4395621 SessId R0009cd03-04-590c403d] INFO RadiusServer.Radius - reqst_update_state: Access-Challenge 154:1141:985FD3D276C3:AHYAjwC3ABBlEkMAUPuXRTJw0B4eF9dYYXQl7g==
2017-05-05 10:05:01,922[Th 57 Req 4395622 SessId R0009cd03-04-590c403d] INFO RadiusServer.Radius - rlm_service: The request was categorized into service "Eduroam 802.1x Roaming User Authentication" - 138:204:985FD3D276C3
2017-05-05 10:05:01,922[Th 57 Req 4395622 SessId R0009cd03-04-590c403d] INFO RadiusServer.Radius - reqst_update_state: Access-Challenge 138:1141:985FD3D276C3:AFQAnQAfABxmEkMAK+vwsUb1BafpTAoSbNceUA==
2017-05-05 10:05:01,941[Th 54 Req 4395623 SessId R0009cd03-04-590c403d] INFO RadiusServer.Radius - rlm_service: The request was categorized into service "Eduroam 802.1x Roaming User Authentication" - 75:205:985FD3D276C3
2017-05-05 10:05:01,942[Th 54 Req 4395623 SessId R0009cd03-04-590c403d] INFO RadiusServer.Radius - reqst_update_state: Access-Challenge 75:966:985FD3D276C3:AGUAPQCOAG5nEkMANtAIRufcum+otX9Z6tj6eg==
2017-05-05 10:05:01,963[Th 56 Req 4395624 SessId R0009cd03-04-590c403d] INFO RadiusServer.Radius - rlm_service: The request was categorized into service "Eduroam 802.1x Roaming User Authentication" - 136:334:985FD3D276C3
2017-05-05 10:05:01,963[Th 56 Req 4395624 SessId R0009cd03-04-590c403d] INFO RadiusServer.Radius - reqst_update_state: Access-Challenge 136:160:985FD3D276C3:AFEAmgCPAEhoEkMAe/hl5rVHaRMBp6JhtEKFzg==
2017-05-05 10:05:02,040[Th 55 Req 4395625 SessId R0009cd03-04-590c403d] INFO RadiusServer.Radius - rlm_service: The request was categorized into service "Eduroam 802.1x Roaming User Authentication" - 161:239:985FD3D276C3
2017-05-05 10:05:02,040[Th 55 Req 4395625 SessId R0009cd03-04-590c403d] ERROR RadiusServer.Radius - TLS Alert read:fatal:access denied
2017-05-05 10:05:02,040[Th 55 Req 4395625 SessId R0009cd03-04-590c403d] INFO RadiusServer.Radius - rlm_eap_tls: No data inside of the tunnel.
2017-05-05 10:05:02,040[Th 55 Req 4395625 SessId R0009cd03-04-590c403d] INFO RadiusServer.Radius - rlm_eap_peap: No data inside of the tunnel.
We have removed all relevant certs and have recreated her profile but we still have this issue - any ideas on how to fix this?
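The log excerpt above carries the one fact that matters for triage: the fatal alert is logged as "TLS Alert read", meaning the RADIUS server received it from the peer, so the supplicant (the Surface) aborted the handshake, not ClearPass. The script below is an added example, not part of the original post and not ClearPass code: it groups ClearPass RADIUS log lines by session ID, counts the Access-Challenge round trips, records the direction and description of any TLS alert, and turns that into a one-line verdict. The line, session-ID and alert formats are assumptions inferred only from the lines posted above; the sample input is that excerpt copied verbatim.

```python
import re
from dataclasses import dataclass, field
from typing import Optional, Set

# ClearPass RADIUS log line, as seen in the excerpt: "<timestamp>[<context>] <LEVEL> <component> - <message>"
# (format assumed from the posted lines only)
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})\[(?P<ctx>[^\]]*)\]\s+"
    r"(?P<level>[A-Z]+)\s+(?P<component>\S+)\s+-\s+(?P<msg>.*)$"
)
# Session id appears as "SessId R..." in the RADIUS threads and as "r=R..." in the policy thread
SESS_RE = re.compile(r"(?:SessId |\br=)(?P<sid>R[0-9a-fA-F]{8}-\d{2}-[0-9a-fA-F]{8})")
REQ_RE = re.compile(r"\bReq (?P<req>\d+)")
SERVICE_QUOTED_RE = re.compile(r'categorized into service "(?P<svc>[^"]+)"')
SERVICE_RESULT_RE = re.compile(r"Service classification result = (?P<svc>.+)$")
# OpenSSL-style alert trace: "read" = the server received the alert from the peer (the supplicant),
# "write" = the server sent it.
ALERT_RE = re.compile(r"TLS Alert (?P<dir>read|write):(?P<lvl>\w+):(?P<desc>.+)$")


@dataclass
class Session:
    sid: str
    service: str = ""
    requests: Set[str] = field(default_factory=set)
    challenges: int = 0          # Access-Challenge packets = EAP round trips completed
    handshake_errors: int = 0    # "TLS_accept:error ..." lines (OpenSSL state-machine retries)
    alert: Optional[tuple] = None  # (direction, level, description)
    tunnel_empty: bool = False


def parse_line(line):
    """Split one log line into its fields; returns None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    sm = SESS_RE.search(rec["ctx"])
    rm = REQ_RE.search(rec["ctx"])
    rec["sid"] = sm.group("sid") if sm else None
    rec["req"] = rm.group("req") if rm else None
    return rec


def summarize(lines):
    """Group lines by session id and collect the handshake-relevant events."""
    sessions = {}
    for line in lines:
        rec = parse_line(line.strip())
        if not rec or not rec["sid"]:
            continue
        s = sessions.setdefault(rec["sid"], Session(rec["sid"]))
        if rec["req"]:
            s.requests.add(rec["req"])
        msg = rec["msg"]
        svc = SERVICE_QUOTED_RE.search(msg) or SERVICE_RESULT_RE.search(msg)
        if svc:
            s.service = svc.group("svc").strip()
        if "Access-Challenge" in msg:
            s.challenges += 1
        if "TLS_accept:error" in msg:
            s.handshake_errors += 1
        al = ALERT_RE.search(msg)
        if al:
            s.alert = (al.group("dir"), al.group("lvl"), al.group("desc").strip())
        if "No data inside of the tunnel" in msg:
            s.tunnel_empty = True
    return sessions


def diagnose(s):
    """One-line verdict: who aborted the TLS handshake, if anyone."""
    if s.alert and s.alert[1] == "fatal":
        if s.alert[0] == "read":
            return (f"client_abort: supplicant sent fatal alert '{s.alert[2]}' after "
                    f"{s.challenges} Access-Challenge round trips; the rejection happened on the "
                    "client, so check its server-certificate / trusted-CA settings before the server's")
        return f"server_abort: server sent fatal alert '{s.alert[2]}'"
    if s.handshake_errors and s.tunnel_empty:
        return "incomplete_handshake: TLS_accept errors and empty tunnel, but no alert exchanged"
    return "ok_or_inconclusive"


# Sample input: the log excerpt from the post above, copied verbatim.
SAMPLE_LOG = '''
2017-05-05 10:05:01,836[RequestHandler-1-0x7fe2da1f0700 r=psauto-1484427338-1283585 h=127 r=R0009cd03-04-590c403d] INFO Core.ServiceReqHandler - Service classification result = Eduroam 802.1x Roaming User Authentication
2017-05-05 10:05:01,862[Th 51 Req 4395619 SessId R0009cd03-04-590c403d] INFO RadiusServer.Radius - rlm_service: The request was categorized into service "Eduroam 802.1x Roaming User Authentication" - 137:380:985FD3D276C3
2017-05-05 10:05:01,863[Th 51 Req 4395619 SessId R0009cd03-04-590c403d] INFO RadiusServer.Radius - TLS_accept:error in SSLv3 read client key exchange A
2017-05-05 10:05:01,863[Th 51 Req 4395619 SessId R0009cd03-04-590c403d] INFO RadiusServer.Radius - TLS_accept:error in SSLv3 read client key exchange A
2017-05-05 10:05:01,864[Th 51 Req 4395619 SessId R0009cd03-04-590c403d] INFO RadiusServer.Radius - reqst_update_state: Access-Challenge 137:1145:985FD3D276C3:ACQA3QDnAFhjEkMAJNQLQtiQsaC7jWYUQFx09A==
2017-05-05 10:05:01,882[Th 59 Req 4395620 SessId R0009cd03-04-590c403d] INFO RadiusServer.Radius - rlm_service: The request was categorized into service "Eduroam 802.1x Roaming User Authentication" - 139:204:985FD3D276C3
2017-05-05 10:05:01,883[Th 59 Req 4395620 SessId R0009cd03-04-590c403d] INFO RadiusServer.Radius - reqst_update_state: Access-Challenge 139:1141:985FD3D276C3:AHgA5gBGAFFkEkMAYkDPaCQmS07OEeg9gEfBFw==
2017-05-05 10:05:01,902[Th 53 Req 4395621 SessId R0009cd03-04-590c403d] INFO RadiusServer.Radius - rlm_service: The request was categorized into service "Eduroam 802.1x Roaming User Authentication" - 154:204:985FD3D276C3
2017-05-05 10:05:01,902[Th 53 Req 4395621 SessId R0009cd03-04-590c403d] INFO RadiusServer.Radius - reqst_update_state: Access-Challenge 154:1141:985FD3D276C3:AHYAjwC3ABBlEkMAUPuXRTJw0B4eF9dYYXQl7g==
2017-05-05 10:05:01,922[Th 57 Req 4395622 SessId R0009cd03-04-590c403d] INFO RadiusServer.Radius - rlm_service: The request was categorized into service "Eduroam 802.1x Roaming User Authentication" - 138:204:985FD3D276C3
2017-05-05 10:05:01,922[Th 57 Req 4395622 SessId R0009cd03-04-590c403d] INFO RadiusServer.Radius - reqst_update_state: Access-Challenge 138:1141:985FD3D276C3:AFQAnQAfABxmEkMAK+vwsUb1BafpTAoSbNceUA==
2017-05-05 10:05:01,941[Th 54 Req 4395623 SessId R0009cd03-04-590c403d] INFO RadiusServer.Radius - rlm_service: The request was categorized into service "Eduroam 802.1x Roaming User Authentication" - 75:205:985FD3D276C3
2017-05-05 10:05:01,942[Th 54 Req 4395623 SessId R0009cd03-04-590c403d] INFO RadiusServer.Radius - reqst_update_state: Access-Challenge 75:966:985FD3D276C3:AGUAPQCOAG5nEkMANtAIRufcum+otX9Z6tj6eg==
2017-05-05 10:05:01,963[Th 56 Req 4395624 SessId R0009cd03-04-590c403d] INFO RadiusServer.Radius - rlm_service: The request was categorized into service "Eduroam 802.1x Roaming User Authentication" - 136:334:985FD3D276C3
2017-05-05 10:05:01,963[Th 56 Req 4395624 SessId R0009cd03-04-590c403d] INFO RadiusServer.Radius - reqst_update_state: Access-Challenge 136:160:985FD3D276C3:AFEAmgCPAEhoEkMAe/hl5rVHaRMBp6JhtEKFzg==
2017-05-05 10:05:02,040[Th 55 Req 4395625 SessId R0009cd03-04-590c403d] INFO RadiusServer.Radius - rlm_service: The request was categorized into service "Eduroam 802.1x Roaming User Authentication" - 161:239:985FD3D276C3
2017-05-05 10:05:02,040[Th 55 Req 4395625 SessId R0009cd03-04-590c403d] ERROR RadiusServer.Radius - TLS Alert read:fatal:access denied
2017-05-05 10:05:02,040[Th 55 Req 4395625 SessId R0009cd03-04-590c403d] INFO RadiusServer.Radius - rlm_eap_tls: No data inside of the tunnel.
2017-05-05 10:05:02,040[Th 55 Req 4395625 SessId R0009cd03-04-590c403d] INFO RadiusServer.Radius - rlm_eap_peap: No data inside of the tunnel.
'''

if __name__ == "__main__":
    for sess in summarize(SAMPLE_LOG.splitlines()).values():
        print(sess.sid, sess.service, len(sess.requests), "requests,", sess.challenges, "challenges")
        print(diagnose(sess))
```

Two caveats when reading the verdict. The "SSLv3" in "TLS_accept:error in SSLv3 read client key exchange A" is OpenSSL's historical state-machine label and is not evidence that SSLv3 was negotiated; those lines only say the server was still waiting for the client's key exchange when the next fragment arrived. And a client-side "access denied" alert says nothing about which check on the supplicant failed; it tells you the supplicant, with the profile it has when roaming, refused to finish the handshake, which is why the server certificate's CN, chain and trusted-CA configuration on that device are the first things to compare against the working devices.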

Guru Elite
Posts: 8,798
Registered: ‎09-08-2010

Re: Student unable to Roam on eduroam

Can you tell me about your EAP server certificate?
Common name? Public or private? Same cert on all servers?

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II
Posts: 19
Registered: ‎08-15-2016

Re: Student unable to Roam on eduroam

It is a public cert bought from QuoVadis, same cert on both publisher and subscriber nodes
I have asked the student to drop in so I can have another look as this one makes no sense to me as she can connect onsite but not when roaming...

Guru Elite
Posts: 8,798
Registered: ‎09-08-2010

Re: Student unable to Roam on eduroam

The common name is not a wildcard correct?

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
MVP
Posts: 4,314
Registered: ‎07-20-2011

Re: Student unable to Roam on eduroam

How are you assigning the VLAN ?
What AOS version are you running ?

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Occasional Contributor II
Posts: 19
Registered: ‎08-15-2016

Re: Student unable to Roam on eduroam


Nope, no wildcards

The VLAN is based on the role users pick up when they first associate, as is the IP.

AOS version 6.4.4.9

MVP
Posts: 4,314
Registered: ‎07-20-2011

Re: Student unable to Roam on eduroam

Is ClearPass sending the VLANs?

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA