Contributor I
Posts: 27
Registered: ‎09-10-2013

Windows 7 802.1x via Wired port on RAP109

Hi

Hoping someone can point me in the right direction here.

I am using a 3400 with a RAP109. I have set up the wireless using 802.1x auth; however, I am having an issue setting this up with wired 802.1x.

I have followed the RAP Network setup guide step-by-step using the RAP in split-tunnel mode, with the same NPS as wireless. However, 802.1x never authenticates. The port is set as untrusted, and the 802.1X Authentication Profile has Termination with eap-peap and eap-mschapv2.

The user always gets the initial role of 'denyall'; testing by setting this to 'authenticated' works. I am using the same 802.1X Authentication Default Role as the wireless profile.

On the RADIUS server I have set up a new Connection Request Policy with NAS Port Type (VPN or Ethernet) using Microsoft PEAP with MS-CHAP-v2, and a Network Policy with NAS Port Type (VPN or Ethernet) with Domain Computers or Domain Users.

Thanks in advance.

Guru Elite
Posts: 8,765
Registered: ‎09-08-2010

Re: Windows 7 802.1x via Wired port on RAP109

If you want to use Windows machine authentication, you will need to turn termination off in the AAA profile.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor I
Posts: 27
Registered: ‎09-10-2013

Re: Windows 7 802.1x via Wired port on RAP109

I was wanting to have user authentication to be consistent with the wireless profile.

Guru Elite
Posts: 8,765
Registered: ‎09-08-2010

Re: Windows 7 802.1x via Wired port on RAP109

Can you turn on user-debug and then post the output for that device after attempting to authenticate?

(config) #logging level debugging user-debug <mac-addr>

(controller) #show log user-debug all | include <mac-addr>


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Aruba
Posts: 1,377
Registered: ‎12-12-2011

Re: Windows 7 802.1x via Wired port on RAP109

What does the logs look like on NPS?

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
-----
If you found my post helpful, please give kudos
Contributor I
Posts: 27
Registered: ‎09-10-2013

Re: Windows 7 802.1x via Wired port on RAP109

I am not getting anything on NPS; however, the controller log output is as below:

Nov 12 11:18:04 :522035:  <INFO> |authmgr|  MAC=60:eb:69:f5:0e:f0 Station UP: BSSID=01:80:c2:00:00:03 ESSID=n/a VLAN=17 AP-name=24:de:c6:cb:65:6a
Nov 12 11:18:04 :522077:  <DBUG> |authmgr|  MAC=60:eb:69:f5:0e:f0 ingress 0x0x10031 (tunnel 49), u_encr 1, m_encr 1, slotport 0x0x31 wired, type: remote, FW mode: 3, AP IP: 172.17.0.10 mdie 0 ft_complete 0
Nov 12 11:18:04 :522212:  <DBUG> |authmgr|  MAC=60:eb:69:f5:0e:f0 IP=0.0.0.0:  MAC auth start: entry-type=L2, bssid=01:80:c2:00:00:03, essid=  sg=HB_mac_auth.
Nov 12 11:18:04 :522042:  <NOTI> |authmgr|  User Authentication Failed: username=60eb69f50ef0 MAC=60:eb:69:f5:0e:f0 IP=0.0.0.0 auth method=MAC auth server=
Nov 12 11:18:04 :522190:  <DBUG> |authmgr|  MAC=60:eb:69:f5:0e:f0 IP=0.0.0.0: MAC auth fail: entry-type=L2, bssid=01:80:c2:00:00:03.
Nov 12 11:18:04 :522035:  <INFO> |authmgr|  MAC=60:eb:69:f5:0e:f0 Station UP: BSSID=01:80:c2:00:00:03 ESSID=n/a VLAN=17 AP-name=24:de:c6:cb:65:6a
Nov 12 11:18:04 :522077:  <DBUG> |authmgr|  MAC=60:eb:69:f5:0e:f0 ingress 0x0x10031 (tunnel 49), u_encr 1, m_encr 1, slotport 0x0x2001 wired, type: remote, FW mode: 3, AP IP: 172.17.0.10 mdie 0 ft_complete 0
Nov 12 11:18:04 :522078:  <DBUG> |authmgr|  MAC=60:eb:69:f5:0e:f0, wired: 1, vlan:17 ingress:0x0x10031 (tunnel 49), ingress:0x0x10031 new_aaa_prof: HB_Remote_Wired-aaa_prof, stored profile: HB_Remote_Wired-aaa_prof stored wired: 1 stored essid:  , stored-ingress: 0x0x10031
Nov 12 11:18:04 :524124:  <DBUG> |authmgr|  dot1x_supplicant_up(): MAC:60:eb:69:f5:0e:f0, pmkid_present:False, pmkid:N/A
Nov 12 11:18:04 :522144:  <DBUG> |authmgr|  L2 entry updated from RAP:172.17.0.10, Wired user IP:0.0.0.0, MAC : 60:eb:69:f5:0e:f0, VLAN:17, BSSID:24:de:c6:cb:65:6b.
Nov 12 11:18:05 :522035:  <INFO> |authmgr|  MAC=60:eb:69:f5:0e:f0 Station UP: BSSID=01:80:c2:00:00:03 ESSID=n/a VLAN=17 AP-name=24:de:c6:cb:65:6a
Nov 12 11:18:05 :522077:  <DBUG> |authmgr|  MAC=60:eb:69:f5:0e:f0 ingress 0x0x10031 (tunnel 49), u_encr 1, m_encr 1, slotport 0x0x2001 wired, type: remote, FW mode: 3, AP IP: 172.17.0.10 mdie 0 ft_complete 0
Nov 12 11:18:05 :522078:  <DBUG> |authmgr|  MAC=60:eb:69:f5:0e:f0, wired: 1, vlan:17 ingress:0x0x10031 (tunnel 49), ingress:0x0x10031 new_aaa_prof: HB_Remote_Wired-aaa_prof, stored profile: HB_Remote_Wired-aaa_prof stored wired: 1 stored essid:  , stored-ingress: 0x0x10031
Nov 12 11:18:05 :524124:  <DBUG> |authmgr|  dot1x_supplicant_up(): MAC:60:eb:69:f5:0e:f0, pmkid_present:False, pmkid:N/A
Nov 12 11:18:05 :522049:  <INFO> |authmgr|  MAC=60:eb:69:f5:0e:f0,IP=0.0.0.0 User role updated, existing Role=denyall/none, new Role=denyall/denyall, reason=First IP user created
Nov 12 11:18:05 :522006:  <INFO> |authmgr|  MAC=60:eb:69:f5:0e:f0 IP=10.1.36.127 User entry added: reason=Auth Request
Nov 12 11:18:05 :522049:  <INFO> |authmgr|  MAC=60:eb:69:f5:0e:f0,IP=10.1.36.127 User role updated, existing Role=denyall/denyall, new Role=denyall/denyall, reason=RAP New user with no l3 auth or authenticated station
Nov 12 11:18:05 :522049:  <INFO> |authmgr|  MAC=60:eb:69:f5:0e:f0,IP=10.1.36.127 User role updated, existing Role=denyall/denyall, new Role=denyall/denyall, reason=User not authenticated for inheriting attributes
Nov 12 11:18:05 :522146:  <DBUG> |authmgr|  Adding AP Wired User (split) 60:eb:69:f5:0e:f0 to STM stats tree.
Nov 12 11:18:05 :522096:  <DBUG> |authmgr|  60:eb:69:f5:0e:f0: Sending STM new Role ACL : 59, and Vlan info: 17, action : 18, AP IP: 172.17.0.10, flags : 0
Nov 12 11:18:05 :522035:  <INFO> |authmgr|  MAC=60:eb:69:f5:0e:f0 Station UP: BSSID=01:80:c2:00:00:03 ESSID=n/a VLAN=17 AP-name=24:de:c6:cb:65:6a
Nov 12 11:18:05 :522077:  <DBUG> |authmgr|  MAC=60:eb:69:f5:0e:f0 ingress 0x0x10031 (tunnel 49), u_encr 1, m_encr 1, slotport 0x0x2001 wired, type: remote, FW mode: 3, AP IP: 172.17.0.10 mdie 0 ft_complete 0
Nov 12 11:18:05 :522078:  <DBUG> |authmgr|  MAC=60:eb:69:f5:0e:f0, wired: 1, vlan:17 ingress:0x0x10031 (tunnel 49), ingress:0x0x10031 new_aaa_prof: HB_Remote_Wired-aaa_prof, stored profile: HB_Remote_Wired-aaa_prof stored wired: 1 stored essid: , stored-ingress: 0x0x10031
Nov 12 11:18:05 :524124:  <DBUG> |authmgr|  dot1x_supplicant_up(): MAC:60:eb:69:f5:0e:f0, pmkid_present:False, pmkid:N/A
Nov 12 11:18:05 :522049:  <INFO> |authmgr|  MAC=60:eb:69:f5:0e:f0,IP=10.1.36.127 User role updated, existing Role=denyall/denyall, new Role=denyall/denyall, reason=RAP New user with no l3 auth or authenticated station
Nov 12 11:18:05 :522049:  <INFO> |authmgr|  MAC=60:eb:69:f5:0e:f0,IP=10.1.36.127 User role updated, existing Role=denyall/denyall, new Role=denyall/denyall, reason=User not authenticated for inheriting attributes
Nov 12 11:18:05 :522146:  <DBUG> |authmgr|  Adding AP Wired User (split) 60:eb:69:f5:0e:f0 to STM stats tree.
Nov 12 11:18:05 :522096:  <DBUG> |authmgr|  60:eb:69:f5:0e:f0: Sending STM new Role ACL : 59, and Vlan info: 17, action : 18, AP IP: 172.17.0.10, flags : 0
Nov 12 11:18:05 :522035:  <INFO> |authmgr|  MAC=60:eb:69:f5:0e:f0 Station UP: BSSID=01:80:c2:00:00:03 ESSID=n/a VLAN=17 AP-name=24:de:c6:cb:65:6a
Nov 12 11:18:05 :522077:  <DBUG> |authmgr|  MAC=60:eb:69:f5:0e:f0 ingress 0x0x10031 (tunnel 49), u_encr 1, m_encr 1, slotport 0x0x2001 wired, type: remote, FW mode: 3, AP IP: 172.17.0.10 mdie 0 ft_complete 0
Nov 12 11:18:05 :522078:  <DBUG> |authmgr|  MAC=60:eb:69:f5:0e:f0, wired: 1, vlan:17 ingress:0x0x10031 (tunnel 49), ingress:0x0x10031 new_aaa_prof: HB_Remote_Wired-aaa_prof, stored profile: HB_Remote_Wired-aaa_prof stored wired: 1 stored essid: , stored-ingress: 0x0x10031
Nov 12 11:18:05 :524124:  <DBUG> |authmgr|  dot1x_supplicant_up(): MAC:60:eb:69:f5:0e:f0, pmkid_present:False, pmkid:N/A
Nov 12 11:18:05 :522049:  <INFO> |authmgr|  MAC=60:eb:69:f5:0e:f0,IP=10.1.36.127 User role updated, existing Role=denyall/denyall, new Role=denyall/denyall, reason=RAP New user with no l3 auth or authenticated station
Nov 12 11:18:05 :522049:  <INFO> |authmgr|  MAC=60:eb:69:f5:0e:f0,IP=10.1.36.127 User role updated, existing Role=denyall/denyall, new Role=denyall/denyall, reason=User not authenticated for inheriting attributes
Nov 12 11:18:05 :522146:  <DBUG> |authmgr|  Adding AP Wired User (split) 60:eb:69:f5:0e:f0 to STM stats tree.
Nov 12 11:18:05 :522096:  <DBUG> |authmgr|  60:eb:69:f5:0e:f0: Sending STM new Role ACL : 59, and Vlan info: 17, action : 18, AP IP: 172.17.0.10, flags : 0
Nov 12 11:18:30 :522030:  <INFO> |authmgr|  MAC=60:eb:69:f5:0e:f0 Station deauthenticated: BSSID=24:de:c6:cb:65:6b, ESSID=
Nov 12 11:18:30 :522049:  <INFO> |authmgr|  MAC=60:eb:69:f5:0e:f0,IP=N/A User role updated, existing Role=denyall/denyall, new Role=denyall/denyall, reason=Station is L2 deauthenticated
Nov 12 11:18:30 :522010:  <NOTI> |authmgr|  MAC=60:eb:69:f5:0e:f0 IP=10.1.36.127 User de-authenticated: name=60eb69f50ef0, cause=unknown
Nov 12 11:18:30 :522049:  <INFO> |authmgr|  MAC=60:eb:69:f5:0e:f0,IP=10.1.36.127 User role updated, existing Role=denyall/denyall, new Role=denyall/denyall, reason=User de-authenticated with a role
Nov 12 11:18:30 :522096:  <DBUG> |authmgr|  60:eb:69:f5:0e:f0: Sending STM new Role ACL : 59, and Vlan info: 17, action : 10, AP IP: 172.17.0.10, flags : 0
Nov 12 11:18:30 :501074:  <WARN> |stm|  wifi_deauth_sta: bad data, dropping. mac: 60:eb:69:f5:0e:f0 bssid: 01:80:c2:00:00:03

Guru Elite
Posts: 21,525
Registered: ‎03-29-2007

Re: Windows 7 802.1x via Wired port on RAP109

It looks like you have MAC authentication enabled on that connection (a MAC authentication profile attached to the AAA profile). If MAC authentication fails, the authentication does not go any further, and that is why you would see nothing on the NPS:

Nov 12 11:18:04 :522042:  <NOTI> |authmgr|  User Authentication Failed: username=60eb69f50ef0 MAC=60:eb:69:f5:0e:f0 IP=0.0.0.0 auth method=MAC auth server=

You either need to (1) turn off MAC authentication by changing the MAC authentication profile on the AAA profile to N/A, or (2) enable L2 fail-through on the AAA profile, which will allow 802.1x to continue even though MAC authentication fails.



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base
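The reading Colin gives of the posted log (MAC auth fails, nothing ever reaches NPS) is the kind of check worth scripting over the `show log user-debug` output Tim asked for, because the same pattern comes back whenever a MAC authentication profile sits in front of 802.1x. The script below is an added example, not part of this thread and not Aruba tooling: it groups authmgr records by client MAC and classifies each session as stuck at MAC auth, rejected inside 802.1x, or authenticated. The sample input is a subset of the lines posted above; the `User Authentication Successful` / `auth method=802.1x` wording used to recognise a completed 802.1x exchange does not appear in this thread and is an assumption about the matching success record.

```python
"""Triage ArubaOS 'show log user-debug' output for a wired RAP 802.1x client.

Groups authmgr records by client MAC and says whether the session stalled at
MAC authentication (so nothing ever reached RADIUS/NPS), reached 802.1x and
failed, or authenticated. Added example; not Aruba tooling.
"""
import re
from collections import defaultdict

# Constructed sample input: a subset of the authmgr lines posted in the thread
# (same client MAC, RAP IP and VLAN), enough to reproduce the stuck session.
SAMPLE_LOG = """\
Nov 12 11:18:04 :522035:  <INFO> |authmgr|  MAC=60:eb:69:f5:0e:f0 Station UP: BSSID=01:80:c2:00:00:03 ESSID=n/a VLAN=17 AP-name=24:de:c6:cb:65:6a
Nov 12 11:18:04 :522212:  <DBUG> |authmgr|  MAC=60:eb:69:f5:0e:f0 IP=0.0.0.0:  MAC auth start: entry-type=L2, bssid=01:80:c2:00:00:03, essid=  sg=HB_mac_auth.
Nov 12 11:18:04 :522042:  <NOTI> |authmgr|  User Authentication Failed: username=60eb69f50ef0 MAC=60:eb:69:f5:0e:f0 IP=0.0.0.0 auth method=MAC auth server=
Nov 12 11:18:04 :522190:  <DBUG> |authmgr|  MAC=60:eb:69:f5:0e:f0 IP=0.0.0.0: MAC auth fail: entry-type=L2, bssid=01:80:c2:00:00:03.
Nov 12 11:18:04 :524124:  <DBUG> |authmgr|  dot1x_supplicant_up(): MAC:60:eb:69:f5:0e:f0, pmkid_present:False, pmkid:N/A
Nov 12 11:18:05 :522049:  <INFO> |authmgr|  MAC=60:eb:69:f5:0e:f0,IP=10.1.36.127 User role updated, existing Role=denyall/denyall, new Role=denyall/denyall, reason=RAP New user with no l3 auth or authenticated station
Nov 12 11:18:30 :522010:  <NOTI> |authmgr|  MAC=60:eb:69:f5:0e:f0 IP=10.1.36.127 User de-authenticated: name=60eb69f50ef0, cause=unknown
"""

# 'MAC=' in most records, 'MAC:' in dot1x_supplicant_up(); never matches 'MAC auth'.
MAC_RE = re.compile(r"MAC[=:]([0-9a-f]{2}(?::[0-9a-f]{2}){5})", re.IGNORECASE)
ROLE_RE = re.compile(r"new Role=([^/\s,]+)")


def parse_events(log_text):
    """Return {mac: {"flags": set, "last_role": str | None}} from authmgr lines."""
    sessions = defaultdict(lambda: {"flags": set(), "last_role": None})
    for line in log_text.splitlines():
        if "|authmgr|" not in line:
            continue
        match = MAC_RE.search(line)
        if not match:
            continue
        session = sessions[match.group(1).lower()]
        flags = session["flags"]
        if "MAC auth start" in line:
            flags.add("mac_auth_started")
        if "MAC auth fail" in line or (
            "User Authentication Failed" in line and "auth method=MAC" in line
        ):
            flags.add("mac_auth_failed")
        if "dot1x_supplicant_up" in line:
            flags.add("dot1x_supplicant_up")
        # Assumed wording of the 802.1x result record (not present in the posted log).
        if "auth method=802.1x" in line:
            flags.add("dot1x_ok" if "Authentication Successful" in line else "dot1x_failed")
        role = ROLE_RE.search(line)
        if role:
            session["last_role"] = role.group(1)
    return sessions


def verdict(session):
    """Map one client's flags to (code, advice)."""
    flags = session["flags"]
    if "dot1x_ok" in flags:
        return "dot1x-succeeded", f"802.1x completed; final role {session['last_role']}."
    if "dot1x_failed" in flags:
        return "dot1x-failed", "802.1x reached the server and was rejected; check the NPS event log for the reason."
    if "mac_auth_failed" in flags:
        return ("mac-auth-blocked-dot1x",
                "MAC auth failed and no 802.1x result followed: the AAA profile is running a "
                "MAC authentication profile and not falling through to 802.1x. Set that profile "
                "to N/A (or confirm L2 Authentication Fail Through is in effect) and retest.")
    if "dot1x_supplicant_up" in flags:
        return "dot1x-no-result", "Supplicant seen but no 802.1x result logged; check the 802.1x profile and RADIUS reachability."
    return "no-auth-activity", "No authentication records for this client."


def triage(log_text):
    """Return {mac: {"verdict", "advice", "last_role"}} for every client in the log."""
    report = {}
    for mac, session in parse_events(log_text).items():
        code, advice = verdict(session)
        report[mac] = {"verdict": code, "advice": advice, "last_role": session["last_role"]}
    return report


if __name__ == "__main__":
    for mac, result in triage(SAMPLE_LOG).items():
        print(f"{mac}: {result['verdict']} (final role: {result['last_role']})")
        print(f"  {result['advice']}")
```

Run against the posted log it reports `mac-auth-blocked-dot1x` with a final role of `denyall`, which is exactly the situation Colin describes: the record set contains a MAC auth start and fail and a supplicant-up, but no 802.1x result of any kind, so NPS never saw a request. Pipe `show log user-debug all | include <mac-addr>` into it for a new capture once the MAC authentication profile has been removed and look for the verdict to change to one of the two 802.1x outcomes.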

Contributor I
Posts: 27
Registered: ‎09-10-2013

Re: Windows 7 802.1x via Wired port on RAP109

This is what troubles me, as I do have L2 Authentication Fail Through enabled; I set this when first configuring the AAA profile. I don't know why it isn't proceeding when MAC auth fails through.

Guru Elite
Posts: 21,525
Registered: ‎03-29-2007

Re: Windows 7 802.1x via Wired port on RAP109


DL77 wrote:

This is what troubles me as I do have L2 Authentication Fail Through enabled,  I set this when first configuring the AAA profile. I don't know why it isn't proceeding when mac auth fails through.


I would turn l2-failthrough off, and turn off mac authentication and get a valid 802.1x authentication before layering anything else on top of it.



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base
