Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Windows Authentication not working on new Controller

  • 1.  Windows Authentication not working on new Controller

    Posted Jun 20, 2013 04:34 PM

     

    Hey All,

    Anyone ever have an issue where Windows machines are not able to connect to any SSID on a new controller but Macs are?

     

    I’m working on installing a new 3400 (6.2.1.2) to replace the existing 3200 (6.1.3.6).  Manually configured the new controller (did this so the random/unused bits of the old config aren’t copied over) and I am testing the setup before moving all our APs to the new controller.  Mac laptops do not seem to have an issue at all, but our Windows machines are not connecting.  I’ve verified the configs are relatively the same (minus some default changes between the OS versions), but I don’t see what the issue is.  From the logs it looks like the machines are hanging at the authentication phase.  Any ideas what else I should look at?  Thanks.

     

     Config:

    wlan virtual-ap "DSG-Guest_vap"
       aaa-profile "DSG-Guest_aaa"
       ssid-profile "DSG-Guest_ssid"
       vlan 410
       band-steering
       broadcast-filter all
    
    aaa profile "DSG-Guest_aaa"
       authentication-dot1x "DSG-Guest_dot1x"
       dot1x-server-group "DSG-Guest_server-group"
    
    aaa authentication dot1x "DSG-Guest_dot1x"
       machine-authentication enable
       machine-authentication machine-default-role "authenticated"
       machine-authentication user-default-role "authenticated"
       termination enable
       termination eap-type eap-peap
       termination inner-eap-type eap-mschapv2
       ca-cert "Bundle"
       server-cert "WildcardCorp"
    
    wlan ssid-profile "DSG-Guest_ssid"
       essid "DSG-Guest_t"
       opmode wpa2-aes
    
    aaa server-group "DSG-Guest_server-group"
       allow-fail-through
       auth-server Internal
       auth-server DSG-Guest-Raiden_radius
    
    aaa authentication-server radius "DSG-Guest-Raiden_radius"
       host "10.159.54.234"
       key *******
       authport 1645
       acctport 1646
       nas-identifier "DSG-Guest"
       source-interface vlan 312

     

    Logs:

    Windows:
    Jun 20 10:26:53 :501093:  <NOTI> |AP RAP105-AP04@10.159.48.51 stm|  Auth success: 58:94:6b:69:67:50: AP 10.159.48.51-d8:c7:c8:99:63:eb-RAP105-AP04
    Jun 20 10:26:53 :501095:  <NOTI> |stm|  Assoc request @ 10:26:53.959420: 58:94:6b:69:67:50 (SN 645): AP 10.159.48.51-d8:c7:c8:99:63:eb-RAP105-AP04
    Jun 20 10:26:53 :501095:  <NOTI> |AP RAP105-AP04@10.159.48.51 stm|  Assoc request @ 10:26:53.351284: 58:94:6b:69:67:50 (SN 645): AP 10.159.48.51-d8:c7:c8:99:63:eb-RAP105-AP04
    Jun 20 10:26:53 :501100:  <NOTI> |AP RAP105-AP04@10.159.48.51 stm|  Assoc success @ 10:26:53.352374: 58:94:6b:69:67:50: AP 10.159.48.51-d8:c7:c8:99:63:eb-RAP105-AP04
    Jun 20 10:26:53 :501100:  <NOTI> |stm|  Assoc success @ 10:26:53.962942: 58:94:6b:69:67:50: AP 10.159.48.51-d8:c7:c8:99:63:eb-RAP105-AP04
    Jun 20 10:26:53 :522035:  <INFO> |authmgr|  MAC=58:94:6b:69:67:50 Station UP: BSSID=d8:c7:c8:99:63:eb ESSID=DSG-Guest_t VLAN=410 AP-name=RAP105-AP04
    Jun 20 10:26:53 :522077:  <DBUG> |authmgr|  MAC=58:94:6b:69:67:50 ingress 0x0x1000d (tunnel 13), u_encr 64, m_encr 64, slotport 0x0x2000 , type: local, FW mode: 0, AP IP: 0.0.0.0 mdie 0 ft_complete 0
    Jun 20 10:26:53 :522246:  <DBUG> |authmgr|  Idle timeout should be driven by STM for MAC 58:94:6b:69:67:50.
    Jun 20 10:26:53 :522083:  <DBUG> |authmgr|  Skip User-Derivation, mba:0 udr_exist:0,default_role:logon,pDefRole:0x0x10992d64
    Jun 20 10:26:53 :524124:  <DBUG> |authmgr|  dot1x_supplicant_up(): MAC:58:94:6b:69:67:50, pmkid_present:False, pmkid:N/A
    Jun 20 10:26:53 :522128:  <DBUG> |authmgr|  download-L2: acl=1/0 role=logon, tunl=0x0x1000d, PA=0, HA=1, RO=0, VPN=0.
    Jun 20 10:26:53 :522050:  <INFO> |authmgr|  MAC=58:94:6b:69:67:50,IP=N/A User data downloaded to datapath, new Role=logon/1, bw Contract=0/0,reason=layer 2 event driven download
    Jun 20 10:26:53 :522242:  <DBUG> |authmgr|  MAC=58:94:6b:69:67:50 Station Created Update MMS: BSSID=d8:c7:c8:99:63:eb ESSID=DSG-Guest_t VLAN=410 AP-name=RAP105-AP04
    
    Mac:
    Jun 20 10:25:01 :501093:  <NOTI> |AP RAP105-AP04@10.159.48.51 stm|  Auth success: e0:f8:47:3c:55:8a: AP 10.159.48.51-d8:c7:c8:99:63:eb-RAP105-AP04
    Jun 20 10:25:01 :501095:  <NOTI> |stm|  Assoc request @ 10:25:01.861402: e0:f8:47:3c:55:8a (SN 3317): AP 10.159.48.51-d8:c7:c8:99:63:eb-RAP105-AP04
    Jun 20 10:25:01 :501095:  <NOTI> |AP RAP105-AP04@10.159.48.51 stm|  Assoc request @ 10:25:01.461527: e0:f8:47:3c:55:8a (SN 3317): AP 10.159.48.51-d8:c7:c8:99:63:eb-RAP105-AP04
    Jun 20 10:25:01 :501100:  <NOTI> |AP RAP105-AP04@10.159.48.51 stm|  Assoc success @ 10:25:01.462624: e0:f8:47:3c:55:8a: AP 10.159.48.51-d8:c7:c8:99:63:eb-RAP105-AP04
    Jun 20 10:25:01 :501100:  <NOTI> |stm|  Assoc success @ 10:25:01.865113: e0:f8:47:3c:55:8a: AP 10.159.48.51-d8:c7:c8:99:63:eb-RAP105-AP04
    Jun 20 10:25:01 :522035:  <INFO> |authmgr|  MAC=e0:f8:47:3c:55:8a Station UP: BSSID=d8:c7:c8:99:63:eb ESSID=DSG-Guest_t VLAN=410 AP-name=RAP105-AP04
    Jun 20 10:25:01 :522077:  <DBUG> |authmgr|  MAC=e0:f8:47:3c:55:8a ingress 0x0x1000d (tunnel 13), u_encr 64, m_encr 64, slotport 0x0x2000 , type: local, FW mode: 0, AP IP: 0.0.0.0 mdie 0 ft_complete 0
    Jun 20 10:25:01 :522246:  <DBUG> |authmgr|  Idle timeout should be driven by STM for MAC e0:f8:47:3c:55:8a.
    Jun 20 10:25:01 :522083:  <DBUG> |authmgr|  Skip User-Derivation, mba:0 udr_exist:0,default_role:logon,pDefRole:0x0x10992d64
    Jun 20 10:25:01 :524124:  <DBUG> |authmgr|  dot1x_supplicant_up(): MAC:e0:f8:47:3c:55:8a, pmkid_present:False, pmkid:N/A
    Jun 20 10:25:01 :522128:  <DBUG> |authmgr|  download-L2: acl=1/0 role=logon, tunl=0x0x1000d, PA=0, HA=1, RO=0, VPN=0.
    Jun 20 10:25:01 :522050:  <INFO> |authmgr|  MAC=e0:f8:47:3c:55:8a,IP=N/A User data downloaded to datapath, new Role=logon/1, bw Contract=0/0,reason=layer 2 event driven download
    Jun 20 10:25:01 :522242:  <DBUG> |authmgr|  MAC=e0:f8:47:3c:55:8a Station Created Update MMS: BSSID=d8:c7:c8:99:63:eb ESSID=DSG-Guest_t VLAN=410 AP-name=RAP105-AP04
    Jun 20 10:25:01 :522042:  <NOTI> |authmgr|  User Authentication Failed: username=TimS MAC=e0:f8:47:3c:55:8a IP=0.0.0.0 auth method=802.1x auth server=Internal
    Jun 20 10:25:01 :522038:  <INFO> |authmgr|  username=TimS MAC=e0:f8:47:3c:55:8a IP=0.0.0.0 Authentication result=Authentication Successful method=802.1x server=DSG-Guest-Raiden_radius
    Jun 20 10:25:01 :522044:  <INFO> |authmgr|  MAC=e0:f8:47:3c:55:8a Station authenticate(start): method=8021x-User, role=logon///logon, VLAN=410/410/0/0/0/0, Derivation=0/0, Value Pair=1
    Jun 20 10:25:01 :522136:  <DBUG> |authmgr|  {L2} authenticated from profile \"DSG-Guest_aaa\".
    ...

     




  • 2.  RE: Windows Authentication not working on new Controller

    Posted Jun 20, 2013 05:19 PM
    It could possibly be an issue with the cert. Are you using the same cert as before?

    What do you see when you do show auth-tracebuf or if you enable logging level debugging security?

    To rule out the cert, have you tried unchecking the validate cert in the Windows wireless settings and seeing if the device is able to connect?


  • 3.  RE: Windows Authentication not working on new Controller

    Posted Jun 20, 2013 06:42 PM

    No, I’m not using the same cert, but I don’t think it is a cert issue, as I don’t get prompted to terminate/connect.  I unchecked validate cert and tried anyways without any luck. 

     

    show auth-tracebuf:

    Jun 20 14:35:59  station-up             *  58:94:6b:69:67:50  d8:c7:c8:99:63:eb                          -      -   wpa2 aes
    Jun 20 14:35:59  station-term-start     *  58:94:6b:69:67:50  d8:c7:c8:99:63:eb                          410    -
    Jun 20 14:35:59  eap-term-start        ->  58:94:6b:69:67:50  d8:c7:c8:99:63:eb/DSG-Guest_dot1x          -      -
    Jun 20 14:35:59  station-term-start     *  58:94:6b:69:67:50  d8:c7:c8:99:63:eb                          410    -
    Jun 20 14:36:24  station-term-end       *  58:94:6b:69:67:50  d8:c7:c8:99:63:eb/DSG-Guest_dot1x          3      -   failure
    Jun 20 14:36:24  eap-failure           <-  58:94:6b:69:67:50  d8:c7:c8:99:63:eb/DSG-Guest_dot1x          -      4
    Jun 20 14:36:24  station-down           *  58:94:6b:69:67:50  d8:c7:c8:99:63:eb                          -      -
    Jun 20 14:36:29  station-up             *  58:94:6b:69:67:50  d8:c7:c8:99:63:eb                          -      -   wpa2 aes
    Jun 20 14:36:29  station-term-start     *  58:94:6b:69:67:50  d8:c7:c8:99:63:eb                          410    -
    Jun 20 14:36:29  eap-term-start        ->  58:94:6b:69:67:50  d8:c7:c8:99:63:eb/DSG-Guest_dot1x          -      -
    Jun 20 14:36:29  station-term-start     *  58:94:6b:69:67:50  d8:c7:c8:99:63:eb                          410    -
    Jun 20 14:36:46  station-down           *  58:94:6b:69:67:50  d8:c7:c8:99:63:eb                          -      -

     

    show log security all:

    Jun 20 14:36:29 :124230:  <DBUG> |authmgr|  Rx message 3007/67108864, length 248 from 127.0.0.1:8345
    Jun 20 14:36:29 :124220:  <DBUG> |authmgr|  stm_message_handler : msg_type 3007
    Jun 20 14:36:29 :124091:  <DBUG> |authmgr|  station_check_license_limits: mac 58:94:6b:69:67:50  encr-algo:64.
    Jun 20 14:36:29 :124086:  <DBUG> |authmgr|  Create macuser 0x0x10ab9224 and user 0x0x10a26a44.
    Jun 20 14:36:29 :124093:  <DBUG> |authmgr|  Called mac_station_new() for mac 58:94:6b:69:67:50.
    Jun 20 14:36:29 :124103:  <DBUG> |authmgr|  Setting user 58:94:6b:69:67:50 aaa profile to DSG-Guest_aaa, reason: ncfg_get_wireless_aaa_prof.
    Jun 20 14:36:29 :124103:  <DBUG> |authmgr|  Setting user 58:94:6b:69:67:50 aaa profile to DSG-Guest_aaa, reason: ncfg_set_aaa_profile_defaults.
    Jun 20 14:36:29 :124234:  <DBUG> |authmgr|  Tx message to Sibyte, blocking with ack, Opcode = 164, msglen = 200 1 user messages bundled, actions = 17
    Jun 20 14:36:29 :124104:  <DBUG> |authmgr|  ifmap: user=0x0x10a26a44, ipuser=0x0x0, mac=58:94:6b:69:67:50, event=4.
    Jun 20 14:36:29 :124105:  <DBUG> |authmgr|  MM: mac=58:94:6b:69:67:50, state=4, name=, role=logon, dev_type=, ipv4=0.0.0.0, ipv6=0.0.0.0, new_rec=1.
    Jun 20 14:36:47 :124230:  <DBUG> |authmgr|  Rx message 3007/67108864, length 248 from 127.0.0.1:8345
    Jun 20 14:36:47 :124220:  <DBUG> |authmgr|  stm_message_handler : msg_type 3007
    Jun 20 14:36:47 :124104:  <DBUG> |authmgr|  ifmap: user=0x0x10a26a44, ipuser=0x0x0, mac=58:94:6b:69:67:50, event=5.
    Jun 20 14:36:47 :124105:  <DBUG> |authmgr|  MM: mac=58:94:6b:69:67:50, state=5, name=, role=logon, dev_type=, ipv4=0.0.0.0, ipv6=0.0.0.0, new_rec=1.
    Jun 20 14:36:47 :124234:  <DBUG> |authmgr|  Tx message to Sibyte, blocking with ack, Opcode = 17, msglen = 200 action = 1
    Jun 20 14:36:47 :124090:  <DBUG> |authmgr|  Free macuser 0x0x10ab9224 and user 0x0x10a26a44 for mac 58:94:6b:69:67:50.
    Jun 20 14:37:49 :124230:  <DBUG> |authmgr|  Rx message 14001/5221, length 199 from 127.0.0.1:8220
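
Added example (not from any poster in this thread): a short Python triage of the `show auth-tracebuf` output posted above. It groups the lines into station-up/station-down sessions and flags attempts where nothing follows `eap-term-start` except a failure or a disconnect. The column layout is assumed from the posted lines, and the year is a placeholder because the trace carries none.

```python
import re
from datetime import datetime

# Constructed input: the Windows client's `show auth-tracebuf` lines from the post above.
TRACE = """\
Jun 20 14:35:59  station-up             *  58:94:6b:69:67:50  d8:c7:c8:99:63:eb                          -      -   wpa2 aes
Jun 20 14:35:59  station-term-start     *  58:94:6b:69:67:50  d8:c7:c8:99:63:eb                          410    -
Jun 20 14:35:59  eap-term-start        ->  58:94:6b:69:67:50  d8:c7:c8:99:63:eb/DSG-Guest_dot1x          -      -
Jun 20 14:35:59  station-term-start     *  58:94:6b:69:67:50  d8:c7:c8:99:63:eb                          410    -
Jun 20 14:36:24  station-term-end       *  58:94:6b:69:67:50  d8:c7:c8:99:63:eb/DSG-Guest_dot1x          3      -   failure
Jun 20 14:36:24  eap-failure           <-  58:94:6b:69:67:50  d8:c7:c8:99:63:eb/DSG-Guest_dot1x          -      4
Jun 20 14:36:24  station-down           *  58:94:6b:69:67:50  d8:c7:c8:99:63:eb                          -      -
Jun 20 14:36:29  station-up             *  58:94:6b:69:67:50  d8:c7:c8:99:63:eb                          -      -   wpa2 aes
Jun 20 14:36:29  station-term-start     *  58:94:6b:69:67:50  d8:c7:c8:99:63:eb                          410    -
Jun 20 14:36:29  eap-term-start        ->  58:94:6b:69:67:50  d8:c7:c8:99:63:eb/DSG-Guest_dot1x          -      -
Jun 20 14:36:29  station-term-start     *  58:94:6b:69:67:50  d8:c7:c8:99:63:eb                          410    -
Jun 20 14:36:46  station-down           *  58:94:6b:69:67:50  d8:c7:c8:99:63:eb                          -      -
"""
YEAR = 2013  # placeholder: the trace has no year, only deltas matter here
MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
LINE_RE = re.compile(  # assumed columns: time, event, direction, station, bssid[/profile], rest
    rf"^\s*(?P<ts>\w{{3}}\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P<event>[\w-]+)\s+(?P<dir>\*|->|<-)\s+"
    rf"(?P<mac>{MAC})\s+(?P<bssid>{MAC})(?:/(?P<profile>\S+))?(?P<rest>.*)$", re.I)

def sessions(text):
    """Group trace lines into per-station sessions (station-up .. station-down)."""
    active, done = {}, []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev, mac = m["event"].lower(), m["mac"].lower()
        ts = datetime.strptime(f"{YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        if ev == "station-up":
            if mac in active:                 # previous session never logged station-down
                done.append(active.pop(mac))
            active[mac] = {"mac": mac, "profile": None, "events": []}
        s = active.get(mac)
        if s is None:                         # trace begins mid-session; skip the fragment
            continue
        s["events"].append((ts, ev, m["rest"].split()))
        s["profile"] = s["profile"] or m["profile"]
        if ev == "station-down":
            done.append(active.pop(mac))
    return done + list(active.values())

def classify(s):
    """Return (verdict, seconds from EAP start to last event, explicit failure seen)."""
    start = next((ts for ts, ev, _ in s["events"] if ev == "eap-term-start"), None)
    if start is None:
        return ("no-eap-start", 0, False)
    # Any eap-* event besides the start and the final failure means the handshake moved on.
    progressed = any(ev.startswith("eap-") and ev not in ("eap-term-start", "eap-failure")
                     for _, ev, _ in s["events"])
    failed = any(ev == "eap-failure" or "failure" in rest for _, ev, rest in s["events"])
    wait = int((s["events"][-1][0] - start).total_seconds())
    return ("progressed" if progressed else "stalled-after-eap-start", wait, failed)

if __name__ == "__main__":
    for s in sessions(TRACE):
        print(s["mac"], s["profile"], *classify(s))
```

On the posted trace both attempts come back stalled, after 25 and 17 seconds, which matches the Windows log earlier in the thread showing no 522042/522038 authentication result lines.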

     



  • 4.  RE: Windows Authentication not working on new Controller

    Posted Jun 20, 2013 07:11 PM
    Are you doing machine authentication?

    Have you tried installing the cert manually?

    Is it terminated at the controller?

    Can you see the EAP failure reason in the RADIUS server logs?


  • 5.  RE: Windows Authentication not working on new Controller

    Posted Jun 21, 2013 05:06 AM

    Looking at the config he is doing machine auth and terminating on the controller.

    Like vfabian said it could be useful to see the RADIUS logs.

     

    Can I ask why the internal database is in this server group? What happens if you remove it or put your RADIUS server first in the list?

     

    aaa server-group "DSG-Guest_server-group"
       allow-fail-through
       auth-server Internal
       auth-server DSG-Guest-Raiden_radius


  • 6.  RE: Windows Authentication not working on new Controller

    EMPLOYEE
    Posted Jun 21, 2013 07:14 AM

    1.  You are doing EAP-Termination

    2.  The Server Certificate from the Old Controller is NOT part of the config, so it was not copied to the new one.  Hence, you are using the factory default certificate.  You need to import a certificate that is trusted by your clients into the controller and reference it in the 802.1x profile, OR turn off termination and use the certificate in your RADIUS server.

     



  • 7.  RE: Windows Authentication not working on new Controller

    Posted Jun 27, 2013 06:44 PM

    Discovered the issue.  It looks like the cert I was using is not liked by the controller.  I switched back to the self-assigned cert and the Windows machines are able to connect (after a cert warning).