Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

authenticating to AD radius

  • 1.  authenticating to AD radius

    Posted May 29, 2013 09:33 AM

    I am using AD IAS for my radius authentication with eap-peap and mschap2. I get multiple users saying they get dropped off the wifi several times, but users connecting to the same AP but a different SSID without .1x authentication never get dropped.

    Is there something in the aaa profile I should be looking at specifically?

     

     



  • 2.  RE: authenticating to AD radius

    Posted May 29, 2013 10:27 AM

    Hi,

    In order for us to dig deeper and assist you, please supply us the following info:

    • More technical info regarding your topology
    • Can you take a screenshot of your AAA profile + advanced profile / 802.1x Profile / SSID profile / VAP?
    • Also it would be great if you can send your log - it usually contains the reason for disconnecting clients.

     

    Me.

     

     



  • 3.  RE: authenticating to AD radius

    Posted May 29, 2013 11:05 AM

    We have 1 master controller 3400 and 4 slaves; 2 of those are 6000's and 2 are 3400's. It is a 4 campus design where the 2 6000's can take APs from all 4 sites if necessary.

    We have 3 WLANs:

    1 an employee and student SSID, the one in question, with radius authentication to AD using IAS.

    2 an open access guest SSID with back end ACL for security.

    3 a WEP encrypted SSID soon to be removed.

    Both 2 and 3 will be removed soon, replaced with a Guest network with Captive portal.

    Right now I get complaints that users get dropped off the Secure network but no other ones, even though they are all from the same APs.

    What log files should I be looking at?

    Please look at the attached files.

     

    Attachment(s)

    • VAP Profile.txt (1 KB)
    • SSID Profile.txt (2 KB)
    • AAA Profile.txt (911 B)


  • 4.  RE: authenticating to AD radius

    Posted May 29, 2013 11:12 AM

    Type in the CLI:

    show log all

    and copy & paste the output to a txt file.

    (It's better to do it while users keep disconnecting, in order for us to notice the reason.)

     

     



  • 5.  RE: authenticating to AD radius

    Posted May 29, 2013 12:02 PM

    Here is the log parsed down to only today.

    I enabled mode aware this morning around 610 on the log, so please ignore all the ARM reconfigurations.

     

    Attachment(s)

    • May29 log.txt (685 KB)


  • 6.  RE: authenticating to AD radius

    Posted May 29, 2013 01:33 PM

    OK, from the log I can see we are handling an auth profile issue.

    "Maximum number of retries was attempted for station"

    Can you please print out all the AAA profile configuration/profiles details...

    The 802.1x profile is the most important < seems like you have an issue there > please copy & paste the details of this profile.

    even a screenshot will be good - like this one:




  • 7.  RE: authenticating to AD radius

    Posted May 29, 2013 02:07 PM

    here is the screen cap



  • 8.  RE: authenticating to AD radius

    Posted May 29, 2013 02:19 PM

    OK.

     

    Everything seems fine in your Aruba profiles...

    Please take a look at this post:

    http://community.arubanetworks.com/t5/ArubaOS-and-Mobility-Controllers/Maximum-Number-of-Retries/td-p/68780/page/2


    "Looks like client configuration issue of some sort; definitely not an Aruba issue.   I would check the configuration of those devices to make sure they are setup correctly; including certificate trusts, etc."

     

    please also read this post:

    http://community.arubanetworks.com/t5/ArubaOS-and-Mobility-Controllers/Source-of-RADIUS-timeouts/td-p/48530/page/2

     

    and this post:

    http://community.arubanetworks.com/t5/802-11-Client-Device/Intel-client-issues/td-p/5074

     

    Let me know if you found your answer.



  • 9.  RE: authenticating to AD radius



  • 10.  RE: authenticating to AD radius

    Posted May 29, 2013 02:38 PM

    My IAS guy has updated the certificate on the radius servers recently; would that have anything to do with it? Do I have to do anything on the Aruba side when the cert in IIS gets updated? I checked the IAS config and it shows the proper cert.

     

     



  • 11.  RE: authenticating to AD radius

    Posted May 29, 2013 02:40 PM

    You should check the cert on your client side - and be sure that the group policy really updated the cert... (As far as I know)

    or

    take 1 single problematic client - and check the cert on the client side < even do a manual install >