Security

Reply
Contributor I
Posts: 33
Registered: ‎10-26-2012

authenticating to AD radius

I am useing ADIAS for my radius authentication with eap-peap and mschap2. I get multiple users saying they get dropped off the wifi several times. but users connecting to the same AP but different SSID without .1x authentication never get dropped. 

 

Is there something in the aaa profile I should be looking at spacificaly.

 

 

MVP
Posts: 1,380
Registered: ‎05-28-2008

Re: authenticating to AD radius

Hi,

In order for us to deep further and assist you - please supply us the following info:

  • More technical info regarding your topology
  • Can u do screenshot of your AAA profile + advanced profile  / 802.1x Profile / SSID profile / VAP.
  • Also it will be great if u can send your log - it's usually contain the reason for disconnecting clients.

 

Me.

 

 

*****************2Plus Wireless Solutions****************************
Aruba Airheads - Powered By community for empower the community
************ Don't Forget to Kudos + me,If i helped you******************
Contributor I
Posts: 33
Registered: ‎10-26-2012

Re: authenticating to AD radius

We have 1 master controller 3400 and 4 slaves 2 of those are 6000's and 2 are 3400's. The 4 campus design where the 2 6000's can take aps from all 4 sites if necessary.

 

we have 3 wlans 1 employee and student The one in question with radius authentication to AD using IAS

2 a open access guest ssid with back end ACL for security.

3 a Wep encrypted SSID soon to be removed

 

Both 2 and 3 will be fermoved soon replaced with Guest network with Captive portal.

 

right now I get complaints that users get dropped off the Secure network but no other ones even though they are all from the same AP's.

 

what log files should i be looking at ?

please look at attached files.

 

MVP
Posts: 1,380
Registered: ‎05-28-2008

Re: authenticating to AD radius

type in the cli:

 

show log all

 

 

 

 

and copy&paste the output to txt file.

(its better to do it while users keep disconnecting - in order for us to notice the reason)

 

 

*****************2Plus Wireless Solutions****************************
Aruba Airheads - Powered By community for empower the community
************ Don't Forget to Kudos + me,If i helped you******************
Contributor I
Posts: 33
Registered: ‎10-26-2012

Re: authenticating to AD radius

here is the log parsed down to only today.

 

I enabled mode aware this morning around 610 on the log so please ingore all the ARM reconfigurations.

 

MVP
Posts: 1,380
Registered: ‎05-28-2008

Re: authenticating to AD radius

[ Edited ]

Ok..from the log i can see we are handling auth profile issue.

"Maximum number of retries was attempted for station"

 

can u please print out all the AAA profile configuration/profiles details...

the 802.1x profile is the most importenet < seems like u have issue there > please copy&paste the details of this profile.

even a screenshot will be good - like this one:

dfgfg

*****************2Plus Wireless Solutions****************************
Aruba Airheads - Powered By community for empower the community
************ Don't Forget to Kudos + me,If i helped you******************
Contributor I
Posts: 33
Registered: ‎10-26-2012

Re: authenticating to AD radius

here is the screen cap

MVP
Posts: 1,380
Registered: ‎05-28-2008

Re: authenticating to AD radius

[ Edited ]

OK.

 

Everythings seems fine in your Aruba profiles...

 

please take a look on this post:

http://community.arubanetworks.com/t5/ArubaOS-and-Mobility-Controllers/Maximum-Number-of-Retries/td-p/68780/page/2


"Looks like client configuration issue of some sort; definitely not an Aruba issue.   I would check the configuration of those devices to make sure they are setup correctly; including certificate trusts, etc."

 

please also read this post:

http://community.arubanetworks.com/t5/ArubaOS-and-Mobility-Controllers/Source-of-RADIUS-timeouts/td-p/48530/page/2

 

and this post:

http://community.arubanetworks.com/t5/802-11-Client-Device/Intel-client-issues/td-p/5074

 

Let me know if you found your answer.

*****************2Plus Wireless Solutions****************************
Aruba Airheads - Powered By community for empower the community
************ Don't Forget to Kudos + me,If i helped you******************
MVP
Posts: 1,380
Registered: ‎05-28-2008

Re: authenticating to AD radius

more relevant posts:

http://community.arubanetworks.com/t5/Authentication-and-Access/Users-using-802-1X-can-not-connect-to-the-wireless-network/td-p/26224

 

http://community.arubanetworks.com/t5/ArubaOS-and-Controllers/PEAP-clients-occasionally-unable-to-logon/td-p/1156

 

 

*****************2Plus Wireless Solutions****************************
Aruba Airheads - Powered By community for empower the community
************ Don't Forget to Kudos + me,If i helped you******************
Contributor I
Posts: 33
Registered: ‎10-26-2012

Re: authenticating to AD radius

My IAS guy has updated the Certificate on the radius servers reciently would that have anything to do with it? Do I have to do anything on the aruba side when the cert in IIS gets updated? I checked the IAS config and it shows the proper cert.

 

 

Search Airheads
Showing results for 
Search instead for 
Did you mean: