Unified Wired & Wireless Access

Reply
Occasional Contributor II
scottwe
Posts: 19
Registered: ‎11-16-2010

deauth to sta

I have a client that cannot connect to our production wireless network but can connect to a development network on the same access point. The client is using the same machine and 802.1x authentication for each network. I have debug logs for a successful (dev) and a failed (prd) session but the main difference I see is:

 

//a success

Mar 20 13:24:56 :522035:  <INFO> |authmgr|  MAC=68:a3:c4:c9:xx:xx Station UP: BSSID=d8:c7:c8:xx:2f:41 ESSID=dev VLAN=2 AP-name=ab208

Mar 20 13:24:56 :522004:  <DBUG> |authmgr|  MAC=68:a3:c4:c9:xx:xx ingress 0x10f1 (tunnel 145), u_encr 16, m_encr 4112, slotport 0x1000 

Mar 20 13:25:25 :522038:  <INFO> |authmgr|  MAC=68:a3:c4:c9:xx:xx IP=0.0.0.0 Authentication result=Authentication Successful method=802.1x server=ACS-B

//role, IP and other good stuff happen

 

//a failure

Mar 20 13:24:12 :522035:  <INFO> |authmgr|  MAC=68:a3:c4:c9:xx:xx Station UP: BSSID=d8:c7:c8:xx:2f:40 ESSID=prd VLAN=2 AP-name=ab208

Mar 20 13:24:12 :522004:  <DBUG> |authmgr|  MAC=68:a3:c4:c9:xx:xx ingress 0x11b6 (tunnel 342), u_encr 16, m_encr 4112, slotport 0x1000 

//repeat the previous message five more times, then

Mar 20 13:24:31 :501106:  <NOTI> |stm|  Deauth to sta: 68:a3:c4:c9:xx:xx: Ageout AP 10.xxx.70.210-d8:c7:xx:xx:2f:40-ab208 handle_sapcp

//followed by similar messages

 

 

Anybody have an idea?

Moderator
cjoseph
Posts: 12,179
Registered: ‎03-29-2007

Re: deauth to sta


scottwe wrote:

I have a client that cannot connect to our production wireless network but can connect to a development network on the same access point. The client is using the same machine and 802.1x authentication for each network. I have debug logs for a successful (dev) and a failed (prd) session but the main difference I see is:

 

//a success

Mar 20 13:24:56 :522035:  <INFO> |authmgr|  MAC=68:a3:c4:c9:xx:xx Station UP: BSSID=d8:c7:c8:xx:2f:41 ESSID=dev VLAN=2 AP-name=ab208

Mar 20 13:24:56 :522004:  <DBUG> |authmgr|  MAC=68:a3:c4:c9:xx:xx ingress 0x10f1 (tunnel 145), u_encr 16, m_encr 4112, slotport 0x1000 

Mar 20 13:25:25 :522038:  <INFO> |authmgr|  MAC=68:a3:c4:c9:xx:xx IP=0.0.0.0 Authentication result=Authentication Successful method=802.1x server=ACS-B

//role, IP and other good stuff happen

 

//a failure

Mar 20 13:24:12 :522035:  <INFO> |authmgr|  MAC=68:a3:c4:c9:xx:xx Station UP: BSSID=d8:c7:c8:xx:2f:40 ESSID=prd VLAN=2 AP-name=ab208

Mar 20 13:24:12 :522004:  <DBUG> |authmgr|  MAC=68:a3:c4:c9:xx:xx ingress 0x11b6 (tunnel 342), u_encr 16, m_encr 4112, slotport 0x1000 

//repeat the previous message five more times, then

Mar 20 13:24:31 :501106:  <NOTI> |stm|  Deauth to sta: 68:a3:c4:c9:xx:xx: Ageout AP 10.xxx.70.210-d8:c7:xx:xx:2f:40-ab208 handle_sapcp

//followed by similar messages

 

 

Anybody have an idea?


While the client is failing, type "show auth-tracebuf mac <mac address of client>" to see why.

 

Colin Joseph
Aruba Customer Engineering
Occasional Contributor II
scottwe
Posts: 19
Registered: ‎11-16-2010

Re: deauth to sta

Thank you, neat command!

 

I see:

 

Mar 21 13:32:52  station-up             *  68:a3:c4:c9:xx:xx  d8:c7:c8:bf:xx:xx                  -    -     wpa tkip

Mar 21 13:32:52  eap-id-req            <-  68:a3:c4:c9:xx:xx  d8:c7:c8:bf:xx:xx                  1    5     

Mar 21 13:32:53  station-up             *  68:a3:c4:c9:xx:xx  d8:c7:c8:bf:xx:xx                  -    -     wpa tkip

Mar 21 13:32:53  eap-id-req            <-  68:a3:c4:c9:xx:xx  d8:c7:c8:bf:xx:xx                  1    5     

Mar 21 13:32:53  eap-start             ->  68:a3:c4:c9:xx:xx  d8:c7:c8:bf:xx:xx                  -    -     

Mar 21 13:32:53  eap-id-req            <-  68:a3:c4:c9:xx:xx  d8:c7:c8:bf:xx:xx                  1    5     

Mar 21 13:32:55  station-up             *  68:a3:c4:c9:xx:xx  d8:c7:c8:bf:xx:xx                  -    -     wpa tkip

Mar 21 13:32:55  eap-id-req            <-  68:a3:c4:c9:xx:xx  d8:c7:c8:bf:xx:xx                  1    5     

Mar 21 13:32:55  eap-start             ->  68:a3:c4:c9:xx:xx  d8:c7:c8:bf:xx:xx                  -    -     

Mar 21 13:32:55  eap-id-req            <-  68:a3:c4:c9:xx:xx  d8:c7:c8:bf:xx:xx                  1    5     

Mar 21 13:32:56  station-up             *  68:a3:c4:c9:xx:xx  d8:c7:c8:bf:xx:xx                  -    -     wpa tkip

 

over and over again, credentials are never passed and authentication servers don't get into the mix, which is different from a successful logon. I don't understand what the command reference guide is telling me about the arrows andif this is on the client or server side. 

 

Moderator
cjoseph
Posts: 12,179
Registered: ‎03-29-2007

Re: deauth to sta

Are you sure the client is configured with the right encryption?

 

Colin Joseph
Aruba Customer Engineering
Occasional Contributor II
scottwe
Posts: 19
Registered: ‎11-16-2010

Re: deauth to sta

yes. we went through and manually set it for wpa2-enterprise and aes as a test, still could not get it to go. we run in mixed mode, either tkip or aes is valid.

Moderator
cjoseph
Posts: 12,179
Registered: ‎03-29-2007

Re: deauth to sta

Are these 802.11n access points?  If so, the 802.11n standard only allows cipher types of AES and Open.  TKIP is not allowed.

 

Colin Joseph
Aruba Customer Engineering
Occasional Contributor II
scottwe
Posts: 19
Registered: ‎11-16-2010

Re: deauth to sta

They are N. Good point. When I manually configure the client to use WPA2 and AES (which I can see using the command you gave me, thanks again) they still cannot connect. I'm beginning to think it is the clients system but it is at a remote location and the clientdoes not have other devices available to test with.

Moderator
cjoseph
Posts: 12,179
Registered: ‎03-29-2007

Re: deauth to sta

You probably want to open a case so that they can see the full picture...  Has this EVER worked?

 

Colin Joseph
Aruba Customer Engineering
Occasional Contributor II
scottwe
Posts: 19
Registered: ‎11-16-2010

Re: deauth to sta

With this device no it has never worked. Other devices, yes.

Moderator
cjoseph
Posts: 12,179
Registered: ‎03-29-2007

Re: deauth to sta

Have you considered upgrading the client drivers?

 

Colin Joseph
Aruba Customer Engineering
Search Airheads