Contributor I
Posts: 32
Registered: ‎03-13-2014

802.1x authentication issue

Hi

 

I'm currently working on wireless 802.1x authentication using a controller-based Aruba setup, with Windows Server 2012 R2 as the backend RADIUS + AD (by another vendor). I have configured the controller as attached. I'm using a single SSID with dynamic VLAN assignment for each different group of users.

 

When I try to test the authentication, these are the few error logs that I get from the Aruba controller (I have attached the full log in the attachment area). I just want to know what seems to be the problem: is it on the server side or the wireless infra side?

 

Apr 3 18:17:02 authmgr[1647]: <132197> <ERRS> |authmgr| Maximum number of retries was attempted for station 00:21:5d:89:b3:86 9c:1c:12:94:1c:00, deauthenticating the station 
Apr 3 18:17:15 sapd[1598]: <127000> <ERRS> |AP 9c:1c:12:c1:3f:56@10.99.0.35 sapd| |ids-ap| AP(9c:1c:12:93:f5:60): Rogue AP: An AP classified an access point(BSSID 40:01:c6:d0:e8:40 and SSID on CHANNEL 3) as rogue because it matched the MAC (40:01:c6:a5:4b:81) with IP (10.99.0.100). 
Apr 3 18:17:16 authmgr[1647]: <132207> <ERRS> |authmgr| RADIUS reject for station SMRstudenttest1 00:21:5d:89:b3:86 from server SMR2NPSSRV1. 
Apr 3 18:17:16 authmgr[1647]: <132053> <ERRS> |authmgr| Dropping the radius packet for Station 00:21:5d:89:b3:86 9c:1c:12:94:1c:00 doing 802.1x 


Apr 3 18:17:31 authmgr[1647]: <132207> <ERRS> |authmgr| RADIUS reject for station smrstudenttest1 f4:f9:51:73:25:22 from server SMR2NPSSRV1. 
Apr 3 18:17:31 authmgr[1647]: <132053> <ERRS> |authmgr| Dropping the radius packet for Station f4:f9:51:73:25:22 9c:1c:12:94:1c:10 doing 802.1x 
Apr 3 18:17:37 authmgr[1647]: <132207> <ERRS> |authmgr| RADIUS reject for station smtstudenttest1 3c:d0:f8:0f:87:59 from server SMR2NPSSRV1. 
Apr 3 18:17:37 authmgr[1647]: <132053> <ERRS> |authmgr| Dropping the radius packet for Station 3c:d0:f8:0f:87:59 9c:1c:12:94:1c:00 doing 802.1x 
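
Added example, not part of the original thread: a short Python triage of the authmgr lines quoted above, grouping the errors per client MAC so it is visible which stations received an explicit reject from the RADIUS server and which usernames were submitted. The regular expressions assume the message wording shown in the quoted log, and the function names are made up for this illustration.

```python
import re
from collections import defaultdict

# Lines copied from the controller log in the first post of this thread.
SAMPLE_LOG = """\
Apr 3 18:17:02 authmgr[1647]: <132197> <ERRS> |authmgr| Maximum number of retries was attempted for station 00:21:5d:89:b3:86 9c:1c:12:94:1c:00, deauthenticating the station
Apr 3 18:17:15 sapd[1598]: <127000> <ERRS> |AP 9c:1c:12:c1:3f:56@10.99.0.35 sapd| |ids-ap| AP(9c:1c:12:93:f5:60): Rogue AP: An AP classified an access point(BSSID 40:01:c6:d0:e8:40 and SSID on CHANNEL 3) as rogue because it matched the MAC (40:01:c6:a5:4b:81) with IP (10.99.0.100).
Apr 3 18:17:16 authmgr[1647]: <132207> <ERRS> |authmgr| RADIUS reject for station SMRstudenttest1 00:21:5d:89:b3:86 from server SMR2NPSSRV1.
Apr 3 18:17:16 authmgr[1647]: <132053> <ERRS> |authmgr| Dropping the radius packet for Station 00:21:5d:89:b3:86 9c:1c:12:94:1c:00 doing 802.1x
Apr 3 18:17:31 authmgr[1647]: <132207> <ERRS> |authmgr| RADIUS reject for station smrstudenttest1 f4:f9:51:73:25:22 from server SMR2NPSSRV1.
Apr 3 18:17:31 authmgr[1647]: <132053> <ERRS> |authmgr| Dropping the radius packet for Station f4:f9:51:73:25:22 9c:1c:12:94:1c:10 doing 802.1x
Apr 3 18:17:37 authmgr[1647]: <132207> <ERRS> |authmgr| RADIUS reject for station smtstudenttest1 3c:d0:f8:0f:87:59 from server SMR2NPSSRV1.
Apr 3 18:17:37 authmgr[1647]: <132053> <ERRS> |authmgr| Dropping the radius packet for Station 3c:d0:f8:0f:87:59 9c:1c:12:94:1c:00 doing 802.1x
"""

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
PATTERNS = {  # message wording exactly as it appears in the lines above
    "reject": re.compile(rf"RADIUS reject for station (?P<user>\S+) (?P<mac>{MAC}) from server (?P<server>[^\s.]+)"),
    "drop": re.compile(rf"Dropping the radius packet for Station (?P<mac>{MAC}) "),
    "retries": re.compile(rf"Maximum number of retries was attempted for station (?P<mac>{MAC}) "),
}

def triage(log_text):
    """Summarise authmgr 802.1x errors per client MAC address."""
    stations = defaultdict(lambda: {"reject": 0, "drop": 0, "retries": 0,
                                    "users": set(), "servers": set()})
    for line in log_text.splitlines():
        if "|authmgr|" not in line:
            continue  # e.g. the sapd rogue-AP line is not an 802.1x event
        for kind, pattern in PATTERNS.items():
            m = pattern.search(line)
            if m:
                entry = stations[m["mac"]]
                entry[kind] += 1
                if kind == "reject":
                    entry["users"].add(m["user"])
                    entry["servers"].add(m["server"])
                break
    return dict(stations)

def usernames_seen(stations):
    """Distinct usernames after case-folding, to spot differing spellings."""
    return sorted({u.casefold() for s in stations.values() for u in s["users"]})

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for mac, s in sorted(result.items()):
        print(mac, "server sent a reject" if s["reject"] else "no reject logged", s)
    print("usernames:", usernames_seen(result))
```

A station with a non-zero reject count did get an answer from the RADIUS server, so the reason for that rejection is recorded on the server rather than on the controller.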
Guru Elite
Posts: 21,029
Registered: ‎03-29-2007

Re: 802.1x authentication issue

You need to look in the event viewer of your radius server to see why it is rejecting the client.



Colin Joseph
Aruba Customer Engineering


Contributor I
Posts: 22
Registered: ‎04-02-2013

Re: 802.1x authentication issue

On the Radius server are you getting an event ID 13 - check radius source interface on controller.  6272 - Can't authenticate against AD.

MVP
Posts: 2,992
Registered: ‎10-25-2011

Re: 802.1x authentication issue

Are you using EAP TLS?

If so, you need to open the Network policy that you created and go to Settings; in there, click Add, add a value for Framed MTU, and put this value in it: 1344

 

Cheers

Carlos

----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp
Contributor I
Posts: 32
Registered: ‎03-13-2014

Re: 802.1x authentication issue

Thanks for the reply. By RADIUS source interface on the controller, do you mean the port interface on the Aruba that is connected to the network?

Contributor I
Posts: 32
Registered: ‎03-13-2014

Re: 802.1x authentication issue

Hi Carlos,

 

What you mean here is the server policy?

MVP
Posts: 2,992
Registered: ‎10-25-2011

Re: 802.1x authentication issue

 

Open the NPS console

On the Network policy

 

EAPTLS1.PNG

On settings you need to put this value

 

EAP TLS6.PNG

 

 

When you are using EAP TLS, most of the time you need to add this fixed Framed MTU.

The Framed MTU is something you need because in some cases switches, routers, firewalls, etc. drop packets because they are configured to discard packets that require fragmentation. And if you don't configure this, it will drop it and you will see it will not work... so just configure it! That way the EAP payload's maximum size is reduced.

I tell you this because in the logs I saw that the 802.1x packets were being dropped...

 

Anyways this is just for EAP TLS... On EAP PEAP you should not need this...

 

Cheers

Carlos

----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp
Contributor I
Posts: 32
Registered: ‎03-13-2014

Re: 802.1x authentication issue

Thanks Carlos. By the way, the server part is from another vendor, so I can't do much. But I will inform the vendor about this.

I will try it out when I'm onsite with the server vendor.

 

Cheers.

MVP
Posts: 2,992
Registered: ‎10-25-2011

Re: 802.1x authentication issue

Which is the vendor brand of the RADIUS server? Well, if it's possible to know?

 

Cheers

Carlos

----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp
Contributor I
Posts: 32
Registered: ‎03-13-2014

Re: 802.1x authentication issue

They are using Windows Server 2012 R2 as NPS+AD+Domain
