Wireless Access


AAA FastConnect not working

  • 1.  AAA FastConnect not working

    Posted Dec 22, 2016 11:35 AM

    Hi all,

    I've been playing around with ArubaOS authentication, and one feature that refuses to work is AAA FastConnect, or EAP Termination.

    My setup consists of:

    Aruba 620US running 6.4.4.9
    1 AP135
    1 Windows server 2012R2 working as CA, DHCP, AD, and NPS.
    1 Windows 7 wlan client.

    I do have 2 VAPs fully working now.
    1 with preshared key
    1 regular 802.1x pointing my NPS server without termination.

    However, when I try to join the SSID with termination, once I enter the credentials, they do not seem to work and the same credentials are asked once again.

    The NPS doesn't log anything in the Audit Center, and in the controller logs I see the following:

    Dec 22 15:50:05 stm Deauth to sta: 00:26:82:73:e9:0c: Ageout AP 10.1.10.150-d8:c7:c8:4a:c3:92-AP135 Response to EAP Challenge Failed

    To configure termination I've followed the attached document, found in these forums. It's for AOS 3.x and Windows 2k3, and I didn't follow the document 100%: I do apply eap-peap with mschapv2, and I didn't configure the guest TLS option either.

    So, step by step, taking into consideration that regular 802.1x works:

    Created a new controller CSR.
    Uploaded this CSR via https://ipaddress/certsrv
    Downloaded as server certificate.
    Also downloaded server CA.
    Uploaded both certificates to the controller.
    Configured a new 802.1x auth profile. Marked Termination, eap-peap, and eap-mschapv2. Selected the CA and server cert just created.
    Configured a new AAA profile with the previous created 802.1x profile.
    Created a new SSID profile.
    Created a new VAP profile and assigned the AAA profile and the SSID profile.

    On the client side I'm using the same CA uploaded on "trust root certificates" that I'm using on the regular 802.1x auth.

    Attachment(s)

    docx
    EAP-TLS Termination-2.docx   2.10 MB 1 version


  • 2.  RE: AAA FastConnect not working

    EMPLOYEE
    Posted Dec 22, 2016 11:38 AM
    If you have a RADIUS server, why are you using EAP-termination?


  • 3.  RE: AAA FastConnect not working

    Posted Dec 22, 2016 11:40 AM

    I was just testing the functionalities and trying to understand them, that's all.



  • 4.  RE: AAA FastConnect not working

    Posted Dec 23, 2016 05:04 AM

    Did I follow all the steps correctly?

    Is it something that I'm not understanding about the functionality itself?



  • 5.  RE: AAA FastConnect not working

    MVP EXPERT
    Posted Dec 23, 2016 05:22 AM

    Are you able to provide the output of the following command #show auth-tracebuf  ?

     

    Do you also see the same issue if you use the Internal Server for authentication?



  • 6.  RE: AAA FastConnect not working

    EMPLOYEE
    Posted Dec 23, 2016 07:50 AM

    raul.llobera-ramirez@hpe.com wrote:

    Did I follow all the steps correctly?

    Is it something that I'm not understanding about the functionality itself?


    AAA FastConnect, or EAP offload, was a feature created a long time ago for users who did not have a RADIUS server or who could not put an SSL certificate on a RADIUS server.  Users who could only point to an LDAP server would use AAA FastConnect on the controller to do the EAP connection.  AAA FastConnect has a few drawbacks, like the inability to do machine authentication with Windows 2008, 2012 server, and users having to install a supplicant that has EAP-GTC if they were authenticating with an LDAP server.

     

    Long story short, AAA FastConnect was a feature to address limitations in customers' infrastructure, but moving forward, most everyone has access to a RADIUS server so it is not emphasized.  With that being said, it should work, and just like the user said above, you should type "show auth-tracebuf" on the command line of the controller after you attempt authentication to see what is going on...



  • 7.  RE: AAA FastConnect not working

    Posted Dec 23, 2016 08:29 AM

    I keep posting the "show auth-tracebuf" output but for some reason the forum doesn't get updated... :(

     


    Dec 23 12:54:00 station-up * 00:26:82:73:e9:0c d8:c7:c8:4a:c3:92 - - wpa2 aes
    Dec 23 12:54:00 station-term-start * 00:26:82:73:e9:0c d8:c7:c8:4a:c3:92 11 -
    Dec 23 12:54:01 eap-term-start -> 00:26:82:73:e9:0c d8:c7:c8:4a:c3:92/dot1x_prof-term - -
    Dec 23 12:54:01 station-term-start * 00:26:82:73:e9:0c d8:c7:c8:4a:c3:92 11 -
    Dec 23 12:54:25 eap-term-start -> 00:26:82:73:e9:0c d8:c7:c8:4a:c3:92/dot1x_prof-term - -
    Dec 23 12:54:25 station-term-start * 00:26:82:73:e9:0c d8:c7:c8:4a:c3:92 11 -
    Dec 23 12:54:55 station-term-end * 00:26:82:73:e9:0c d8:c7:c8:4a:c3:92/dot1x_prof-term 43 - failure
    Dec 23 12:54:55 station-down * 00:26:82:73:e9:0c d8:c7:c8:4a:c3:92 - -
    Dec 23 12:54:58 station-up * 00:26:82:73:e9:0c d8:c7:c8:4a:c3:92 - - wpa2 aes
    Dec 23 12:54:58 station-term-start * 00:26:82:73:e9:0c d8:c7:c8:4a:c3:92 11 -
    Dec 23 12:54:58 eap-term-start -> 00:26:82:73:e9:0c d8:c7:c8:4a:c3:92/dot1x_prof-term - -
    Dec 23 12:54:58 station-term-start * 00:26:82:73:e9:0c d8:c7:c8:4a:c3:92 11 -
    Dec 23 12:55:34 eap-term-start -> 00:26:82:73:e9:0c d8:c7:c8:4a:c3:92/dot1x_prof-term - -
    Dec 23 12:55:34 station-term-start * 00:26:82:73:e9:0c d8:c7:c8:4a:c3:92 11 -
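
One way to summarise the trace posted above per association attempt, as an added example that is not part of the original thread or Aruba's tooling. It assumes the whitespace-separated layout visible in the posted lines, takes the year from the post date because the trace carries none, and attaches no meaning to the direction column.

```python
from collections import Counter
from datetime import datetime

# Lines copied from the "show auth-tracebuf" output posted above.
TRACE = """\
Dec 23 12:54:00 station-up * 00:26:82:73:e9:0c d8:c7:c8:4a:c3:92 - - wpa2 aes
Dec 23 12:54:00 station-term-start * 00:26:82:73:e9:0c d8:c7:c8:4a:c3:92 11 -
Dec 23 12:54:01 eap-term-start -> 00:26:82:73:e9:0c d8:c7:c8:4a:c3:92/dot1x_prof-term - -
Dec 23 12:54:01 station-term-start * 00:26:82:73:e9:0c d8:c7:c8:4a:c3:92 11 -
Dec 23 12:54:25 eap-term-start -> 00:26:82:73:e9:0c d8:c7:c8:4a:c3:92/dot1x_prof-term - -
Dec 23 12:54:25 station-term-start * 00:26:82:73:e9:0c d8:c7:c8:4a:c3:92 11 -
Dec 23 12:54:55 station-term-end * 00:26:82:73:e9:0c d8:c7:c8:4a:c3:92/dot1x_prof-term 43 - failure
Dec 23 12:54:55 station-down * 00:26:82:73:e9:0c d8:c7:c8:4a:c3:92 - -
Dec 23 12:54:58 station-up * 00:26:82:73:e9:0c d8:c7:c8:4a:c3:92 - - wpa2 aes
Dec 23 12:54:58 station-term-start * 00:26:82:73:e9:0c d8:c7:c8:4a:c3:92 11 -
Dec 23 12:54:58 eap-term-start -> 00:26:82:73:e9:0c d8:c7:c8:4a:c3:92/dot1x_prof-term - -
Dec 23 12:54:58 station-term-start * 00:26:82:73:e9:0c d8:c7:c8:4a:c3:92 11 -
Dec 23 12:55:34 eap-term-start -> 00:26:82:73:e9:0c d8:c7:c8:4a:c3:92/dot1x_prof-term - -
Dec 23 12:55:34 station-term-start * 00:26:82:73:e9:0c d8:c7:c8:4a:c3:92 11 -
"""

def sessions(trace, year=2016):
    """Group events per station MAC, from station-up until station-down."""
    open_, done = {}, []
    for line in trace.splitlines():
        parts = line.split()
        if len(parts) < 7:  # not a trace line in the assumed layout
            continue
        when = datetime.strptime(f"{year} " + " ".join(parts[:3]), "%Y %b %d %H:%M:%S")
        event, mac, rest = parts[3], parts[5].lower(), parts[7:]
        if event == "station-up":
            if mac in open_:  # previous attempt never logged station-down
                done.append(open_.pop(mac))
            open_[mac] = {"mac": mac, "start": when, "end": when,
                          "events": Counter(), "result": None}
        s = open_.get(mac)
        if s is None:  # event seen before any station-up for this MAC
            continue
        s["events"][event] += 1
        s["end"] = when
        if event == "station-term-end" and rest:
            s["result"] = rest[-1]  # last field, "failure" in the posted trace
        if event == "station-down":
            done.append(open_.pop(mac))
    return done + list(open_.values())  # include attempts still in progress

if __name__ == "__main__":
    for s in sessions(TRACE):
        secs = int((s["end"] - s["start"]).total_seconds())
        print(s["mac"], f"{secs}s", s["result"], dict(s["events"]))
```

On the posted trace this yields two attempts: the first ends in `failure` after 55 seconds, and in both the only termination events recorded are `station-term-start` and `eap-term-start`.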