Aruba Employee
Posts: 9
Registered: ‎02-02-2016

AAA FastConnect not working

Hi all,

I've been playing around with ArubaOS authentication, and the one that refuses to work is AAA FastConnect, or EAP Termination.

My setup consists of:

Aruba 620US running 6.4.4.9
1 AP135
1 Windows server 2012R2 working as CA, DHCP, AD, and NPS.
1 Windows 7 wlan client.

I do have 2 VAPs fully working now.
1 with preshared key
1 regular 802.1x pointing my NPS server without termination.

However, when I try to join the SSID with termination, once I enter the credentials, they do not seem to work and the same credentials are asked once again.

The NPS doesn't log anything in the Audit Center, and in the controller logs I see the following:

Dec 22 15:50:05 stm Deauth to sta: 00:26:82:73:e9:0c: Ageout AP 10.1.10.150-d8:c7:c8:4a:c3:92-AP135 Response to EAP Challenge Failed

To configure termination I've followed the attached document, found in these forums. It's for AOS 3.x and Windows 2k3, and I didn't follow the document 100%: I do apply eap-peap with mschapv2, and I didn't configure the guest TLS option either.

So step by step taking in consideration that regular 802.1x works:

Created a new controller CSR.
Uploaded this CSR via https://ipaddress/certsrv
Downloaded as server certificate.
Also downloaded server CA.
Uploaded both certificates to the controller.
Configured a new 802.1x auth profile. Marked Termination, eap-peap, and eap-mschapv2. Selected the CA and server cert just created.
Configured a new AAA profile with the previously created 802.1x profile.
Created a new SSID profile.
Created a new VAP profile and assigned the AAA profile and the SSID profile.

On the client side I'm using the same CA uploaded on "trust root certificates" that I'm using on the regular 802.1x auth.

Guru Elite
Posts: 8,793
Registered: ‎09-08-2010

Re: AAA FastConnect not working

If you have a RADIUS server, why are you using EAP-termination?

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Aruba Employee
Posts: 9
Registered: ‎02-02-2016

Re: AAA FastConnect not working

I was just testing the functionalities and trying to understand them, that's all.

Aruba Employee
Posts: 9
Registered: ‎02-02-2016

Re: AAA FastConnect not working

Did all follow the steps correctly?

Is it something that I'm not understanding from the functionality itself??

MVP
Posts: 433
Registered: ‎07-26-2011

Re: AAA FastConnect not working

Are you able to provide the output of the following command #show auth-tracebuf  ?

 

Do you also see the same issue if you use the Internal Server for authentication?

ACMA, ACMP
If my post addresses your query, give kudos:)
Guru Elite
Posts: 21,580
Registered: ‎03-29-2007

Re: AAA FastConnect not working


raul.llobera-ramirez@hpe.com wrote:

Did all follow the steps correctly?

Is it something that I'm not understanding from the functionality itself??


AAA FastConnect or EAP offload was a feature created a long time ago for users who did not have a radius server or who could not put a SSL certificate on a radius server.  Users who could only point to an LDAP server would use AAA FastConnect on the controller to do the EAP connection.  AAA FastConnect has a few drawbacks like the inability to do machine authentication with Windows 2008, 2012 server, and users having to install a supplicant that has EAP-GTC if they were authenticating with an LDAP server.

 

Long story short, AAA FastConnect was a feature to address limitations in customer's infrastructure, but moving forward, most everyone has access to a radius server so it is not emphasized.  With that being said, it should work and just like the user said above, you should type "show auth-tracebuf" on the commandline of the controller after you attempt authentication to see what is going on...



Colin Joseph
Aruba Customer Engineering


Aruba Employee
Posts: 9
Registered: ‎02-02-2016

Re: AAA FastConnect not working

I keep posting the "show auth-tracebuf" output but for some reason the forum doesn't get updated... :(

Dec 23 12:54:00 station-up * 00:26:82:73:e9:0c d8:c7:c8:4a:c3:92 - - wpa2 aes
Dec 23 12:54:00 station-term-start * 00:26:82:73:e9:0c d8:c7:c8:4a:c3:92 11 -
Dec 23 12:54:01 eap-term-start -> 00:26:82:73:e9:0c d8:c7:c8:4a:c3:92/dot1x_prof-term - -
Dec 23 12:54:01 station-term-start * 00:26:82:73:e9:0c d8:c7:c8:4a:c3:92 11 -
Dec 23 12:54:25 eap-term-start -> 00:26:82:73:e9:0c d8:c7:c8:4a:c3:92/dot1x_prof-term - -
Dec 23 12:54:25 station-term-start * 00:26:82:73:e9:0c d8:c7:c8:4a:c3:92 11 -
Dec 23 12:54:55 station-term-end * 00:26:82:73:e9:0c d8:c7:c8:4a:c3:92/dot1x_prof-term 43 - failure
Dec 23 12:54:55 station-down * 00:26:82:73:e9:0c d8:c7:c8:4a:c3:92 - -
Dec 23 12:54:58 station-up * 00:26:82:73:e9:0c d8:c7:c8:4a:c3:92 - - wpa2 aes
Dec 23 12:54:58 station-term-start * 00:26:82:73:e9:0c d8:c7:c8:4a:c3:92 11 -
Dec 23 12:54:58 eap-term-start -> 00:26:82:73:e9:0c d8:c7:c8:4a:c3:92/dot1x_prof-term - -
Dec 23 12:54:58 station-term-start * 00:26:82:73:e9:0c d8:c7:c8:4a:c3:92 11 -
Dec 23 12:55:34 eap-term-start -> 00:26:82:73:e9:0c d8:c7:c8:4a:c3:92/dot1x_prof-term - -
Dec 23 12:55:34 station-term-start * 00:26:82:73:e9:0c d8:c7:c8:4a:c3:92 11 -
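
A small parser for the `show auth-tracebuf` lines posted above, added here as an example and not part of any post or of ArubaOS: it groups events per station into attempts (split at each station-up) and reports how many eap-term-start events each attempt saw and how it ended. The field layout and the names `parse` and `summarize` are assumptions inferred from the posted lines.

```python
import re
from collections import defaultdict

# Lines copied from the "show auth-tracebuf" output posted in the thread.
SAMPLE = """\
Dec 23 12:54:00 station-up * 00:26:82:73:e9:0c d8:c7:c8:4a:c3:92 - - wpa2 aes
Dec 23 12:54:00 station-term-start * 00:26:82:73:e9:0c d8:c7:c8:4a:c3:92 11 -
Dec 23 12:54:01 eap-term-start -> 00:26:82:73:e9:0c d8:c7:c8:4a:c3:92/dot1x_prof-term - -
Dec 23 12:54:01 station-term-start * 00:26:82:73:e9:0c d8:c7:c8:4a:c3:92 11 -
Dec 23 12:54:25 eap-term-start -> 00:26:82:73:e9:0c d8:c7:c8:4a:c3:92/dot1x_prof-term - -
Dec 23 12:54:25 station-term-start * 00:26:82:73:e9:0c d8:c7:c8:4a:c3:92 11 -
Dec 23 12:54:55 station-term-end * 00:26:82:73:e9:0c d8:c7:c8:4a:c3:92/dot1x_prof-term 43 - failure
Dec 23 12:54:55 station-down * 00:26:82:73:e9:0c d8:c7:c8:4a:c3:92 - -
Dec 23 12:54:58 station-up * 00:26:82:73:e9:0c d8:c7:c8:4a:c3:92 - - wpa2 aes
Dec 23 12:54:58 station-term-start * 00:26:82:73:e9:0c d8:c7:c8:4a:c3:92 11 -
Dec 23 12:54:58 eap-term-start -> 00:26:82:73:e9:0c d8:c7:c8:4a:c3:92/dot1x_prof-term - -
Dec 23 12:54:58 station-term-start * 00:26:82:73:e9:0c d8:c7:c8:4a:c3:92 11 -
Dec 23 12:55:34 eap-term-start -> 00:26:82:73:e9:0c d8:c7:c8:4a:c3:92/dot1x_prof-term - -
Dec 23 12:55:34 station-term-start * 00:26:82:73:e9:0c d8:c7:c8:4a:c3:92 11 -
"""

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
# Assumed layout: timestamp, event, direction, station MAC, BSSID[/profile], rest.
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]{8})\s+(?P<event>[\w-]+)\s+(?P<dir>\S+)\s+"
    r"(?P<sta>" + MAC + r")\s+(?P<bssid>" + MAC + r")(?:/(?P<profile>\S+))?\s*(?P<rest>.*)$",
    re.I)

def parse(text):
    """Yield one dict per recognisable tracebuf line; skip anything else."""
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            yield m.groupdict()

def summarize(text):
    """Group events into attempts per station; a station-up opens a new attempt."""
    attempts = defaultdict(list)
    for ev in parse(text):
        sta = ev["sta"].lower()
        if ev["event"] == "station-up" or not attempts[sta]:
            attempts[sta].append({"start": ev["ts"], "eap_term_starts": 0,
                                  "profile": None, "outcome": "incomplete"})
        cur = attempts[sta][-1]
        if ev["event"] == "eap-term-start":
            cur["eap_term_starts"] += 1
            cur["profile"] = ev["profile"]
        elif ev["event"] == "station-term-end":
            cur["outcome"] = "failure" if ev["rest"].endswith("failure") else "ended"
    return dict(attempts)
```
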
