AAA test successful, unable to connect to SSID

  • 1.  AAA test successful, unable to connect to SSID

    Posted Mar 30, 2015 04:21 PM

    Well, I think the title says it all. I am using ClearPass as the RADIUS server. Here is an auth-tracebuf and user-debug. I'm at a loss as to what to look at next.

     

    Thanks,

     

    Russell

     

    (QA01AARUBA01) #show log user-debug all

    Mar 30 13:28:15 :501093:  <NOTI> |AP LAB-AP-2-ac:a3:1e:c3:3f:70@10.75.93.250 stm|  Auth success: 10:a5:d0:0e:13:91: AP 10.75.93.250-ac:a3:1e:b3:f7:10-LAB-AP-2-ac:a3:1e:c3:3f:70

    Mar 30 13:28:15 :501095:  <NOTI> |AP LAB-AP-2-ac:a3:1e:c3:3f:70@10.75.93.250 stm|  Assoc request @ 13:28:15.405200: 10:a5:d0:0e:13:91 (SN 1751): AP 10.75.93.250-ac:a3:1e:b3:f7:10-LAB-AP-2-ac:a3:1e:c3:3f:70

    Mar 30 13:28:15 :501100:  <NOTI> |stm|  Assoc success @ 13:28:15.442704: 10:a5:d0:0e:13:91: AP 10.75.93.250-ac:a3:1e:b3:f7:10-LAB-AP-2-ac:a3:1e:c3:3f:70

    Mar 30 13:28:15 :501100:  <NOTI> |AP LAB-AP-2-ac:a3:1e:c3:3f:70@10.75.93.250 stm|  Assoc success @ 13:28:15.407246: 10:a5:d0:0e:13:91: AP 10.75.93.250-ac:a3:1e:b3:f7:10-LAB-AP-2-ac:a3:1e:c3:3f:70

    Mar 30 13:28:15 :522295:  <DBUG> |authmgr|  Auth GSM : USER_STA event 0 for user 10:a5:d0:0e:13:91

    Mar 30 13:28:15 :522035:  <INFO> |authmgr|  MAC=10:a5:d0:0e:13:91 Station UP: BSSID=ac:a3:1e:b3:f7:10 ESSID=LAB-INTERNAL VLAN=427 AP-name=LAB-AP-2-ac:a3:1e:c3:3f:70

    Mar 30 13:28:15 :522077:  <DBUG> |authmgr|  MAC=10:a5:d0:0e:13:91 ingress 0x0x1000c (tunnel 12), u_encr 64, m_encr 64, slotport 0x0x2100 , type: remote, FW mode: 1, AP IP: 10.75.93.250 mdie 0 ft_complete 0

    Mar 30 13:28:15 :522264:  <DBUG> |authmgr|  "MAC:10:a5:d0:0e:13:91: Allocating UUID: 2.

    Mar 30 13:28:15 :522258:  <DBUG> |authmgr|  "VDR - Add to history of user user 10:a5:d0:0e:13:91 vlan 0 derivation_type Reset VLANs for Station up index 0.

    Mar 30 13:28:15 :522255:  <DBUG> |authmgr|  "VDR - set vlan in user for 10:a5:d0:0e:13:91 vlan 427 fwdmode 0 derivation_type Default VLAN.

    Mar 30 13:28:15 :522258:  <DBUG> |authmgr|  "VDR - Add to history of user user 10:a5:d0:0e:13:91 vlan 427 derivation_type Default VLAN index 1.

    Mar 30 13:28:15 :522255:  <DBUG> |authmgr|  "VDR - set vlan in user for 10:a5:d0:0e:13:91 vlan 427 fwdmode 0 derivation_type Current VLAN updated.

    Mar 30 13:28:15 :522258:  <DBUG> |authmgr|  "VDR - Add to history of user user 10:a5:d0:0e:13:91 vlan 427 derivation_type Current VLAN updated index 2.

    Mar 30 13:28:15 :524141:  <DBUG> |authmgr|  clr_pmkcache_ft():988: MAC:10:a5:d0:0e:13:91 BSS:ac:a3:1e:b3:f7:10

    Mar 30 13:28:15 :522287:  <DBUG> |authmgr|  Auth GSM : MAC_USER publish for mac 10:a5:d0:0e:13:91 bssid ac:a3:1e:b3:f7:10 vlan 427 type 1 data-ready 0

    Mar 30 13:28:15 :522254:  <DBUG> |authmgr|  VDR - mac 10:a5:d0:0e:13:91 rolename logon fwdmode 1 derivation_type Initial Role Contained vp not present.

    Mar 30 13:28:15 :522258:  <DBUG> |authmgr|  "VDR - Add to history of user user 10:a5:d0:0e:13:91 vlan 0 derivation_type Reset Role Based VLANs index 3.

    Mar 30 13:28:15 :522083:  <DBUG> |authmgr|  Skip User-Derivation, mba:0 udr_exist:0,default_role:logon,pDefRole:0x0xfea874

    Mar 30 13:28:15 :524124:  <DBUG> |authmgr|  dot1x_supplicant_up(): MAC:10:a5:d0:0e:13:91, pmkid_present:False, pmkid:N/A

    Mar 30 13:28:15 :522096:  <DBUG> |authmgr|  10:a5:d0:0e:13:91: Sending STM new Role ACL : 2, and Vlan info: 427, action : 10, AP IP: 10.75.93.250, flags : 0 idle-timeout: 300

    Mar 30 13:28:15 :522242:  <DBUG> |authmgr|  MAC=10:a5:d0:0e:13:91 Station Created Update MMS: BSSID=ac:a3:1e:b3:f7:10 ESSID=LAB-INTERNAL VLAN=427 AP-name=LAB-AP-2-ac:a3:1e:c3:3f:70

    Mar 30 13:28:15 :522301:  <DBUG> |authmgr|  Auth GSM : USER publish for uuid 2 mac 10:a5:d0:0e:13:91 name  role logon devtype  wired 0 authtype 0 subtype 0  encrypt-type 10 conn-port 8448 fwd-mode 1

    Mar 30 13:28:20 :522175:  <DBUG> |authmgr|  skipping mac : 10:a5:d0:0e:13:91, from AP : 10.75.93.250, with authtype : 802.1x.

    Mar 30 13:28:22 :522258:  <DBUG> |authmgr|  "VDR - Add to history of user user 10:a5:d0:0e:13:91 vlan 0 derivation_type Reset all Auth VLANs index 4.

    Mar 30 13:28:22 :522255:  <DBUG> |authmgr|  "VDR - set vlan in user for 10:a5:d0:0e:13:91 vlan 427 fwdmode 1 derivation_type Current VLAN updated.

    Mar 30 13:28:22 :522258:  <DBUG> |authmgr|  "VDR - Add to history of user user 10:a5:d0:0e:13:91 vlan 427 derivation_type Current VLAN updated index 5.

    Mar 30 13:28:22 :522260:  <DBUG> |authmgr|  "VDR - Cur VLAN updated 10:a5:d0:0e:13:91 mob 0 inform 1 remote 1 wired 0 defvlan 427 exportedvlan 0 curvlan 427.

    Mar 30 13:28:22 :522030:  <INFO> |authmgr|  MAC=10:a5:d0:0e:13:91 Station deauthenticated: BSSID=ac:a3:1e:b3:f7:10, ESSID=LAB-INTERNAL

    Mar 30 13:28:22 :522127:  <DBUG> |authmgr|  {L2} Update role from logon to logon for IP=0.0.0.0.

    Mar 30 13:28:22 :522049:  <INFO> |authmgr|  MAC=10:a5:d0:0e:13:91,IP=N/A User role updated, existing Role=logon/none, new Role=logon/none, reason=Station is L2 deauthenticated

    Mar 30 13:28:24 :501102:  <NOTI> |AP LAB-AP-2-ac:a3:1e:c3:3f:70@10.75.93.250 stm|  Disassoc from sta: 10:a5:d0:0e:13:91: AP 10.75.93.250-ac:a3:1e:b3:f7:10-LAB-AP-2-ac:a3:1e:c3:3f:70 Reason STA has left and is disassociated

    Mar 30 13:28:24 :522296:  <DBUG> |authmgr|  Auth GSM : USER_STA delete event for user 10:a5:d0:0e:13:91 age 0 deauth_reason 8

    Mar 30 13:28:24 :522036:  <INFO> |authmgr|  MAC=10:a5:d0:0e:13:91 Station DN: BSSID=ac:a3:1e:b3:f7:10 ESSID=LAB-INTERNAL VLAN=427 AP-name=LAB-AP-2-ac:a3:1e:c3:3f:70

    Mar 30 13:28:24 :522152:  <DBUG> |authmgr|  station free: bssid=ac:a3:1e:b3:f7:10, @=0x0xcf5034.

    Mar 30 13:28:24 :501000:  <DBUG> |AP LAB-AP-2-ac:a3:1e:c3:3f:70@10.75.93.250 stm|  Station 10:a5:d0:0e:13:91: Clearing state

    Mar 30 13:28:24 :522244:  <DBUG> |authmgr|  MAC=10:a5:d0:0e:13:91 Station Deleted Update MMS

    Mar 30 13:28:24 :522301:  <DBUG> |authmgr|  Auth GSM : USER publish for uuid 2 mac 10:a5:d0:0e:13:91 name  role logon devtype  wired 0 authtype 0 subtype 0  encrypt-type 10 conn-port 8448 fwd-mode 1

    Mar 30 13:28:24 :522290:  <DBUG> |authmgr|  Auth GSM : MAC_USER delete for mac 10:a5:d0:0e:13:91

    Mar 30 13:28:24 :522303:  <DBUG> |authmgr|  Auth GSM : USER delete for mac 10:a5:d0:0e:13:91 uuid 2

    Mar 30 13:28:24 :522265:  <DBUG> |authmgr|  "MAC:10:a5:d0:0e:13:91: Deallocating UUID: 2.

    Mar 30 13:28:24 :501000:  <DBUG> |stm|  Station 10:a5:d0:0e:13:91: Clearing state

    Mar 30 13:28:24 :501102:  <NOTI> |stm|  Disassoc from sta: 10:a5:d0:0e:13:91: AP 10.75.93.250-ac:a3:1e:b3:f7:10-LAB-AP-2-ac:a3:1e:c3:3f:70 Reason STA has left and is disassociated

    Mar 30 13:28:24 :501037:  <NOTI> |stm|  Station 10:a5:d0:0e:13:91: no association found trying to disassociate to BSSID ac:a3:1e:b3:f7:10 on AP LAB-AP-2-ac:a3:1e:c3:3f:70

     

    (QA01AARUBA01) #    show auth-tracebuf

     

    Warning: user-debug is enabled on one or more specific MAC addresses;

             only those MAC addresses appear in the trace buffer.

     

    Auth Trace Buffer

    -----------------

     

     

    Mar 30 13:28:15  station-up             *  10:a5:d0:0e:13:91  ac:a3:1e:b3:f7:10              -   -    wpa2 aes

    Mar 30 13:28:15  eap-id-req            <-  10:a5:d0:0e:13:91  ac:a3:1e:b3:f7:10              1   5

    Mar 30 13:28:15  eap-id-resp           ->  10:a5:d0:0e:13:91  ac:a3:1e:b3:f7:10              1   12   davise1

    Mar 30 13:28:15  rad-req               ->  10:a5:d0:0e:13:91  ac:a3:1e:b3:f7:10              9   214

    Mar 30 13:28:20  dot1x-timeout          *  10:a5:d0:0e:13:91  ac:a3:1e:b3:f7:10              1   3    server timeout

    Mar 30 13:28:20  dot1x-timeout          *  10:a5:d0:0e:13:91  ac:a3:1e:b3:f7:10              2   2    station timeout

    Mar 30 13:28:20  eap-id-req            <-  10:a5:d0:0e:13:91  ac:a3:1e:b3:f7:10              2   5

    Mar 30 13:28:20  eap-id-resp           ->  10:a5:d0:0e:13:91  ac:a3:1e:b3:f7:10              2   12   davise1

    Mar 30 13:28:20  rad-req               ->  10:a5:d0:0e:13:91  ac:a3:1e:b3:f7:10              10  214

    Mar 30 13:28:22  rad-reject            <-  10:a5:d0:0e:13:91  ac:a3:1e:b3:f7:10/CPPM-radius  10  20

    Mar 30 13:28:22  eap-failure           <-  10:a5:d0:0e:13:91  ac:a3:1e:b3:f7:10              2   4    server rejected

    Mar 30 13:28:24  station-down           *  10:a5:d0:0e:13:91  ac:a3:1e:b3:f7:10              -   -

     

    (QA01AARUBA01) # aaa test-server mschapv2 CPPM-radius davise1 ***********

     

    Authentication Successful



  • 2.  RE: AAA test successful, unable to connect to SSID

    Posted Mar 30, 2015 10:02 PM

    What do you see in Access Tracker of CPPM? Does your user get put into the correct role on the controller after passing authentication?



  • 3.  RE: AAA test successful, unable to connect to SSID

    Posted Mar 31, 2015 05:43 AM

    Hi,

    We cannot figure out the issue without Access Tracker output. Generally in these scenarios, the client EAP configuration can be suspected; check whether the client is enabled with MSCHAPv2 and also verify the other EAP configuration on the client.

     

    Please share the output of Access Tracker for that failed auth message.



  • 4.  RE: AAA test successful, unable to connect to SSID

    Posted Apr 17, 2015 06:38 AM

    I didn't want to leave this hanging. I am configuring the controller, and another person is configuring the ClearPass appliance. ClearPass had not had much config on it yet, so the devices were connecting, hitting ClearPass, ClearPass didn't know what to do with them, and they were dropping from the SSID.

     

    Thanks for the replies.
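
Added example (not part of the thread, and not Aruba or ClearPass code): the auth-tracebuf from the first post parsed in Python to separate a RADIUS server that never answers from one that answers with a reject, which is the case here and why the replies point at the server's Access Tracker. The column layout is inferred from the output on this page, and `parse_trace` and `summarize` are hypothetical names.

```python
import re

# Trace lines copied from the auth-tracebuf in the first post of this thread.
TRACE = """\
Mar 30 13:28:15  station-up             *  10:a5:d0:0e:13:91  ac:a3:1e:b3:f7:10              -   -    wpa2 aes
Mar 30 13:28:15  eap-id-req            <-  10:a5:d0:0e:13:91  ac:a3:1e:b3:f7:10              1   5
Mar 30 13:28:15  eap-id-resp           ->  10:a5:d0:0e:13:91  ac:a3:1e:b3:f7:10              1   12   davise1
Mar 30 13:28:15  rad-req               ->  10:a5:d0:0e:13:91  ac:a3:1e:b3:f7:10              9   214
Mar 30 13:28:20  dot1x-timeout          *  10:a5:d0:0e:13:91  ac:a3:1e:b3:f7:10              1   3    server timeout
Mar 30 13:28:20  dot1x-timeout          *  10:a5:d0:0e:13:91  ac:a3:1e:b3:f7:10              2   2    station timeout
Mar 30 13:28:20  eap-id-req            <-  10:a5:d0:0e:13:91  ac:a3:1e:b3:f7:10              2   5
Mar 30 13:28:20  eap-id-resp           ->  10:a5:d0:0e:13:91  ac:a3:1e:b3:f7:10              2   12   davise1
Mar 30 13:28:20  rad-req               ->  10:a5:d0:0e:13:91  ac:a3:1e:b3:f7:10              10  214
Mar 30 13:28:22  rad-reject            <-  10:a5:d0:0e:13:91  ac:a3:1e:b3:f7:10/CPPM-radius  10  20
Mar 30 13:28:22  eap-failure           <-  10:a5:d0:0e:13:91  ac:a3:1e:b3:f7:10              2   4    server rejected
Mar 30 13:28:24  station-down           *  10:a5:d0:0e:13:91  ac:a3:1e:b3:f7:10              -   -
"""

# Assumed columns: time, event, direction, station MAC, BSSID[/server], id, length, note.
LINE = re.compile(
    r"(?P<ts>\w{3} +\d+ [\d:]{8}) +(?P<event>[\w-]+) +(?P<dir><-|->|\*) +"
    r"(?P<sta>[0-9a-f:]{17}) +(?P<bssid>[0-9a-f:]{17})(?:/(?P<server>\S+))? +"
    r"(?P<id>\S+) +(?P<len>\S+) *(?P<note>.*)"
)

def parse_trace(text):
    matches = (LINE.match(line.strip()) for line in text.splitlines())
    return [m.groupdict() for m in matches if m]

def summarize(events):
    stations = {}
    for e in events:
        s = stations.setdefault(e["sta"], {
            "identity": None, "rad_requests": 0, "server_timeouts": 0,
            "rejected_by": None, "verdict": "inconclusive"})
        if e["event"] == "eap-id-resp":
            s["identity"] = e["note"] or s["identity"]
        elif e["event"] == "rad-req":
            s["rad_requests"] += 1
        elif e["event"] == "dot1x-timeout" and e["note"] == "server timeout":
            s["server_timeouts"] += 1
        elif e["event"] == "rad-reject":
            s["rejected_by"] = e["server"]
    for s in stations.values():
        if s["rejected_by"]:  # the server answered: its policy and logs are next
            s["verdict"] = "rejected"
        elif s["rad_requests"] and s["server_timeouts"] >= s["rad_requests"]:
            s["verdict"] = "unanswered"  # every RADIUS request timed out
    return stations
```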