Contributor I
Posts: 80
Registered: ‎04-29-2013

AAA test successful, unable to connect to SSID

Well, I think the title says it all. I am using ClearPass as the RADIUS server. Here is an auth-tracebuf and user-debug. I'm at a loss as to what to look at next.

Thanks,

Russell

 

(QA01AARUBA01) #show log user-debug all

Mar 30 13:28:15 :501093:  <NOTI> |AP LAB-AP-2-ac:a3:1e:c3:3f:70@10.75.93.250 stm|  Auth success: 10:a5:d0:0e:13:91: AP 10.75.93.250-ac:a3:1e:b3:f7:10-LAB-AP-2-ac:a3:1e:c3:3f:70

Mar 30 13:28:15 :501095:  <NOTI> |AP LAB-AP-2-ac:a3:1e:c3:3f:70@10.75.93.250 stm|  Assoc request @ 13:28:15.405200: 10:a5:d0:0e:13:91 (SN 1751): AP 10.75.93.250-ac:a3:1e:b3:f7:10-LAB-AP-2-ac:a3:1e:c3:3f:70

Mar 30 13:28:15 :501100:  <NOTI> |stm|  Assoc success @ 13:28:15.442704: 10:a5:d0:0e:13:91: AP 10.75.93.250-ac:a3:1e:b3:f7:10-LAB-AP-2-ac:a3:1e:c3:3f:70

Mar 30 13:28:15 :501100:  <NOTI> |AP LAB-AP-2-ac:a3:1e:c3:3f:70@10.75.93.250 stm|  Assoc success @ 13:28:15.407246: 10:a5:d0:0e:13:91: AP 10.75.93.250-ac:a3:1e:b3:f7:10-LAB-AP-2-ac:a3:1e:c3:3f:70

Mar 30 13:28:15 :522295:  <DBUG> |authmgr|  Auth GSM : USER_STA event 0 for user 10:a5:d0:0e:13:91

Mar 30 13:28:15 :522035:  <INFO> |authmgr|  MAC=10:a5:d0:0e:13:91 Station UP: BSSID=ac:a3:1e:b3:f7:10 ESSID=LAB-INTERNAL VLAN=427 AP-name=LAB-AP-2-ac:a3:1e:c3:3f:70

Mar 30 13:28:15 :522077:  <DBUG> |authmgr|  MAC=10:a5:d0:0e:13:91 ingress 0x0x1000c (tunnel 12), u_encr 64, m_encr 64, slotport 0x0x2100 , type: remote, FW mode: 1, AP IP: 10.75.93.250 mdie 0 ft_complete 0

Mar 30 13:28:15 :522264:  <DBUG> |authmgr|  "MAC:10:a5:d0:0e:13:91: Allocating UUID: 2.

Mar 30 13:28:15 :522258:  <DBUG> |authmgr|  "VDR - Add to history of user user 10:a5:d0:0e:13:91 vlan 0 derivation_type Reset VLANs for Station up index 0.

Mar 30 13:28:15 :522255:  <DBUG> |authmgr|  "VDR - set vlan in user for 10:a5:d0:0e:13:91 vlan 427 fwdmode 0 derivation_type Default VLAN.

Mar 30 13:28:15 :522258:  <DBUG> |authmgr|  "VDR - Add to history of user user 10:a5:d0:0e:13:91 vlan 427 derivation_type Default VLAN index 1.

Mar 30 13:28:15 :522255:  <DBUG> |authmgr|  "VDR - set vlan in user for 10:a5:d0:0e:13:91 vlan 427 fwdmode 0 derivation_type Current VLAN updated.

Mar 30 13:28:15 :522258:  <DBUG> |authmgr|  "VDR - Add to history of user user 10:a5:d0:0e:13:91 vlan 427 derivation_type Current VLAN updated index 2.

Mar 30 13:28:15 :524141:  <DBUG> |authmgr|  clr_pmkcache_ft():988: MAC:10:a5:d0:0e:13:91 BSS:ac:a3:1e:b3:f7:10

Mar 30 13:28:15 :522287:  <DBUG> |authmgr|  Auth GSM : MAC_USER publish for mac 10:a5:d0:0e:13:91 bssid ac:a3:1e:b3:f7:10 vlan 427 type 1 data-ready 0

Mar 30 13:28:15 :522254:  <DBUG> |authmgr|  VDR - mac 10:a5:d0:0e:13:91 rolename logon fwdmode 1 derivation_type Initial Role Contained vp not present.

Mar 30 13:28:15 :522258:  <DBUG> |authmgr|  "VDR - Add to history of user user 10:a5:d0:0e:13:91 vlan 0 derivation_type Reset Role Based VLANs index 3.

Mar 30 13:28:15 :522083:  <DBUG> |authmgr|  Skip User-Derivation, mba:0 udr_exist:0,default_role:logon,pDefRole:0x0xfea874

Mar 30 13:28:15 :524124:  <DBUG> |authmgr|  dot1x_supplicant_up(): MAC:10:a5:d0:0e:13:91, pmkid_present:False, pmkid:N/A

Mar 30 13:28:15 :522096:  <DBUG> |authmgr|  10:a5:d0:0e:13:91: Sending STM new Role ACL : 2, and Vlan info: 427, action : 10, AP IP: 10.75.93.250, flags : 0 idle-timeout: 300

Mar 30 13:28:15 :522242:  <DBUG> |authmgr|  MAC=10:a5:d0:0e:13:91 Station Created Update MMS: BSSID=ac:a3:1e:b3:f7:10 ESSID=LAB-INTERNAL VLAN=427 AP-name=LAB-AP-2-ac:a3:1e:c3:3f:70

Mar 30 13:28:15 :522301:  <DBUG> |authmgr|  Auth GSM : USER publish for uuid 2 mac 10:a5:d0:0e:13:91 name  role logon devtype  wired 0 authtype 0 subtype 0  encrypt-type 10 conn-port 8448 fwd-mode 1

Mar 30 13:28:20 :522175:  <DBUG> |authmgr|  skipping mac : 10:a5:d0:0e:13:91, from AP : 10.75.93.250, with authtype : 802.1x.

Mar 30 13:28:22 :522258:  <DBUG> |authmgr|  "VDR - Add to history of user user 10:a5:d0:0e:13:91 vlan 0 derivation_type Reset all Auth VLANs index 4.

Mar 30 13:28:22 :522255:  <DBUG> |authmgr|  "VDR - set vlan in user for 10:a5:d0:0e:13:91 vlan 427 fwdmode 1 derivation_type Current VLAN updated.

Mar 30 13:28:22 :522258:  <DBUG> |authmgr|  "VDR - Add to history of user user 10:a5:d0:0e:13:91 vlan 427 derivation_type Current VLAN updated index 5.

Mar 30 13:28:22 :522260:  <DBUG> |authmgr|  "VDR - Cur VLAN updated 10:a5:d0:0e:13:91 mob 0 inform 1 remote 1 wired 0 defvlan 427 exportedvlan 0 curvlan 427.

Mar 30 13:28:22 :522030:  <INFO> |authmgr|  MAC=10:a5:d0:0e:13:91 Station deauthenticated: BSSID=ac:a3:1e:b3:f7:10, ESSID=LAB-INTERNAL

Mar 30 13:28:22 :522127:  <DBUG> |authmgr|  {L2} Update role from logon to logon for IP=0.0.0.0.

Mar 30 13:28:22 :522049:  <INFO> |authmgr|  MAC=10:a5:d0:0e:13:91,IP=N/A User role updated, existing Role=logon/none, new Role=logon/none, reason=Station is L2 deauthenticated

Mar 30 13:28:24 :501102:  <NOTI> |AP LAB-AP-2-ac:a3:1e:c3:3f:70@10.75.93.250 stm|  Disassoc from sta: 10:a5:d0:0e:13:91: AP 10.75.93.250-ac:a3:1e:b3:f7:10-LAB-AP-2-ac:a3:1e:c3:3f:70 Reason STA has left and is disassociated

Mar 30 13:28:24 :522296:  <DBUG> |authmgr|  Auth GSM : USER_STA delete event for user 10:a5:d0:0e:13:91 age 0 deauth_reason 8

Mar 30 13:28:24 :522036:  <INFO> |authmgr|  MAC=10:a5:d0:0e:13:91 Station DN: BSSID=ac:a3:1e:b3:f7:10 ESSID=LAB-INTERNAL VLAN=427 AP-name=LAB-AP-2-ac:a3:1e:c3:3f:70

Mar 30 13:28:24 :522152:  <DBUG> |authmgr|  station free: bssid=ac:a3:1e:b3:f7:10, @=0x0xcf5034.

Mar 30 13:28:24 :501000:  <DBUG> |AP LAB-AP-2-ac:a3:1e:c3:3f:70@10.75.93.250 stm|  Station 10:a5:d0:0e:13:91: Clearing state

Mar 30 13:28:24 :522244:  <DBUG> |authmgr|  MAC=10:a5:d0:0e:13:91 Station Deleted Update MMS

Mar 30 13:28:24 :522301:  <DBUG> |authmgr|  Auth GSM : USER publish for uuid 2 mac 10:a5:d0:0e:13:91 name  role logon devtype  wired 0 authtype 0 subtype 0  encrypt-type 10 conn-port 8448 fwd-mode 1

Mar 30 13:28:24 :522290:  <DBUG> |authmgr|  Auth GSM : MAC_USER delete for mac 10:a5:d0:0e:13:91

Mar 30 13:28:24 :522303:  <DBUG> |authmgr|  Auth GSM : USER delete for mac 10:a5:d0:0e:13:91 uuid 2

Mar 30 13:28:24 :522265:  <DBUG> |authmgr|  "MAC:10:a5:d0:0e:13:91: Deallocating UUID: 2.

Mar 30 13:28:24 :501000:  <DBUG> |stm|  Station 10:a5:d0:0e:13:91: Clearing state

Mar 30 13:28:24 :501102:  <NOTI> |stm|  Disassoc from sta: 10:a5:d0:0e:13:91: AP 10.75.93.250-ac:a3:1e:b3:f7:10-LAB-AP-2-ac:a3:1e:c3:3f:70 Reason STA has left and is disassociated

Mar 30 13:28:24 :501037:  <NOTI> |stm|  Station 10:a5:d0:0e:13:91: no association found trying to disassociate to BSSID ac:a3:1e:b3:f7:10 on AP LAB-AP-2-ac:a3:1e:c3:3f:70

 

(QA01AARUBA01) #    show auth-tracebuf

 

Warning: user-debug is enabled on one or more specific MAC addresses;

         only those MAC addresses appear in the trace buffer.

 

Auth Trace Buffer

-----------------

 

 

Mar 30 13:28:15  station-up             *  10:a5:d0:0e:13:91  ac:a3:1e:b3:f7:10              -   -    wpa2 aes

Mar 30 13:28:15  eap-id-req            <-  10:a5:d0:0e:13:91  ac:a3:1e:b3:f7:10              1   5

Mar 30 13:28:15  eap-id-resp           ->  10:a5:d0:0e:13:91  ac:a3:1e:b3:f7:10              1   12   davise1

Mar 30 13:28:15  rad-req               ->  10:a5:d0:0e:13:91  ac:a3:1e:b3:f7:10              9   214

Mar 30 13:28:20  dot1x-timeout          *  10:a5:d0:0e:13:91  ac:a3:1e:b3:f7:10              1   3    server timeout

Mar 30 13:28:20  dot1x-timeout          *  10:a5:d0:0e:13:91  ac:a3:1e:b3:f7:10              2   2    station timeout

Mar 30 13:28:20  eap-id-req            <-  10:a5:d0:0e:13:91  ac:a3:1e:b3:f7:10              2   5

Mar 30 13:28:20  eap-id-resp           ->  10:a5:d0:0e:13:91  ac:a3:1e:b3:f7:10              2   12   davise1

Mar 30 13:28:20  rad-req               ->  10:a5:d0:0e:13:91  ac:a3:1e:b3:f7:10              10  214

Mar 30 13:28:22  rad-reject            <-  10:a5:d0:0e:13:91  ac:a3:1e:b3:f7:10/CPPM-radius  10  20

Mar 30 13:28:22  eap-failure           <-  10:a5:d0:0e:13:91  ac:a3:1e:b3:f7:10              2   4    server rejected

Mar 30 13:28:24  station-down           *  10:a5:d0:0e:13:91  ac:a3:1e:b3:f7:10              -   -

 

(QA01AARUBA01) # aaa test-server mschapv2 CPPM-radius davise1 ***********

 

Authentication Successful

Regular Contributor I
Posts: 186
Registered: ‎10-20-2010

Re: AAA test successful, unable to connect to SSID

What do you see in Access Tracker of CPPM? Does your user get put into the correct role on the controller after passing authentication?

Valued Contributor II
Posts: 804
Registered: ‎12-01-2014

Re: AAA test successful, unable to connect to SSID

Hi,

We cannot figure out the issue without Access Tracker output. Generally in these scenarios, the client EAP configuration can be suspected; check whether the client is enabled with MSCHAPv2 and also verify the other EAP configuration on the client.

Please share the output of Access Tracker for that failed auth message.

Cheers,
Venu Puduchery,
[Did my post help you? Give Kudos :) ]
Contributor I
Posts: 80
Registered: ‎04-29-2013

Re: AAA test successful, unable to connect to SSID

I didn't want to leave this hanging. I am configuring the controller, and another person is configuring the ClearPass appliance. ClearPass had not had much config on it yet, so the devices were connecting, hitting ClearPass, ClearPass didn't know what to do with them, and they were dropping from the SSID.

 

Thanks for the replies.
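The trace buffer in the first post already shows which side ended the exchange. As an added example (not posted by anyone in this thread), the script below reads `show auth-tracebuf` text and reports, per station, which RADIUS requests went unanswered, which timeouts fired, and which server sent the reject. The column layout is inferred from the posted trace, and the `rad-accept` event name is an assumption because it does not appear in the thread.

```python
# Trace lines copied from the auth-tracebuf posted in this thread (whitespace condensed).
TRACE = """\
Mar 30 13:28:15  station-up     *  10:a5:d0:0e:13:91  ac:a3:1e:b3:f7:10  -  -  wpa2 aes
Mar 30 13:28:15  eap-id-req    <-  10:a5:d0:0e:13:91  ac:a3:1e:b3:f7:10  1  5
Mar 30 13:28:15  eap-id-resp   ->  10:a5:d0:0e:13:91  ac:a3:1e:b3:f7:10  1  12  davise1
Mar 30 13:28:15  rad-req       ->  10:a5:d0:0e:13:91  ac:a3:1e:b3:f7:10  9  214
Mar 30 13:28:20  dot1x-timeout  *  10:a5:d0:0e:13:91  ac:a3:1e:b3:f7:10  1  3  server timeout
Mar 30 13:28:20  dot1x-timeout  *  10:a5:d0:0e:13:91  ac:a3:1e:b3:f7:10  2  2  station timeout
Mar 30 13:28:20  eap-id-req    <-  10:a5:d0:0e:13:91  ac:a3:1e:b3:f7:10  2  5
Mar 30 13:28:20  eap-id-resp   ->  10:a5:d0:0e:13:91  ac:a3:1e:b3:f7:10  2  12  davise1
Mar 30 13:28:20  rad-req       ->  10:a5:d0:0e:13:91  ac:a3:1e:b3:f7:10  10  214
Mar 30 13:28:22  rad-reject    <-  10:a5:d0:0e:13:91  ac:a3:1e:b3:f7:10/CPPM-radius  10  20
Mar 30 13:28:22  eap-failure   <-  10:a5:d0:0e:13:91  ac:a3:1e:b3:f7:10  2  4  server rejected
Mar 30 13:28:24  station-down   *  10:a5:d0:0e:13:91  ac:a3:1e:b3:f7:10  -  -
"""

def triage(trace):
    """Summarise each station's 802.1X attempt from auth-tracebuf text."""
    stations = {}
    for line in trace.splitlines():
        f = line.split()
        # Columns: month day time event direction mac bssid[/server] id len [note]
        if len(f) < 9 or f[2].count(":") != 2:
            continue  # banner, warning or blank line
        event, mac, pkt_id, note = f[3], f[5], f[7], " ".join(f[9:])
        server = f[6].partition("/")[2]  # server name is appended to the BSSID on replies
        st = stations.setdefault(mac, {"unanswered": [], "timeouts": [],
                                       "rejected_by": None, "verdict": "incomplete"})
        if event == "rad-req":
            st["unanswered"].append(pkt_id)
        elif event.startswith("rad-"):  # any reply from the RADIUS server
            if pkt_id in st["unanswered"]:
                st["unanswered"].remove(pkt_id)
            if event == "rad-reject":
                st["rejected_by"], st["verdict"] = server or "unknown", "rejected"
            elif event == "rad-accept":  # assumed event name, not shown in the thread
                st["verdict"] = "accepted"
        elif event == "dot1x-timeout":
            st["timeouts"].append(note)
    return stations

if __name__ == "__main__":
    for mac, summary in triage(TRACE).items():
        print(mac, summary)
```

On the posted trace this reports request 9 as unanswered and request 10 as rejected by CPPM-radius, so the next place to look is the server's own record of that request.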
