Wireless Access

Regular Contributor II
Posts: 232
Registered: ‎03-14-2012

AP93H Ethernet Ports vs AAA Wired Profile

Hello All,

 

I seem to be experiencing a weird issue with the ENET1 to ENET4 Ports on the AP93H APs as it relates to my applied AAA Wired Profile.

 

On my AAA Profile, I have a Server Group which includes a RADIUS Server and the Internal DB (Controller's Database).

However, anytime I plug in my laptop to the Ports, and I input my Credentials which should match the Internal DB, it either works or keeps going into a loop asking me to re-input my Credentials.

 

Now, assuming it worked and I then unplugged and re-plugged my Laptop into the same Port but this time input the 2nd credential that I have in the Database, it either goes back into the loop cycle again or it fails my authentication.

 

Has anyone experienced this? Or is there something I'm doing wrong?

 

 

MVP
Posts: 4,231
Registered: ‎07-20-2011

Re: AP93H Ethernet Ports vs AAA Wired Profile

 

 

What AOS code are you using?

 

Can you please share your port config?

 

Please enable logging level debugging security process aaa and then share the show log security | include <devicemac>

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Regular Contributor II
Posts: 232
Registered: ‎03-14-2012

Re: AP93H Ethernet Ports vs AAA Wired Profile

I am running AOS 6.3.

 

See below:

 


aaa server-group "Aruba-RADIUS"
    allow-fail-through
    auth-server Internal
    auth-server RADIUS
!
aaa profile "Campus-WLAN-aaa_prof"
    authentication-dot1x "Aruba-dot1x"
    dot1x-default-role "Student"
    dot1x-server-group "Aruba-RADIUS"


ap wired-ap-profile "default"
    wired-ap-enable
    switchport access vlan 931
    switchport trunk native vlan 931


ap wired-port-profile "default"
    no rap-backup
    aaa-profile "Campus-WLAN-aaa_prof"
    spanning-tree

 

Aug 9 08:18:44 :199802: <ERRS> |authmgr| gsm_auth.c, auth_gsm_delete_mac_user:258: AUTH GSM: failed delete for mac-user 00:24:81:3b:db:46 with error ERROR_HTBL_KEY_NOT_FOUND
Aug 9 08:20:23 :132149: <ERRS> |authmgr| MAC User Table Lookup Failed mac=00:24:81:3b:db:46 bssid=01:80:c2:00:00:03

Regular Contributor II
Posts: 232
Registered: ‎03-14-2012

Re: AP93H Ethernet Ports vs AAA Wired Profile

What I have noticed too is that if I stop re-attempting to authenticate for a while and I come back to it, it finally works.

But I have to unplug and plug back in so that I get the window to input my credentials.

Regular Contributor II
Posts: 232
Registered: ‎03-14-2012

Re: AP93H Ethernet Ports vs AAA Wired Profile

Additional Info:

 

Aug 9 08:27:56 :132009: <ERRS> |authmgr| Station's dot1x context not initialized 00:24:81:3b:db:46 01:80:c2:00:00:03
Aug 9 08:27:56 :132030: <ERRS> |authmgr| Dropping EAPOL packet sent by Station 00:24:81:3b:db:46 01:80:c2:00:00:03
Aug 9 08:28:01 :199802: <ERRS> |authmgr| gsm_auth.c, auth_gsm_delete_mac_user:258: AUTH GSM: failed delete for mac-user 00:24:81:3b:db:46 with error ERROR_HTBL_KEY_NOT_FOUND
Aug 9 08:28:01 :132009: <ERRS> |authmgr| Station's dot1x context not initialized 00:24:81:3b:db:46 01:80:c2:00:00:03
Aug 9 08:28:01 :132030: <ERRS> |authmgr| Dropping EAPOL packet sent by Station 00:24:81:3b:db:46 01:80:c2:00:00:03
Aug 9 08:28:06 :199802: <ERRS> |authmgr| gsm_auth.c, auth_gsm_delete_mac_user:258: AUTH GSM: failed delete for mac-user 00:24:81:3b:db:46 with error ERROR_HTBL_KEY_NOT_FOUND
Aug 9 08:28:06 :132009: <ERRS> |authmgr| Station's dot1x context not initialized 00:24:81:3b:db:46 01:80:c2:00:00:03
Aug 9 08:28:06 :132030: <ERRS> |authmgr| Dropping EAPOL packet sent by Station 00:24:81:3b:db:46 01:80:c2:00:00:03
Aug 9 08:28:23 :199802: <ERRS> |authmgr| gsm_auth.c, auth_gsm_delete_mac_user:258: AUTH GSM: failed delete for mac-user 00:24:81:3b:db:46 with error ERROR_HTBL_KEY_NOT_FOUND

 

And all this time, it failed to authenticate me. Then I disabled and re-enabled the NIC and then got prompted to login. Then put in my credentials and then it continuously went through a loop without successfully authenticating me.
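An added example, not part of the original posts: a small Python triage script that reads authmgr lines in the format shown above and flags stations whose EAPOL frames are dropped repeatedly in a short window, which is the loop described in this thread. The second MAC in the wired log lines, 01:80:c2:00:00:03, is the IEEE 802.1X PAE group address. The thresholds, the assumed year, and the last sample line are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# First five lines are copied from the posts above; the last one is constructed.
SAMPLE_LOG = """\
Aug 9 08:27:56 :132009: <ERRS> |authmgr| Station's dot1x context not initialized 00:24:81:3b:db:46 01:80:c2:00:00:03
Aug 9 08:27:56 :132030: <ERRS> |authmgr| Dropping EAPOL packet sent by Station 00:24:81:3b:db:46 01:80:c2:00:00:03
Aug 9 08:28:01 :199802: <ERRS> |authmgr| gsm_auth.c, auth_gsm_delete_mac_user:258: AUTH GSM: failed delete for mac-user 00:24:81:3b:db:46 with error ERROR_HTBL_KEY_NOT_FOUND
Aug 9 08:28:01 :132030: <ERRS> |authmgr| Dropping EAPOL packet sent by Station 00:24:81:3b:db:46 01:80:c2:00:00:03
Aug 9 08:28:06 :132030: <ERRS> |authmgr| Dropping EAPOL packet sent by Station 00:24:81:3b:db:46 01:80:c2:00:00:03
Aug 9 08:28:10 :132030: <ERRS> |authmgr| Dropping EAPOL packet sent by Station 02:00:00:00:00:01 01:80:c2:00:00:03
"""
LINE_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) :(\d+): <(\w+)>\s+\|(\w+)\|\s+(.*)$")
MAC_RE = re.compile(r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}", re.I)
PAE_GROUP = "01:80:c2:00:00:03"  # 802.1X PAE group address, logged as "bssid" on wired ports
DROP_ID = "132030"               # "Dropping EAPOL packet" message id, as seen in the thread
ASSUMED_YEAR = 2000              # assumption: these timestamps carry no year

def parse(line):
    """Split one log line into timestamp, message id, process and station MAC."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, msg_id, _level, proc, text = m.groups()
    macs = [x.lower() for x in MAC_RE.findall(text)]
    station = next((x for x in macs if x != PAE_GROUP), None)
    when = datetime.strptime(f"{ASSUMED_YEAR} {ts}", "%Y %b %d %H:%M:%S")
    return {"when": when, "id": msg_id, "proc": proc,
            "station": station, "wired": PAE_GROUP in macs}

def eapol_drop_loops(log_text, min_drops=3, window_s=60):
    """Return {station: max drops inside any window_s span} for stations at or above min_drops."""
    drops = defaultdict(list)
    for rec in filter(None, map(parse, log_text.splitlines())):
        if rec["id"] == DROP_ID and rec["station"]:
            drops[rec["station"]].append(rec["when"])
    flagged = {}
    for mac, times in drops.items():
        times.sort()
        best = start = 0
        for end in range(len(times)):  # sliding window over sorted drop times
            while (times[end] - times[start]).total_seconds() > window_s:
                start += 1
            best = max(best, end - start + 1)
        if best >= min_drops:
            flagged[mac] = best
    return flagged

if __name__ == "__main__":
    print(eapol_drop_loops(SAMPLE_LOG))
```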

 

MVP
Posts: 4,231
Registered: ‎07-20-2011

Re: AP93H Ethernet Ports vs AAA Wired Profile


 

Please try removing the fail-through config and removing the RADIUS authentication if you are not using it and are just using the internal database, or remove the internal database and just leave RADIUS if you are planning to just use RADIUS.

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Regular Contributor II
Posts: 232
Registered: ‎03-14-2012

Re: AP93H Ethernet Ports vs AAA Wired Profile

Same thing.

 

Created another AAA profile that only has the Internal DB and tested on a different Laptop (MAC) and it fails.

 

 

MVP
Posts: 4,231
Registered: ‎07-20-2011

Re: AP93H Ethernet Ports vs AAA Wired Profile

 

You are doing 802.1x, right? Or MAC auth?

 

If you are doing 1x, are you doing PEAP termination on the controller?

 

Please read this

 

http://www.arubanetworks.com/techdocs/ArubaOS_60/UserGuide/802.1x.php

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Regular Contributor II
Posts: 232
Registered: ‎03-14-2012

Re: AP93H Ethernet Ports vs AAA Wired Profile

Finally found out what the issue is.

 

It has to do with the "User Idle Timeout" on the Controller. It's set to 5 mins!

MVP
Posts: 4,231
Registered: ‎07-20-2011

Re: AP93H Ethernet Ports vs AAA Wired Profile

Interesting

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA