Android not connecting to AP-205, controller is 7010, other devices work (802.1x EAP only)

  • 1.  Android not connecting to AP-205, controller is 7010, other devices work (802.1x EAP only)

    Posted May 10, 2016 05:10 PM

    I am currently in the process of setting up a 7010, with an existing configuration. Most devices connecting to the AP-205 work perfectly fine, except android phones, when attempting to connect through 802.1x.

    The Android phones connect perfectly fine when connecting through the public Virtual AP (which has no authentication), and every other device works fine on both the 802.1x (iphones and laptops) and the public VAP.

    The error message that appears is "ap currently not in use. internet connection slow"

     

    Anyone encounter this issue before?

     

    EDIT: I was able to find a different Android device to test with this, a Nexus that is running android 6.0.1. The other 2 android devices that did not work are both Samsung Galaxy S5's running 5.1.1



  • 2.  RE: Android not connecting to AP-205, controller is 7010, other devices work (802.1x EAP only)



  • 3.  RE: Android not connecting to AP-205, controller is 7010, other devices work (802.1x EAP only)

    Posted May 11, 2016 02:41 PM

    The android was able to connect to the virtual AP in question when I set a static IP. However, it had no internet access, and did not show up in the clients list on the mobility controller.

     

    Also for testing purposes, I upgraded one of the android devices from 5.1.1 to 6.0.1, however this did not resolve the issue.



  • 4.  RE: Android not connecting to AP-205, controller is 7010, other devices work (802.1x EAP only)

    Posted May 17, 2016 03:45 AM
    Hi,

    Is enforce dhcp enabled in AAA profile?

    Thanks!


  • 5.  RE: Android not connecting to AP-205, controller is 7010, other devices work (802.1x EAP only)

    Posted May 18, 2016 10:19 AM

    No, it is not.



  • 6.  RE: Android not connecting to AP-205, controller is 7010, other devices work (802.1x EAP only)

    EMPLOYEE
    Posted May 18, 2016 10:24 AM

    Well,

     

    There are plenty of Android Devices that connect using 802.1x on an Aruba Network from 4.x to 5.x to 6.x, so it works in many setups.  The question is, what is wrong with your setup?  You might have to open a TAC case or let us look at your logs to understand what is going wrong.  Otherwise, we will just end up guessing what your problem is, which could take a lot of time.



  • 7.  RE: Android not connecting to AP-205, controller is 7010, other devices work (802.1x EAP only)

    Posted May 18, 2016 10:29 AM

    What is the best way to go about grabbing a log file for this?



  • 8.  RE: Android not connecting to AP-205, controller is 7010, other devices work (802.1x EAP only)

    EMPLOYEE
    Posted May 18, 2016 10:36 AM

    - Find out the mac address of the device.

    - on the commandline of the controller, type:

    config t

    logging level debugging user-debug <mac address of device>

    - Try to connect the device

    - On the controller commandline type "show log user-debug all" and take a look at that log



  • 9.  RE: Android not connecting to AP-205, controller is 7010, other devices work (802.1x EAP only)

    Posted May 18, 2016 11:12 AM

    Here is a pastebin of the log: http://pastebin.com/tFUYHByr



  • 10.  RE: Android not connecting to AP-205, controller is 7010, other devices work (802.1x EAP only)

    EMPLOYEE
    Posted May 18, 2016 11:40 AM

    <NOTI> |AP SLS-HQ1@192.168.0.134 stm|  Disassoc from sta: fc:c2:de:16:ba:4a: AP 192.168.0.134-f0:5c:19:f7:05:81-SLS-HQ1 Reason STA has left and is disassociated

     

    The controller is getting the disassociation from the client.  If it is just 802.1x on android, you need to only specify the user identity and password.  Do not specify a CA certificate or any other settings.



  • 11.  RE: Android not connecting to AP-205, controller is 7010, other devices work (802.1x EAP only)

    Posted May 18, 2016 11:47 AM

    on the device, EAP method auto-completes as PEAP, I have phase 2 authentication set to none and CA certificate set to unspecified. Is there a way to unspecify PEAP, or should I change this to something else on the controller side?



  • 12.  RE: Android not connecting to AP-205, controller is 7010, other devices work (802.1x EAP only)

    EMPLOYEE
    Posted May 18, 2016 12:00 PM

    It should be PEAP if you are using PEAP.  That should be all that you need.



  • 13.  RE: Android not connecting to AP-205, controller is 7010, other devices work (802.1x EAP only)

    Posted May 18, 2016 12:01 PM

    Alrighty, well in that case no change to connectivity, still cannot connect via 802.1x with certain android devices. Anything else in the logs?



  • 14.  RE: Android not connecting to AP-205, controller is 7010, other devices work (802.1x EAP only)

    EMPLOYEE
    Posted May 18, 2016 12:03 PM

    I don't see anything besides the android device sending a deauth.  You could look on your radius server and see if there are any messages corresponding to that device to give you a clue.



  • 15.  RE: Android not connecting to AP-205, controller is 7010, other devices work (802.1x EAP only)

    Posted May 18, 2016 12:05 PM

    RADIUS server might be a clue as I do not use one. I use the internal database as the authentication, which I believe is configured properly as iphones and laptops can connect to the virtual AP using the same login credentials. Is there anything in the logs that say anything about this device trying to auth with a radius server?



  • 16.  RE: Android not connecting to AP-205, controller is 7010, other devices work (802.1x EAP only)

    EMPLOYEE
    Posted May 18, 2016 12:36 PM

    What version of ArubaOS are you using and how long has this solution been installed?

     



  • 17.  RE: Android not connecting to AP-205, controller is 7010, other devices work (802.1x EAP only)

    Posted May 18, 2016 12:42 PM

    6.4.3.7, it has been installed for about a week. The config was migrated from a 3200 mobility controller.



  • 18.  RE: Android not connecting to AP-205, controller is 7010, other devices work (802.1x EAP only)

    Posted May 18, 2016 01:23 PM

    From Logs provided, I see authentication is successful and user is put in SLS-Staff-auth role.

     

    May 18 09:08:38 :522038:  <INFO> |authmgr|  username=aaron MAC=fc:c2:de:16:ba:4a IP=0.0.0.0 Authentication result=Authentication Successful method=802.1x server=Internal

     

    May 18 09:08:38 :522050:  <INFO> |authmgr|  MAC=fc:c2:de:16:ba:4a,IP=N/A User data downloaded to datapath, new Role=SLS-Staff-auth/102, bw Contract=0/0, reason=Download driven by user role setting, idle-timeout=3600

     

    May 18 09:09:09 :522296:  <DBUG> |authmgr|  Auth GSM : USER_STA delete event for user fc:c2:de:16:ba:4a age 0 deauth_reason 8 ---> This could be due to the fact that the client was failing to get an IP address.

     

    I believe the logs were collected with the client not set with static IP. I believe it will be better if you provide the tech-support logs to understand the configuration.

    http://community.arubanetworks.com/t5/Controller-Based-WLANs/How-do-I-generate-logs-tar-with-tech-support-information/ta-p/178198

     

    Regards,

     

    Karthikeyan Mookkandi

     



  • 19.  RE: Android not connecting to AP-205, controller is 7010, other devices work (802.1x EAP only)

    Posted May 18, 2016 01:32 PM

    would not let me attach logs through this web form, here they are:

     

    https://drive.google.com/file/d/0ByYiVc_v534IWFFLcUxyM2JRTGs/view?usp=sharing



  • 20.  RE: Android not connecting to AP-205, controller is 7010, other devices work (802.1x EAP only)

    Posted May 18, 2016 02:57 PM

    I see 'a' band is disabled on controller. Is there any reason for that? Galaxy s5 is dual band capable device. Please check if it's the same behavior in a band.



  • 21.  RE: Android not connecting to AP-205, controller is 7010, other devices work (802.1x EAP only)

    Posted May 18, 2016 03:02 PM

    @keya_n wrote:

    I see 'a' band is disabled on controller. Is there any reason for that? Galaxy s5 is dual band capable device. Please check if it's the same behavior in a band.


    Hi Keya, not sure what you mean by this, if you mean 802.1a as in 'a' band. It is, or at least should be, enabled, and I am not sure how to go about toggling this.



  • 22.  RE: Android not connecting to AP-205, controller is 7010, other devices work (802.1x EAP only)

    EMPLOYEE
    Posted May 18, 2016 03:09 PM

    The 802.11a radio is disabled because you have this:

     

    rf dot11a-radio-profile "SLS-802.11a"
    no radio-enable

     



  • 23.  RE: Android not connecting to AP-205, controller is 7010, other devices work (802.1x EAP only)

    EMPLOYEE
    Posted May 18, 2016 03:13 PM

    Your device is somehow not completing the 4-way handshake:

     

    7488:May 18 09:08:37  station-up             *  fc:c2:de:16:ba:4a  f0:5c:19:f7:05:81                          -  -    wpa2 aes
    7489:May 18 09:08:37  station-term-start     *  fc:c2:de:16:ba:4a  f0:5c:19:f7:05:81                          1  -    
    7490:May 18 09:08:37  client-finish         ->  fc:c2:de:16:ba:4a  f0:5c:19:f7:05:81/SLS-Staff-dot1x-profile  -  -    
    7491:May 18 09:08:37  server-finish         <-  fc:c2:de:16:ba:4a  f0:5c:19:f7:05:81/SLS-Staff-dot1x-profile  -  61   
    7492:May 18 09:08:37  server-finish-ack     ->  fc:c2:de:16:ba:4a  f0:5c:19:f7:05:81/SLS-Staff-dot1x-profile  -  -    
    7493:May 18 09:08:37  inner-eap-id-req      <-  fc:c2:de:16:ba:4a  f0:5c:19:f7:05:81/SLS-Staff-dot1x-profile  -  35   
    7494:May 18 09:08:37  inner-eap-id-resp     ->  fc:c2:de:16:ba:4a  f0:5c:19:f7:05:81/SLS-Staff-dot1x-profile  -  -    aaron
    7495:May 18 09:08:37  eap-mschap-chlg       <-  fc:c2:de:16:ba:4a  f0:5c:19:f7:05:81/SLS-Staff-dot1x-profile  -  67   
    7496:May 18 09:08:37  eap-mschap-response   ->  fc:c2:de:16:ba:4a  f0:5c:19:f7:05:81/SLS-Staff-dot1x-profile  8  49   
    7497:May 18 09:08:37  mschap-request        ->  fc:c2:de:16:ba:4a  f0:5c:19:f7:05:81/SLS-Staff-dot1x-profile  8  -    aaron
    7498:May 18 09:08:37  mschap-response       <-  fc:c2:de:16:ba:4a  f0:5c:19:f7:05:81/Internal                 -  -    aaron
    7499:May 18 09:08:37  eap-mschap-success    <-  fc:c2:de:16:ba:4a  f0:5c:19:f7:05:81/SLS-Staff-dot1x-profile  -  83   
    7500:May 18 09:08:37  eap-mschap-success-ack->  fc:c2:de:16:ba:4a  f0:5c:19:f7:05:81/SLS-Staff-dot1x-profile  -  -    
    7501:May 18 09:08:37  eap-tlv-rslt-success  <-  fc:c2:de:16:ba:4a  f0:5c:19:f7:05:81/SLS-Staff-dot1x-profile  -  43   
    7502:May 18 09:08:37  eap-tlv-rslt-success  ->  fc:c2:de:16:ba:4a  f0:5c:19:f7:05:81                          -  2    
    7503:May 18 09:08:37  eap-success           <-  fc:c2:de:16:ba:4a  f0:5c:19:f7:05:81/SLS-Staff-dot1x-profile  -  4    
    7504:May 18 09:08:37  wpa2-key1             <-  fc:c2:de:16:ba:4a  f0:5c:19:f7:05:81                          -  117  
    7505:May 18 09:08:37  wpa2-key2             ->  fc:c2:de:16:ba:4a  f0:5c:19:f7:05:81                          -  117  
    7506:May 18 09:08:37  wpa2-key3             <-  fc:c2:de:16:ba:4a  f0:5c:19:f7:05:81                          -  151  
    7507:May 18 09:08:38  wpa2-key4             ->  fc:c2:de:16:ba:4a  f0:5c:19:f7:05:81                          -  95   
    7508:May 18 09:09:08  station-down           *  fc:c2:de:16:ba:4a  f0:5c:19:f7:05:81                          -  -    
    7509:May 18 09:09:10  station-up             *  fc:c2:de:16:ba:4a  f0:5c:19:f7:05:81                          -  -    wpa2 aes
    7510:May 18 09:09:10  wpa2-key1             <-  fc:c2:de:16:ba:4a  f0:5c:19:f7:05:81                          -  117  
    7511:May 18 09:09:10  wpa2-key2             ->  fc:c2:de:16:ba:4a  f0:5c:19:f7:05:81                          -  135  
    7512:May 18 09:09:10  wpa2-key3             <-  fc:c2:de:16:ba:4a  f0:5c:19:f7:05:81                          -  151  
    7513:May 18 09:09:10  wpa2-key4             ->  fc:c2:de:16:ba:4a  f0:5c:19:f7:05:81                          -  95
    7514:May 18 09:09:58  station-down           *  fc:c2:de:16:ba:4a  f0:5c:19:f7:05:81                          -  -
    7515:May 18 09:10:15  station-up             *  fc:c2:de:16:ba:4a  f0:5c:19:f7:05:81                          -  -    wpa2 aes
    7516:May 18 09:10:15  wpa2-key1             <-  fc:c2:de:16:ba:4a  f0:5c:19:f7:05:81                          -  117
    7517:May 18 09:10:16  wpa2-key1             <-  fc:c2:de:16:ba:4a  f0:5c:19:f7:05:81                          -  117
    7518:May 18 09:10:16  wpa2-key2             ->  fc:c2:de:16:ba:4a  f0:5c:19:f7:05:81                          -  135
    7519:May 18 09:10:16  wpa2-key3             <-  fc:c2:de:16:ba:4a  f0:5c:19:f7:05:81                          -  151
    7520:May 18 09:10:16  wpa2-key4             ->  fc:c2:de:16:ba:4a  f0:5c:19:f7:05:81                          -  95
    7521:May 18 09:10:48  station-down           *  fc:c2:de:16:ba:4a  f0:5c:19:f7:05:81                          -  -
    7522:May 18 09:10:49  station-up             *  fc:c2:de:16:ba:4a  f0:5c:19:f7:05:81                          -  -    wpa2 aes
    7523:May 18 09:10:49  wpa2-key1             <-  fc:c2:de:16:ba:4a  f0:5c:19:f7:05:81                          -  117
    7524:May 18 09:10:49  wpa2-key2             ->  fc:c2:de:16:ba:4a  f0:5c:19:f7:05:81                          -  135
    7525:May 18 09:10:49  wpa2-key3             <-  fc:c2:de:16:ba:4a  f0:5c:19:f7:05:81                          -  151
    7526:May 18 09:10:49  wpa2-key4             ->  fc:c2:de:16:ba:4a  f0:5c:19:f7:05:81                          -  95
    7527:May 18 09:11:56  station-down           *  fc:c2:de:16:ba:4a  f0:5c:19:f7:05:81                          -  -
    7528:May 18 09:13:00  station-up             *  fc:c2:de:16:ba:4a  f0:5c:19:f7:05:81                          -  -    wpa2 aes
    7529:May 18 09:13:00  wpa2-key1             <-  fc:c2:de:16:ba:4a  f0:5c:19:f7:05:81                          -  117
    7530:May 18 09:13:00  wpa2-key2             ->  fc:c2:de:16:ba:4a  f0:5c:19:f7:05:81                          -  135
    7531:May 18 09:13:00  wpa2-key3             <-  fc:c2:de:16:ba:4a  f0:5c:19:f7:05:81                          -  151
    7532:May 18 09:13:00  wpa2-key4             ->  fc:c2:de:16:ba:4a  f0:5c:19:f7:05:81                          -  95
    7533:May 18 09:13:00  station-down           *  fc:c2:de:16:ba:4a  f0:5c:19:f7:05:81                          -  -
    7534:May 18 09:46:15  station-up             *  fc:c2:de:16:ba:4a  f0:5c:19:f7:05:81                          -  -    wpa2 aes
    7535:May 18 09:46:15  station-term-start     *  fc:c2:de:16:ba:4a  f0:5c:19:f7:05:81                          1  -
    7536:May 18 09:46:18  station-down           *  fc:c2:de:16:ba:4a  f0:5c:19:f7:05:81                          -  -
    7537:May 18 09:46:23  station-up             *  fc:c2:de:16:ba:4a  f0:5c:19:f7:05:81                          -  -    wpa2 aes
    7538:May 18 09:46:23  station-term-start     *  fc:c2:de:16:ba:4a  f0:5c:19:f7:05:81                          1  -
    7539:May 18 09:46:23  station-down           *  fc:c2:de:16:ba:4a  f0:5c:19:f7:05:81                          -  -
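
Added example (not written by any poster in this thread and not vendor tooling): a Python script that groups trace lines in the format quoted above into per-station sessions, then reports whether `eap-success` and all four `wpa2-key` frames were logged and how many seconds passed between the last key frame and `station-down`. The sample lines, MAC addresses, profile name, label strings and the `year` default are constructed assumptions.

```python
import re
from datetime import datetime

# Line shape as in the trace quoted above: [n:]Mon DD HH:MM:SS event dir station bssid[/profile] ...
LINE = re.compile(r"^\s*(?:\d+:)?(?P<ts>[A-Z][a-z]{2}\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P<event>[a-z0-9-]+?)\s*"
                  r"(?:\*|->|<-)\s+(?P<sta>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s")
KEYS = {"wpa2-key1", "wpa2-key2", "wpa2-key3", "wpa2-key4"}

# Constructed sample (made-up MACs, profile name and timings), not the poster's log.
SAMPLE = """\
101:May 18 10:00:00  station-up     *  02:00:00:aa:bb:01  02:00:00:cc:dd:01  -  -  wpa2 aes
102:May 18 10:00:00  eap-success   <-  02:00:00:aa:bb:01  02:00:00:cc:dd:01/example-dot1x  -  4
103:May 18 10:00:00  wpa2-key1     <-  02:00:00:aa:bb:01  02:00:00:cc:dd:01  -  117
104:May 18 10:00:00  wpa2-key2     ->  02:00:00:aa:bb:01  02:00:00:cc:dd:01  -  117
105:May 18 10:00:00  wpa2-key3     <-  02:00:00:aa:bb:01  02:00:00:cc:dd:01  -  151
106:May 18 10:00:01  wpa2-key4     ->  02:00:00:aa:bb:01  02:00:00:cc:dd:01  -  95
107:May 18 10:00:31  station-down   *  02:00:00:aa:bb:01  02:00:00:cc:dd:01  -  -
108:May 18 10:00:40  station-up     *  02:00:00:aa:bb:01  02:00:00:cc:dd:01  -  -  wpa2 aes
109:May 18 10:00:43  station-down   *  02:00:00:aa:bb:01  02:00:00:cc:dd:01  -  -
110:May 18 10:01:00  station-up     *  02:00:00:aa:bb:02  02:00:00:cc:dd:01  -  -  wpa2 aes
111:May 18 10:01:00  wpa2-key1     <-  02:00:00:aa:bb:02  02:00:00:cc:dd:01  -  117
"""

def sessions(text, year=2016):
    """Group lines into station-up .. station-down sessions; the trace carries no year."""
    done, live = [], {}
    for raw in text.splitlines():
        if not (m := LINE.match(raw)):
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        sta, event = m["sta"], m["event"]
        if event == "station-up":
            if sta in live:  # earlier session never logged station-down
                done.append(live.pop(sta))
            live[sta] = {"sta": sta, "eap": False, "keys": {}, "down": None}
        elif sta not in live:
            continue  # station-up for this station is outside the capture
        elif event == "eap-success":
            live[sta]["eap"] = True
        elif event in KEYS:
            live[sta]["keys"][event] = ts  # a retransmitted frame keeps the latest time
        elif event == "station-down":
            done.append({**live.pop(sta), "down": ts})
    return done + list(live.values())

def classify(s):
    """Return (label, seconds from the last key frame to station-down, if any)."""
    if set(s["keys"]) != KEYS:
        return ("handshake-incomplete" if s["keys"] else "no-key-exchange", None)
    gap = int((s["down"] - max(s["keys"].values())).total_seconds()) if s["down"] else None
    return ("four-way-complete", gap)

def summarize(text):
    return [(s["sta"], s["eap"]) + classify(s) for s in sessions(text)]
```

`summarize()` returns one `(station, eap_seen, label, gap_seconds)` tuple per session, so a session that completes all four key frames and still drops shortly afterwards stands out from one that never reaches the key exchange.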


  • 24.  RE: Android not connecting to AP-205, controller is 7010, other devices work (802.1x EAP only)

    Posted May 18, 2016 03:23 PM

    I have enabled the a radio on this AP, unfortunately it did not make a difference in the connection. Is there a way to investigate as to where this device is hanging up in the authentication process?



  • 25.  RE: Android not connecting to AP-205, controller is 7010, other devices work (802.1x EAP only)

    EMPLOYEE
    Posted May 18, 2016 03:30 PM

    I can only advise that you use a real radius server and not termination.  Termination was a workaround for people who could not get a radius server up and running for testing, or were forced to use ldap and additional software to do EAP-GTC.  If you have an NPS server in your domain, I suggest you follow the instructions here for a long-term solution.  http://community.arubanetworks.com/t5/ArubaOS-and-Controllers/Step-by-Step-How-to-Configure-Microsoft-NPS-2008-Radius-Server/m-p/14392/highlight/true#M6113

     

    To enable the radio, I would do this:

     

    config t

    rf dot11a-radio-profile "SLS-802.11a"
    radio-enable



  • 26.  RE: Android not connecting to AP-205, controller is 7010, other devices work (802.1x EAP only)

    EMPLOYEE
    Posted May 18, 2016 02:58 PM

    Which SSID?

     



  • 27.  RE: Android not connecting to AP-205, controller is 7010, other devices work (802.1x EAP only)

    Posted May 18, 2016 02:59 PM

    SLS-Staff is the SSID that is having the issue. The android device connects to SLS-Public perfectly fine.



  • 28.  RE: Android not connecting to AP-205, controller is 7010, other devices work (802.1x EAP only)
    Best Answer

    EMPLOYEE
    Posted May 18, 2016 04:08 PM

    @AaronDallaLonga wrote:

    on the device, EAP method auto-completes as PEAP, I have phase 2 authentication set to none and CA certificate set to unspecified. Is there a way to unspecify PEAP, or should I change this to something else on the controller side?


    On the more recent versions of Android, you should set Phase 2 to MSCHAPv2.



  • 29.  RE: Android not connecting to AP-205, controller is 7010, other devices work (802.1x EAP only)

    Posted May 18, 2016 04:16 PM

    @Michael_Clarke wrote:

    @AaronDallaLonga wrote:

    on the device, EAP method auto-completes as PEAP, I have phase 2 authentication set to none and CA certificate set to unspecified. Is there a way to unspecify PEAP, or should I change this to something else on the controller side?


    On the more recent versions of Android, you should set Phase 2 to MSCHAPv2.


    Hi Michael. Thanks a ton! This was the cause of the issue.



  • 30.  RE: Android not connecting to AP-205, controller is 7010, other devices work (802.1x EAP only)

    Posted May 20, 2016 12:56 PM

    Many legacy android devices just do not connect.

    I opened a TAC case and "the issue is the device"... we have a lot of students with that type of device (no more OS updates available: "already have the last OS update for your device") that have 802.11g and some early 802.11n.... Some details: The WPA-PSK ESSID in the same AP/Group connects fine. The device was restored to factory default and then updated to "last". We did troubleshoot in NPS and Controller.

     

    Old post yes but... just writing... (the Subject Pops UP and my eyes poses here :P )



  • 31.  RE: Android not connecting to AP-205, controller is 7010, other devices work (802.1x EAP only)

    EMPLOYEE
    Posted May 20, 2016 12:58 PM

    Are you saying that you used NPS to authenticate and turned termination off?