Wireless Access

User can't get 802.1x authentication and IP address when the controller relocate to another building (Data center B)but at the same location, but when controller at the original building (Data Center A) user can get 802.1x authentication.  May i know on Aruba controller have any command line can show the activity or log during the user try to get 802.1x authentication?

 

According the my customer info, they said the network VLAN configure should be the same for both data center.

 

Please advise

Authentication comes from the controller that he access point is connected to. Does the user have both controllers listed as radius clients in your server?

He should check the event viewer on the radius server. He should also type "show auth-tracebuf" on the command line of the controller having the issue.

ok, i will try "show auth-tracebuf" command line.

 

Radius server already have radius client which for the controller.

 

When the laptop connect to SSID with 802.1x authentication, the user stuck at "Logon- Control" role it does not go to "Authenticated" role.

Hi here is output from the "Show Auth-tracebuf"

 

What is the meaning of m-auth resp"?

Oct 29 18:02:40 station-up * 00:1f:e1:cf:0f:a4 d8:c7:c8:ec:0b:e8 - - wpa2 aes
Oct 29 18:02:40 eap-id-req <- 00:1f:e1:cf:0f:a4 d8:c7:c8:ec:0b:e8 1 5
Oct 29 18:02:41 eap-start -> 00:1f:e1:cf:0f:a4 d8:c7:c8:ec:0b:e8 - -
Oct 29 18:02:41 eap-id-req <- 00:1f:e1:cf:0f:a4 d8:c7:c8:ec:0b:e8 1 5
Oct 29 18:02:41 eap-id-resp -> 00:1f:e1:cf:0f:a4 d8:c7:c8:ec:0b:e8 1 10 chtin
Oct 29 18:02:41 rad-req -> 00:1f:e1:cf:0f:a4 d8:c7:c8:ec:0b:e8 122 184
Oct 29 18:02:41 rad-resp <- 00:1f:e1:cf:0f:a4 d8:c7:c8:ec:0b:e8/kch-dc02 122 90
Oct 29 18:02:41 eap-req <- 00:1f:e1:cf:0f:a4 d8:c7:c8:ec:0b:e8 2 6
Oct 29 18:02:41 eap-resp -> 00:1f:e1:cf:0f:a4 d8:c7:c8:ec:0b:e8 2 112
Oct 29 18:02:41 rad-req -> 00:1f:e1:cf:0f:a4 d8:c7:c8:ec:0b:e8/kch-dc02 123 324
Oct 29 18:02:41 rad-resp <- 00:1f:e1:cf:0f:a4 d8:c7:c8:ec:0b:e8/kch-dc02 123 1188
Oct 29 18:02:41 eap-req <- 00:1f:e1:cf:0f:a4 d8:c7:c8:ec:0b:e8 3 1096
Oct 29 18:02:41 eap-resp -> 00:1f:e1:cf:0f:a4 d8:c7:c8:ec:0b:e8 3 6
Oct 29 18:02:41 rad-req -> 00:1f:e1:cf:0f:a4 d8:c7:c8:ec:0b:e8/kch-dc02 124 218
Oct 29 18:02:41 rad-resp <- 00:1f:e1:cf:0f:a4 d8:c7:c8:ec:0b:e8/kch-dc02 124 1188
Oct 29 18:02:41 eap-req <- 00:1f:e1:cf:0f:a4 d8:c7:c8:ec:0b:e8 4 1096
Oct 29 18:02:41 eap-resp -> 00:1f:e1:cf:0f:a4 d8:c7:c8:ec:0b:e8 4 6
Oct 29 18:02:41 rad-req -> 00:1f:e1:cf:0f:a4 d8:c7:c8:ec:0b:e8/kch-dc02 125 218
Oct 29 18:02:41 rad-resp <- 00:1f:e1:cf:0f:a4 d8:c7:c8:ec:0b:e8/kch-dc02 125 1188
Oct 29 18:02:41 eap-req <- 00:1f:e1:cf:0f:a4 d8:c7:c8:ec:0b:e8 5 1096
Oct 29 18:02:41 eap-resp -> 00:1f:e1:cf:0f:a4 d8:c7:c8:ec:0b:e8 5 6
Oct 29 18:02:41 rad-req -> 00:1f:e1:cf:0f:a4 d8:c7:c8:ec:0b:e8/kch-dc02 126 218
Oct 29 18:02:41 rad-resp <- 00:1f:e1:cf:0f:a4 d8:c7:c8:ec:0b:e8/kch-dc02 126 252
Oct 29 18:02:41 eap-req <- 00:1f:e1:cf:0f:a4 d8:c7:c8:ec:0b:e8 6 168
Oct 29 18:02:41 eap-resp -> 00:1f:e1:cf:0f:a4 d8:c7:c8:ec:0b:e8 6 348
Oct 29 18:02:41 rad-req -> 00:1f:e1:cf:0f:a4 d8:c7:c8:ec:0b:e8/kch-dc02 127 562
Oct 29 18:02:41 rad-resp <- 00:1f:e1:cf:0f:a4 d8:c7:c8:ec:0b:e8/kch-dc02 127 153
Oct 29 18:02:41 eap-req <- 00:1f:e1:cf:0f:a4 d8:c7:c8:ec:0b:e8 7 69
Oct 29 18:02:41 eap-resp -> 00:1f:e1:cf:0f:a4 d8:c7:c8:ec:0b:e8 7 6
Oct 29 18:02:41 rad-req -> 00:1f:e1:cf:0f:a4 d8:c7:c8:ec:0b:e8/kch-dc02 65408 218
Oct 29 18:02:41 rad-resp <- 00:1f:e1:cf:0f:a4 d8:c7:c8:ec:0b:e8/kch-dc02 65408 127
Oct 29 18:02:41 eap-req <- 00:1f:e1:cf:0f:a4 d8:c7:c8:ec:0b:e8 8 43
Oct 29 18:02:41 eap-resp -> 00:1f:e1:cf:0f:a4 d8:c7:c8:ec:0b:e8 8 80
Oct 29 18:02:41 rad-req -> 00:1f:e1:cf:0f:a4 d8:c7:c8:ec:0b:e8/kch-dc02 65409 292
Oct 29 18:02:41 rad-resp <- 00:1f:e1:cf:0f:a4 d8:c7:c8:ec:0b:e8/kch-dc02 65409 143
Oct 29 18:02:41 eap-req <- 00:1f:e1:cf:0f:a4 d8:c7:c8:ec:0b:e8 9 59
Oct 29 18:02:41 eap-resp -> 00:1f:e1:cf:0f:a4 d8:c7:c8:ec:0b:e8 9 80
Oct 29 18:02:41 rad-req -> 00:1f:e1:cf:0f:a4 d8:c7:c8:ec:0b:e8/kch-dc02 65410 292
Oct 29 18:02:41 rad-resp <- 00:1f:e1:cf:0f:a4 d8:c7:c8:ec:0b:e8/kch-dc02 65410 159
Oct 29 18:02:41 eap-req <- 00:1f:e1:cf:0f:a4 d8:c7:c8:ec:0b:e8 10 75
Oct 29 18:02:41 eap-resp -> 00:1f:e1:cf:0f:a4 d8:c7:c8:ec:0b:e8 10 144
Oct 29 18:02:41 rad-req -> 00:1f:e1:cf:0f:a4 d8:c7:c8:ec:0b:e8/kch-dc02 65411 356
Oct 29 18:02:41 rad-resp <- 00:1f:e1:cf:0f:a4 d8:c7:c8:ec:0b:e8/kch-dc02 65411 175
Oct 29 18:02:41 eap-req <- 00:1f:e1:cf:0f:a4 d8:c7:c8:ec:0b:e8 11 91
Oct 29 18:02:41 eap-resp -> 00:1f:e1:cf:0f:a4 d8:c7:c8:ec:0b:e8 11 80
Oct 29 18:02:41 rad-req -> 00:1f:e1:cf:0f:a4 d8:c7:c8:ec:0b:e8/kch-dc02 65412 292
Oct 29 18:02:41 rad-resp <- 00:1f:e1:cf:0f:a4 d8:c7:c8:ec:0b:e8/kch-dc02 65412 191
Oct 29 18:02:41 eap-req <- 00:1f:e1:cf:0f:a4 d8:c7:c8:ec:0b:e8 13 107
Oct 29 18:02:41 eap-resp -> 00:1f:e1:cf:0f:a4 d8:c7:c8:ec:0b:e8 13 80
Oct 29 18:02:41 rad-req -> 00:1f:e1:cf:0f:a4 d8:c7:c8:ec:0b:e8/kch-dc02 65413 292
Oct 29 18:02:41 rad-accept <- 00:1f:e1:cf:0f:a4 d8:c7:c8:ec:0b:e8/kch-dc02 65413 318
Oct 29 18:02:41 eap-success <- 00:1f:e1:cf:0f:a4 d8:c7:c8:ec:0b:e8 13 4
Oct 29 18:02:41 station-data-ready * 00:1f:e1:cf:0f:a4 00:00:00:00:00:00 1 -
Oct 29 18:02:41 m-auth req * 00:1f:e1:cf:0f:a4 d8:c7:c8:ec:0b:e8 - -
Oct 29 18:02:41 station-data-ready * 00:1f:e1:cf:0f:a4 00:00:00:00:00:00 1 -
Oct 29 18:02:41 m-auth resp * 00:1f:e1:cf:0f:a4 d8:c7:c8:ec:0b:e8 - - failed
Oct 29 18:02:41 wpa2-key1 <- 00:1f:e1:cf:0f:a4 d8:c7:c8:ec:0b:e8 - 117
Oct 29 18:02:42 wpa2-key1 <- 00:1f:e1:cf:0f:a4 d8:c7:c8:ec:0b:e8 - 117
Oct 29 18:02:42 wpa2-key2 -> 00:1f:e1:cf:0f:a4 d8:c7:c8:ec:0b:e8 - 117
Oct 29 18:02:42 wpa2-key3 <- 00:1f:e1:cf:0f:a4 d8:c7:c8:ec:0b:e8 - 151
Oct 29 18:02:42 wpa2-key4 -> 00:1f:e1:cf:0f:a4 d8:c7:c8:ec:0b:e8 - 95

That means you have "Enforce Machine Authentication" configured in the 802.1x profile and your machine is not one that passed machine authentication, so it will probably be assigned the machine authentication user role.  That role might be assigned to a VLAN that is not present on the second controller, and that might be your problem.