Wireless Access

Reply
Contributor II
Posts: 72
Registered: ‎05-22-2011

Client Authentication Problem and RADIUS

Hello,

 

We have clients authenticating to a RADIUS server using certificates. We are seeing that the radius server is sending the RADIUS Accept message but the EAP SUCCES message from the controller to the client is not being generated/sent. We used the show auth tracebuf command to look at these messages. Is it possible to dig further into what the Radius Accept message contains using the aruba controller? I am curious if something incomplete is within the Radius accept message that is not enough for the controller to generate the Eap Sucess. Anyone who encountered this error before? Your help would be much appreciated. Thanks.

Guru Elite
Posts: 20,789
Registered: ‎03-29-2007

Re: Client Authentication Problem and RADIUS

On the Aruba Controller, turn on debugging for that specific client:

 

config t

logging level debug user-debug <mac address of client>

 

 

Then, type "show auth-tracebuf mac <mac address of client>" to see the messages going back and forth.

 

Make sure that client, if it has "Validate Server Certificate" configured indeed does have the radius server certficate trusted.

 



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Contributor II
Posts: 72
Registered: ‎05-22-2011

Re: Client Authentication Problem and RADIUS

Actually we used show auth-tracebuf mac <client's MAC> and we are seeing radius accept but not the eap success after the radius success. Also under process logs we are seeing <INFO> |authmgr| Authentication result=Authentication Successful(0) which if I understand it correctly, the user is successfully authenticated. Any thoughts?

Guru Elite
Posts: 20,789
Registered: ‎03-29-2007

Re: Client Authentication Problem and RADIUS

check to make sure your client has  "validate server certificate" unchecked as a test.  Your client might not trust your radius server's certificate.



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Contributor II
Posts: 72
Registered: ‎05-22-2011

Re: Client Authentication Problem and RADIUS

We did, and we tried it with validate server cert as well and verified that the root cert is added in the trusted root...

Guru Elite
Posts: 20,789
Registered: ‎03-29-2007

Re: Client Authentication Problem and RADIUS

Is that the only client with the issue?  Has this ever worked?  Does the AAA Test from the controller work?  What kind of client is this?



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Contributor II
Posts: 72
Registered: ‎05-22-2011

Re: Client Authentication Problem and RADIUS

Hello,

 

Yes this was working before. No clients can authenticate. Clients are laptop computers with at least windows 7..

Guru Elite
Posts: 20,789
Registered: ‎03-29-2007

Re: Client Authentication Problem and RADIUS

Well,

 

What has changed since?  What triggered this?



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Contributor II
Posts: 72
Registered: ‎05-22-2011

Re: Client Authentication Problem and RADIUS

It very likely the radius server, it is just that I am trying to find a way to prove it to the RADIUS guy....So I would like to know if there is a way to further identify why the controller won't generate the EAP SUCCESS message when it receives the RADIUS ACCEPT message..

Guru Elite
Posts: 20,789
Registered: ‎03-29-2007

Re: Client Authentication Problem and RADIUS

Unfortunately, the answer to that question is dependent on the events in the radius server.  Authentication is one thing, but key exchange is another, and the radius server participates in that after authentication.  We need to see the radius server logs to determine between the client and the radius server, what is the problem...



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Search Airheads
Showing results for 
Search instead for 
Did you mean: