Hi,
I’m experiencing weird issues with 802.1X/EAP-TLS authentication and AP205 running AOS 6.4.2.3 (620 and 7010 controllers) on a newer set of machines with W8.1. This only occurs on the 5 GHz band; 2.4 GHz works just fine on all devices. Other tested units such as older machines on 802.11a, Android devices on 4.2.2 and 4.4.3, and iPhones work just fine with AP205. It seems like the TLS handshake doesn’t properly finish according to the FreeRADIUS logs, and debugging the Aruba controller gives me a response of 6, which would mean there’s something about the (lacking) challenge response. The strange thing is that it works just fine with all the other tested Campus APs (105, 125) and RAPs (RAP3, RAP109) with the same set of configuration (AP Group). I have tried terminating the APs on both master and local controller with the same behavior.
As a result of the failure in connecting, the client’s WLAN NIC seems to crash and it stops listing available SSIDs. Disabling/enabling or rebooting gets the NIC operational, but it crashes every time the client attempts to reconnect to the AP-205 in question.
Briefly described:
• Same issues when running AOS 6.4.2.2 and 6.4.2.3
• Older machine with EAP-TLS and Android/iOS with EAP-TLS/EAP-PEAP works fine with all APs/RAPs
• New machine with EAP-TLS/EAP-PEAP does not work on AP-205 on the 5 GHz band, though it works fine on 2.4 GHz and on both bands on other tested CAPs/RAPs.
• Connecting to PSK based SSIDs works just fine regardless of device, OS or frequency band.
• auth-tracebuf gives me dot1x-timeout and controller output value 6.
• client trail-info gives me "APAE Disconnect"
Excerpt from FreeRADIUS:
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
[tls] eaptls_verify returned 7
[tls] Done initial handshake
[tls] (other): before/accept initialization
[tls] TLS_accept: before/accept initialization
[tls] <<< TLS 1.0 Handshake [length 00c1], ClientHello
[tls] TLS_accept: SSLv3 read client hello A
[tls] >>> TLS 1.0 Handshake [length 0031], ServerHello
[tls] TLS_accept: SSLv3 write server hello A
[tls] >>> TLS 1.0 Handshake [length 0953], Certificate
[tls] TLS_accept: SSLv3 write certificate A
[tls] >>> TLS 1.0 Handshake [length 030d], ServerKeyExchange
[tls] TLS_accept: SSLv3 write key exchange A
[tls] >>> TLS 1.0 Handshake [length 0095], CertificateRequest
[tls] TLS_accept: SSLv3 write certificate request A
[tls] TLS_accept: SSLv3 flush data
[tls] TLS_accept: Need to read more data: SSLv3 read client certificate A
..
Sending Access-Challenge of id 162 to 192.168.5.9 port 32860
Aruba-User-Role = "authenticated"
EAP-Message = 0x010200060d20
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x6bbc95f76bbe987fdf1d2f664c8f5cc2
..
WARNING: !! EAP session for state 0x5d2bf7975d29fa8d did not finish!
.. This would indicate the lack of response from the client.
auth-tracebuf Aruba controller:
Jan 2 20:22:59 eap-req <- 7c:7a:91:c4:b4:27 ac:a3:1e:c2:d4:70 5 1024
Jan 2 20:23:04 eap-req <- 7c:7a:91:c4:b4:27 ac:a3:1e:c2:d4:70 5 1024
Jan 2 20:23:09 eap-req <- 7c:7a:91:c4:b4:27 ac:a3:1e:c2:d4:70 5 1024
Jan 2 20:23:14 eap-req <- 7c:7a:91:c4:b4:27 ac:a3:1e:c2:d4:70 5 1024
Jan 2 20:23:19 dot1x-timeout * 7c:7a:91:c4:b4:27 ac:a3:1e:c2:d4:70 5 3 server timeout
Jan 2 20:23:19 dot1x-timeout * 7c:7a:91:c4:b4:27 ac:a3:1e:c2:d4:70 6 2 station timeout
Jan 2 20:23:19 eap-id-req <- 7c:7a:91:c4:b4:27 ac:a3:1e:c2:d4:70 6 5
Jan 2 20:23:24 rad-acct-stop -> 7c:7a:91:c4:b4:27 ac:a3:1e:c2:d4:70 - -
Jan 2 20:23:24 dot1x-timeout * 7c:7a:91:c4:b4:27 ac:a3:1e:c2:d4:70 6 1 station timeout
I have a TAC open on this issue, but I thought there might've been others out there with the same problems.
Any ideas?
#AP205
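The pattern in the post (four identical eap-req frames to the station, no reply, then dot1x-timeout) is easy to miss when scrolling a long auth-tracebuf. The following is an added example written for this thread, not code from the original post, Aruba or FreeRADIUS. It parses the tracebuf lines quoted above (embedded here as constructed sample input), flags stations whose EAP requests go unanswered until a timeout, and decodes the EAP-Message hex from the FreeRADIUS excerpt. It assumes the tracebuf columns are time, event, direction, station MAC, BSSID and then event-specific fields, and that frames marked "->" with an "eap" event are client responses; the EAP header layout and the EAP-TLS L/M/S flag bits follow RFC 3748 and RFC 5216.

```python
"""Added example: spot stalled EAP-TLS handshakes in Aruba auth-tracebuf output
and decode a FreeRADIUS EAP-Message attribute. Not part of the original post."""
import re
from collections import defaultdict

# Constructed sample input: the auth-tracebuf lines quoted in the post.
TRACEBUF = """\
Jan 2 20:22:59 eap-req <- 7c:7a:91:c4:b4:27 ac:a3:1e:c2:d4:70 5 1024
Jan 2 20:23:04 eap-req <- 7c:7a:91:c4:b4:27 ac:a3:1e:c2:d4:70 5 1024
Jan 2 20:23:09 eap-req <- 7c:7a:91:c4:b4:27 ac:a3:1e:c2:d4:70 5 1024
Jan 2 20:23:14 eap-req <- 7c:7a:91:c4:b4:27 ac:a3:1e:c2:d4:70 5 1024
Jan 2 20:23:19 dot1x-timeout * 7c:7a:91:c4:b4:27 ac:a3:1e:c2:d4:70 5 3 server timeout
Jan 2 20:23:19 dot1x-timeout * 7c:7a:91:c4:b4:27 ac:a3:1e:c2:d4:70 6 2 station timeout
Jan 2 20:23:19 eap-id-req <- 7c:7a:91:c4:b4:27 ac:a3:1e:c2:d4:70 6 5
Jan 2 20:23:24 rad-acct-stop -> 7c:7a:91:c4:b4:27 ac:a3:1e:c2:d4:70 - -
Jan 2 20:23:24 dot1x-timeout * 7c:7a:91:c4:b4:27 ac:a3:1e:c2:d4:70 6 1 station timeout
"""

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
# Assumed column layout: time, event, direction, station MAC, BSSID, rest.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P<event>\S+)\s+(?P<dir>\S+)\s+"
    rf"(?P<sta>{MAC})\s+(?P<bssid>{MAC})\s*(?P<rest>.*)$",
    re.IGNORECASE,
)


def parse_tracebuf(text):
    """Return one dict per parseable tracebuf line; 'rest' holds the trailing fields."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            row = m.groupdict()
            row["rest"] = row["rest"].split()
            rows.append(row)
    return rows


def find_stalled_handshakes(rows, min_retries=3):
    """Per station, count consecutive eap-req frames with the same EAP id that the
    client never answers; report the station when a dot1x-timeout follows."""
    per_sta = defaultdict(list)
    for r in rows:
        per_sta[r["sta"].lower()].append(r)
    findings = {}
    for sta, events in per_sta.items():
        run, last_id = 0, None
        for e in events:
            if e["event"] == "eap-req":
                eid = e["rest"][0] if e["rest"] else None
                run = run + 1 if eid == last_id else 1
                last_id = eid
            elif e["event"].startswith("eap") and e["dir"] == "->":
                run = 0  # assumed: a client reply, so the exchange is not stalled
            elif e["event"] == "dot1x-timeout" and run >= min_retries:
                findings[sta] = {
                    "bssid": e["bssid"],
                    "eap_id": last_id,
                    "unanswered_requests": run,
                    "reason": " ".join(e["rest"][2:]),  # e.g. "server timeout"
                }
                break
    return findings


EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TLS_TYPE = 13


def decode_eap_message(hexstr):
    """Decode the EAP header (RFC 3748) from a FreeRADIUS EAP-Message hex string;
    for EAP-TLS also split the flags octet into L/M/S bits (RFC 5216)."""
    raw = bytes.fromhex(hexstr[2:] if hexstr.lower().startswith("0x") else hexstr)
    if len(raw) < 4:
        raise ValueError("EAP header needs at least 4 bytes")
    code, ident = raw[0], raw[1]
    out = {"code": EAP_CODES.get(code, code), "id": ident,
           "length": int.from_bytes(raw[2:4], "big"), "type": None}
    if code in (1, 2) and len(raw) >= 5:
        out["type"] = raw[4]
        if raw[4] == EAP_TLS_TYPE and len(raw) >= 6:
            flags = raw[5]
            out["tls_flags"] = {"L": bool(flags & 0x80),   # length included
                                "M": bool(flags & 0x40),   # more fragments
                                "S": bool(flags & 0x20)}   # EAP-TLS Start
    return out


if __name__ == "__main__":
    for sta, info in find_stalled_handshakes(parse_tracebuf(TRACEBUF)).items():
        print(f"{sta}: {info['unanswered_requests']} unanswered eap-req "
              f"(id {info['eap_id']}) on {info['bssid']}, then {info['reason']}")
    print(decode_eap_message("0x010200060d20"))
```

On the quoted lines this reports the W8.1 station with four unanswered requests for EAP id 5 followed by "server timeout", and decodes the Access-Challenge's EAP-Message as an EAP-TLS Start request (code 1, id 2, type 13, S flag set). Running the same script over a tracebuf captured on a working AP (2.4 GHz, or a 105/125) gives a direct comparison of where the 5 GHz exchange stops replying.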