Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

LDAP

  • 1.  LDAP

    Posted Apr 25, 2012 02:00 AM

    Hi All,

    I have integrated the Aruba controller to use authentication from LDAP.

    The AAA test from the controller is happening through PAP.

    Termination is enabled on the controller for EAP-PEAP and EAP-GTC.

    The EAP-GTC supplicant is installed and the profile settings were made as per the document.

    Now I am facing a problem while connecting: a "validating identity" error.

    So what may be the solution for this, other than using a RADIUS server?



  • 2.  RE: LDAP

    EMPLOYEE
    Posted Apr 25, 2012 05:12 AM

    Uncheck "Validate Server Certificate" in your wireless profile.



  • 3.  RE: LDAP

    Posted Apr 25, 2012 06:13 AM

    I tried that also, but it is still not working. As the termination is on the controller, does the controller need any certificate to push to clients?



  • 4.  RE: LDAP

    EMPLOYEE
    Posted Apr 25, 2012 06:16 AM

    Is this a Windows computer?  Did you try connecting from a handheld?

    Turn on user debugging:

    config t
    logging level debugging user

    Try to connect and after it fails, type "show log user 50" to see what is going on.



  • 5.  RE: LDAP

    Posted Apr 25, 2012 06:27 AM

    1. This is a Windows XP client.

    Logs:

    Apr 25 15:50:08 :501100:  <NOTI> |stm|  Assoc success @ 15:50:08.921250: 00:0c:f1:4d:b6:a8: AP 192.168.29.8-00:1a:1e:5f:22:44-AP125


    Apr 25 15:50:08 :501065:  <DBUG> |stm|  Sending STA 00:0c:f1:4d:b6:a8 message to Auth and Mobility Unicast Encr WPA2 8021X AES Multicast Encr WPA2 8021X AES VLAN 0x1, wmm:0, rsn_cap:0


    Apr 25 15:50:08 :522035:  <INFO> |authmgr|  MAC=00:0c:f1:4d:b6:a8 Station UP: BSSID=00:1a:1e:5f:22:44 ESSID=Ldap VLAN=1 AP-name=AP125


    Apr 25 15:50:08 :522004:  <DBUG> |authmgr|  MAC=00:0c:f1:4d:b6:a8 ingress 0x10d3 (tunnel 19), u_encr 64, m_encr 64, slotport 0x1022 , type: local, FW mode: 0, AP IP: 0.0.0.0


    Apr 25 15:50:08 :500511:  <DBUG> |mobileip|  Station 00:0c:f1:4d:b6:a8, 0.0.0.0: Received association on ESSID: Ldap Mobility service ON, HA Discovery on Association Off, Fastroaming Disabled, AP: Name AP125 Group default BSSID 00:1a:1e:5f:22:44, phy b, VLAN 1


    Apr 25 15:50:08 :500010:  <NOTI> |mobileip|  Station 00:0c:f1:4d:b6:a8, 0.0.0.0: Mobility trail, on switch 192.168.29.248, VLAN 1, AP AP125, Ldap/00:1a:1e:5f:22:44/b



  • 6.  RE: LDAP

    EMPLOYEE
    Posted Apr 25, 2012 06:29 AM

    how about the output of "show auth-tracebuf"



  • 7.  RE: LDAP

    Posted Apr 25, 2012 06:36 AM

    Apr 25 15:50:07  station-term-start     *  00:0c:f1:4d:b6:a8  00:1a:1e:5f:22:44                                 1      -
    Apr 25 15:50:07  eap-term-start        ->  00:0c:f1:4d:b6:a8  00:1a:1e:5f:22:44/dot1x_prof-mft83                -      -
    Apr 25 15:50:07  station-term-start     *  00:0c:f1:4d:b6:a8  00:1a:1e:5f:22:44                                 1      -
    Apr 25 15:50:28  station-term-end       *  00:0c:f1:4d:b6:a8  00:1a:1e:5f:22:44/dot1x_prof-mft83                3      -    failure
    Apr 25 15:50:55  station-down           *  e0:ca:94:93:30:e4  00:1a:1e:5f:22:40                                 -      -
    Apr 25 15:50:56  station-up             *  e0:ca:94:93:30:e4  00:1a:1e:5f:22:43                                 -      -    wpa2 aes
    Apr 25 15:50:56  station-term-start     *  e0:ca:94:93:30:e4  00:1a:1e:5f:22:43                                 1      -
    Apr 25 15:50:56  eap-term-start        ->  e0:ca:94:93:30:e4  00:1a:1e:5f:22:43/default                         -      -
    Apr 25 15:50:56  station-term-start     *  e0:ca:94:93:30:e4  00:1a:1e:5f:22:43                                 1      -
    Apr 25 15:51:02  eap-term-start        ->  00:0c:f1:4d:b6:a8  00:1a:1e:5f:22:44/dot1x_prof-mft83                -      -
    Apr 25 15:51:02  station-term-start     *  00:0c:f1:4d:b6:a8  00:1a:1e:5f:22:44                                 1      -
    Apr 25 15:51:09  station-down           *  e0:ca:94:93:30:e4  00:1a:1e:5f:22:43                                 -      -
    Apr 25 15:51:10  station-up             *  e0:ca:94:93:30:e4  00:1a:1e:5f:22:43                                 -      -    wpa2 aes
    Apr 25 15:51:10  station-term-start     *  e0:ca:94:93:30:e4  00:1a:1e:5f:22:43                                 1      -
    Apr 25 15:51:10  eap-term-start        ->  e0:ca:94:93:30:e4  00:1a:1e:5f:22:43/default                         -      -
    Apr 25 15:51:10  station-term-start     *  e0:ca:94:93:30:e4  00:1a:1e:5f:22:43                                 1      -
    Apr 25 15:51:13  client-finish         ->  00:0c:f1:4d:b6:a8  00:1a:1e:5f:22:44/dot1x_prof-mft83                -      -
    Apr 25 15:51:13  server-finish         <-  00:0c:f1:4d:b6:a8  00:1a:1e:5f:22:44/dot1x_prof-mft83                -      -
    Apr 25 15:51:13  server-finish-ack     ->  00:0c:f1:4d:b6:a8  00:1a:1e:5f:22:44/dot1x_prof-mft83                -      -
    Apr 25 15:51:13  inner-eap-id-req      <-  00:0c:f1:4d:b6:a8  00:1a:1e:5f:22:44/dot1x_prof-mft83                -      -
    Apr 25 15:51:13  inner-eap-id-resp     ->  00:0c:f1:4d:b6:a8  00:1a:1e:5f:22:44/dot1x_prof-mft83                -      -    arubadc\nithin
    Apr 25 15:51:13  eap-mschap-chlg       <-  00:0c:f1:4d:b6:a8  00:1a:1e:5f:22:44/dot1x_prof-mft83                -      -
    Apr 25 15:51:13  eap-nak               ->  00:0c:f1:4d:b6:a8  00:1a:1e:5f:22:44/dot1x_prof-mft83                -      -    EAP-GTC
    Apr 25 15:51:13  eap-gtc-token-req     <-  00:0c:f1:4d:b6:a8  00:1a:1e:5f:22:44/dot1x_prof-mft83                -      -
    Apr 25 15:51:13  eap-gtc-token-res     ->  00:0c:f1:4d:b6:a8  00:1a:1e:5f:22:44/dot1x_prof-mft83                -      8
    Apr 25 15:51:13  pap-response          <-  00:0c:f1:4d:b6:a8  00:1a:1e:5f:22:44/Ldap-2008                       -      -    arubadc\nithin
    Apr 25 15:51:13  eap-tlv-rslt-failure  <-  00:0c:f1:4d:b6:a8  00:1a:1e:5f:22:44/dot1x_prof-mft83                -      -
    Apr 25 15:51:13  eap-tlv-rslt-failure  ->  00:0c:f1:4d:b6:a8  00:1a:1e:5f:22:44/dot1x_prof-mft83                -      -
    Apr 25 15:51:13  eap-failure           <-  00:0c:f1:4d:b6:a8  00:1a:1e:5f:22:44/dot1x_prof-mft83                -      -
    Apr 25 15:51:13  pap-request           ->  00:0c:f1:4d:b6:a8  00:1a:1e:5f:22:44/dot1x_prof-mft83                -      -    arubadc\nithin
    Apr 25 15:51:13  station-down           *  00:0c:f1:4d:b6:a8  00:1a:1e:5f:22:44                                 -      -
    Apr 25 15:51:13  station-up             *  00:0c:f1:4d:b6:a8  00:1a:1e:5f:22:44                                 -      -    wpa2 aes
    Apr 25 15:51:13  station-term-start     *  00:0c:f1:4d:b6:a8  00:1a:1e:5f:22:44                                 1      -
    Apr 25 15:51:13  eap-term-start        ->  00:0c:f1:4d:b6:a8  00:1a:1e:5f:22:44/dot1x_prof-mft83                -      -
    Apr 25 15:51:13  station-term-start     *  00:0c:f1:4d:b6:a8  00:1a:1e:5f:22:44                                 1      -

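The `show auth-tracebuf` output above is dense enough that the failing step is easy to miss. What follows is an added example, not Aruba code and not from any poster in this thread: it parses that trace format per client MAC, splits the lines into authentication attempts at each `eap-term-start`, and reports how far each attempt got: whether the PEAP TLS tunnel completed (`server-finish-ack`), which inner identity and method the supplicant offered, and which server answered the inner PAP check. The column layout is inferred from the posted trace; event names beyond those visible in it (such as `eap-success`) are assumed. The sample input is a constructed subset of the posted trace, with the identity written as the supplicant sent it, in domain\user form.

```python
"""Summarise an ArubaOS `show auth-tracebuf` capture per client MAC.

Added example for this thread (not Aruba code). Column layout is inferred
from the trace posted above; event names not in that trace (eap-success)
are assumed.
"""
import re
from collections import defaultdict

# ts  event  dir  client-mac  bssid[/profile-or-server]  col1  col2  [info]
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"(?P<event>\S+)\s+(?P<dir>\*|->|<-)\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+"
    r"(?P<bssid>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})(?:/(?P<target>\S+))?"
    r"\s+(?P<c1>\S+)\s+(?P<c2>\S+)(?:\s+(?P<info>\S.*?))?\s*$"
)

# Constructed sample: two attempts by the same station, taken from the trace
# in the thread. Raw string keeps the literal backslash in arubadc\nithin.
SAMPLE = r"""
Apr 25 15:50:07  station-term-start     *  00:0c:f1:4d:b6:a8  00:1a:1e:5f:22:44                                 1      -
Apr 25 15:50:07  eap-term-start        ->  00:0c:f1:4d:b6:a8  00:1a:1e:5f:22:44/dot1x_prof-mft83                -      -
Apr 25 15:50:28  station-term-end       *  00:0c:f1:4d:b6:a8  00:1a:1e:5f:22:44/dot1x_prof-mft83                3      -    failure
Apr 25 15:51:02  eap-term-start        ->  00:0c:f1:4d:b6:a8  00:1a:1e:5f:22:44/dot1x_prof-mft83                -      -
Apr 25 15:51:13  client-finish         ->  00:0c:f1:4d:b6:a8  00:1a:1e:5f:22:44/dot1x_prof-mft83                -      -
Apr 25 15:51:13  server-finish         <-  00:0c:f1:4d:b6:a8  00:1a:1e:5f:22:44/dot1x_prof-mft83                -      -
Apr 25 15:51:13  server-finish-ack     ->  00:0c:f1:4d:b6:a8  00:1a:1e:5f:22:44/dot1x_prof-mft83                -      -
Apr 25 15:51:13  inner-eap-id-req      <-  00:0c:f1:4d:b6:a8  00:1a:1e:5f:22:44/dot1x_prof-mft83                -      -
Apr 25 15:51:13  inner-eap-id-resp     ->  00:0c:f1:4d:b6:a8  00:1a:1e:5f:22:44/dot1x_prof-mft83                -      -    arubadc\nithin
Apr 25 15:51:13  eap-mschap-chlg       <-  00:0c:f1:4d:b6:a8  00:1a:1e:5f:22:44/dot1x_prof-mft83                -      -
Apr 25 15:51:13  eap-nak               ->  00:0c:f1:4d:b6:a8  00:1a:1e:5f:22:44/dot1x_prof-mft83                -      -    EAP-GTC
Apr 25 15:51:13  eap-gtc-token-req     <-  00:0c:f1:4d:b6:a8  00:1a:1e:5f:22:44/dot1x_prof-mft83                -      -
Apr 25 15:51:13  eap-gtc-token-res     ->  00:0c:f1:4d:b6:a8  00:1a:1e:5f:22:44/dot1x_prof-mft83                -      8
Apr 25 15:51:13  pap-response          <-  00:0c:f1:4d:b6:a8  00:1a:1e:5f:22:44/Ldap-2008                       -      -    arubadc\nithin
Apr 25 15:51:13  eap-tlv-rslt-failure  <-  00:0c:f1:4d:b6:a8  00:1a:1e:5f:22:44/dot1x_prof-mft83                -      -
Apr 25 15:51:13  eap-failure           <-  00:0c:f1:4d:b6:a8  00:1a:1e:5f:22:44/dot1x_prof-mft83                -      -
"""


def parse_line(line):
    """Return the trace fields as a dict, or None for lines that are not events."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def split_attempts(events):
    """Start a new attempt each time the controller begins EAP termination."""
    attempts, cur = [], []
    for ev in events:
        if ev["event"] == "eap-term-start" and any(e["event"] == "eap-term-start" for e in cur):
            attempts.append(cur)
            cur = []
        cur.append(ev)
    if cur:
        attempts.append(cur)
    return attempts


def diagnose(attempt):
    """Reduce one attempt to: tunnel built?, inner identity/method, server, result."""
    names = [e["event"] for e in attempt]
    info = {"tunnel": "server-finish-ack" in names, "identity": None,
            "inner_method": None, "server": None, "result": "incomplete", "verdict": ""}
    for e in attempt:
        if e["event"] == "inner-eap-id-resp":
            info["identity"] = e["info"]          # identity sent inside the tunnel
        elif e["event"] == "eap-nak" and e["info"]:
            info["inner_method"] = e["info"]      # method the client asked for instead
        elif e["event"] == "pap-response":
            info["server"] = e["target"]          # server that answered the PAP check
    if "eap-success" in names:
        info["result"] = "success"
    elif "eap-failure" in names or any(
            e["event"] == "station-term-end" and e["info"] == "failure" for e in attempt):
        info["result"] = "failure"
    if info["result"] == "failure":
        if info["tunnel"] and info["server"]:
            info["verdict"] = (f"TLS tunnel completed; inner {info['inner_method'] or 'EAP'} credential "
                               f"for {info['identity']!r} rejected after the PAP exchange with {info['server']}")
        elif info["tunnel"]:
            info["verdict"] = "TLS tunnel completed but no inner authentication result reached a server"
        else:
            info["verdict"] = "no TLS tunnel completed before the attempt ended"
    return info


def analyse(text):
    """Map client MAC -> list of per-attempt diagnoses."""
    by_mac = defaultdict(list)
    for line in text.splitlines():
        ev = parse_line(line)
        if ev:
            by_mac[ev["mac"]].append(ev)
    return {mac: [diagnose(a) for a in split_attempts(evs)] for mac, evs in by_mac.items()}


if __name__ == "__main__":
    for mac, attempts in analyse(SAMPLE).items():
        for n, a in enumerate(attempts, 1):
            print(f"{mac} attempt {n}: {a['result']}: {a['verdict']}")
```

Run on the posted trace, it reports the first attempt as failing with no TLS handshake seen, and the second as failing after the tunnel completed: in that attempt the supplicant accepted the controller's certificate, identified itself as `arubadc\nithin`, refused the MSCHAP challenge in favour of EAP-GTC, and the failure came back after the PAP exchange with `Ldap-2008`. That places the second failure at the inner credential check rather than at the certificate.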


  • 8.  RE: LDAP

    EMPLOYEE
    Posted Apr 25, 2012 06:41 AM

    Do you have a screenshot of your Windows Config?

     



  • 9.  RE: LDAP

    Posted Apr 25, 2012 07:15 AM

    Attached is the screenshot of the wireless profile.



  • 10.  RE: LDAP

    EMPLOYEE
    Posted Apr 25, 2012 07:16 AM

    Don't see anything.

     



  • 11.  RE: LDAP

    Posted Apr 25, 2012 07:20 AM

    Please check it now



  • 12.  RE: LDAP

    EMPLOYEE
    Posted Apr 25, 2012 07:27 AM

    Please delete the wireless profile entirely, then re-create from scratch.

     



  • 13.  RE: LDAP

    Posted Apr 25, 2012 07:30 AM

    Done that. Please check the attached file, which will show the error that I am getting.



  • 14.  RE: LDAP

    Posted Apr 25, 2012 07:53 AM

    Hi,

    I am also facing the same problem.

    Can you check if the client gets an IP address and is able to access the required applications and servers?

    Because I am having the same "validating identity" error, but clients get IP addresses and are able to access all applications, while Windows keeps on showing "validating identity".



  • 15.  RE: LDAP

    Posted Apr 25, 2012 08:07 AM

    No, it will not get an IP address.



  • 16.  RE: LDAP

    EMPLOYEE
    Posted Apr 25, 2012 02:14 PM

    Please open a support case.  It is not easy to see what is happening from here.

     



  • 17.  RE: LDAP

    Posted Apr 26, 2012 12:09 AM

    OK, done. Opened a support ticket.



  • 18.  RE: LDAP

    Posted Apr 26, 2012 06:37 AM

    I studied in a document that PEAP requires only server-side certificates.

    In this scenario, as I am enabling termination on the controller and I chose EAP-PEAP and EAP-GTC, is there any need for a certificate on the controller?



  • 19.  RE: LDAP

    EMPLOYEE
    Posted Apr 26, 2012 06:44 AM

    @Nithin wrote:

    I studied in a document that PEAP requires only server-side certificates.

    In this scenario, as I am enabling termination on the controller and I chose EAP-PEAP and EAP-GTC, is there any need for a certificate on the controller?


    Nithin,

     

    Yes, there is a need for a certificate in the controller, but it comes with a built-in certificate, so it at least should work with that if you uncheck "Validate Server Certificate".  Usually, a smartphone is more forgiving, so you should try to connect with that first to at least validate that the controller side is configured correctly.

     



  • 20.  RE: LDAP

    Posted Apr 26, 2012 06:47 AM

    How do I apply a certificate for that 802.1X profile? Any screenshot or document?



  • 21.  RE: LDAP

    EMPLOYEE
    Posted Apr 26, 2012 06:54 AM

    @Nithin wrote:

    How do I apply a certificate for that 802.1X profile? Any screenshot or document?


    Like I said, the controller has a built-in certificate and that is the one it will use if you have not uploaded any.  If you want to upload one, go to Configuration> Management> Certificates and upload a certificate type of "Server Cert".  After you upload, go to Configuration> Security> Authentication> L2 Authentication.  Click on 802.1x profile.  Choose the 802.1x profile that corresponds to your WLAN.  Under the Advanced Tab, there is a parameter called "Server-Certificate" where you will see your uploaded certificate and the built in one, available for selection.

     

    Quite frankly, the only people that use GTC with LDAP are ones that do NOT have active directory.  Active Directory users configure radius, because they do not have to install anything like the GTC supplicant on all of their clients.

     

    If you can, please test with a smartphone to make sure it works.

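Posts 2 and 19 get the client connected by unchecking "Validate Server Certificate", and post 21 describes uploading a proper server certificate to the controller. The security cost of the first step deserves to be spelled out: with validation off, the supplicant will complete the PEAP TLS tunnel with any access point that answers, and the inner credential (here a PAP/GTC password, which only that tunnel protects) is handed to whoever terminates the tunnel. The following is an added example, not Aruba's or Microsoft's code and not from any poster. It assumes the `EapHostConfig` XML that `netsh wlan export profile` writes on Windows Vista and later (the Windows 7 clients mentioned later in the thread; Windows XP stores wireless profiles differently, so the checks do not apply there). It builds that fragment with the weak setting and with the hardened settings (validation on, the trusted root pinned by thumbprint, an expected server name, no user click-through), then audits any such fragment for those flags. The thumbprint is a placeholder, the server name is hypothetical, the fragment is trimmed to the elements the audit reads, and the inner method shown is MSCHAPv2 (type 26) because a native Windows profile cannot express EAP-GTC; the server-validation elements are the same whatever the inner method. The root to pin is the CA that issued the certificate uploaded to the controller as "Server Cert".

```python
"""Build and audit the PEAP server-validation settings of a Windows profile.

Added example for this thread (not Aruba or Microsoft code). Targets the
EapHostConfig fragment that `netsh wlan export profile` writes on Windows
Vista and later; element names follow that schema (assumption).
"""
import xml.etree.ElementTree as ET

NS = {
    "eh": "http://www.microsoft.com/provisioning/EapHostConfig",
    "be": "http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1",
    "p1": "http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1",
    "p2": "http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2",
}

# Placeholder only. Windows stores the SHA-1 thumbprint of the trusted root
# CA as 20 space-separated hex bytes; substitute the root that issued the
# controller's server certificate.
PLACEHOLDER_THUMBPRINT = "00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33"


def build_peap_config(perform_validation, trusted_root_thumbprint="",
                      server_names="", allow_user_prompt=True):
    """Return a trimmed EapHostConfig fragment for PEAP with the given
    server-validation settings. perform_validation=False corresponds to
    unchecking "Validate Server Certificate" in the Windows profile."""
    root_ca = (f"<TrustedRootCA>{trusted_root_thumbprint}</TrustedRootCA>"
               if trusted_root_thumbprint else "")
    return f"""<EapHostConfig xmlns="{NS['eh']}">
  <EapMethod><Type xmlns="http://www.microsoft.com/provisioning/EapCommon">25</Type></EapMethod>
  <Config>
    <Eap xmlns="{NS['be']}">
      <Type>25</Type>
      <EapType xmlns="{NS['p1']}">
        <ServerValidation>
          <DisableUserPromptForServerValidation>{str(not allow_user_prompt).lower()}</DisableUserPromptForServerValidation>
          <ServerNames>{server_names}</ServerNames>
          {root_ca}
        </ServerValidation>
        <FastReconnect>true</FastReconnect>
        <InnerEapOptional>false</InnerEapOptional>
        <Eap xmlns="{NS['be']}"><Type>26</Type></Eap>
        <EnableQuarantineChecks>false</EnableQuarantineChecks>
        <RequireCryptoBinding>false</RequireCryptoBinding>
        <PeapExtensions>
          <PerformServerValidation xmlns="{NS['p2']}">{str(perform_validation).lower()}</PerformServerValidation>
          <AcceptServerName xmlns="{NS['p2']}">false</AcceptServerName>
        </PeapExtensions>
      </EapType>
    </Eap>
  </Config>
</EapHostConfig>"""


def audit_peap_config(xml_text):
    """Return (code, explanation) pairs, one per weak server-validation setting."""
    root = ET.fromstring(xml_text)

    def text(path):
        el = root.find(path, NS)
        return (el.text or "").strip() if el is not None else ""

    findings = []
    if text(".//p2:PerformServerValidation").lower() != "true":
        findings.append(("no-server-validation",
                         "supplicant builds the TLS tunnel to any AP and sends the inner credential into it"))
    if text(".//p1:DisableUserPromptForServerValidation").lower() != "true":
        findings.append(("user-can-accept-unknown-server",
                         "user is prompted to accept a certificate that fails validation instead of being refused"))
    if not text(".//p1:TrustedRootCA"):
        findings.append(("any-trusted-root",
                         "no root CA pinned: any chain to a root in the machine store is accepted"))
    if not text(".//p1:ServerNames"):
        findings.append(("no-server-name-check",
                         "no expected server name: any subject issued under the accepted root passes"))
    return findings


# The setting the thread recommends, beside the hardened form.
WEAK = build_peap_config(perform_validation=False)
HARDENED = build_peap_config(True, PLACEHOLDER_THUMBPRINT,
                             "controller.example.net", allow_user_prompt=False)

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_peap_config(cfg) or "no findings")
```

The audit reads the exported fragment back rather than trusting the builder, so it can be pointed at a real `netsh wlan export profile` file to check what is actually deployed on the laptops once the controller has a certificate the clients can chain to.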


  • 22.  RE: LDAP

    Posted Apr 26, 2012 07:04 AM

    This is one of our client's requirements; that's why we are checking. We recommended RADIUS only, but they require LDAP only. :(



  • 23.  RE: LDAP

    EMPLOYEE
    Posted Apr 26, 2012 07:07 AM

    If they have Active Directory, let them know how difficult it is to distribute and configure software onto all their clients and stand up a radius server.  Sometimes customers do not know what is best for them, unless you show them ;)

     



  • 24.  RE: LDAP

    Posted Apr 26, 2012 08:17 AM

    It's working on a BlackBerry.

    But still facing the problem on laptops. From this we can come to the conclusion that the problem is in the EAP-GTC plugin.



  • 25.  RE: LDAP

    EMPLOYEE
    Posted Apr 26, 2012 08:23 AM

    What version of Windows are you using, what service pack?  Windows 7?

     



  • 26.  RE: LDAP

    Posted Apr 26, 2012 08:43 AM

    Microsoft Windows XP Professional

    Version 2002

    Service Pack 3



  • 27.  RE: LDAP

    Posted May 04, 2012 03:17 AM

    I got it working with the SecureW2 EAP-GTC plugin for both Windows XP and Windows 7, but this is a third-party plugin.



  • 28.  RE: LDAP

    EMPLOYEE
    Posted May 04, 2012 06:54 AM

    That is the best way to go, if you want to pursue EAP-GTC.