Wireless Access

last person joined: 20 hours ago 

Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.
Back to discussions
Expand all | Collapse all

deauth to sta

This thread has been viewed 13 times

  • 1.  deauth to sta

    Posted Mar 20, 2012 05:06 PM

    I have a client that cannot connect to our production wireless network but can connect to a development network on the same access point. The client is using the same machine and 802.1x authentication for each network. I have debug logs for a successful (dev) and a failed (prd) session but the main difference I see is:

     

    //a success

    Mar 20 13:24:56 :522035:  <INFO> |authmgr|  MAC=68:a3:c4:c9:xx:xx Station UP: BSSID=d8:c7:c8:xx:2f:41 ESSID=dev VLAN=2 AP-name=ab208

    Mar 20 13:24:56 :522004:  <DBUG> |authmgr|  MAC=68:a3:c4:c9:xx:xx ingress 0x10f1 (tunnel 145), u_encr 16, m_encr 4112, slotport 0x1000 

    Mar 20 13:25:25 :522038:  <INFO> |authmgr|  MAC=68:a3:c4:c9:xx:xx IP=0.0.0.0 Authentication result=Authentication Successful method=802.1x server=ACS-B

    //role, IP and other good stuff happen

     

    //a failure

    Mar 20 13:24:12 :522035:  <INFO> |authmgr|  MAC=68:a3:c4:c9:xx:xx Station UP: BSSID=d8:c7:c8:xx:2f:40 ESSID=prd VLAN=2 AP-name=ab208

    Mar 20 13:24:12 :522004:  <DBUG> |authmgr|  MAC=68:a3:c4:c9:xx:xx ingress 0x11b6 (tunnel 342), u_encr 16, m_encr 4112, slotport 0x1000 

    //repeat the previous message five more times, then

    Mar 20 13:24:31 :501106:  <NOTI> |stm|  Deauth to sta: 68:a3:c4:c9:xx:xx: Ageout AP 10.xxx.70.210-d8:c7:xx:xx:2f:40-ab208 handle_sapcp

    //followed by similar messages

     

     

    Anybody have an idea?



  • 2.  RE: deauth to sta

    EMPLOYEE
    Posted Mar 20, 2012 06:17 PM
    @scottwe wrote:

    I have a client that cannot connect to our production wireless network but can connect to a development network on the same access point. The client is using the same machine and 802.1x authentication for each network. I have debug logs for a successful (dev) and a failed (prd) session but the main difference I see is:

     

    //a success

    Mar 20 13:24:56 :522035:  <INFO> |authmgr|  MAC=68:a3:c4:c9:xx:xx Station UP: BSSID=d8:c7:c8:xx:2f:41 ESSID=dev VLAN=2 AP-name=ab208

    Mar 20 13:24:56 :522004:  <DBUG> |authmgr|  MAC=68:a3:c4:c9:xx:xx ingress 0x10f1 (tunnel 145), u_encr 16, m_encr 4112, slotport 0x1000 

    Mar 20 13:25:25 :522038:  <INFO> |authmgr|  MAC=68:a3:c4:c9:xx:xx IP=0.0.0.0 Authentication result=Authentication Successful method=802.1x server=ACS-B

    //role, IP and other good stuff happen

     

    //a failure

    Mar 20 13:24:12 :522035:  <INFO> |authmgr|  MAC=68:a3:c4:c9:xx:xx Station UP: BSSID=d8:c7:c8:xx:2f:40 ESSID=prd VLAN=2 AP-name=ab208

    Mar 20 13:24:12 :522004:  <DBUG> |authmgr|  MAC=68:a3:c4:c9:xx:xx ingress 0x11b6 (tunnel 342), u_encr 16, m_encr 4112, slotport 0x1000 

    //repeat the previous message five more times, then

    Mar 20 13:24:31 :501106:  <NOTI> |stm|  Deauth to sta: 68:a3:c4:c9:xx:xx: Ageout AP 10.xxx.70.210-d8:c7:xx:xx:2f:40-ab208 handle_sapcp

    //followed by similar messages

     

     

    Anybody have an idea?

    While the client is failing, type "show auth-tracebuf mac <mac address of client>" to see why.

     



  • 3.  RE: deauth to sta

    Posted Mar 21, 2012 05:34 PM

    Thank you, neat command!

     

    I see:

     

    Mar 21 13:32:52  station-up             *  68:a3:c4:c9:xx:xx  d8:c7:c8:bf:xx:xx                  -    -     wpa tkip

    Mar 21 13:32:52  eap-id-req            <-  68:a3:c4:c9:xx:xx  d8:c7:c8:bf:xx:xx                  1    5     

    Mar 21 13:32:53  station-up             *  68:a3:c4:c9:xx:xx  d8:c7:c8:bf:xx:xx                  -    -     wpa tkip

    Mar 21 13:32:53  eap-id-req            <-  68:a3:c4:c9:xx:xx  d8:c7:c8:bf:xx:xx                  1    5     

    Mar 21 13:32:53  eap-start             ->  68:a3:c4:c9:xx:xx  d8:c7:c8:bf:xx:xx                  -    -     

    Mar 21 13:32:53  eap-id-req            <-  68:a3:c4:c9:xx:xx  d8:c7:c8:bf:xx:xx                  1    5     

    Mar 21 13:32:55  station-up             *  68:a3:c4:c9:xx:xx  d8:c7:c8:bf:xx:xx                  -    -     wpa tkip

    Mar 21 13:32:55  eap-id-req            <-  68:a3:c4:c9:xx:xx  d8:c7:c8:bf:xx:xx                  1    5     

    Mar 21 13:32:55  eap-start             ->  68:a3:c4:c9:xx:xx  d8:c7:c8:bf:xx:xx                  -    -     

    Mar 21 13:32:55  eap-id-req            <-  68:a3:c4:c9:xx:xx  d8:c7:c8:bf:xx:xx                  1    5     

    Mar 21 13:32:56  station-up             *  68:a3:c4:c9:xx:xx  d8:c7:c8:bf:xx:xx                  -    -     wpa tkip

     

    over and over again, credentials are never passed and authentication servers don't get into the mix, which is different from a successful logon. I don't understand what the command reference guide is telling me about the arrows andif this is on the client or server side. 

     



  • 4.  RE: deauth to sta

    EMPLOYEE
    Posted Mar 21, 2012 11:35 PM

    Are you sure the client is configured with the right encryption?

     



  • 5.  RE: deauth to sta

    Posted Mar 26, 2012 04:50 PM

    yes. we went through and manually set it for wpa2-enterprise and aes as a test, still could not get it to go. we run in mixed mode, either tkip or aes is valid.



  • 6.  RE: deauth to sta

    EMPLOYEE
    Posted Mar 26, 2012 05:44 PM

    Are these 802.11n access points?  If so, the 802.11n standard only allows cipher types of AES and Open.  TKIP is not allowed.

     



  • 7.  RE: deauth to sta

    Posted Mar 28, 2012 06:06 PM

    They are N. Good point. When I manually configure the client to use WPA2 and AES (which I can see using the command you gave me, thanks again) they still cannot connect. I'm beginning to think it is the clients system but it is at a remote location and the clientdoes not have other devices available to test with.



  • 8.  RE: deauth to sta

    EMPLOYEE
    Posted Mar 28, 2012 09:19 PM

    You probably want to open a case so that they can see the full picture...  Has this EVER worked?

     



  • 9.  RE: deauth to sta

    Posted Apr 06, 2012 11:36 AM

    With this device no it has never worked. Other devices, yes.



  • 10.  RE: deauth to sta

    EMPLOYEE
    Posted Apr 06, 2012 12:33 PM

    Have you considered upgrading the client drivers?