Wireless Access

Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

devices on windows cannot authenticate

  • 1.  devices on windows cannot authenticate

    Posted Sep 13, 2017 04:40 AM

    good morning,

    a few days ago my wireless network was fine,
    but now all devices turning on Windows cannot authenticate, except those which are turning on Android.

    please, what is the problem?

    i have the 7210 controller and the 103 AP's.

    thank you.



  • 2.  RE: devices on windows cannot authenticate

    EMPLOYEE
    Posted Sep 13, 2017 04:50 AM

    Faycal,

     

    could you please give us more information?

     

    AAA profile configuration, SSID configuration and VAP configuration.

    Are you using user derivation rules?

     

    Also, can you run show audit-trail and check the changes that have been made on the controller?

     

    Cheers



  • 3.  RE: devices on windows cannot authenticate

    Posted Sep 13, 2017 06:07 AM

    first, thank you,

    yes, I am using user derivation rules

     

     

    AAA Profile List
    ----------------
    Name                 References  Profile Status
    ----                 ----------  --------------
    default              2
    default-dot1x        0           Predefined (editable)
    default-dot1x-psk    0           Predefined (editable)
    default-mac-auth     0           Predefined (editable)
    default-open         0           Predefined (editable)
    default-xml-api      0           Predefined (editable)
    Guest-aaa-profile    1
    mgmt-aaa-profile     1
    New_WLAN-aaa_prof    1
    NoAuthAAAProfile     1           Predefined (editable)
    Pro-aaa-Profile      1
    Res-aaa-profile      1
    VIP-aaa-profile      1

     

     



  • 4.  RE: devices on windows cannot authenticate

    EMPLOYEE
    Posted Sep 13, 2017 06:27 AM

    Hi,

     

    Can you send us the specific information from the AAA profile that you are saying is not working anymore, and the derivation rules for that service?

     

    show audit-trail (review that there are no changes from yesterday) - no need to paste the logs here, but check since Sep 12 and find out.

     

    cheers

     

     

     

     



  • 5.  RE: devices on windows cannot authenticate

    Posted Sep 13, 2017 12:57 PM

    hi,

    the aaa test server is successful, device on android connect,

    for the AAA Profiles:

    i have res-aaa-profile

    authentication 802.1x

    role logon

    initial role: logon

    802.1X Authentication Default Role: authenticated

    termination enable
    termination eap-type eap-tls
    termination eap-type eap-peap
    termination inner-eap-type eap-mschapv2
    termination inner-eap-type eap-gtc

     

    aaa server-group "GSRV-RADIUS"
    allow-fail-through
    load-balance
    auth-server SRV-RADIUS,

     

    Network authentication security WPA2

    encryption AES

     



  • 6.  RE: devices on windows cannot authenticate

    EMPLOYEE
    Posted Sep 14, 2017 05:28 AM
    Hi,

    Yes, it is a start.

    I imagine that inside your SRV-RADIUS you added ClearPass, NPS or
    another RADIUS server. Or you don't have a RADIUS server and that is why
    you are doing termination on the controller?


    If you have a corporate user you use EAP-TLS and you have a certificate
    in that corporate laptop, right?

    When you are using non-corporate traffic, you use EAP-PEAP and you
    authenticate against an AD or database, right?

    Are you sending any roles back to the controller once the user has been
    authenticated or do you just use the authenticate role?
    I mean, when you say that android works, which role do you receive?
    (Show user | i (mac address or ip address))

    Cheers
    Borja


  • 7.  RE: devices on windows cannot authenticate

    Posted Sep 14, 2017 09:17 AM

    hi,

    thanks

    i have a RADIUS server to authenticate AD users, without ClearPass,

    you're right, corporate users authenticate with certificate

    i use only authentication role .... for android user, i receive the role authenticated,

    thanks again



  • 8.  RE: devices on windows cannot authenticate

    EMPLOYEE
    Posted Sep 14, 2017 10:08 AM

    OK - so you have a RADIUS server. I don't know why you are using termination.

     

    An Android user connects to the SSID and introduces his AD username and password. If that is correct, it gets the default role (authenticated).

     

    A corporate laptop connects to the same SSID with certificates. If the authentication is successful - which role is going to be assigned? What does your derivation rule look like?

     



  • 9.  RE: devices on windows cannot authenticate

    Posted Sep 14, 2017 10:40 AM

     

    "An android user, connects to the SSID and introduces his AD username and password. If that is correct, it receives it gets the default role (authenticated)" --> yes

     

    "A corporate laptop, connects to the same SSID with certificates. If the authentication is successful - which role is going to be assigned? How does your derivation rule look like?" --> the same role is assigned: authenticated

    i don't have derivation rules,

    thanks