Wireless Access

Reply
Contributor I
Posts: 80
Registered: ‎04-29-2013

everything but an iPhone works

I can connect win7/8, android, laptop, tablet, phone - but not iPhones (I don't have a iPad to test with)

 

Here is what I am seeing on the controller:

 

Dec  8 16:48:32  authmgr[2070]: <124004> <DBUG> |authmgr|  AUTH GSM PUBLISH MAC user: BSS:9c:1c:12:a2:ff:20 MAC:6c:3e:6d:4c:05:bf VLAN:26 wired_or_wifi:1 data-ready:0 Dec  8 16:48:32  authmgr[2070]: <124004> <DBUG> |authmgr|  AUTH GSM: ADD STA channel event:0 for mac:6c:3e:6d:4c:05:bf Dec  8 16:48:32  authmgr[2070]: <124004> <DBUG> |authmgr|  AUTH GSM: DELETE MAC user 6c:3e:6d:4c:05:bf Dec  8 16:48:32  authmgr[2070]: <124004> <DBUG> |authmgr|  AUTH GSM: USER uuid(0x7c), mac(6c:3e:6d:4c:05:bf), name(), role(logon), devtype(), wired(0), auth_type(0), auth_subtype(0), encrypt_type(10), conn_port(0) Dec  8 16:48:32  authmgr[2070]: <124004> <DBUG> |authmgr|  AUTH GSM: USER uuid(0x7c), mac(6c:3e:6d:4c:05:bf), name(), role(logon), devtype(), wired(0), auth_type(0), auth_subtype(0), encrypt_type(10), conn_port(0) Dec  8 16:48:32  authmgr[2070]: <124004> <DBUG> |authmgr|  AUTH GSM: chan sta : DEL 6c:3e:6d:4c:05:bf ageout 0 Dec  8 16:48:32  authmgr[2070]: <124090> <DBUG> |authmgr|  Free macuser 0x0x107121f4 and user 0x0x10862764 for mac 6c:3e:6d:4c:05:bf. Dec  8 16:48:32  authmgr[2070]: <124091> <DBUG> |authmgr|  station_check_license_limits: mac 6c:3e:6d:4c:05:bf  encr-algo:64. Dec  8 16:48:32  authmgr[2070]: <124093> <DBUG> |authmgr|  Called mac_station_new() for mac 6c:3e:6d:4c:05:bf. Dec  8 16:48:32  authmgr[2070]: <124103> <DBUG> |authmgr|  Setting user 6c:3e:6d:4c:05:bf aaa profile to SPI_INTERNAL_AAA, reason: ncfg_get_wireless_aaa_prof. Dec  8 16:48:32  authmgr[2070]: <124103> <DBUG> |authmgr|  Setting user 6c:3e:6d:4c:05:bf aaa profile to SPI_INTERNAL_AAA, reason: ncfg_set_aaa_profile_defaults.

 

Dec  8 16:44:40  authmgr[2070]: <124004> <DBUG> |authmgr|  AUTH GSM PUBLISH MAC user: BSS:9c:1c:12:a3:25:f0 MAC:c8:19:f7:0b:6e:24 VLAN:26 wired_or_wifi:1 data-ready:0 Dec  8 16:44:40  authmgr[2070]: <124004> <DBUG> |authmgr|  AUTH GSM: ADD STA channel event:0 for mac:c8:19:f7:0b:6e:24 Dec  8 16:44:40  authmgr[2070]: <124004> <DBUG> |authmgr|  AUTH GSM: DELETE MAC user c8:19:f7:0b:6e:24 Dec  8 16:44:40  authmgr[2070]: <124004> <DBUG> |authmgr|  AUTH GSM: USER uuid(0x63), mac(c8:19:f7:0b:6e:24), name(gibbonr1), role(EMPLOYEE-ROLE), devtype(Android), wired(0), auth_type(4), auth_subtype(9), encrypt_type(10), conn_port(0) Dec  8 16:44:40  authmgr[2070]: <124004> <DBUG> |authmgr|  AUTH GSM: USER uuid(0x72), mac(c8:19:f7:0b:6e:24), name(), role(logon), devtype(Android), wired(0), auth_type(0), auth_subtype(0), encrypt_type(10), conn_port(0) Dec  8 16:44:40  authmgr[2070]: <124004> <DBUG> |authmgr|  AUTH GSM: chan sta : DEL c8:19:f7:0b:6e:24 ageout 0 Dec  8 16:44:40  authmgr[2070]: <124090> <DBUG> |authmgr|  Free macuser 0x0x10744554 and user 0x0x10743b3c for mac c8:19:f7:0b:6e:24. Dec  8 16:44:40  authmgr[2070]: <124091> <DBUG> |authmgr|  station_check_license_limits: mac c8:19:f7:0b:6e:24  encr-algo:64. Dec  8 16:44:40  authmgr[2070]: <124093> <DBUG> |authmgr|  Called mac_station_new() for mac c8:19:f7:0b:6e:24. Dec  8 16:44:40  authmgr[2070]: <124103> <DBUG> |authmgr|  Setting user c8:19:f7:0b:6e:24 aaa profile to SPI_INTERNAL_AAA, reason: ncfg_get_wireless_aaa_prof. Dec  8 16:44:40  authmgr[2070]: <124103> <DBUG> |authmgr|  Setting user c8:19:f7:0b:6e:24 aaa profile to SPI_INTERNAL_AAA, reason: ncfg_set_aaa_profile_defaults.

 

 

 I am sorry that looks so ugly...but the fourth l;ine down in either case is the difference. On the droid, my name, role, devtype, auth-type, and auth-subtype are all being passed on the android, none are being passed on the iPhone. Any ideas? I've been banging away at this for a little over 7 hours now to no avail.

 

Thanks,

 

Russell

 

MVP
Posts: 4,238
Registered: ‎07-20-2011

Re: everything but an iPhone works

 

What AOS are you using ?

 

What iOS the phone has installed ?

 

What type of authentication that SSID is using ?

 

Can you please share the following :

 

show auth-tracebuf  | include <device mac>

 

Have you tried resetting the network settings in the iPhone and try again ?

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Contributor I
Posts: 80
Registered: ‎04-29-2013

Re: everything but an iPhone works

What AOS are you using ?   ArubaOS 6.2.1.3

 

What iOS the phone has installed ?  iOS 7.0.4

 

What type of authentication that SSID is using ?  WPA2-Enterprise

 

Can you please share the following :

Dec  8 20:25:18  station-up             *  44:d8:84:42:6a:26  9c:1c:12:a2:ff:21            -      -     wpa2 aes
Dec  8 20:25:18  eap-id-req            <-  44:d8:84:42:6a:26  9c:1c:12:a2:ff:21            1      5
Dec  8 20:25:18  eap-id-resp           ->  44:d8:84:42:6a:26  9c:1c:12:a2:ff:21            1      12    davise1
Dec  8 20:25:18  rad-req               ->  44:d8:84:42:6a:26  9c:1c:12:a2:ff:21            65458  222
Dec  8 20:25:18  rad-resp              <-  44:d8:84:42:6a:26  9c:1c:12:a2:ff:21/SPIPSEC06  65458  90
Dec  8 20:25:18  eap-req               <-  44:d8:84:42:6a:26  9c:1c:12:a2:ff:21            2      6
Dec  8 20:25:18  eap-resp              ->  44:d8:84:42:6a:26  9c:1c:12:a2:ff:21            2      152
Dec  8 20:25:18  rad-req               ->  44:d8:84:42:6a:26  9c:1c:12:a2:ff:21/SPIPSEC06  65459  400
Dec  8 20:25:18  rad-resp              <-  44:d8:84:42:6a:26  9c:1c:12:a2:ff:21/SPIPSEC06  65459  1188
Dec  8 20:25:18  eap-req               <-  44:d8:84:42:6a:26  9c:1c:12:a2:ff:21            3      1096
Dec  8 20:25:18  eap-resp              ->  44:d8:84:42:6a:26  9c:1c:12:a2:ff:21            3      6
Dec  8 20:25:18  rad-req               ->  44:d8:84:42:6a:26  9c:1c:12:a2:ff:21/SPIPSEC06  65460  254
Dec  8 20:25:18  rad-resp              <-  44:d8:84:42:6a:26  9c:1c:12:a2:ff:21/SPIPSEC06  65460  1050
Dec  8 20:25:18  eap-req               <-  44:d8:84:42:6a:26  9c:1c:12:a2:ff:21            4      960
Dec  8 20:25:21  eap-resp              ->  44:d8:84:42:6a:26  9c:1c:12:a2:ff:21            4      220
Dec  8 20:25:21  rad-req               ->  44:d8:84:42:6a:26  9c:1c:12:a2:ff:21/SPIPSEC06  65461  468
Dec  8 20:25:21  rad-resp              <-  44:d8:84:42:6a:26  9c:1c:12:a2:ff:21/SPIPSEC06  65461  153
Dec  8 20:25:21  eap-req               <-  44:d8:84:42:6a:26  9c:1c:12:a2:ff:21            5      69
Dec  8 20:25:21  eap-resp              ->  44:d8:84:42:6a:26  9c:1c:12:a2:ff:21            5      6
Dec  8 20:25:21  rad-req               ->  44:d8:84:42:6a:26  9c:1c:12:a2:ff:21/SPIPSEC06  65462  254
Dec  8 20:25:21  rad-resp              <-  44:d8:84:42:6a:26  9c:1c:12:a2:ff:21/SPIPSEC06  65462  127
Dec  8 20:25:21  eap-req               <-  44:d8:84:42:6a:26  9c:1c:12:a2:ff:21            6      43
Dec  8 20:25:21  eap-resp              ->  44:d8:84:42:6a:26  9c:1c:12:a2:ff:21            6      43
Dec  8 20:25:21  rad-req               ->  44:d8:84:42:6a:26  9c:1c:12:a2:ff:21/SPIPSEC06  65463  291
Dec  8 20:25:21  rad-resp              <-  44:d8:84:42:6a:26  9c:1c:12:a2:ff:21/SPIPSEC06  65463  143
Dec  8 20:25:21  eap-req               <-  44:d8:84:42:6a:26  9c:1c:12:a2:ff:21            7      59
Dec  8 20:25:21  eap-resp              ->  44:d8:84:42:6a:26  9c:1c:12:a2:ff:21            7      43
Dec  8 20:25:21  rad-req               ->  44:d8:84:42:6a:26  9c:1c:12:a2:ff:21/SPIPSEC06  65464  291
Dec  8 20:25:21  rad-resp              <-  44:d8:84:42:6a:26  9c:1c:12:a2:ff:21/SPIPSEC06  65464  159
Dec  8 20:25:21  eap-req               <-  44:d8:84:42:6a:26  9c:1c:12:a2:ff:21            8      75
Dec  8 20:25:21  eap-resp              ->  44:d8:84:42:6a:26  9c:1c:12:a2:ff:21            8      107
Dec  8 20:25:21  rad-req               ->  44:d8:84:42:6a:26  9c:1c:12:a2:ff:21/SPIPSEC06  65465  355
Dec  8 20:25:21  rad-resp              <-  44:d8:84:42:6a:26  9c:1c:12:a2:ff:21/SPIPSEC06  65465  175
Dec  8 20:25:21  eap-req               <-  44:d8:84:42:6a:26  9c:1c:12:a2:ff:21            9      91
Dec  8 20:25:21  eap-resp              ->  44:d8:84:42:6a:26  9c:1c:12:a2:ff:21            9      43
Dec  8 20:25:21  rad-req               ->  44:d8:84:42:6a:26  9c:1c:12:a2:ff:21/SPIPSEC06  65466  291
Dec  8 20:25:21  rad-resp              <-  44:d8:84:42:6a:26  9c:1c:12:a2:ff:21/SPIPSEC06  65466  191
Dec  8 20:25:21  eap-req               <-  44:d8:84:42:6a:26  9c:1c:12:a2:ff:21            11     107
Dec  8 20:25:21  eap-resp              ->  44:d8:84:42:6a:26  9c:1c:12:a2:ff:21            11     43
Dec  8 20:25:21  rad-req               ->  44:d8:84:42:6a:26  9c:1c:12:a2:ff:21/SPIPSEC06  65467  291
Dec  8 20:25:21  rad-accept            <-  44:d8:84:42:6a:26  9c:1c:12:a2:ff:21/SPIPSEC06  65467  298
Dec  8 20:25:21  eap-success           <-  44:d8:84:42:6a:26  9c:1c:12:a2:ff:21            11     4
Dec  8 20:25:21  wpa2-key1             <-  44:d8:84:42:6a:26  9c:1c:12:a2:ff:21            -      117
Dec  8 20:25:21  wpa2-key2             ->  44:d8:84:42:6a:26  9c:1c:12:a2:ff:21            -      117
Dec  8 20:25:21  wpa2-key3             <-  44:d8:84:42:6a:26  9c:1c:12:a2:ff:21            -      151
Dec  8 20:25:21  wpa2-key4             ->  44:d8:84:42:6a:26  9c:1c:12:a2:ff:21            -      95
Dec  8 20:25:21  rem-ap-setkey         <-  44:d8:84:42:6a:26  9c:1c:12:a2:ff:21            -      16    wpa2 aes
Dec  8 20:25:43  station-down           *  44:d8:84:42:6a:26  9c:1c:12:a2:ff:21            -      - 

 

 

Have you tried resetting the network settings in the iPhone and try again ?  Yes

 

now, the problem has changed. they appear to be authenticating, but are being blocked by an error that states "SophosNACRegistration" failed, and we have no Sophos NAC that anyone here is aware of. Is there a place in either the CLI or the web GUI to attach a NAC?

 

Background -

We are converting from Cisco to Aruba. Each SSID from Cisco is replicated in Aruba. Each SSID in Cisco is replicated in Aruba. and lastly, as I mentioned above, every device available can connect to Aruba, but now the iPhones get a NAC error that no other device gets. pushing 10 hours of troubleshooting, and this is getting ridiculous. We've reverted, but I still have one test Aruba AP online.

 

Thanks for the help

MVP
Posts: 4,238
Registered: ‎07-20-2011

Re: everything but an iPhone works

 

Not really familiar with the Sopho products but you should probably ask them if they an MDM appliance in place ? 

 

Are both network isolated ? because having the same SSIDs using different products could be a pain to troubleshoot if devices could hear both different APs and keep roaming between the two.

 

 

 

 

 

 

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Contributor I
Posts: 80
Registered: ‎04-29-2013

Re: everything but an iPhone works

yes, all of the Cisco APs were removed before we began testing the Aruba APs

MVP
Posts: 562
Registered: ‎11-28-2011

Re: everything but an iPhone works

Where are you seeing this "SophosNACRegistration" error? On the client iPhone I assume?

 

If so, it suggests it has some sort of supplicant on it that's trying to protect itself??? Just to prove it, try to find that supplicant and turn it off temporarily if it exists?

 

 

 

Kudos appreciated, but I'm not hunting! (ACMX 104)
Search Airheads
Showing results for 
Search instead for 
Did you mean: