Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

lost LDAP authentication

  • 1.  lost LDAP authentication

    Posted Feb 19, 2014 03:17 PM

    Last week, LDAP authentication for administration failed, and it has not recovered. I have checked with our server folks, and so far they are saying that nothing has changed on that side. Here is what I am seeing:


    (SPIAARUBA01) #aaa test-server mschapv2 <server> gibbonr1 **********

    Internal Error : Invalid response (-1)

    (SPIAARUBA01) #aaa test-server pap <server> gibbonr1 **********

    Authentication server out of service

    (SPIAARUBA01) #

    Where can I look closer on the controller to see what's up?

    Russell



  • 2.  RE: lost LDAP authentication

    EMPLOYEE
    Posted Feb 19, 2014 03:30 PM
    Can you run:
    show aaa authentication-server ldap

    Does it show it as out of service there?


  • 3.  RE: lost LDAP authentication

    Posted Feb 19, 2014 03:34 PM

    (SPIAARUBA01) #show aaa authentication-server ldap

    LDAP Server List

    ----------------

    Name     References  Profile Status

    ----     ----------  --------------

    <LDAP1>  2

    <LDAP2>  2

    Total:2

    (SPIAARUBA01) #

    Thanks for responding.

    Russell



  • 4.  RE: lost LDAP authentication

    EMPLOYEE
    Posted Feb 19, 2014 03:44 PM

    Ok. So the controller doesn't think they are out of service.

    Try turning on the following logs, then do a test auth and check the logs.

    logging level debugging security subcat aaa
    Logging level debugging security subcat AAA process authmgr

    Sent from Windows Mail



  • 5.  RE: lost LDAP authentication

    Posted Feb 19, 2014 04:02 PM

    Doesn't seem to be telling me much:


    (SPIAARUBA01) #aaa test-server mschap SPIPDC1 gibbonr1 ********

    Internal Error : Invalid response (-1)

    (SPIAARUBA01) #aaa test-server pap SPIPDC1 gibbonr1 **********

    Authentication server out of service

    (SPIAARUBA01) # show log all | include gibbonr1


    Feb 19 15:58:38  authmgr[1708]: <124011> <INFO> |authmgr|  Test authenticating user gibbonr1:****** using server SPIPDC1
    Feb 19 15:58:38  fpcli: USER:regibbo@172.28.98.5 COMMAND:<aaa test-server mschapv2 "SPIPDC1" "gibbonr1"  ******  > -- command executed successfully
    Feb 19 15:58:47  authmgr[1708]: <124011> <INFO> |authmgr|  Test authenticating user gibbonr1:****** using server SPIPDC1
    Feb 19 15:58:47  fpcli: USER:regibbo@172.28.98.5 COMMAND:<aaa test-server pap "SPIPDC1" "gibbonr1"  ******  > -- command executed successfully

    Different log I should look at?



  • 6.  RE: lost LDAP authentication

    EMPLOYEE
    Posted Feb 19, 2014 05:23 PM

    Sorry, tried typing them out from memory on my tablet and failed :)

    Try these:

    logging level debugging security process authmgr
    logging level debugging security subcat aaa

    Then do your test auth and run:

    show log security 30

    You should start to see more debug info like this:

    Feb 19 17:20:38 :121031:  <DBUG> |authmgr| |aaa| [rc_api.c:1136] RADIUS RESPONSE ATTRIBUTES:
    Feb 19 17:20:38 :121031:  <DBUG> |authmgr| |aaa| [rc_api.c:1151]  PW_RADIUS_ID: \017
    Feb 19 17:20:38 :121031:  <DBUG> |authmgr| |aaa| [rc_api.c:1151]  Rad-Length: 20
    Feb 19 17:20:38 :121031:  <DBUG> |authmgr| |aaa| [rc_api.c:1151]  PW_RADIUS_CODE: \003
    Feb 19 17:20:38 :121031:  <DBUG> |authmgr| |aaa| [rc_api.c:1151]  PW_RAD_AUTHENTICATOR: K\276\004|\316^\334\334\240\214\366\010T\003L*
    Feb 19 17:20:38 :124004:  <DBUG> |authmgr|  Auth server 'CLEARPASS_6-3' response=1
    Feb 19 17:20:38 :124019:  <INFO> |authmgr|  Test server response: Authentication failed
    Feb 19 17:20:43 :121031:  <DBUG> |authmgr| |aaa| [rc_sequence.c:114] seq_num_timeout_handler: Freed 0 entries




  • 7.  RE: lost LDAP authentication

    Posted Feb 20, 2014 10:03 AM

    Alright! I see something, but I don't know what the numbers mean :(


    Feb 20 09:59:18 :121031:  <DBUG> |authmgr| |aaa| [rc_api.c:1029] Challenge from server
    Feb 20 09:59:18 :121031:  <DBUG> |authmgr| |aaa| [rc_api.c:1031] RADIUS RESPONSE ATTRIBUTES:
    Feb 20 09:59:18 :121031:  <DBUG> |authmgr| |aaa| [rc_api.c:1046]  Session-Timeout: 30
    Feb 20 09:59:18 :121031:  <DBUG> |authmgr| |aaa| [rc_api.c:1046]  EAP-Message: \001\011
    Feb 20 09:59:18 :121031:  <DBUG> |authmgr| |aaa| [rc_api.c:1046]  State: \020\337\002\034
    Feb 20 09:59:18 :121031:  <DBUG> |authmgr| |aaa| [rc_api.c:1046]  Message-Auth: \250h\327\210c\337\305'\016\030\020\307E\245\367\004
    Feb 20 09:59:18 :121031:  <DBUG> |authmgr| |aaa| [rc_api.c:1046]  PW_RADIUS_ID: \027
    Feb 20 09:59:18 :121031:  <DBUG> |authmgr| |aaa| [rc_api.c:1046]  Rad-Length: 175
    Feb 20 09:59:18 :121031:  <DBUG> |authmgr| |aaa| [rc_api.c:1046]  PW_RADIUS_CODE: \013
    Feb 20 09:59:18 :121031:  <DBUG> |authmgr| |aaa| [rc_api.c:1046]  PW_RAD_AUTHENTICATOR: q\011\361\315\341\343\252\370;\303\020`@\351\2132

    Russell



  • 8.  RE: lost LDAP authentication

    Posted Feb 20, 2014 01:44 PM

    What might this indicate:


    (SPIAARUBA01) #show aaa authentication-server ldap SPIPDC1 status

    LDAP Server Table

    -----------------

    LDAP Server Attribute  Value

    ---------------------  -----

    Priority               4

    Name                   SPIPDC1

    Hostname               10.7.0.112

    AuthPort               636

    AuthSSLPort            636

    Retries                3

    Timeout                20

    AdminDN                CN=CIS_Servicer,OU=Servicer Accounts,DC=hmcorp,DC=local

    AdminPasswd            *****

    BaseDN                 DC=hmcorp,DC=local

    KeyAttribute           sAMAccountName

    Filter                 (objectclass=*)

    Allow Cleartext        no

    Status                 Enabled

    InService              Up

    InitDone               no <------------------

    AdminBound             no <------------------

    Connection Type        unknown

    Server Down            yes

    Marked For Delete      no

    In Use Callback Set    no

    RefCount               16

    RebindTimerSet         yes

    RebindCount            1405

    ReqViolationCount      0




  • 9.  RE: lost LDAP authentication

    EMPLOYEE
    Posted Feb 20, 2014 07:08 PM

    Is there a chance that your admin bind password was changed? Can you verify with an LDAP browser utility? Also, please open a TAC case in parallel if this is urgent.
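
Added example (not part of the thread and not Aruba code): a parser for the `show aaa authentication-server ldap <name> status` table shown in post 8, plus a check that maps the flags discussed in posts 8 and 9 (InitDone, AdminBound, Server Down, RebindCount, Allow Cleartext) to finding codes. The sample output, the finding codes and the 100-rebind threshold are constructed for the example.

```python
import re

# Constructed sample in the layout of "show aaa authentication-server ldap <name> status"
# from this thread, cut down to the rows the diagnosis uses (sample values, not live data).
SAMPLE_STATUS = """\
LDAP Server Table
-----------------
LDAP Server Attribute  Value
---------------------  -----
Name                   SPIPDC1
Hostname               10.7.0.112
AuthPort               636
AdminDN                CN=svc,OU=Service Accounts,DC=example,DC=local
Allow Cleartext        no
InitDone               no
AdminBound             no
Connection Type        unknown
Server Down            yes
RebindCount            1405
"""

def parse_status(text):
    """Parse the two-column table into a dict. Attribute names contain single
    spaces ("Server Down"), so split on the first run of two or more spaces."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^(.+?)\s{2,}(\S.*)$", line.rstrip())
        if m and set(m.group(1)) != {"-"}:             # skip the dashed separator row
            fields[m.group(1)] = m.group(2)
    fields.pop("LDAP Server Attribute", None)          # column header row
    return fields

def diagnose(fields, rebind_limit=100):
    """Map the flags the thread focused on to finding codes; an empty list means the
    server looks healthy. rebind_limit is an assumed threshold (the broken server showed 1405)."""
    codes = []
    if fields.get("Server Down") == "yes":
        codes.append("SERVER_DOWN")
    if fields.get("InitDone") == "no":
        codes.append("NO_SESSION")           # no session to the server: reachability, ports, TLS cert
    if fields.get("AdminBound") == "no":
        codes.append("ADMIN_BIND_FAILED")    # AdminDN/AdminPasswd rejected: verify them independently
    if int(fields.get("RebindCount", "0")) > rebind_limit:
        codes.append("REBIND_STORM")         # controller keeps retrying the admin bind
    if fields.get("Allow Cleartext") == "yes":
        codes.append("CLEARTEXT_ALLOWED")    # bind password may cross the network unencrypted
    return codes
```

Paste the real status output into parse_status to get the same codes for your own controller; the post 10 output (InitDone yes, AdminBound no, Allow Cleartext yes) yields ADMIN_BIND_FAILED and CLEARTEXT_ALLOWED.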



  • 10.  RE: lost LDAP authentication

    Posted Dec 31, 2015 12:30 AM

    Hi all,

    I have the same problem. How do I enable AdminBound?

    What is the issue here?


    (Aruba7005) #show aaa authentication-server ldap BJB_LDAP status

    LDAP Server Table
    -----------------
    LDAP Server Attribute        Value
    ---------------------        -----
    Priority                     2
    Name                         BJB_LDAP
    Hostname                     10.6.224.1
    AuthPort                     389
    AuthSSLPort                  636
    Retries                      3
    Timeout                      20
    AdminDN                      cn=vcenter,ou=user services,dc=bankjabar,dc=co,dc=id
    AdminPasswd                  *****
    BaseDN                       ou=kantor pusat,ou=bank jabar banten,dc=bankjabar,dc=co,dc=id
    KeyAttribute                 sAMAccountName
    Filter                       (objectclass=*)
    Allow Cleartext              yes
    Status                       Enabled
    InService                    Up
    InitDone                     yes
    AdminBound                   no
    Connection Type              start tls
    Server Down                  no
    Marked For Delete            no
    In Use Callback Set          no
    Outstanding Authentications  2
    RebindTimerSet               no
    RebindCount                  3
    ReqViolationCount            0


    (Aruba7005) #




  • 11.  RE: lost LDAP authentication

    EMPLOYEE
    Posted Dec 31, 2015 01:51 AM

    Change the preferred connection type to Clear Text and try again.



  • 12.  RE: lost LDAP authentication

    Posted Dec 31, 2015 11:13 AM

    Hi Harry,

    Please refer to the following article for more insight into LDAP functionality.

    https://arubanetworkskb.secure.force.com/pkb/articles/Troubleshooting/R-41

    As of now it looks like the controller is trying to connect to the LDAP server using secure LDAP, which requires the presence of an SSL cert on the LDAP server.

    - To communicate with the LDAP server, the controller tries to use TCP port 636 (LDAPS) first. If unsuccessful, the controller tries start_TLS over port 389. Both require that the server has an SSL/TLS certificate.

    - If that is unsuccessful and "cleartext == yes", the controller tries TCP port 389 in cleartext.

    Please enable "allow clear text" in the LDAP server configuration and verify the LDAP status.

    Regards,

    Nitesh
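
Added example (not from the thread and not HPE Aruba code) that reproduces the connection order Nitesh describes: a probe that tries LDAPS on 636, then StartTLS on 389, then plain 389 only when cleartext is allowed, using a hand-encoded StartTLS request so it needs only the Python standard library. The host, the default ports and the 512-byte read are assumptions for the example.

```python
import contextlib, socket, ssl

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"   # StartTLS extended operation, RFC 4511 section 4.14

def starttls_request(msg_id=1):
    """LDAPMessage { messageID INTEGER, [APPLICATION 23] ExtendedRequest { [0] requestName } }"""
    name = b"\x80" + bytes([len(STARTTLS_OID)]) + STARTTLS_OID
    ext = b"\x77" + bytes([len(name)]) + name
    body = b"\x02\x01" + bytes([msg_id]) + ext
    return b"\x30" + bytes([len(body)]) + body

def _tlv(buf, pos):
    """Decode one BER tag and length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                              # long form: low bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def result_code(response):
    """resultCode of an extendedResponse: 30 L | 02 01 id | 78 L | 0a 01 code ... (0 = success)."""
    tag, p, _ = _tlv(response, 0)
    _, _, q = _tlv(response, p)                    # skip messageID
    op, p, _ = _tlv(response, q)
    if tag != 0x30 or op != 0x78:
        raise ValueError("not an LDAP extendedResponse")
    _, p, q = _tlv(response, p)
    return int.from_bytes(response[p:q], "big")

def probe(host, ldaps_port=636, ldap_port=389, allow_cleartext=False, timeout=5):
    """Try the transports in the thread's order; return 'ldaps', 'starttls', 'cleartext' or None.
    The default context validates the certificate, so an untrusted or expired cert fails too."""
    ctx = ssl.create_default_context()
    with contextlib.suppress(OSError):             # refused, timed out or TLS handshake failed
        with socket.create_connection((host, ldaps_port), timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return "ldaps"
    with contextlib.suppress(OSError, ValueError, IndexError):
        with socket.create_connection((host, ldap_port), timeout) as raw:
            raw.sendall(starttls_request())
            if result_code(raw.recv(512)) == 0:
                with ctx.wrap_socket(raw, server_hostname=host):
                    return "starttls"
    if allow_cleartext:                            # bind DN and password would cross the wire unencrypted
        with contextlib.suppress(OSError):
            with socket.create_connection((host, ldap_port), timeout):
                return "cleartext"
    return None
```

A result of 'cleartext' means neither TLS variant completed, so the controller would only reach the server with Allow Cleartext set to yes and its admin bind password would travel unencrypted; fixing the server's certificate is the way to get back to 'ldaps' or 'starttls'.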