Contributor I

lost LDAP authentication

Last week, LDAP authentication for administration failed, and it has not recovered. I have checked with our servers folks, and so far they are saying that nothing has changed on that side. Here is what I am seeing:

(SPIAARUBA01) #aaa test-server mschapv2 <server> gibbonr1 **********
Internal Error : Invalid response (-1)
(SPIAARUBA01) #aaa test-server pap <server> gibbonr1 **********
Authentication server out of service
(SPIAARUBA01) #

Where can I look closer on the controller to see what's up?

 

Russell

Guru Elite

Re: lost LDAP authentication

Can you run:
show aaa authentication-server ldap

Does it show it as out of service there?

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor I

Re: lost LDAP authentication

(SPIAARUBA01) #show aaa authentication-server ldap

LDAP Server List
----------------
Name     References  Profile Status
----     ----------  --------------
<LDAP1>  2
<LDAP2>  2

Total:2

(SPIAARUBA01) #

 

 

Thanks for responding

 

Russell

Guru Elite

Re: lost LDAP authentication

Ok. So the controller doesn't think they are out of service.

Try turning on the following logs, then do a test auth and check the logs.

logging level debugging security subcat aaa
Logging level debugging security subcat AAA process authmgr


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor I

Re: lost LDAP authentication

Doesn't seem to be telling me much:

(SPIAARUBA01) #aaa test-server mschap SPIPDC1 gibbonr1 ********
Internal Error : Invalid response (-1)
(SPIAARUBA01) #aaa test-server pap SPIPDC1 gibbonr1 **********
Authentication server out of service
(SPIAARUBA01) # show log all | include gibbonr1

Feb 19 15:58:38  authmgr[1708]: <124011> <INFO> |authmgr|  Test authenticating user gibbonr1:****** using server SPIPDC1
Feb 19 15:58:38  fpcli: USER:regibbo@172.28.98.5 COMMAND:<aaa test-server mschapv2 "SPIPDC1" "gibbonr1"  ******  > -- command executed successfully
Feb 19 15:58:47  authmgr[1708]: <124011> <INFO> |authmgr|  Test authenticating user gibbonr1:****** using server SPIPDC1
Feb 19 15:58:47  fpcli: USER:regibbo@172.28.98.5 COMMAND:<aaa test-server pap "SPIPDC1" "gibbonr1"  ******  > -- command executed successfully

 

Different log I should look at?

Guru Elite

Re: lost LDAP authentication

Sorry, tried typing them out from memory on my tablet and failed :)

Try these:

logging level debugging security process authmgr
logging level debugging security subcat aaa

Then do your test auth and run:

show log security 30

You should start to see more debug info like this:

Feb 19 17:20:38 :121031:  <DBUG> |authmgr| |aaa| [rc_api.c:1136] RADIUS RESPONSE ATTRIBUTES:
Feb 19 17:20:38 :121031:  <DBUG> |authmgr| |aaa| [rc_api.c:1151]  PW_RADIUS_ID: \017
Feb 19 17:20:38 :121031:  <DBUG> |authmgr| |aaa| [rc_api.c:1151]  Rad-Length: 20
Feb 19 17:20:38 :121031:  <DBUG> |authmgr| |aaa| [rc_api.c:1151]  PW_RADIUS_CODE: \003
Feb 19 17:20:38 :121031:  <DBUG> |authmgr| |aaa| [rc_api.c:1151]  PW_RAD_AUTHENTICATOR: K\276\004|\316^\334\334\240\214\366\010T\003L*
Feb 19 17:20:38 :124004:  <DBUG> |authmgr|  Auth server 'CLEARPASS_6-3' response=1
Feb 19 17:20:38 :124019:  <INFO> |authmgr|  Test server response: Authentication failed
Feb 19 17:20:43 :121031:  <DBUG> |authmgr| |aaa| [rc_sequence.c:114] seq_num_timeout_handler: Freed 0 entries

 


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor I

Re: lost LDAP authentication

Alright! I see something, but I don't know what the numbers mean :(

Feb 20 09:59:18 :121031:  <DBUG> |authmgr| |aaa| [rc_api.c:1029] Challenge from server
Feb 20 09:59:18 :121031:  <DBUG> |authmgr| |aaa| [rc_api.c:1031] RADIUS RESPONSE ATTRIBUTES:
Feb 20 09:59:18 :121031:  <DBUG> |authmgr| |aaa| [rc_api.c:1046]  Session-Timeout: 30
Feb 20 09:59:18 :121031:  <DBUG> |authmgr| |aaa| [rc_api.c:1046]  EAP-Message: \001\011
Feb 20 09:59:18 :121031:  <DBUG> |authmgr| |aaa| [rc_api.c:1046]  State: \020\337\002\034
Feb 20 09:59:18 :121031:  <DBUG> |authmgr| |aaa| [rc_api.c:1046]  Message-Auth: \250h\327\210c\337\305'\016\030\020\307E\245\367\004
Feb 20 09:59:18 :121031:  <DBUG> |authmgr| |aaa| [rc_api.c:1046]  PW_RADIUS_ID: \027
Feb 20 09:59:18 :121031:  <DBUG> |authmgr| |aaa| [rc_api.c:1046]  Rad-Length: 175
Feb 20 09:59:18 :121031:  <DBUG> |authmgr| |aaa| [rc_api.c:1046]  PW_RADIUS_CODE: \013
Feb 20 09:59:18 :121031:  <DBUG> |authmgr| |aaa| [rc_api.c:1046]  PW_RAD_AUTHENTICATOR: q\011\361\315\341\343\252\370;\303\020`@\351\2132

 

Russell
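
The escaped values in the debug lines above are raw bytes printed as three-digit octal escapes. This added example (not part of the original posts) decodes them and names the RADIUS packet code (RFC 2865) and the EAP code (RFC 3748); the function names are illustrative and the sample lines are copied from the post.

```python
import re

# RADIUS packet codes (RFC 2865) and EAP codes (RFC 3748).
RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept",
                3: "Access-Reject", 11: "Access-Challenge"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}

# Attribute lines copied from the debug output quoted in this thread.
SAMPLE = r"""
Feb 20 09:59:18 :121031:  <DBUG> |authmgr| |aaa| [rc_api.c:1029] Challenge from server
Feb 20 09:59:18 :121031:  <DBUG> |authmgr| |aaa| [rc_api.c:1046]  EAP-Message: \001\011
Feb 20 09:59:18 :121031:  <DBUG> |authmgr| |aaa| [rc_api.c:1046]  PW_RADIUS_ID: \027
Feb 20 09:59:18 :121031:  <DBUG> |authmgr| |aaa| [rc_api.c:1046]  Rad-Length: 175
Feb 20 09:59:18 :121031:  <DBUG> |authmgr| |aaa| [rc_api.c:1046]  PW_RADIUS_CODE: \013
Feb 20 09:59:18 :121031:  <DBUG> |authmgr| |aaa| [rc_api.c:1046]  PW_RAD_AUTHENTICATOR: q\011\361\315\341\343\252\370;\303\020`@\351\2132
"""

ATTR = re.compile(r"\[rc_api\.c:\d+\]\s+([\w-]+): (.*)$")
OCTAL = re.compile(rb"\\([0-3][0-7]{2})")

def unescape(value):
    """Turn \\ooo octal escapes back into raw bytes; other characters are literal."""
    raw = value.encode("latin-1")
    return OCTAL.sub(lambda m: bytes([int(m.group(1), 8)]), raw)

def parse_attrs(log_text):
    """Map attribute name -> decoded bytes for every rc_api.c attribute line."""
    attrs = {}
    for line in log_text.splitlines():
        m = ATTR.search(line.rstrip())
        if m:
            attrs[m.group(1)] = unescape(m.group(2))
    return attrs

def summarize(log_text):
    """Name the packet type and pull out the identifiers a reader needs."""
    attrs = parse_attrs(log_text)
    code = attrs["PW_RADIUS_CODE"][0]
    out = {"radius_code": RADIUS_CODES.get(code, f"code {code}"),
           "radius_id": attrs["PW_RADIUS_ID"][0],
           "authenticator_len": len(attrs.get("PW_RAD_AUTHENTICATOR", b""))}
    eap = attrs.get("EAP-Message")
    if eap and len(eap) >= 2:
        # Only the first two EAP bytes appear in the log: code and identifier.
        out["eap"] = f"{EAP_CODES.get(eap[0], eap[0])} id={eap[1]}"
    return out

if __name__ == "__main__":
    print(summarize(SAMPLE))
```
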

Contributor I

Re: lost LDAP authentication

What might this indicate:

(SPIAARUBA01) #show aaa authentication-server ldap SPIPDC1 status

LDAP Server Table
-----------------
LDAP Server Attribute  Value
---------------------  -----
Priority               4
Name                   SPIPDC1
Hostname               10.7.0.112
AuthPort               636
AuthSSLPort            636
Retries                3
Timeout                20
AdminDN                CN=CIS_Servicer,OU=Servicer Accounts,DC=hmcorp,DC=local
AdminPasswd            *****
BaseDN                 DC=hmcorp,DC=local
KeyAttribute           sAMAccountName
Filter                 (objectclass=*)
Allow Cleartext        no
Status                 Enabled
InService              Up
InitDone               no <------------------
AdminBound             no <------------------
Connection Type        unknown
Server Down            yes
Marked For Delete      no
In Use Callback Set    no
RefCount               16
RebindTimerSet         yes
RebindCount            1405
ReqViolationCount      0

 

Guru Elite

Re: lost LDAP authentication

Is there a chance that your admin bind password was changed? Can you verify with an LDAP browser utility? Also, please open a TAC case in parallel if this is urgent.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
New Contributor

Re: lost LDAP authentication

 

Hi all..

I have the same problem. How do I enable AdminBound?

What is the issue in this problem?

 

(Aruba7005) #show aaa authentication-server ldap BJB_LDAP status

LDAP Server Table
-----------------
LDAP Server Attribute        Value
---------------------        -----
Priority                     2
Name                         BJB_LDAP
Hostname                     10.6.224.1
AuthPort                     389
AuthSSLPort                  636
Retries                      3
Timeout                      20
AdminDN                      cn=vcenter,ou=user services,dc=bankjabar,dc=co,dc=id
AdminPasswd                  *****
BaseDN                       ou=kantor pusat,ou=bank jabar banten,dc=bankjabar,dc=co,dc=id
KeyAttribute                 sAMAccountName
Filter                       (objectclass=*)
Allow Cleartext              yes
Status                       Enabled
InService                    Up
InitDone                     yes
AdminBound                   no
Connection Type              start tls
Server Down                  no
Marked For Delete            no
In Use Callback Set          no
Outstanding Authentications  2
RebindTimerSet               no
RebindCount                  3
ReqViolationCount            0


(Aruba7005) #
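
The two `status` outputs in this thread differ in a way that points at different layers. This added example (not part of the original posts) parses the table and tags each case; the meaning attached to `InitDone` and `AdminBound` is an assumption read from the field names, and the samples are trimmed copies of the rows quoted above.

```python
import re

# Constructed samples: rows taken from the two status tables quoted in this
# thread, trimmed to the fields the check reads.
SPIPDC1 = """\
LDAP Server Attribute  Value
---------------------  -----
AuthPort               636
Allow Cleartext        no
InitDone               no <------------------
AdminBound             no <------------------
Connection Type        unknown
Server Down            yes
RebindCount            1405
"""
BJB_LDAP = """\
AuthPort                     389
Allow Cleartext              yes
InitDone                     yes
AdminBound                   no
Connection Type              start tls
Server Down                  no
RebindCount                  3
"""

def parse_status(text):
    """Split each 'Attribute  Value' row on the first run of 2+ spaces."""
    rows = {}
    for line in text.splitlines():
        line = re.sub(r"\s*<-+\s*$", "", line.strip())  # drop annotation arrows
        parts = re.split(r"\s{2,}", line, maxsplit=1)
        if len(parts) == 2 and parts[0].strip("-"):     # skip the dashed rule
            rows[parts[0]] = parts[1]
    return rows

def triage(text):
    """Return finding tags. The meaning given to each field is an assumption
    read from its name, not documented ArubaOS semantics."""
    r, tags = parse_status(text), []
    if r.get("Server Down") == "yes":
        tags.append("server-marked-down")
    if r.get("InitDone") == "no":
        tags.append("connection-not-initialized")  # check reachability, port, TLS
    elif r.get("AdminBound") == "no":
        tags.append("admin-bind-not-done")         # check AdminDN and its password
    if r.get("Allow Cleartext") == "yes":
        tags.append("cleartext-permitted")         # unencrypted LDAP allowed by config
    return tags
```
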

 

 
