Wireless Access

Reply
MVP
Posts: 1,414
Registered: ‎11-30-2011

wlsx(N)UserAuthenticationFailed not being send

[ Edited ]

working with airwave and the controller, configured SNMP traps and seeing traps come in, but when an authentication fails i dont get the wlsx(N)UserAuthenticationFailed traps. anyone got a clue on the reason?

 

they are enabled

 

(name) #show snmp trap-list

SNMP TRAP LIST
--------------
TRAP-NAME                                  CONFIGURABLE  ENABLE-STATE
---------                                  ------------  ------------
authenticationFailure                      Yes           Enabled
...

wlsxMgmtUserAuthenticationFailed           Yes           Enabled
wlsxNUserAuthenticationFailed              Yes           Enabled
wlsxUserAuthenticationFailed               Yes           Enabled

MVP
Posts: 1,414
Registered: ‎11-30-2011

Re: wlsx(N)UserAuthenticationFailed not being send

ok, think i found it, disabled EAP termination and the traps were send.

 

could that be it? anyone got a clue why they aren't send with EAP termination enabled?

Guru Elite
Posts: 21,499
Registered: ‎03-29-2007

Re: wlsx(N)UserAuthenticationFailed not being send

That trap is only sent for an authentication failure from an authentication source.  If your problem existed between the client and the controller, your problem might be with certificate or EAP setup vs an actual authentication failure.  I would turn on client debugging and see what the auth-tracebuf says.  

 

Please let us know if you enter a wrong username and password and see if it sends the trap.



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

MVP
Posts: 1,414
Registered: ‎11-30-2011

Re: wlsx(N)UserAuthenticationFailed not being send

ok, did the testing, this what i get with a wrong request and EAP termination on

Jun  8 23:45:41  station-down           *  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9                     -   -
Jun  8 23:45:42  station-up             *  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9                     -   -    wpa2 aes
Jun  8 23:45:42  station-term-start     *  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9                     31  -
Jun  8 23:45:42  eap-term-start        ->  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9/p3t3-aaa-auth_prof  -   -
Jun  8 23:45:42  station-term-start     *  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9                     31  -
Jun  8 23:45:48  station-down           *  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9                     -   -
Jun  8 23:45:49  station-up             *  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9                     -   -    wpa2 aes
Jun  8 23:45:49  station-term-start     *  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9                     31  -
Jun  8 23:45:49  eap-term-start        ->  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9/p3t3-aaa-auth_prof  -   -
Jun  8 23:45:49  station-term-start     *  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9                     31  -
Jun  8 23:45:56  client-finish         ->  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9/p3t3-aaa-auth_prof  -   -
Jun  8 23:45:56  server-finish         <-  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9/p3t3-aaa-auth_prof  -   61
Jun  8 23:45:56  server-finish-ack     ->  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9/p3t3-aaa-auth_prof  -   -
Jun  8 23:45:56  inner-eap-id-req      <-  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9/p3t3-aaa-auth_prof  -   35
Jun  8 23:45:56  inner-eap-id-resp     ->  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9/p3t3-aaa-auth_prof  -   -    wrong
Jun  8 23:45:56  eap-mschap-chlg       <-  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9/p3t3-aaa-auth_prof  -   67
Jun  8 23:45:56  eap-mschap-response   ->  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9/p3t3-aaa-auth_prof  9   49
Jun  8 23:45:56  mschap-request        ->  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9/p3t3-aaa-auth_prof  9   -    wrong
Jun  8 23:45:56  mschap-response       <-  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9/radius01            -   -    wrong
Jun  8 23:45:56  eap-mschap-chlg-retry <-  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9/p3t3-aaa-auth_prof  -   115
Jun  8 23:46:01  eap-mschap-chlg-retry <-  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9/p3t3-aaa-auth_prof  -   115
Jun  8 23:46:06  eap-mschap-chlg-retry <-  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9/p3t3-aaa-auth_prof  -   115
Jun  8 23:46:11  eap-mschap-chlg-retry <-  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9/p3t3-aaa-auth_prof  -   115
Jun  8 23:46:16  eap-mschap-chlg-retry <-  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9/p3t3-aaa-auth_prof  -   115
Jun  8 23:46:21  eap-mschap-chlg-retry <-  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9/p3t3-aaa-auth_prof  -   115
Jun  8 23:46:26  eap-failure           <-  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9/p3t3-aaa-auth_prof  -   4

 

and this for a succesful one

Jun  8 23:46:52  station-down           *  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9                     -   -
Jun  8 23:46:55  station-up             *  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9                     -   -    wpa2 aes
Jun  8 23:46:55  station-term-start     *  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9                     31  -
Jun  8 23:46:55  eap-term-start        ->  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9/p3t3-aaa-auth_prof  -   -
Jun  8 23:46:55  station-term-start     *  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9                     31  -
Jun  8 23:47:03  client-finish         ->  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9/p3t3-aaa-auth_prof  -   -
Jun  8 23:47:03  server-finish         <-  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9/p3t3-aaa-auth_prof  -   61
Jun  8 23:47:03  server-finish-ack     ->  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9/p3t3-aaa-auth_prof  -   -
Jun  8 23:47:03  inner-eap-id-req      <-  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9/p3t3-aaa-auth_prof  -   35
Jun  8 23:47:03  inner-eap-id-resp     ->  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9/p3t3-aaa-auth_prof  -   -    test
Jun  8 23:47:03  eap-mschap-chlg       <-  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9/p3t3-aaa-auth_prof  -   67
Jun  8 23:47:03  eap-mschap-response   ->  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9/p3t3-aaa-auth_prof  9   49
Jun  8 23:47:03  mschap-request        ->  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9/p3t3-aaa-auth_prof  9   -    test
Jun  8 23:47:03  mschap-response       <-  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9/radius01            -   -    test
Jun  8 23:47:03  eap-mschap-success    <-  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9/p3t3-aaa-auth_prof  -   83
Jun  8 23:47:03  eap-mschap-success-ack->  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9/p3t3-aaa-auth_prof  -   -
Jun  8 23:47:03  eap-tlv-rslt-success  <-  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9/p3t3-aaa-auth_prof  -   43
Jun  8 23:47:03  eap-tlv-rslt-success  ->  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9                     -   2
Jun  8 23:47:03  eap-success           <-  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9/p3t3-aaa-auth_prof  -   4
Jun  8 23:47:03  wpa2-key1             <-  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9                     -   117
Jun  8 23:47:03  wpa2-key2             ->  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9                     -   117
Jun  8 23:47:03  wpa2-key3             <-  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9                     -   151
Jun  8 23:47:03  wpa2-key4             ->  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9                     -   95


then with EAP termination off and a wrong one (same wrong one as with eap termination on)

-
Jun  8 23:49:03  station-up             *  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9                     -   -    wpa2 aes
Jun  8 23:49:03  eap-id-req            <-  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9                     1   5
Jun  8 23:49:03  eap-start             ->  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9                     -   -
Jun  8 23:49:03  eap-id-req            <-  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9                     1   5
Jun  8 23:49:08  eap-id-resp           ->  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9                     1   10   wrong
Jun  8 23:49:08  rad-req               ->  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9                     74  198
Jun  8 23:49:08  rad-reject            <-  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9/radius01            74  44
Jun  8 23:49:08  eap-failure           <-  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9                     1   4    server rejected

 

this with a good authentication and eap termination off


Jun  8 23:49:08  station-down           *  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9                     -   -
Jun  8 23:49:10  station-up             *  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9                     -   -    wpa2 aes
Jun  8 23:49:10  eap-id-req            <-  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9                     1   5
Jun  8 23:49:10  eap-start             ->  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9                     -   -
Jun  8 23:49:10  eap-id-req            <-  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9                     1   5
Jun  8 23:49:15  eap-id-req            <-  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9                     1   5
Jun  8 23:49:20  eap-id-req            <-  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9                     2   5
Jun  8 23:49:25  eap-id-req            <-  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9                     2   5

and with a correct one

Jun  8 23:50:18  station-down           *  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9                     -   -
Jun  8 23:52:20  station-up             *  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9                     -   -     wpa2 aes
Jun  8 23:52:20  eap-id-req            <-  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9                     1   5
Jun  8 23:52:20  eap-start             ->  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9                     -   -
Jun  8 23:52:20  eap-id-req            <-  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9                     1   5
Jun  8 23:52:25  eap-id-resp           ->  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9                     1   9     test
Jun  8 23:52:25  rad-req               ->  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9                     76  196
Jun  8 23:52:25  rad-resp              <-  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9/radius01            76  90
Jun  8 23:52:25  eap-req               <-  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9                     2   6
Jun  8 23:52:25  eap-resp              ->  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9                     2   109
Jun  8 23:52:25  rad-req               ->  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9/radius01            77  334
Jun  8 23:52:25  rad-resp              <-  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9/radius01            77  1188
Jun  8 23:52:25  rad-accept            <-  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9/radius01            86  330
Jun  8 23:52:25  eap-success           <-  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9                     12  4
Jun  8 23:52:25  wpa2-key1             <-  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9                     -   117
Jun  8 23:52:25  wpa2-key2             ->  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9                     -   117
Jun  8 23:52:25  wpa2-key3             <-  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9                     -   151
Jun  8 23:52:25  wpa2-key4             ->  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9                     -   95


it seems that with termination the the reject doesnt show so the trap doesnt trigger, is that on purpose or something configured on my side?

Guru Elite
Posts: 21,499
Registered: ‎03-29-2007

Re: wlsx(N)UserAuthenticationFailed not being send

I do not know.

 



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Search Airheads
Showing results for 
Search instead for 
Did you mean: