Wireless Access


Access network design for branch, remote, outdoor and campus locations with Aruba access points, and mobility controllers.

Windows 7/10 AD Joined issues

  • 1.  Windows 7/10 AD Joined issues

    Posted May 22, 2019 02:58 PM

    Ever since migrating to 8.x code from 6.x we have received a handful of reports of issues with our AD-managed wireless laptops.

     

    One of the issues we are seeing is when a user with cached credentials logs into a wireless machine, they see the message "Unable to Connect to Network, logging on".  Our AD machines are configured to machine auth using the AD Computer object.  I confirmed that when the machine is at the control-alt-delete screen, it has a valid role and IP address. I started a ping to the machine's IP from my desktop and proceeded to log in with my AD credentials.  After doing so, the machine drops a few pings, displays the "unable to connect" message and continues to log in with cached credentials, then the machine starts pinging again.

     

    Also once a user is logged into the machine, they get the message they were logged on using previously stored credentials and their mapped drives have red Xs.  However, you can just click on them and they connect.

     

    If a user without cached credentials tries to log in they get the "no logon servers" message, even though the machine is machine-authed with a valid IP and role.

     

    I have compared all of the settings for this VAP and AAA profile between the old and new controller environment and they are identical.  I also opened a TAC case but they were unable to find any issues with the config.  If I bring up an AP on our old controllers the issue goes away when connected to that AP.

     

    We use NPS for our AD joined machines and are running 8.4.0.1 with 7240XMs for the MDs.

     

    Anyone else seen this issue?

     

     




  • 2.  RE: Windows 7/10 AD Joined issues

    Posted May 22, 2019 02:59 PM

    Are you doing machine authentication?  Are you changing roles or VLANs depending on user or machine authentication?



  • 3.  RE: Windows 7/10 AD Joined issues

    Posted May 22, 2019 03:30 PM

    cjoseph,

     

    Yes we are doing machine auth and no the roles are the same between the machine auth and user auth.



  • 4.  RE: Windows 7/10 AD Joined issues

    Posted May 22, 2019 04:08 PM

    What about the VLANs?  Can you ping a user's device before the user logs in at the ctrl-alt-delete screen?

     

    Try "show ap client trail-info <mac address of client>" to see if the VLAN is changing.



  • 5.  RE: Windows 7/10 AD Joined issues

    Posted May 22, 2019 04:31 PM

    Yes, I can ping the device before the user logs in and the VLAN stays the same after they log in; it just drops a few pings after they click sign in.  When it drops pings it appears to disassociate and reassociate.  As soon as I see it stop pinging, the "Unable to connect to Network, logging on" message appears.

     

    If there are cached credentials it will continue.  If not, it won't let the user log in. 



  • 6.  RE: Windows 7/10 AD Joined issues

    Posted May 22, 2019 04:38 PM

    What are the ACLs on the machine-authenticated role?  (show rights <role>).



  • 7.  RE: Windows 7/10 AD Joined issues

    Posted May 22, 2019 05:03 PM

     

    Valid = 'Yes'
    CleanedUp = 'No'
    Derived Role = 'FacStaff-NAP'
    Up BW:No Limit Down BW:No Limit
    L2TP Pool = default-l2tp-pool
    PPTP Pool = default-pptp-pool
    Number of users referencing it = 512
    Assigned VLAN = gcn_pool
    Periodic reauthentication: Disabled
    DPI Classification: Enabled
    Youtube education: Disabled
    Web Content Classification: Enabled
    IP-Classification Enforcement: Enabled
    ACL Number = 111/0
    Openflow: Enabled
    Max Sessions = 65535

    Check CP Profile for Accounting = TRUE

    Application Exception List
    --------------------------
    Name Type
    ---- ----

    Application BW-Contract List
    ----------------------------
    Name Type BW Contract Id Direction
    ---- ---- ----------- -- ---------

    access-list List
    ----------------
    Position Name Type Location
    -------- ---- ---- --------
    1 global-sacl session
    2 apprf-facstaff-nap-sacl session
    3 allowdhcp-denydhcpserver session
    4 deny-controller session
    5 allowall session

    global-sacl
    -----------
    Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan IPv4/6 Contract
    -------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------ --------
    apprf-facstaff-nap-sacl
    -----------------------
    Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan IPv4/6 Contract
    -------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------ --------
    allowdhcp-denydhcpserver
    ------------------------
    Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan IPv4/6 Contract
    -------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------ --------
    1 user any udp 68 deny Low 4
    2 any any svc-dhcp permit Low 4
    deny-controller
    ---------------
    Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan IPv4/6 Contract
    -------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------ --------
    1 any public-controller-ip any deny Low 4
    allowall
    --------
    Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan IPv4/6 Contract
    -------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------ --------
    1 any any any permit Low 4
    2 any any any-v6 permit Low 6

    Expired Policies (due to time constraints) = 0
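    As an added example that is not part of this thread: a small Python script that walks the role's ACL chain from the show rights output above (policies in list order, first matching rule wins, implicit deny at the end) and reports whether the client-to-DC flows a Windows domain logon needs are permitted by this role. The abridged ACL text and the flow list are constructed from the post; the "dc" destination name is an assumption.

```python
import re
# 'show rights' access-list section from the post above, cut down to the list rows and rule rows.
SHOW_RIGHTS = """\
3 allowdhcp-denydhcpserver session
4 deny-controller session
5 allowall session
allowdhcp-denydhcpserver
1 user any udp 68 deny Low 4
2 any any svc-dhcp permit Low 4
deny-controller
1 any public-controller-ip any deny Low 4
allowall
1 any any any permit Low 4
2 any any any-v6 permit Low 6
"""
# Client-to-DC flows a domain logon needs (constructed list; IPv4, destination port).
LOGON_FLOWS = {"DNS": ("udp", 53), "Kerberos": ("tcp", 88), "LDAP": ("tcp", 389),
               "RPC": ("tcp", 135), "SMB": ("tcp", 445), "DHCP": ("udp", 67)}
def parse_rights(text):
    """Ordered [(policy, [(src, dst, service, action), ...])]; list rows give the order."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    order = [l.split()[1] for l in lines if l[0].isdigit() and l.endswith(" session")]
    rules, current = {n: [] for n in order}, None
    for line in lines:
        if line in rules:
            current = line                       # policy section header
        elif current and line[0].isdigit():      # rule row inside that policy
            tok = line.split()
            act = next(i for i, t in enumerate(tok) if t in ("permit", "deny"))
            rules[current].append((tok[1], tok[2], " ".join(tok[3:act]), tok[act]))
    return [(n, rules[n]) for n in order]

def service_matches(service, proto, port):
    if service == "any-v6":                      # IPv6 only; these flows are IPv4
        return False
    if service == "svc-dhcp":
        return proto == "udp" and port in (67, 68)
    m = re.fullmatch(r"(tcp|udp) (\d+)", service)  # "udp 68" = UDP to destination port 68
    return service == "any" or (bool(m) and (m[1], int(m[2])) == (proto, port))

def evaluate(policies, proto, port, dst="dc"):
    """First matching rule wins for a client-sourced flow ('user' = the client); implicit deny."""
    for _, rules in policies:
        for src, rdst, service, action in rules:
            if src in ("any", "user") and rdst in ("any", dst) and service_matches(service, proto, port):
                return action
    return "deny"

def check_logon(text=SHOW_RIGHTS):
    return {n: evaluate(parse_rights(text), p, port) for n, (p, port) in LOGON_FLOWS.items()}
```

    With the role above every logon flow comes back "permit" from the allowall policy, which supports the thread's conclusion that the ACLs are not what blocks the logon; rerun it against a stricter role's output to spot the flow that is.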

     

     



  • 8.  RE: Windows 7/10 AD Joined issues

    Posted May 22, 2019 05:08 PM

    We would then move to look at the AAA and the 802.1x profiles to see if there is anything non-default.



  • 9.  RE: Windows 7/10 AD Joined issues

    Posted May 22, 2019 05:09 PM

    Assigned VLAN = gcn_pool

     

     

    Wait.  I would remove the VLAN pool from the user role.  You should assign the VLAN pool to the Virtual AP.



  • 10.  RE: Windows 7/10 AD Joined issues

    Posted May 23, 2019 08:03 AM

    AAA Profile "UNCG-GCN-FacStaff"
    -------------------------------
    Parameter Value
    --------- -----
    Initial role DropALL
    MAC Authentication Profile N/A
    MAC Authentication Default Role guest
    MAC Authentication Server Group default
    802.1X Authentication Profile UNCG-GCN-FacStaff
    802.1X Authentication Default Role DropALL
    802.1X Authentication Server Group nps
    Download Role from CPPM Disabled
    Set username from dhcp option 12 Disabled
    L2 Authentication Fail Through Disabled
    Multiple Server Accounting Disabled
    User idle timeout N/A
    Max IPv4 for wireless user 2
    RADIUS Accounting Server Group nps
    RADIUS Roaming Accounting Disabled
    RADIUS Interim Accounting Disabled
    RADIUS Acct-Session-Id In Access-Request Disabled
    XML API server N/A
    RFC 3576 server N/A
    User derivation rules N/A
    Wired to Wireless Roaming Disabled
    Reauthenticate wired user on VLAN change Disabled
    Device Type Classification Enabled
    Enforce DHCP Disabled
    PAN Firewall Integration Disabled
    Open SSID radius accounting Disabled
    Apply ageout mechanism on bridge mode wireless clients Disabled

     

    802.1X Authentication Profile "UNCG-GCN-FacStaff"
    -------------------------------------------------
    Parameter Value
    --------- -----
    Max authentication failures 0
    Enforce Machine Authentication Disabled
    Machine Authentication: Default Machine Role guest
    Machine Authentication Cache Timeout 24 hr(s)
    Blacklist on Machine Authentication Failure Disabled
    Machine Authentication: Default User Role FacStaff-NONAP
    Interval between Identity Requests 5 sec
    Quiet Period after Failed Authentication 30 sec
    Reauthentication Interval 3600 sec
    Use Server provided Reauthentication Interval Disabled
    Use the termination-action attribute from the Server Disabled
    Multicast Key Rotation Time Interval 1800 sec
    Unicast Key Rotation Time Interval 900 sec
    Authentication Server Retry Interval 5 sec
    Authentication Server Retry Count 3
    Framed MTU 1100 bytes
    Max number of requests sent during an Auth attempt 5
    Max Number of Reauthentication Attempts 3
    Maximum number of times Held State can be bypassed 0
    Dynamic WEP Key Message Retry Count 1
    Dynamic WEP Key Size 128 bits
    Interval between WPA/WPA2/WPA3 Key Messages 1500 msec
    Delay between EAP-Success and WPA2/WPA3 Unicast Key Exchange 170 msec
    Delay between WPA/WPA2/WPA3 Unicast Key and Group Key Exchange 0 msec
    Time interval after which the PMKSA will be deleted 8 hr(s)
    Delete Keycache upon user deletion Disabled
    WPA/WPA2/WPA3 Key Message Retry Count 1
    Multicast Key Rotation Disabled
    Unicast Key Rotation Disabled
    Reauthentication Enabled
    Opportunistic Key Caching Enabled
    Validate PMKID Disabled
    Use Session Key Disabled
    Use Static Key Disabled
    xSec MTU 1300 bytes
    Termination Disabled
    Termination EAP-Type N/A
    Termination Inner EAP-Type N/A
    Enforce Suite-B 128 bit or more security level Authentication Disabled
    Enforce Suite-B 192 bit security level Authentication Disabled
    Token Caching Disabled
    Token Caching Period 24 hr(s)
    CA-Certificate N/A
    Server-Certificate default
    TLS Guest Access Disabled
    TLS Guest Role guest
    Ignore EAPOL-START after authentication Disabled
    Handle EAPOL-Logoff Disabled
    Ignore EAP ID during negotiation. Disabled
    WPA-Fast-Handover Disabled
    Check certificate common name against AAA server Enabled

     

     




  • 11.  RE: Windows 7/10 AD Joined issues

    Posted Jun 11, 2019 08:21 AM

    @cjoseph

    I tried removing the VLAN pool from the user role and letting the VAP assign the VLAN pool and that did not make a difference in the behavior.

     

    One thing to note, this is a Hidden SSID.  Not sure if that makes a difference.



  • 12.  RE: Windows 7/10 AD Joined issues

    Posted Jun 11, 2019 09:28 AM

    A hidden SSID should not make a difference if it worked before.

     

    I would:

     

    - Have the computer sit at the ctrl-alt-delete screen and ensure it passed machine authentication

    - Type "show datapath session table <ip address of laptop>" every few seconds to ensure that no traffic is being blocked or treated incorrectly.

    - Login to the laptop and run the same command above to see what the laptop is attempting to do while you are logging in.

     

    Alternatively, I would start a device pcap on the controller and analyze the flow of traffic in wireshark to see during bootup and login what could be happening:

    https://community.arubanetworks.com/t5/Controller-Based-WLANs/HOW-TO-DO-DATAPATH-PACKET-CAPTURE-FOR-WIRELESS-CLIENT-FROM/ta-p/179940

     



  • 13.  RE: Windows 7/10 AD Joined issues

    Posted Jun 12, 2019 09:35 AM

    I had a session yesterday with Aruba ERT about this issue.  He took captures and looked at the show datapath session, auth tracebuf and a number of other things.  He's going to look those over and get back with me.