Wireless Access

last person joined: 20 hours ago 

Access network design for branch, remote, outdoor and campus locations with Aruba access points, and mobility controllers.
Expand all | Collapse all

Server Fail through not failing through

Jump to Best Answer
  • 1.  Server Fail through not failing through

    Posted Oct 08, 2019 10:13 AM

    POC of Server fail through in lab..

     

    AAA Fastconnect / EAP Termination enabled on the MCs.

     

    Created NPS server with bogus rules and receive the failure.

     

    Logs show the failure from the MC but it never makes the next step on moving it to Clearpass..no access trackers logs. 

     

    If I move Clearpass to the top of the list in the Server group authentication happens successfully.

     

    Any gotchas I'm not aware about when configuring Fail-Through other than EAP-Termination? 



  • 2.  RE: Server Fail through not failing through

    Posted Oct 08, 2019 10:17 AM

    MC logs

     

    Oct 8 06:02:37 authmgr[5595]: <124003> <5595> <INFO> |authmgr| Authentication result=Authentication failed(1), method=802.1x, server=fail, user=e8:4e:06:6d:a7:c7
    Oct 8 06:02:37 authmgr[5595]: <124004> <5595> <DBUG> |authmgr| In aal_authenticate
    Oct 8 06:02:37 authmgr[5595]: <124004> <5595> <DBUG> |authmgr| Select server for method=802.1x, user=hrtest, essid=ACMX-dot1x, server-group=ACMX-8021x, last_srv <>
    Oct 8 06:02:37 authmgr[5595]: <124004> <5595> <DBUG> |authmgr| aal_authenticate (1250)(INC) : os_reqs 1, s fail type 2 inservice 1 markedD 0
    Oct 8 06:02:37 authmgr[5595]: <124004> <5595> <DBUG> |authmgr| aal_authenticate (1260)(INC) : os_auths 1, s fail type 2 inservice 1 markedD 0 sg_name ACMX-8021x
    Oct 8 06:02:37 authmgr[5595]: <124004> <5595> <DBUG> |authmgr| server_cbh (257)(DEC) : os_reqs 0, s fail type 2 inservice 1 markedD 0
    Oct 8 06:02:37 authmgr[5595]: <124004> <5595> <DBUG> |authmgr| server_cbh (638)(DEC) : os_auths 0, s fail type 2 inservice 1 markedD 0 sg_name ACMX-8021x
    Oct 8 06:02:37 authmgr[5595]: <124004> <5595> <DBUG> |authmgr| unknown user=0.0.0.0, method=802.1x
    Oct 8 06:02:37 authmgr[5595]: <124038> <5595> <INFO> |authmgr| Reused server fail for method=802.1x; user=hrtest, essid=ACMX-dot1x, domain=<>, server-group=ACMX-8021x
    Oct 8 06:02:37 authmgr[5595]: <124097> <5595> <DBUG> |authmgr| Setting authserver 'fail' for user 0.0.0.0, client 802.1x.
    Oct 8 06:02:37 authmgr[5595]: <124546> <5595> <DBUG> |authmgr| aal_authenticate user:hrtest vpnflags:0.
    Oct 8 06:02:37 authmgr[5595]: <124547> <5595> <DBUG> |authmgr| aal_authenticate server_group:default.
    Oct 8 06:02:37 authmgr[5595]: <124607> <5595> <DBUG> |authmgr| server_cbh(): response=1 from Auth server 'fail for client:4 proto:4 eap-type:0'.
    Oct 8 06:02:37 authmgr[5595]: <124612> <5595> <DBUG> |authmgr| AuthSurv_onAuthFailed(authsurv:0): Entered, proto:4 eap-type:0x0 for username:'hrtest' auth-server:'fail' server-group:'ACMX-8021x' AnyRadLdapInOOS:'DontCare'.
    Oct 8 06:02:44 authmgr[5595]: <121031> <5595> <DBUG> |authmgr| |aaa| [rc_sequence.c:117] seq_num_timeout_handler: Freed 0 entries



  • 3.  RE: Server Fail through not failing through

    Posted Oct 08, 2019 10:20 AM

    Looking at my own logs...

     

    server-group=ACMX-8021x, last_srv <>

     

    I'm going to create a new server group for testing.  "last_srv" makes it sound like its not going through the list



  • 4.  RE: Server Fail through not failing through
    Best Answer

    Posted Oct 08, 2019 10:28 AM

    Yep making a new server group fixed it..can I give myself kudos? :D

     

    Oct 8 06:11:47 authmgr[5595]: <124004> <5595> <DBUG> |authmgr| server_cbh (957)(INC) : os_reqs 1, s Clearpass type 2 inservice 1 markedD 0
    Oct 8 06:11:47 authmgr[5595]: <124004> <5595> <DBUG> |authmgr| sta_add_l3: mac e8:4e:06:6d:a7:c7 ip 10.60.10.205
    Oct 8 06:11:47 authmgr[5595]: <124004> <5595> <DBUG> |authmgr| unknown user=0.0.0.0, method=802.1x
    Oct 8 06:11:47 authmgr[5595]: <124004> <5595> <DBUG> |authmgr| user_download: User 10.60.10.205 Router Acl(0)
    Oct 8 06:11:47 authmgr[5595]: <124004> <5595> <DBUG> |authmgr| user_download: User N/A Router Acl(0)
    Oct 8 06:11:47 authmgr[5595]: <124038> <5595> <INFO> |authmgr| Selected server Clearpass for method=802.1x; user=hrtest, essid=ACMX-dot1x, domain=<>, server-group=AAA-FAIL-THROUGH
    Oct 8 06:11:47 authmgr[5595]: <124038> <5595> <INFO> |authmgr| Selected server fail for method=802.1x; user=hrtest, essid=ACMX-dot1x, domain=<>, server-group=AAA-FAIL-THROUGH
    Oct 8 06:11:47 authmgr[5595]: <124097> <5595> <DBUG> |authmgr| Setting authserver 'Clearpass' for user 0.0.0.0, client 802.1x.
    Oct 8 06:11:47 authmgr[5595]: <124105> <5595> <DBUG> |authmgr| MM: mac=e8:4e:06:6d:a7:c7, state=1, name=hrtest, role=authenticated, dev_type=Win 10, ip=10.60.10.205, new_rec=1.