Wireless Access


Access network design for branch, remote, outdoor and campus locations with Aruba access points, and mobility controllers.

Can't authenticate when the controller is relocated to another building

  • 1.  Can't authenticate when the controller is relocated to another building

    Posted Oct 25, 2012 09:44 AM

    Users can't get 802.1x authentication or an IP address when the controller is relocated to another building (Data Center B) at the same location, but when the controller is in the original building (Data Center A), users can get 802.1x authentication. May I know whether the Aruba controller has any command that can show the activity or log while the user tries to get 802.1x authentication?

    According to my customer, the network VLAN configuration should be the same for both data centers.

    Please advise.



  • 2.  RE: Can't authenticate when the controller is relocated to another building

    Posted Oct 25, 2012 11:05 AM
    Authentication comes from the controller that the access point is connected to. Does the user have both controllers listed as RADIUS clients in your server?

    He should check the event viewer on the RADIUS server. He should also type "show auth-tracebuf" on the command line of the controller having the issue.


  • 3.  RE: Can't authenticate when the controller is relocated to another building

    Posted Oct 25, 2012 12:29 PM

    OK, I will try the "show auth-tracebuf" command.

    The RADIUS server already has a RADIUS client for the controller.

    When the laptop connects to the SSID with 802.1x authentication, the user is stuck at the "Logon- Control" role; it does not go to the "Authenticated" role.



  • 4.  RE: Can't authenticate when the controller is relocated to another building

    Posted Oct 28, 2012 10:13 PM

    Hi, here is the output from "show auth-tracebuf".

    What is the meaning of "m-auth resp"?


    Oct 29 18:02:40 station-up * 00:1f:e1:cf:0f:a4 d8:c7:c8:ec:0b:e8 - - wpa2 aes
    Oct 29 18:02:40 eap-id-req <- 00:1f:e1:cf:0f:a4 d8:c7:c8:ec:0b:e8 1 5
    Oct 29 18:02:41 eap-start -> 00:1f:e1:cf:0f:a4 d8:c7:c8:ec:0b:e8 - -
    Oct 29 18:02:41 eap-id-req <- 00:1f:e1:cf:0f:a4 d8:c7:c8:ec:0b:e8 1 5
    Oct 29 18:02:41 eap-id-resp -> 00:1f:e1:cf:0f:a4 d8:c7:c8:ec:0b:e8 1 10 chtin
    Oct 29 18:02:41 rad-req -> 00:1f:e1:cf:0f:a4 d8:c7:c8:ec:0b:e8 122 184
    Oct 29 18:02:41 rad-resp <- 00:1f:e1:cf:0f:a4 d8:c7:c8:ec:0b:e8/kch-dc02 122 90
    Oct 29 18:02:41 eap-req <- 00:1f:e1:cf:0f:a4 d8:c7:c8:ec:0b:e8 2 6
    Oct 29 18:02:41 eap-resp -> 00:1f:e1:cf:0f:a4 d8:c7:c8:ec:0b:e8 2 112
    Oct 29 18:02:41 rad-req -> 00:1f:e1:cf:0f:a4 d8:c7:c8:ec:0b:e8/kch-dc02 123 324
    Oct 29 18:02:41 rad-resp <- 00:1f:e1:cf:0f:a4 d8:c7:c8:ec:0b:e8/kch-dc02 123 1188
    Oct 29 18:02:41 eap-req <- 00:1f:e1:cf:0f:a4 d8:c7:c8:ec:0b:e8 3 1096
    Oct 29 18:02:41 eap-resp -> 00:1f:e1:cf:0f:a4 d8:c7:c8:ec:0b:e8 3 6
    Oct 29 18:02:41 rad-req -> 00:1f:e1:cf:0f:a4 d8:c7:c8:ec:0b:e8/kch-dc02 124 218
    Oct 29 18:02:41 rad-resp <- 00:1f:e1:cf:0f:a4 d8:c7:c8:ec:0b:e8/kch-dc02 124 1188
    Oct 29 18:02:41 eap-req <- 00:1f:e1:cf:0f:a4 d8:c7:c8:ec:0b:e8 4 1096
    Oct 29 18:02:41 eap-resp -> 00:1f:e1:cf:0f:a4 d8:c7:c8:ec:0b:e8 4 6
    Oct 29 18:02:41 rad-req -> 00:1f:e1:cf:0f:a4 d8:c7:c8:ec:0b:e8/kch-dc02 125 218
    Oct 29 18:02:41 rad-resp <- 00:1f:e1:cf:0f:a4 d8:c7:c8:ec:0b:e8/kch-dc02 125 1188
    Oct 29 18:02:41 eap-req <- 00:1f:e1:cf:0f:a4 d8:c7:c8:ec:0b:e8 5 1096
    Oct 29 18:02:41 eap-resp -> 00:1f:e1:cf:0f:a4 d8:c7:c8:ec:0b:e8 5 6
    Oct 29 18:02:41 rad-req -> 00:1f:e1:cf:0f:a4 d8:c7:c8:ec:0b:e8/kch-dc02 126 218
    Oct 29 18:02:41 rad-resp <- 00:1f:e1:cf:0f:a4 d8:c7:c8:ec:0b:e8/kch-dc02 126 252
    Oct 29 18:02:41 eap-req <- 00:1f:e1:cf:0f:a4 d8:c7:c8:ec:0b:e8 6 168
    Oct 29 18:02:41 eap-resp -> 00:1f:e1:cf:0f:a4 d8:c7:c8:ec:0b:e8 6 348
    Oct 29 18:02:41 rad-req -> 00:1f:e1:cf:0f:a4 d8:c7:c8:ec:0b:e8/kch-dc02 127 562
    Oct 29 18:02:41 rad-resp <- 00:1f:e1:cf:0f:a4 d8:c7:c8:ec:0b:e8/kch-dc02 127 153
    Oct 29 18:02:41 eap-req <- 00:1f:e1:cf:0f:a4 d8:c7:c8:ec:0b:e8 7 69
    Oct 29 18:02:41 eap-resp -> 00:1f:e1:cf:0f:a4 d8:c7:c8:ec:0b:e8 7 6
    Oct 29 18:02:41 rad-req -> 00:1f:e1:cf:0f:a4 d8:c7:c8:ec:0b:e8/kch-dc02 65408 218
    Oct 29 18:02:41 rad-resp <- 00:1f:e1:cf:0f:a4 d8:c7:c8:ec:0b:e8/kch-dc02 65408 127
    Oct 29 18:02:41 eap-req <- 00:1f:e1:cf:0f:a4 d8:c7:c8:ec:0b:e8 8 43
    Oct 29 18:02:41 eap-resp -> 00:1f:e1:cf:0f:a4 d8:c7:c8:ec:0b:e8 8 80
    Oct 29 18:02:41 rad-req -> 00:1f:e1:cf:0f:a4 d8:c7:c8:ec:0b:e8/kch-dc02 65409 292
    Oct 29 18:02:41 rad-resp <- 00:1f:e1:cf:0f:a4 d8:c7:c8:ec:0b:e8/kch-dc02 65409 143
    Oct 29 18:02:41 eap-req <- 00:1f:e1:cf:0f:a4 d8:c7:c8:ec:0b:e8 9 59
    Oct 29 18:02:41 eap-resp -> 00:1f:e1:cf:0f:a4 d8:c7:c8:ec:0b:e8 9 80
    Oct 29 18:02:41 rad-req -> 00:1f:e1:cf:0f:a4 d8:c7:c8:ec:0b:e8/kch-dc02 65410 292
    Oct 29 18:02:41 rad-resp <- 00:1f:e1:cf:0f:a4 d8:c7:c8:ec:0b:e8/kch-dc02 65410 159
    Oct 29 18:02:41 eap-req <- 00:1f:e1:cf:0f:a4 d8:c7:c8:ec:0b:e8 10 75
    Oct 29 18:02:41 eap-resp -> 00:1f:e1:cf:0f:a4 d8:c7:c8:ec:0b:e8 10 144
    Oct 29 18:02:41 rad-req -> 00:1f:e1:cf:0f:a4 d8:c7:c8:ec:0b:e8/kch-dc02 65411 356
    Oct 29 18:02:41 rad-resp <- 00:1f:e1:cf:0f:a4 d8:c7:c8:ec:0b:e8/kch-dc02 65411 175
    Oct 29 18:02:41 eap-req <- 00:1f:e1:cf:0f:a4 d8:c7:c8:ec:0b:e8 11 91
    Oct 29 18:02:41 eap-resp -> 00:1f:e1:cf:0f:a4 d8:c7:c8:ec:0b:e8 11 80
    Oct 29 18:02:41 rad-req -> 00:1f:e1:cf:0f:a4 d8:c7:c8:ec:0b:e8/kch-dc02 65412 292
    Oct 29 18:02:41 rad-resp <- 00:1f:e1:cf:0f:a4 d8:c7:c8:ec:0b:e8/kch-dc02 65412 191
    Oct 29 18:02:41 eap-req <- 00:1f:e1:cf:0f:a4 d8:c7:c8:ec:0b:e8 13 107
    Oct 29 18:02:41 eap-resp -> 00:1f:e1:cf:0f:a4 d8:c7:c8:ec:0b:e8 13 80
    Oct 29 18:02:41 rad-req -> 00:1f:e1:cf:0f:a4 d8:c7:c8:ec:0b:e8/kch-dc02 65413 292
    Oct 29 18:02:41 rad-accept <- 00:1f:e1:cf:0f:a4 d8:c7:c8:ec:0b:e8/kch-dc02 65413 318
    Oct 29 18:02:41 eap-success <- 00:1f:e1:cf:0f:a4 d8:c7:c8:ec:0b:e8 13 4
    Oct 29 18:02:41 station-data-ready * 00:1f:e1:cf:0f:a4 00:00:00:00:00:00 1 -
    Oct 29 18:02:41 m-auth req * 00:1f:e1:cf:0f:a4 d8:c7:c8:ec:0b:e8 - -
    Oct 29 18:02:41 station-data-ready * 00:1f:e1:cf:0f:a4 00:00:00:00:00:00 1 -
    Oct 29 18:02:41 m-auth resp * 00:1f:e1:cf:0f:a4 d8:c7:c8:ec:0b:e8 - - failed
    Oct 29 18:02:41 wpa2-key1 <- 00:1f:e1:cf:0f:a4 d8:c7:c8:ec:0b:e8 - 117
    Oct 29 18:02:42 wpa2-key1 <- 00:1f:e1:cf:0f:a4 d8:c7:c8:ec:0b:e8 - 117
    Oct 29 18:02:42 wpa2-key2 -> 00:1f:e1:cf:0f:a4 d8:c7:c8:ec:0b:e8 - 117
    Oct 29 18:02:42 wpa2-key3 <- 00:1f:e1:cf:0f:a4 d8:c7:c8:ec:0b:e8 - 151
    Oct 29 18:02:42 wpa2-key4 -> 00:1f:e1:cf:0f:a4 d8:c7:c8:ec:0b:e8 - 95



  • 5.  RE: Can't authenticate when the controller is relocated to another building

    Posted Oct 28, 2012 10:17 PM

    That means you have "Enforce Machine Authentication" configured in the 802.1x profile and your machine is not one that passed machine authentication, so it will probably be assigned the machine authentication user role.  That role might be assigned to a VLAN that is not present on the second controller, and that might be your problem.
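
Added example (not part of the original thread, and not Aruba code): a small Python parser that reads `show auth-tracebuf` output and flags the case described in post 5, where the user's 802.1X exchange succeeds but `m-auth resp` reports `failed`. The field layout is inferred from the trace posted in post 4, and `diagnose` and `verdict` are hypothetical helper names.

```python
import re

# Field layout assumed from the trace posted in this thread:
# timestamp, event, direction, station MAC, BSSID[/server], id, len, [note]
LINE = re.compile(
    r"^\w{3}\s+\d+\s+[\d:]{8}\s+(?P<event>.+?)\s+(?:\*|<-|->)\s+"
    r"(?P<sta>[0-9a-f:]{17})\s+[0-9a-f:]{17}(?:/(?P<server>\S+))?"
    r"\s+\S+\s+\S+(?:\s+(?P<note>.*))?$", re.I)

# Excerpt of the trace from post 4.
SAMPLE = """\
Oct 29 18:02:40 station-up * 00:1f:e1:cf:0f:a4 d8:c7:c8:ec:0b:e8 - - wpa2 aes
Oct 29 18:02:41 eap-id-resp -> 00:1f:e1:cf:0f:a4 d8:c7:c8:ec:0b:e8 1 10 chtin
Oct 29 18:02:41 rad-accept <- 00:1f:e1:cf:0f:a4 d8:c7:c8:ec:0b:e8/kch-dc02 65413 318
Oct 29 18:02:41 eap-success <- 00:1f:e1:cf:0f:a4 d8:c7:c8:ec:0b:e8 13 4
Oct 29 18:02:41 m-auth req * 00:1f:e1:cf:0f:a4 d8:c7:c8:ec:0b:e8 - -
Oct 29 18:02:41 m-auth resp * 00:1f:e1:cf:0f:a4 d8:c7:c8:ec:0b:e8 - - failed
Oct 29 18:02:42 wpa2-key4 -> 00:1f:e1:cf:0f:a4 d8:c7:c8:ec:0b:e8 - 95
"""

def diagnose(trace):
    """Return {station MAC: findings}; lines that do not parse are skipped."""
    stations = {}
    for raw in trace.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        s = stations.setdefault(m["sta"].lower(), {
            "user": None, "radius_server": None, "user_dot1x": False,
            "machine_auth": None, "keys_done": False})
        event, note = m["event"], (m["note"] or "").strip()
        if m["server"]:
            s["radius_server"] = m["server"]
        if event == "eap-id-resp" and note:
            s["user"] = note                      # identity sent by the client
        elif event == "eap-success":
            s["user_dot1x"] = True                # RADIUS accepted the user
        elif event == "m-auth resp":
            s["machine_auth"] = note or "no status shown"
        elif event == "wpa2-key4":
            s["keys_done"] = True                 # 4-way handshake finished
    return stations

def verdict(s):
    """One-line reading of a station's findings."""
    if s["user_dot1x"] and s["machine_auth"] == "failed":
        return "user 802.1X ok, machine auth failed: check the role and VLAN this case maps to"
    if not s["user_dot1x"]:
        return "802.1X did not complete: check the RADIUS server log"
    return "802.1X ok, no machine-auth failure recorded"
```

Paste the full controller output into `diagnose()`; a station that shows `user_dot1x` and `keys_done` as true with `machine_auth` set to `failed` is connected and keyed but was not treated as machine-authenticated, which matches the client sitting in a restricted role.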