Authentication is OK when I try from the controller to IAS server, but client can not get authentication on their laptops
can somebody help
Are you doing Captive Portal or WPA2-AES? Did you look in the IAS Eventviewer under "System" to see the failures?
I'm doing WPA2-AES, i can not see any error on IAS event viewer logs
can you check the attached show auth-tracebuf output maybe you can get something
sorry i'm using wpa-tkip
Your using "Termination" and you should uncheck it by going to:
configuration> security> authentication>l2 Authentication> 802.1x profiles. Find the 802.1x profile that corresponds to your WLAN and make sure that "Termination" is unchecked.
it is ticked already and when i trying to connect i got small log in window keep asking me for username and password then error massage for either username or password error
in case if i un-ticked it, i'll not get this login small window and i could not connect, it keep showing me (trying to connecting)
how i can know whether my IAS server has a certificate or not.
Your IAS server needs to have a certificate and that would be in the remote access policy under Edit Profile> Authentication> EAP Methods> Edit PEAP.
If you don't have a certificate or cannot obtain one, leave Termination Checked, but on your client wireless definition, uncheck "Validate Server Certificate"
i was doing 2nd scenario
Termination is Checked and in client wireless definition the "Validate Server Certificate" is unchecked by applying GPO
but I lost authentication
from the auth-tracebuf, it looks like you are doing "machine authentication", which does not work with termination enabled. You would need to put a certificate on the radius server and uncheck termination for that to work.
i'm kind of lost, i could not do the CA on the IAS server 2008,
i lost guest captive porter window for the Guest SSID as well
can you tell me how i can rollback and remove "machine authentication"
i wonna do termination with domain credential only
Okay. If you cannot do the CA on Windows 2008, leave termination on.
In your auth-tracebuf, I see your computer trying to authenticate with host/VDLSIT01046.veti.ac.ae which means it is using the computer credentials, NOT the user credentials to login. Machine credentials or machine authentication does not work with termination. If you are using group policy to configure that client, make sure in the group policy under the IEEE 802.1x tab, the authentication mode is "user authentication'", otherwise it will not work.
it was authentecate as "user or computer authentecation " howaver when i changed it to user only i got no authentecation as well,
after restarting the controller i got the below output, is that mean no authentecate requests ? or what?
(VEDC-Wireless-Controller) #show auth-tracebuf
Warning: user-debug is enabled on one or more specific MAC addresses;
only those MAC addresses appear in the trace buffer.
Auth Trace Buffer -----------------
What you need to do is add the mac address of that client to the user-debug. The command only shows mac addresses that have been added. Add that client like this:
logging level debugging user-debug mac <mac address of client>
It should then show up in the auth-tracebuf
I'm getting the attached output, my username is v90000204
so the authentication in username not computer
any suggestion please
It looks like the radius server is responding with mschap failure. What does the eventviewer on the radius server say?
on the Network Policy and access service on IAS server i got this information, note that i have no problem in my username and password
Network Policy Server denied access to a user.
Contact the Network Policy Server administrator for more information.
Security ID: NULL SID
Account Name: VETI\v90000204
Account Domain: VETI
Fully Qualified Account Name: VETI\v90000204
Account Name: -
Fully Qualified Account Name: -
Called Station Identifier: 000B8661973C
Calling Station Identifier: 00225F399E65
NAS IPv4 Address: 10.25.2.42
NAS IPv6 Address: -
NAS Identifier: 10.25.2.42
NAS Port-Type: Wireless - IEEE 802.11
NAS Port: 0
Client Friendly Name: WLC1
Client IP Address: 10.25.20.4
Connection Request Policy Name: Use Windows authentication for all users
Network Policy Name: -
Authentication Provider: Windows
Authentication Server: VEDC-BC01.veti.ac.ae
Authentication Type: MS-CHAPv2
EAP Type: -
Account Session Identifier: -
Logging Results: Accounting information was written to the local log file.
Reason Code: 16
Reason: Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.
on the windows log system i got this informations
The Network Policy Server service entered the running state.
The Network Policy Server service entered the stopped state.
The Portable Device Enumerator Service service entered the stopped state.
The WinHTTP Web Proxy Auto-Discovery Service service entered the running state.
The Portable Device Enumerator Service service entered the running state.
The Group Policy settings for the user were processed successfully. New settings from 2 Group Policy objects were detected and applied.
User Logon Notification for Customer Experience Improvement Program
The WinHTTP Web Proxy Auto-Discovery Service service entered the stopped state.
on the windows log security i got
Connection Request Policy Name: Veti
Your eventviewer message is lacking critical information needed to figure this out. If you cannot post the eventviewer message in its entirety, you probably should open a support case so that they can look at it. If your fqdn is listed as just "VETI\v90000204" that means it did not find your user in active directory.
Again, you probably changed a few things, but they are critical to figuring this issue out, so you might want to open a support case.
At Aruba, we believe that the most dynamic customer experiences happen at the Edge. Our mission is to deliver innovative solutions that harness data at the Edge to drive powerful business outcomes.
© Copyright 2020 Hewlett Packard Enterprise Development LPAll Rights Reserved.