Hello all, I am a newbie with Aruba and am seeking help in this forum.
First of all, I've got a pair of controllers (master/local) with a Symantec NAC LAN Enforcer connection.
However, when I try to connect to the wireless network, a RADIUS packet drop log message can be seen in the controller's log.
*Dropping the radius packet for Station 74:e5:0b:xx:xx:xx xx:xx:xx:xx:xx:xx doing 802.1x*
Can anyone help me a bit on it?
You need to enable debugging for that client:
logging level debug user-debug <mac address of client>
Then you need to type:
show log user-debug all
..to see the detail.
Thank you for your kind reply.
I found the log message as below:
(CSTWCMS01) (config) #show log user-debug all
Jan 31 14:58:28 :501095: <NOTI> |stm| Assoc request @ 14:58:28.228745: 20:68:9d:3b:f5:3a (SN 3927): AP 10.242.182.102-24:de:c6:81:ec:b0-CSTAPOS02
Jan 31 14:58:28 :501100: <NOTI> |stm| Assoc success @ 14:58:28.235012: 20:68:9d:3b:f5:3a: AP 10.242.182.102-24:de:c6:81:ec:b0-CSTAPOS02
Jan 31 14:58:28 :501065: <DBUG> |stm| Sending STA 20:68:9d:3b:f5:3a message to Auth and Mobility Unicast Encr WPA2 8021X AES Multicast Encr WPA2 8021X AES VLAN 0x1e, wmm:1, rsn_cap:28
Jan 31 14:58:28 :522035: <INFO> |authmgr| MAC=20:68:9d:3b:f5:3a Station UP: BSSID=24:de:c6:81:ec:b0 ESSID=CSTY5X VLAN=30 AP-name=CSTAPOS02
Jan 30 22:50:28 :500511: <DBUG> |mobileip| Station 20:68:9d:3b:f5:3a, 0.0.0.0: Received association on ESSID: CSTY5X Mobility service ON, HA Discovery on Association Off, Fastroaming Disabled, AP: Name CSTAPOS02 Group VAP_1 BSSID 24:de:c6:81:ec:b0, phy g, VLAN 30
Jan 31 14:58:28 :500010: <NOTI> |mobileip| Station 20:68:9d:3b:f5:3a, 0.0.0.0: Mobility trail, on switch 10.242.182.3, VLAN 30, AP CSTAPOS02, CSTY5X/24:de:c6:81:ec:b0/g
Would you please kindly have a look at it?
Many thanks
Simon
There is nothing in those logs out of the ordinary. Did that specific client have a problem at that time?
Yes, the user cannot gain access to the wireless network.
Let me describe the connection flow:
1. Client attempts to gain access through Aruba
2. Aruba contacts Symantec LAN Enforcer (SNAC), PEAP
3. Client device with agent (assign VLAN A)
4. Agentless (assign VLAN B)
There are quite a few other things in play here. I do not know specifically about the interaction with Symantec NAC enforcer. I am sure there is much more to this.
Maybe someone else on the list can help or you should open a support case. Your first log looks like your client did not get an ip address.
Thank you for your advice. By the way, based on the result of "show aaa authentication-server radius statistics", does that mean the 1st and 2nd RADIUS servers are unreachable?
It could mean that the servers were never used or never responded.