Wireless Access

last person joined: 3 hours ago 

Access network design for branch, remote, outdoor and campus locations with Aruba access points, and mobility controllers.
Expand all | Collapse all

Dropping the radius packet for Station

Jump to Best Answer
This thread has been viewed 2 times
  • 1.  Dropping the radius packet for Station

    Posted Jan 30, 2013 06:38 PM
      |   view attached

    Hello all, I am a newbie in Aruba and seeking for help in this forum 

     

    First of all, I''ve got a pair of controller (master/local) with Symantec NAC Lan Forcer connection

     

    However, when I try to connect to the wireless network, a radius packet drop log message can see in controller's log.

     

    *Dropping the radius packet for Station 74:e5:0b:xx:xx:xx xx:xx:xx:xx:xx:xx doing 802.1x*

     

    Can anyone help me a bit on it?

     

    Thanks,

    Simon

    Attachment(s)

    txt
    Log.txt   10 KB 1 version


  • 2.  RE: Dropping the radius packet for Station
    Best Answer

    Posted Jan 30, 2013 06:57 PM

    You need to enable debugging for that client:

     

    config t
    logging level debug user-debug <mac address of client>

     

     

    Then you need to type:

     

    show log user-debug all

     

     

     

    ..to see the detail.



  • 3.  RE: Dropping the radius packet for Station

    Posted Jan 31, 2013 04:14 AM
      |   view attached

    Thank you for your kind reply

     

    I found the log message as below:

     

    (CSTWCMS01) (config) #show log user-debug all
    Jan 31 14:58:28 :501095:  <NOTI> |stm|  Assoc request @ 14:58:28.228745: 20:68:9d:3b:f5:3a (SN 3927): AP 10.242.182.102-24:de:c6:81:ec:b0-CSTAPOS02
    Jan 31 14:58:28 :501100:  <NOTI> |stm|  Assoc success @ 14:58:28.235012: 20:68:9d:3b:f5:3a: AP 10.242.182.102-24:de:c6:81:ec:b0-CSTAPOS02
    Jan 31 14:58:28 :501065:  <DBUG> |stm|  Sending STA 20:68:9d:3b:f5:3a message to Auth and Mobility Unicast Encr WPA2 8021X AES Multicast Encr WPA2 8021X AES VLAN 0x1e, wmm:1, rsn_cap:28
    Jan 31 14:58:28 :522035:  <INFO> |authmgr|  MAC=20:68:9d:3b:f5:3a Station UP: BSSID=24:de:c6:81:ec:b0 ESSID=CSTY5X VLAN=30 AP-name=CSTAPOS02
    Jan 30 22:50:28 :500511:  <DBUG> |mobileip|  Station 20:68:9d:3b:f5:3a, 0.0.0.0: Received association on ESSID: CSTY5X Mobility service ON, HA Discovery on Association Off, Fastroaming Disabled, AP: Name CSTAPOS02 Group VAP_1 BSSID 24:de:c6:81:ec:b0, phy g, VLAN 30
    Jan 31 14:58:28 :500010:  <NOTI> |mobileip|  Station 20:68:9d:3b:f5:3a, 0.0.0.0: Mobility trail, on switch 10.242.182.3, VLAN 30, AP CSTAPOS02, CSTY5X/24:de:c6:81:ec:b0/g

    Would you please kindly have a look on it ?

    Many thanks
    Simon

    Attachment(s)

    txt
    user-debug.txt   186 KB 1 version


  • 4.  RE: Dropping the radius packet for Station

    Posted Jan 31, 2013 05:17 AM

    There is nothing in those logs out of the ordinary.  Did that specific client have a problem at that time?  

     



  • 5.  RE: Dropping the radius packet for Station

    Posted Jan 31, 2013 06:01 AM

    Yes, user cannot gain access to wireless network.

     

    Let me describe the connection flow:

     

    1. Client attempt to gain access through Aruba

    2. Aruba contact Symantec lan enforcer (SNAC), PEAP

    3. Client device with agent (assign VLAN A)

    4. Agentless (assign VLAN B)

     

    Attachment(s)



  • 6.  RE: Dropping the radius packet for Station

    Posted Jan 31, 2013 06:06 AM

    There are quite a few other things in play here.  I do not know specifically about the interaction with Symantec NAC enforcer.  I am sure there is much more to this.

     

    Maybe someone else on the list can help or you should open a support case.  Your first log looks like your client did not get an ip address.

     



  • 7.  RE: Dropping the radius packet for Station

    Posted Jan 31, 2013 06:23 AM

    Thank you for your advise. By the way, base on result of " show aaa authentication-server radius statistics", is that mean the 1st and 2nd radius server are unreachable?



  • 8.  RE: Dropping the radius packet for Station

    Posted Jan 31, 2013 06:33 AM

    It could mean that the servers were never used or never responded.