Security

last person joined: 19 hours ago 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

MDAC Issues - Failed association

Jump to Best Answer
  • 1.  MDAC Issues - Failed association

    Posted Nov 30, 2011 12:11 PM

    Im in the process of setting up a mobile provisioning profile for IOS devices that pushes users to a Aurba BYOD SSID performing EAP-TLS termination. The mobile profile downloads to the client fine but when the client connects to the BYOD ssid it fails to connect. I get the following message in the error logs and auth trace  buffer

     

    Nov 30 16:00:16 <localdb 133019> <ERRS> |localdb| User a4:67:06:2a:ab:71 was not found in the database
    Nov 30 16:00:16 <localdb 133006> <ERRS> |localdb| User a4:67:06:2a:ab:71 Failed Authentication
    Nov 30 16:02:34 <localdb 133019> <ERRS> |localdb| User a4:67:06:2a:ab:71 was not found in the database
    Nov 30 16:02:34 <localdb 133006> <ERRS> |localdb| User a4:67:06:2a:ab:71 Failed Authentication
    Nov 30 16:04:34 <localdb 133019> <ERRS> |localdb| User a4:67:06:2a:ab:71 was not found in the database
    Nov 30 16:04:34 <localdb 133006> <ERRS> |localdb| User a4:67:06:2a:ab:71 Failed Authentication
    Nov 30 16:09:26 <authmgr 132152> <ERRS> |authmgr| 802.1x termination is disabled user a4:67:06:2a:ab:71, profile default-psk

    (LGWCAAAWMC02) #
    (LGWCAAAWMC02) #
    (LGWCAAAWMC02) #
    (LGWCAAAWMC02) #show auth-tracebuf ?
    count Show last count number of packets
    failures Show only failures
    mac Filter on a specific STA or AP
    | Output Modifiers
    <cr>

    (LGWCAAAWMC02) #show auth-tracebuf failures

    Auth Trace Buffer
    -----------------


    Nov 30 16:00:16 m-auth resp * a4:67:06:2a:ab:71 d8:c7:c8:12:a2:49 - - failed
    Nov 30 16:02:34 m-auth resp * a4:67:06:2a:ab:71 d8:c7:c8:12:a2:49 - - failed
    Nov 30 16:04:33 m-auth resp * a4:67:06:2a:ab:71 d8:c7:c8:12:9f:c9 - - fail



  • 2.  RE: MDAC Issues - Failed association

    Posted Nov 30, 2011 12:29 PM

    It looks like termination on the SSID is disabled (under the dot1x profile).  It also looks like MAC authentication is enabled (under the AAA profile) and the controller is looking for the MAC address in the internal db.   Can you check those two things?



  • 3.  RE: MDAC Issues - Failed association

    Posted Nov 30, 2011 12:37 PM

    Hi Olino,

     

    thats what i initially thought as it looked like a machine cache error but EAP termination is enabled on the dot.1x profile and is pointing to the root CA and server certificate uploaded from the Amigopod. I can also confirm that mac auth is disabled on the AAA profile.



  • 4.  RE: MDAC Issues - Failed association

    Posted Nov 30, 2011 12:49 PM

    Please do "show ap bss-table | include d8:c7:c8:12:a2:49" to verify that you are trying to connect to the correct SSID.  That bssid is from the failed auth-tracebuf command below.



  • 5.  RE: MDAC Issues - Failed association

    Posted Dec 02, 2011 04:52 AM

    The iPad is connecting to the BYOD SSID and sucessfully authenticating it's EAP certificate, however, it's then sending a machine authentication request that is failing on the controller, you can see this authentication trail on the auth-trace buffer. Machine authentication is disabled on the 802.1x profile. Any help would be greatly appreciated



  • 6.  RE: MDAC Issues - Failed association

    Posted Dec 02, 2011 04:58 AM

    Please open a support case in parallel to this.  Those messages are usually in response to mac authentication, OR enforce machine authentication being enabled.

     



  • 7.  RE: MDAC Issues - Failed association

    Posted Dec 02, 2011 05:10 AM

    TAC case is already opened I was just trying to get a headstart on this while I waited for the escalation engineer. I've just rechecked my config and can confirm machine auth is disabled on the accompanying 802.1x profile.


    @cjoseph wrote:

    Please open a support case in parallel to this.  Those messages are usually in response to mac authentication, OR enforce machine authentication being enabled.

     


     



  • 8.  RE: MDAC Issues - Failed association

    Posted Dec 02, 2011 05:21 AM

    The parameter that needs to be unchecke is "Enforce Machine Authentication" in the 802.1x profile.



  • 9.  RE: MDAC Issues - Failed association

    Posted Dec 02, 2011 05:34 AM

    This option is unchecked



  • 10.  RE: MDAC Issues - Failed association
    Best Answer

    Posted Dec 02, 2011 05:53 AM

    The auth-tracebuf says that it is failing machine authentication.

     

    I would type "show station-table" to find out what AAA profile it is attempting to connect to.  Then I would type "show aaa profile <name>" to  make sure that there is no mac authentication profile, OR mac authentication server group in it.  From that output I would get the 802.1x profile and type "show aaa authentication dot1x <name of that profile>" to make sure that enforce machine authentication is not checked and "Check certificate Common name" are not enabled.

     

    You could be looking at the wrong AAA profile.

     

    Remember, in this forum we do not have all the info we need to figure out everything due to privacy issues, so we are just guessing based on the information presented.

     



  • 11.  RE: MDAC Issues - Failed association

    Posted Aug 24, 2019 02:00 AM

    The first time you run the MDAC Component Checker, allow it to determine the version of MDAC on the machine. It will either report a single version of MDAC, a mixture of MDAC versions, or it will be unable to determine the version on the computer.