Security

Im in the process of setting up a mobile provisioning profile for IOS devices that pushes users to a Aurba BYOD SSID performing EAP-TLS termination. The mobile profile downloads to the client fine but when the client connects to the BYOD ssid it fails to connect. I get the following message in the error logs and auth trace  buffer

Nov 30 16:00:16 <localdb 133019> <ERRS> |localdb| User a4:67:06:2a:ab:71 was not found in the database
Nov 30 16:00:16 <localdb 133006> <ERRS> |localdb| User a4:67:06:2a:ab:71 Failed Authentication
Nov 30 16:02:34 <localdb 133019> <ERRS> |localdb| User a4:67:06:2a:ab:71 was not found in the database
Nov 30 16:02:34 <localdb 133006> <ERRS> |localdb| User a4:67:06:2a:ab:71 Failed Authentication
Nov 30 16:04:34 <localdb 133019> <ERRS> |localdb| User a4:67:06:2a:ab:71 was not found in the database
Nov 30 16:04:34 <localdb 133006> <ERRS> |localdb| User a4:67:06:2a:ab:71 Failed Authentication
Nov 30 16:09:26 <authmgr 132152> <ERRS> |authmgr| 802.1x termination is disabled user a4:67:06:2a:ab:71, profile default-psk

(LGWCAAAWMC02) #
(LGWCAAAWMC02) #
(LGWCAAAWMC02) #
(LGWCAAAWMC02) #show auth-tracebuf ?
count Show last count number of packets
failures Show only failures
mac Filter on a specific STA or AP
| Output Modifiers
<cr>

(LGWCAAAWMC02) #show auth-tracebuf failures

Auth Trace Buffer
-----------------

Nov 30 16:00:16 m-auth resp * a4:67:06:2a:ab:71 d8:c7:c8:12:a2:49 - - failed
Nov 30 16:02:34 m-auth resp * a4:67:06:2a:ab:71 d8:c7:c8:12:a2:49 - - failed
Nov 30 16:04:33 m-auth resp * a4:67:06:2a:ab:71 d8:c7:c8:12:9f:c9 - - fail

It looks like termination on the SSID is disabled (under the dot1x profile).  It also looks like MAC authentication is enabled (under the AAA profile) and the controller is looking for the MAC address in the internal db.   Can you check those two things?

Hi Olino,

thats what i initially thought as it looked like a machine cache error but EAP termination is enabled on the dot.1x profile and is pointing to the root CA and server certificate uploaded from the Amigopod. I can also confirm that mac auth is disabled on the AAA profile.

Please do "show ap bss-table | include d8:c7:c8:12:a2:49" to verify that you are trying to connect to the correct SSID.  That bssid is from the failed auth-tracebuf command below.

The iPad is connecting to the BYOD SSID and sucessfully authenticating it's EAP certificate, however, it's then sending a machine authentication request that is failing on the controller, you can see this authentication trail on the auth-trace buffer. Machine authentication is disabled on the 802.1x profile. Any help would be greatly appreciated

Please open a support case in parallel to this.  Those messages are usually in response to mac authentication, OR enforce machine authentication being enabled.

TAC case is already opened I was just trying to get a headstart on this while I waited for the escalation engineer. I've just rechecked my config and can confirm machine auth is disabled on the accompanying 802.1x profile.

---

@cjoseph wrote:

Please open a support case in parallel to this.  Those messages are usually in response to mac authentication, OR enforce machine authentication being enabled.

 

---

The parameter that needs to be unchecke is "Enforce Machine Authentication" in the 802.1x profile.

This option is unchecked

The auth-tracebuf says that it is failing machine authentication.

I would type "show station-table" to find out what AAA profile it is attempting to connect to.  Then I would type "show aaa profile <name>" to  make sure that there is no mac authentication profile, OR mac authentication server group in it.  From that output I would get the 802.1x profile and type "show aaa authentication dot1x <name of that profile>" to make sure that enforce machine authentication is not checked and "Check certificate Common name" are not enabled.

You could be looking at the wrong AAA profile.

Remember, in this forum we do not have all the info we need to figure out everything due to privacy issues, so we are just guessing based on the information presented.

The first time you run the MDAC Component Checker, allow it to determine the version of MDAC on the machine. It will either report a single version of MDAC, a mixture of MDAC versions, or it will be unable to determine the version on the computer.