Wireless Access


Access network design for branch, remote, outdoor and campus locations with Aruba access points, and mobility controllers.

WPA2 Enterprise on IAP

  • 1.  WPA2 Enterprise on IAP

    Posted 13 days ago
    We have configured WPA2 Enterprise on an IAP 325, but users get failed connections.
    Authentication uses an external RADIUS server. The same shared key is already configured on the server.
    How can we check AAA authentication and create the best configuration for the IAP?

    ------------------------------
    Idham Khaidir
    ------------------------------


  • 2.  RE: WPA2 Enterprise on IAP

    Posted 13 days ago
    Hi,

    Do you have access to the Radius Server to check its configuration? Is the Radius server sending a reject?
    What is the output of show auth-tracebuf mac <MAC OF DEVICE>?

    ------------------------------
    Ayman Mukaddam
    ------------------------------



  • 3.  RE: WPA2 Enterprise on IAP

    Posted 13 days ago
    Hi Ayman,

    Please find the output below:

    00:4e:35:ca:2b:e8# sh ap debug auth-trace-buf

    Auth Trace Buffer
    -----------------


    Jan 1 01:11:16 rad-resp <- c8:21:58:9e:0a:93 00:4e:35:22:be:90/dhcp-svr 17 -
    Jan 1 01:11:16 eap-req <- c8:21:58:9e:0a:93 00:4e:35:22:be:90 3 6
    Jan 1 01:11:16 eap-resp -> c8:21:58:9e:0a:93 00:4e:35:22:be:90 3 166
    Jan 1 01:11:16 rad-req -> c8:21:58:9e:0a:93 00:4e:35:22:be:90/dhcp-svr 18 387
    Jan 1 01:11:16 rad-resp <- c8:21:58:9e:0a:93 00:4e:35:22:be:90/dhcp-svr 18 -
    Jan 1 01:11:16 eap-req <- c8:21:58:9e:0a:93 00:4e:35:22:be:90 4 1096
    Jan 1 01:11:16 eap-resp -> c8:21:58:9e:0a:93 00:4e:35:22:be:90 4 6
    Jan 1 01:11:16 rad-req -> c8:21:58:9e:0a:93 00:4e:35:22:be:90/dhcp-svr 19 227
    Jan 1 01:11:16 rad-resp <- c8:21:58:9e:0a:93 00:4e:35:22:be:90/dhcp-svr 19 -
    Jan 1 01:11:16 eap-req <- c8:21:58:9e:0a:93 00:4e:35:22:be:90 5 1096
    Jan 1 01:11:16 eap-resp -> c8:21:58:9e:0a:93 00:4e:35:22:be:90 5 6
    Jan 1 01:11:16 rad-req -> c8:21:58:9e:0a:93 00:4e:35:22:be:90/dhcp-svr 20 227
    Jan 1 01:11:16 rad-resp <- c8:21:58:9e:0a:93 00:4e:35:22:be:90/dhcp-svr 20 -
    Jan 1 01:11:16 eap-req <- c8:21:58:9e:0a:93 00:4e:35:22:be:90 6 1096
    Jan 1 01:11:16 eap-resp -> c8:21:58:9e:0a:93 00:4e:35:22:be:90 6 6
    Jan 1 01:11:16 rad-req -> c8:21:58:9e:0a:93 00:4e:35:22:be:90/dhcp-svr 21 227
    Jan 1 01:11:16 rad-resp <- c8:21:58:9e:0a:93 00:4e:35:22:be:90/dhcp-svr 21 -
    Jan 1 01:11:16 eap-req <- c8:21:58:9e:0a:93 00:4e:35:22:be:90 7 1096
    Jan 1 01:11:16 eap-resp -> c8:21:58:9e:0a:93 00:4e:35:22:be:90 7 6
    Jan 1 01:11:16 rad-req -> c8:21:58:9e:0a:93 00:4e:35:22:be:90/dhcp-svr 22 227
    Jan 1 01:11:16 rad-resp <- c8:21:58:9e:0a:93 00:4e:35:22:be:90/dhcp-svr 22 -
    Jan 1 01:11:16 eap-req <- c8:21:58:9e:0a:93 00:4e:35:22:be:90 8 865
    Jan 1 01:11:16 eap-resp -> c8:21:58:9e:0a:93 00:4e:35:22:be:90 8 207
    Jan 1 01:11:16 rad-req -> c8:21:58:9e:0a:93 00:4e:35:22:be:90/dhcp-svr 23 428
    Jan 1 01:11:16 rad-resp <- c8:21:58:9e:0a:93 00:4e:35:22:be:90/dhcp-svr 23 -
    Jan 1 01:11:16 eap-req <- c8:21:58:9e:0a:93 00:4e:35:22:be:90 9 61
    Jan 1 01:11:16 eap-resp -> c8:21:58:9e:0a:93 00:4e:35:22:be:90 9 39
    Jan 1 01:11:16 rad-req -> c8:21:58:9e:0a:93 00:4e:35:22:be:90/dhcp-svr 24 260
    Jan 1 01:11:16 rad-reject <- c8:21:58:9e:0a:93 00:4e:35:22:be:90/dhcp-svr 24 -
    Jan 1 01:11:16 eap-failure <- c8:21:58:9e:0a:93 00:4e:35:22:be:90 9 4 server rejected
    Jan 1 01:11:23 station-up * c8:21:58:9e:0a:93 00:4e:35:22:be:90 - - wpa2 aes
    Jan 1 01:11:23 eap-id-req <- c8:21:58:9e:0a:93 00:4e:35:22:be:90 1 5
    Jan 1 01:11:23 eap-start -> c8:21:58:9e:0a:93 00:4e:35:22:be:90 - -
    Jan 1 01:11:23 eap-id-req <- c8:21:58:9e:0a:93 00:4e:35:22:be:90 1 5
    Jan 1 01:11:28 eap-id-req <- c8:21:58:9e:0a:93 00:4e:35:22:be:90 1 5
    Jan 1 01:11:33 eap-id-req <- c8:21:58:9e:0a:93 00:4e:35:22:be:90 2 5
    Jan 1 01:11:38 eap-id-req <- c8:21:58:9e:0a:93 00:4e:35:22:be:90 2 5
    Jan 1 01:11:40 eap-id-resp -> c8:21:58:9e:0a:93 00:4e:35:22:be:90 2 21 wireless\gallery
    Jan 1 01:11:40 rad-req -> c8:21:58:9e:0a:93 00:4e:35:22:be:90 25 211
    Jan 1 01:11:40 rad-resp <- c8:21:58:9e:0a:93 00:4e:35:22:be:90/dhcp-svr 25 -
    Jan 1 01:11:40 eap-req <- c8:21:58:9e:0a:93 00:4e:35:22:be:90 3 6
    Jan 1 01:11:40 eap-resp -> c8:21:58:9e:0a:93 00:4e:35:22:be:90 3 166
    Jan 1 01:11:40 rad-req -> c8:21:58:9e:0a:93 00:4e:35:22:be:90/dhcp-svr 26 381
    Jan 1 01:11:40 rad-resp <- c8:21:58:9e:0a:93 00:4e:35:22:be:90/dhcp-svr 26 -
    Jan 1 01:11:40 eap-req <- c8:21:58:9e:0a:93 00:4e:35:22:be:90 4 1096
    Jan 1 01:11:40 eap-resp -> c8:21:58:9e:0a:93 00:4e:35:22:be:90 4 6
    Jan 1 01:11:40 rad-req -> c8:21:58:9e:0a:93 00:4e:35:22:be:90/dhcp-svr 27 221
    Jan 1 01:11:40 rad-resp <- c8:21:58:9e:0a:93 00:4e:35:22:be:90/dhcp-svr 27 -
    Jan 1 01:11:40 eap-req <- c8:21:58:9e:0a:93 00:4e:35:22:be:90 5 1096
    Jan 1 01:11:40 eap-resp -> c8:21:58:9e:0a:93 00:4e:35:22:be:90 5 6

    Auth Trace Buffer
    -----------------


    Jan 1 01:11:40 rad-req -> c8:21:58:9e:0a:93 00:4e:35:22:be:90/dhcp-svr 28 221
    Jan 1 01:11:40 rad-resp <- c8:21:58:9e:0a:93 00:4e:35:22:be:90/dhcp-svr 28 -
    Jan 1 01:11:40 eap-req <- c8:21:58:9e:0a:93 00:4e:35:22:be:90 6 1096
    Jan 1 01:11:40 eap-resp -> c8:21:58:9e:0a:93 00:4e:35:22:be:90 6 6
    Jan 1 01:11:40 rad-req -> c8:21:58:9e:0a:93 00:4e:35:22:be:90/dhcp-svr 29 221
    Jan 1 01:11:40 rad-resp <- c8:21:58:9e:0a:93 00:4e:35:22:be:90/dhcp-svr 29 -
    Jan 1 01:11:40 eap-req <- c8:21:58:9e:0a:93 00:4e:35:22:be:90 7 1096
    Jan 1 01:11:40 eap-resp -> c8:21:58:9e:0a:93 00:4e:35:22:be:90 7 6
    Jan 1 01:11:40 rad-req -> c8:21:58:9e:0a:93 00:4e:35:22:be:90/dhcp-svr 30 221
    Jan 1 01:11:40 rad-resp <- c8:21:58:9e:0a:93 00:4e:35:22:be:90/dhcp-svr 30 -
    Jan 1 01:11:40 eap-req <- c8:21:58:9e:0a:93 00:4e:35:22:be:90 8 865
    Jan 1 01:11:40 eap-resp -> c8:21:58:9e:0a:93 00:4e:35:22:be:90 8 207
    Jan 1 01:11:40 rad-req -> c8:21:58:9e:0a:93 00:4e:35:22:be:90/dhcp-svr 31 422
    Jan 1 01:11:40 rad-resp <- c8:21:58:9e:0a:93 00:4e:35:22:be:90/dhcp-svr 31 -
    Jan 1 01:11:40 eap-req <- c8:21:58:9e:0a:93 00:4e:35:22:be:90 9 61
    Jan 1 01:11:40 eap-resp -> c8:21:58:9e:0a:93 00:4e:35:22:be:90 9 39
    Jan 1 01:11:40 rad-req -> c8:21:58:9e:0a:93 00:4e:35:22:be:90/dhcp-svr 32 254
    Jan 1 01:11:40 rad-reject <- c8:21:58:9e:0a:93 00:4e:35:22:be:90/dhcp-svr 32 -
    Jan 1 01:11:40 eap-failure <- c8:21:58:9e:0a:93 00:4e:35:22:be:90 9 4 server rejected
    Jan 1 02:07:06 station-up * c8:21:58:9e:0a:93 00:4e:35:22:be:91 - - wpa2 aes
    Jan 1 02:07:06 eap-id-req <- c8:21:58:9e:0a:93 00:4e:35:22:be:91 1 5
    Jan 1 02:07:06 eap-start -> c8:21:58:9e:0a:93 00:4e:35:22:be:91 - -
    Jan 1 02:07:06 eap-id-req <- c8:21:58:9e:0a:93 00:4e:35:22:be:91 1 5
    Jan 1 02:07:11 eap-id-req <- c8:21:58:9e:0a:93 00:4e:35:22:be:91 1 5
    Jan 1 02:07:16 eap-id-req <- c8:21:58:9e:0a:93 00:4e:35:22:be:91 2 5
    Jan 1 02:07:20 eap-id-resp -> c8:21:58:9e:0a:93 00:4e:35:22:be:91 2 27 wireless\idham.khaidir
    Jan 1 02:07:20 rad-req -> c8:21:58:9e:0a:93 00:4e:35:22:be:91 2 222
    Jan 1 02:07:20 rad-reject <- c8:21:58:9e:0a:93 00:4e:35:22:be:91/warid 2 -
    Jan 1 02:07:20 eap-failure <- c8:21:58:9e:0a:93 00:4e:35:22:be:91 2 4 server rejected
    Jan 1 02:07:27 station-up * c8:21:58:9e:0a:93 00:4e:35:22:be:90 - - wpa2 aes
    Jan 1 02:07:27 eap-id-req <- c8:21:58:9e:0a:93 00:4e:35:22:be:90 1 5
    Jan 1 02:07:27 eap-start -> c8:21:58:9e:0a:93 00:4e:35:22:be:90 - -
    Jan 1 02:07:27 eap-id-req <- c8:21:58:9e:0a:93 00:4e:35:22:be:90 1 5
    Jan 1 02:07:32 eap-id-req <- c8:21:58:9e:0a:93 00:4e:35:22:be:90 1 5
    Jan 1 02:07:37 eap-id-req <- c8:21:58:9e:0a:93 00:4e:35:22:be:90 2 5
    Jan 1 02:07:42 eap-id-req <- c8:21:58:9e:0a:93 00:4e:35:22:be:90 2 5
    Jan 1 02:07:43 eap-id-resp -> c8:21:58:9e:0a:93 00:4e:35:22:be:90 2 27 wireless\idham.khaidir
    Jan 1 02:07:43 rad-req -> c8:21:58:9e:0a:93 00:4e:35:22:be:90 33 223
    Jan 1 02:07:43 rad-resp <- c8:21:58:9e:0a:93 00:4e:35:22:be:90/dhcp-svr 33 -
    Jan 1 02:07:43 eap-req <- c8:21:58:9e:0a:93 00:4e:35:22:be:90 3 6
    Jan 1 02:07:43 eap-resp -> c8:21:58:9e:0a:93 00:4e:35:22:be:90 3 166
    Jan 1 02:07:43 rad-req -> c8:21:58:9e:0a:93 00:4e:35:22:be:90/dhcp-svr 34 387
    Jan 1 02:07:44 rad-resp <- c8:21:58:9e:0a:93 00:4e:35:22:be:90/dhcp-svr 34 -
    Jan 1 02:07:44 eap-req <- c8:21:58:9e:0a:93 00:4e:35:22:be:90 4 1096
    Jan 1 02:07:44 eap-resp -> c8:21:58:9e:0a:93 00:4e:35:22:be:90 4 6
    Jan 1 02:07:44 rad-req -> c8:21:58:9e:0a:93 00:4e:35:22:be:90/dhcp-svr 35 227
    Jan 1 02:07:44 rad-resp <- c8:21:58:9e:0a:93 00:4e:35:22:be:90/dhcp-svr 35 -
    Jan 1 02:07:44 eap-req <- c8:21:58:9e:0a:93 00:4e:35:22:be:90 5 1096
    Jan 1 02:07:44 eap-resp -> c8:21:58:9e:0a:93 00:4e:35:22:be:90 5 6
    Jan 1 02:07:44 rad-req -> c8:21:58:9e:0a:93 00:4e:35:22:be:90/dhcp-svr 36 227

    ------------------------------
    Idham Khaidir
    ------------------------------



  • 4.  RE: WPA2 Enterprise on IAP

    Posted 13 days ago
    Jan 1 02:07:20 eap-failure <- c8:21:58:9e:0a:93 00:4e:35:22:be:91 2 4 server rejected  <--------------

    Find out what the radius server says in the logs for this reject and take it from there.


    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    ------------------------------
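The triage suggested in this reply, as an added example (not part of the thread and not Aruba tooling): a Python script that walks `auth-tracebuf` output like the trace in post 3 and reports, for each RADIUS verdict, which server entry answered and how far the exchange got. The field layout is inferred from the posted lines; counting `rad-resp` as a non-final reply and handling `rad-accept` (which does not occur in the trace) are assumptions.

```python
import re

# Excerpt of the trace posted above: two rejected attempts, with the middle
# round trips of the first one left out to keep the sample short.
SAMPLE = r"""
Jan 1 01:11:40 eap-id-resp -> c8:21:58:9e:0a:93 00:4e:35:22:be:90 2 21 wireless\gallery
Jan 1 01:11:40 rad-req -> c8:21:58:9e:0a:93 00:4e:35:22:be:90 25 211
Jan 1 01:11:40 rad-resp <- c8:21:58:9e:0a:93 00:4e:35:22:be:90/dhcp-svr 25 -
Jan 1 01:11:40 eap-req <- c8:21:58:9e:0a:93 00:4e:35:22:be:90 3 6
Jan 1 01:11:40 eap-resp -> c8:21:58:9e:0a:93 00:4e:35:22:be:90 3 166
Jan 1 01:11:40 rad-req -> c8:21:58:9e:0a:93 00:4e:35:22:be:90/dhcp-svr 26 381
Jan 1 01:11:40 rad-resp <- c8:21:58:9e:0a:93 00:4e:35:22:be:90/dhcp-svr 26 -
Jan 1 01:11:40 rad-req -> c8:21:58:9e:0a:93 00:4e:35:22:be:90/dhcp-svr 32 254
Jan 1 01:11:40 rad-reject <- c8:21:58:9e:0a:93 00:4e:35:22:be:90/dhcp-svr 32 -
Jan 1 01:11:40 eap-failure <- c8:21:58:9e:0a:93 00:4e:35:22:be:90 9 4 server rejected
Jan 1 02:07:20 eap-id-resp -> c8:21:58:9e:0a:93 00:4e:35:22:be:91 2 27 wireless\idham.khaidir
Jan 1 02:07:20 rad-req -> c8:21:58:9e:0a:93 00:4e:35:22:be:91 2 222
Jan 1 02:07:20 rad-reject <- c8:21:58:9e:0a:93 00:4e:35:22:be:91/warid 2 -
Jan 1 02:07:20 eap-failure <- c8:21:58:9e:0a:93 00:4e:35:22:be:91 2 4 server rejected
"""

# time, event, client MAC, BSSID, optional "/server" suffix, trailing text
LINE = re.compile(
    r"\w{3}\s+\d+\s+([\d:]+)\s+(\S+)\s+(?:<-|->|\*)\s+([0-9a-f:]{17})\s+"
    r"([0-9a-f:]{17})(?:/(\S+))?\s+\S+\s+\S+\s*(.*)")

def summarize(trace):
    """One dict per RADIUS verdict: who, which server entry, and at what stage."""
    verdicts, open_attempts = [], {}
    for raw in trace.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # CLI prompt, "Auth Trace Buffer" header, blank lines
        time, event, client, bssid, server, extra = m.groups()
        key = (client, bssid)
        if event == "eap-id-resp":  # a new attempt starts with the identity
            open_attempts[key] = {"identity": extra, "challenges": 0}
        elif event == "rad-resp" and key in open_attempts:
            open_attempts[key]["challenges"] += 1  # non-final RADIUS reply
        elif event in ("rad-reject", "rad-accept") and key in open_attempts:
            a = open_attempts.pop(key)
            n = a["challenges"]
            stage = "on first request" if n == 0 else f"after {n} challenge(s)"
            verdicts.append({**a, "time": time, "bssid": bssid, "server": server,
                             "result": event, "stage": stage})
    return verdicts

if __name__ == "__main__":
    for v in summarize(SAMPLE):
        print(v["time"], v["identity"], v["server"], v["result"], v["stage"])
```

In the posted trace the `dhcp-svr` rejects arrive after several round trips while the `warid` reject arrives on the first request, so the summary shows which server entry's log to open for each failure.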



  • 5.  RE: WPA2 Enterprise on IAP

    Posted 13 days ago
    Hi,

    Also, can you please check the time in your setup. Try to use NTP if possible.

    The logs show as Jan 1.

    ------------------------------
    Ayman Mukaddam
    ------------------------------



  • 6.  RE: WPA2 Enterprise on IAP

    Posted 12 days ago
    We have tested:
    00:4e:35:ca:2b:e8# aaa test-server dhcp-svr username gallery password Skl2014 auth-type pap
    Radius server dhcp-svr test successfully
    But when we tested the SSID, it failed.

    ------------------------------
    Idham Khaidir
    ------------------------------



  • 7.  RE: WPA2 Enterprise on IAP

    Posted 12 days ago
    You are testing with PAP authentication. You will need to set up and configure your RADIUS server to do EAP (EAP-TLS preferred) authentication for wireless clients.

    What type of RADIUS server are you using? Please look up the documentation on how to configure that server for wireless client authentication.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC.
    ------------------------------



  • 8.  RE: WPA2 Enterprise on IAP

    Posted 11 days ago
    We are using NPS on Windows Server 2003. If we test using a controller with RADIUS, it works fine.

    ------------------------------
    Idham Khaidir
    ------------------------------



  • 9.  RE: WPA2 Enterprise on IAP

    Posted 11 days ago
    What does the RADIUS server event viewer message say when it fails? That will determine what your problem is.

    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    ------------------------------