Wireless Access


AD LDAP authentication 6.4.3.4 times out

  • 1.  AD LDAP authentication 6.4.3.4 times out

    Posted Oct 21, 2015 11:43 PM

    Hello,

    I'd like to use a captive portal and authenticate the users using the external LDAP.

    We have two domains, one is Novell and the other is a Windows one, and two LDAP servers: Novell's eDirectory and Windows AD. I am able to authenticate the users against the eDirectory no problem, yet the authentication against the AD fails. I know for sure that the credentials I use (the admin DN and password plus the base search DN) work, since I am able to browse the directory using the LDAP browser, plus the same credentials (and base DN) work fine on our old controller, software version 5.0.4.7. However, exactly the same settings (to the tee) do not work on the 7210, software version 6.4.3.4.

    "Test AAA servers" returns "AAA server timeout" (I can ping the server and all; as a matter of fact the old controller sits on the same VLAN and accesses the same AD. I am testing it using clear-text PAP authentication).

    Is there a bug in the 6.4.3.4 code, or am I missing something in my config? Is there someone out there with a similar setup that works?

    Any help will be greatly appreciated.

    Regards

    Kris




  • 2.  RE: AD LDAP authentication 6.4.3.4 times out

    Posted Oct 22, 2015 03:38 AM

    What is the ArubaOS configuration for the LDAP server that times out?




  • 3.  RE: AD LDAP authentication 6.4.3.4 times out

    Posted Oct 22, 2015 06:24 PM

    Hello cjoseph,

    Below is the server configuration:


    LDAP Server "LDAPName"
    ---------------------
    Parameter Value
    --------- -----
    Host 172.16.30.11
    Admin-DN CN=Admin,OU=AdminOU,DC=xxxx,DC=xxx,DC=xxx
    Admin-Passwd ********
    Allow Clear-Text Enabled
    Auth Port 389
    Base-DN DC=xxx,DC=xxx,DC=xxx
    Filter (objectClass=person)
    Key Attribute sAMAccountName
    Timeout 20 sec
    Mode Enabled
    Preferred Connection Type clear-text
    maximum number of non-admin connections 4


    It is set to clear-text simple for troubleshooting purposes (Wireshark).

    The screenshot of the packet capture is attached. It looks to me like the Aruba controller never sends a bind request with admin credentials after the server sends the response "In order to perform this operation........"; the controller just waits for 20 seconds and then sends the unbind request and a bind request, this time with the admin credentials. The server responds success, and the controller displays server timed out.

    Thank you for your response.

    Regards,


    Kris
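
    The bind exchange the capture above shows, as an added stand-alone example (not from this thread or from ArubaOS): it encodes an LDAPv3 simple BindRequest for the Admin-DN and decodes the BindResponse, so the same bind, with the controller's 20-second timeout, can be checked from a workstation on the controller's VLAN with the controller out of the loop. Host, DN and password are placeholders to fill in; the sample responses are constructed.

```python
import socket

def _ber_len(n):
    # BER length octets: short form below 128, long form otherwise
    if n < 128:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, payload):
    return bytes([tag]) + _ber_len(len(payload)) + payload

def bind_request(msg_id, bind_dn, password):
    """LDAPv3 simple BindRequest (RFC 4511) as the controller sends it; msg_id < 128."""
    body = (_tlv(0x02, bytes([3]))             # version 3
            + _tlv(0x04, bind_dn.encode())     # name, i.e. the Admin-DN
            + _tlv(0x80, password.encode()))   # authentication: [0] simple
    return _tlv(0x30, _tlv(0x02, bytes([msg_id])) + _tlv(0x60, body))

def _read_tlv(buf, pos):
    # Decode one tag/length/value triple at pos; returns (tag, value, next_pos)
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        k = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + ln], pos + ln

def parse_bind_response(buf):
    """Return (messageID, resultCode, diagnosticMessage); resultCode 0 is success."""
    tag, msg, _ = _read_tlv(buf, 0)
    assert tag == 0x30, "not an LDAPMessage"
    _, mid, p = _read_tlv(msg, 0)
    tag, resp, _ = _read_tlv(msg, p)
    assert tag == 0x61, "not a BindResponse"        # [APPLICATION 1]
    _, code, p = _read_tlv(resp, 0)                 # ENUMERATED resultCode
    _, _matched, p = _read_tlv(resp, p)             # matchedDN (unused here)
    _, diag, _ = _read_tlv(resp, p)                 # diagnosticMessage
    return int.from_bytes(mid, "big"), code[0], diag.decode(errors="replace")

def simple_bind(host, bind_dn, password, port=389, timeout=20):
    """Clear-text simple bind with the controller's 20-second timeout; raises socket.timeout."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(bind_request(1, bind_dn, password))
        return parse_bind_response(s.recv(4096))

if __name__ == "__main__":
    # Placeholders: substitute the controller's Host, Admin-DN and Admin-Passwd values
    print(simple_bind("172.16.30.11", "CN=Admin,OU=AdminOU,DC=xxxx,DC=xxx,DC=xxx", "********"))
```

    A result of (1, 0, "") is a successful bind; a non-zero resultCode with AD's diagnostic text, or a socket.timeout after 20 seconds, tells you whether the server or the path to it is the problem.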




  • 4.  RE: AD LDAP authentication 6.4.3.4 times out

    Posted Oct 22, 2015 06:48 PM

    It is not clear from the packet capture or the configuration what is wrong.  You should open a support case.




  • 5.  RE: AD LDAP authentication 6.4.3.4 times out

    Posted Oct 22, 2015 06:59 PM

    We haven't bought ArubaCare yet, so I guess we do not have access to Aruba TAC yet.

    I will do it as soon as we get it.

    Thank you again.

    Regards

    Kris



  • 6.  RE: AD LDAP authentication 6.4.3.4 times out

    Posted Oct 22, 2015 07:01 PM

    Okay.  Your base-dn should be OU=AdminOU,DC=xxxx,DC=xxx,DC=xxx



  • 7.  RE: AD LDAP authentication 6.4.3.4 times out

    Posted Oct 22, 2015 07:30 PM

    It works only for the users that are in the AdminOU container; it fails for all the other users.

    As I mentioned in the first post, we have an Alcatel-Lucent branded Aruba controller, model OAW-4324, software version 5.0.4.7, and it has been working fine for a couple of years now, I mean with exactly the same settings.

    Regards,

    Kris




  • 8.  RE: AD LDAP authentication 6.4.3.4 times out

    Posted Oct 22, 2015 08:59 PM

    I thought you said it was not working at all?  Is the adminou the highest container?  Maybe your Base-DN is incorrect and your search should start somewhere else...




  • 9.  RE: AD LDAP authentication 6.4.3.4 times out

    Posted Oct 22, 2015 09:30 PM

    Just to clarify things. We have two Aruba controllers, an old one, OAW-4324 (soon to be retired), and a 7210, the replacement of the OAW-4324. The AD LDAP server that is used to authenticate users works fine with the OAW-4324. Now the same LDAP settings for the new controller don't work; I mean those two controllers point to the same LDAP server, the settings are the same (same admin CN and password, the same search base DN), and on the old controller (production) the configuration has been working fine, yet it is not working on the 7210 with the latest stable software release.

    To answer your question, all the user containers are under the domain DC=xxx,DC=xxx,DC=xxx; they are all hierarchically on the same level, so the admin OU is on the same level as the users1 OU and so on.

    Since I am not much of an LDAP/AD guy, I'm not sure if my answer to your question makes any sense.

    Regards


    Kris
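
    Why a Base-DN of OU=AdminOU,... only resolves users in that OU (posts 6 to 9): the user search starts at the Base-DN and covers only its subtree, so sibling OUs such as users1 are never searched, which is what the thread observed. An added example, not from the thread or from ArubaOS, that splits DNs into RDNs and checks scope; the sample user DNs are constructed with the thread's masked DC=xxx components.

```python
def split_dn(dn):
    """Split a DN into RDNs on unescaped commas (RFC 4514), case-folded for comparison."""
    rdns, cur, escaped = [], [], False
    for ch in dn:
        if escaped:                      # character after a backslash is literal
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(cur).strip().lower())
            cur = []
        else:
            cur.append(ch)
    rdns.append("".join(cur).strip().lower())
    return rdns

def in_search_scope(entry_dn, base_dn):
    """True if entry_dn is the base itself or lies beneath it (subtree search)."""
    entry, base = split_dn(entry_dn), split_dn(base_dn)
    return len(entry) >= len(base) and entry[-len(base):] == base

def users_out_of_scope(user_dns, base_dn):
    """The users a search rooted at base_dn can never find."""
    return [dn for dn in user_dns if not in_search_scope(dn, base_dn)]

# Constructed sample directory using the thread's masked domain components
SAMPLE_USERS = [
    "CN=Admin,OU=AdminOU,DC=xxx,DC=xxx,DC=xxx",
    "CN=Kris,OU=users1,DC=xxx,DC=xxx,DC=xxx",
    "CN=Doe\\, Jane,OU=users2,DC=xxx,DC=xxx,DC=xxx",   # escaped comma inside an RDN
]

if __name__ == "__main__":
    for base in ("OU=AdminOU,DC=xxx,DC=xxx,DC=xxx", "DC=xxx,DC=xxx,DC=xxx"):
        print(base, "->", users_out_of_scope(SAMPLE_USERS, base))
```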



  • 10.  RE: AD LDAP authentication 6.4.3.4 times out

    Posted Oct 23, 2015 05:47 AM

    Your answer makes sense. I was checking to see if there is anything else that would explain the behavior, but there does not seem to be anything.


  • 11.  RE: AD LDAP authentication 6.4.3.4 times out

    Posted Oct 23, 2015 02:42 PM

    Big thanks for your help. Once I get access to TAC I will open the case.




  • 12.  RE: AD LDAP authentication 6.4.3.4 times out

    Posted Oct 23, 2015 03:31 PM

    As a last resort, you can try the "aaa query-user" command to see if it will return attributes for a user:


    http://www.arubanetworks.com/techdocs/ArubaOS_64x_WebHelp/Web_Help_Index.htm#ArubaFrameStyles/1CommandList/aaa_query_user.htm