That message in the event logs (invalid Message-Authenticator) almost certainly means that the RADIUS shared secret does not match. If you say 're-adding' the key in the NAD, do you mean that it's gone? I've never seen such a thing. I would check the Audit log to see when/who changes the configuration because once entered, it should stay in there.
This may be something to further investigate with support, if you can't find out who/what is changing the configuration.
------------------------------
Herman Robers
------------------------------
Original Message:
Sent: Apr 09, 2024 12:20 PM
From: Netbuzz
Subject: Aruba CX 6200 Radius server configuration
I am trying to get RADIUS authentication working with the ClearPass NAC solution (MAC-based only). I am using a 6200 CX switch managed through Aruba Central.
It works as expected initially. After a few hours, or for a new client authentication on the same port, I am seeing a RADIUS authentication error with the following message in ClearPass: "Failed to decode RADIUS packet - Received packet from <nas-ip> with invalid Message-Authenticator! (Shared secret may be incorrect.)". Re-adding the RADIUS key under the ClearPass "devices tab" seems to mitigate the issue. However, it reoccurs as soon as we connect a new client under the same port.
Switch configs:

radius-server host 10.0.0.1 key ciphertext <XXXXX>
radius-server host 10.0.0.2 key ciphertext <XXX>
!
!
aaa group server radius cluster_1
    server 10.0.0.1
    server 10.0.0.2
!
!
radius dyn-authorization enable

AAA configs are applied at interface level too.
Has anyone faced this issue? I have a few sites running fine on AOS-S switches, so I am leaning towards the Aruba CX switch and Central configuration.
Any suggestions? I am running version 10.13.1005.
------------------------------
Thanks,
AK
------------------------------