Aruba switches can't login using AD admin credentials

  • 1.  Aruba switches can't login using AD admin credentials

    Posted May 14, 2024 12:49 PM

    I use my domain admin account to log in to Aruba 2930F switches. We also have a Manager account for backup. We also have Duo MFA.

    So when I log in using my domain AD credentials, it asks for Duo prompt, and it logs me in.

    But I'm not able to log in using my AD credentials now for some reason. I can only log in using the local Manager account. It's not a Duo issue because other Duo services are working.

    No configuration changes were made on the switches.  How can I troubleshoot this?



  • 2.  RE: Aruba switches can't login using AD admin credentials

    Posted May 14, 2024 12:50 PM

    We did change our domain suffix from .local to .com so we can use Azure AD.  But even if I change my domain account suffix to .local, it won't work.




  • 3.  RE: Aruba switches can't login using AD admin credentials

    Posted May 15, 2024 03:19 PM

    I opened a ticket with Duo, and looking at the logs, Duo is allowing the login, but it looks like the IP of the switch also accepts, but is on a loop.

    Any ideas?




  • 4.  RE: Aruba switches can't login using AD admin credentials

    Posted May 15, 2024 03:26 PM

    This is the log from Duo Proxy showing the connections

    10.0.0.3 is an Aruba 2930F

    2024-05-15T14:19:11-0400 [duoauthproxy.lib.log#info] Got response for id 68 from ('10.0.0.15', 1812); code 11
    2024-05-15T14:19:11-0400 [duoauthproxy.lib.log#info] (('10.0.0.3', 1812), Useradmin, 142): Returning response code 11: AccessChallenge
    2024-05-15T14:19:11-0400 [duoauthproxy.lib.log#info] (('10.0.0.3', 1812), Useradmin, 142): Sending response
    2024-05-15T14:19:11-0400 [duoauthproxy.lib.log#info] Sending request from 10.0.0.3 to radius_server_auto
    2024-05-15T14:19:11-0400 [duoauthproxy.lib.log#info] Received new request id 143 from ('10.0.0.3', 1812)
    2024-05-15T14:19:11-0400 [duoauthproxy.lib.log#info] (('10.0.0.3', 1812), Useradmin, 143): Valid response to challenge issued at id 142
    2024-05-15T14:19:11-0400 [duoauthproxy.lib.log#info] Sending proxied request for id 143 to ('10.0.0.15', 1812) with id 244




  • 5.  RE: Aruba switches can't login using AD admin credentials

    Posted May 15, 2024 03:31 PM

    The account I use to log in to switches is still in the previous .local format, so I'm confused why that's not working now. Do I need to make any change in the switch config?




  • 6.  RE: Aruba switches can't login using AD admin credentials

    Posted May 16, 2024 12:22 PM

    Any recommendations?  




  • 7.  RE: Aruba switches can't login using AD admin credentials

    EMPLOYEE
    Posted 25 days ago

    What is your switch configuration?

    Do you only have the Duo as authentication server? Radius?

    Which server is expected to handle the AD authentication?

    Does your RADIUS server return the IETF Service-Type = 6 (Administrative User) attribute?

    This may be easier to resolve with your partner/support to have an interactive session and live-troubleshoot.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 8.  RE: Aruba switches can't login using AD admin credentials

    Posted 23 days ago

    This is the switch config for radius, and this was working before.

    I have 2 Domain Controllers (10.0.0.15, 10.0.0.16) with NPS roles, and another server (10.0.0.17) as my radius server (Duo).

    The AD authentication is handled by either DC.

    radius-server host 10.0.0.15
    radius-server host 10.0.0.16
    radius-server host 10.0.0.17 key "hostkey"
    radius-server key "radiuskey"
    
    snmp-server community "companySNMP" operator
    snmp-server contact "IT" location "Office"
    aaa server-group radius "8021x" host 10.0.0.15
    aaa server-group radius "8021x" host 10.0.0.16
    aaa server-group radius "mgmt" host 10.0.0.17
    aaa authentication login privilege-mode
    aaa authentication console login peap-mschapv2 server-group "mgmt" local
    aaa authentication telnet login peap-mschapv2 server-group "mgmt" local
    aaa authentication web login peap-mschapv2 server-group "mgmt" local
    aaa authentication ssh login peap-mschapv2 server-group "mgmt" local
    aaa authentication port-access eap-radius server-group "8021x"
    aaa port-access authenticator active

    I noticed that I'm getting this in the Windows event viewer when I try to log in.

    Eap method DLL path name validation failed. Error: typeId=254, authorId=311, vendorId=14122, vendorType=1

    This is the log from Duo when I tried to log in. Same time as from the event viewer error above.

    • 10.0.0.166 is my computer
    • 10.0.0.3 is the switch
    • 10.0.0.17 is the radius server, where Duo Proxy is installed
    • The 2 DCs where NPS is are 10.0.0.15 & 10.0.0.16. I expect them to be here, but I don't see them.

    "REI-DC01","IAS",05/26/2024,18:57:16,1,"admin","company\admin",,"10.0.0.166",,,"Ridge-Core-48","10.0.0.3",,0,"10.0.0.17","REI-Util01",,,5,,,7,5,"SwitchRadiusAuth",0,"311 1 10.0.0.15 05/26/2024 22:33:05 1",,,,,,,,,,,,,,,,,,,,,,,,,,,,,184549376,,,,,"SwitchAdminAuthCRP",1,,,,

    "REI-DC01","IAS",05/26/2024,18:57:16,11,,"company\admin",,,,,,,,0,"10.0.0.17","REI-Util01",,,,,,,5,"SwitchRadiusAuth",0,"311 1 10.0.0.15 05/26/2024 22:33:05 1",60,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"SwitchAdminAuthCRP",1,,,,

    "REI-DC01","IAS",05/26/2024,18:57:16,1,"admin","company\admin",,"10.0.0.166",,,"Ridge-Core-48","10.0.0.3",,0,"10.0.0.17","REI-Util01",,,5,,,7,5,"SwitchRadiusAuth",0,"311 1 10.0.0.15 05/26/2024 22:33:05 2",,,,"",,,,,,,,,,,,,,,,,,,,,,,,,184549376,,,,,"SwitchAdminAuthCRP",1,,,,

    "REI-DC01","IAS",05/26/2024,18:57:16,3,,"company\admin",,,,,,,,0,"10.0.0.17","REI-Util01",,,,,,,5,"SwitchRadiusAuth",22,"311 1 10.0.0.15 05/26/2024 22:33:05 2",,,,"",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"SwitchAdminAuthCRP",1,,,,
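
Added example, not part of the original post or of any participant's reply: a small decoder for NPS log records like the ones posted above. It assumes the server writes the database-compatible (comma-separated, fixed column order) log format, which the posted lines match; the sample records are the first 26 fields of three lines from the post, and the value tables cover only the codes that appear there plus a few common ones.

```python
import csv

# Leading columns of the NPS database-compatible log format, in file order.
# Assumption: the log uses this format; later columns are ignored here.
FIELDS = [
    "ComputerName", "ServiceName", "Record-Date", "Record-Time", "Packet-Type",
    "User-Name", "Fully-Qualified-Distinguished-Name", "Called-Station-ID",
    "Calling-Station-ID", "Callback-Number", "Framed-IP-Address", "NAS-Identifier",
    "NAS-IP-Address", "NAS-Port", "Client-Vendor", "Client-IP-Address",
    "Client-Friendly-Name", "Event-Timestamp", "Port-Limit", "NAS-Port-Type",
    "Connect-Info", "Framed-Protocol", "Service-Type", "Authentication-Type",
    "Policy-Name", "Reason-Code",
]
# Partial value tables; a code that is not listed is passed through unchanged.
DECODE = {
    "Packet-Type": {"1": "Access-Request", "2": "Access-Accept",
                    "3": "Access-Reject", "11": "Access-Challenge"},
    "Authentication-Type": {"1": "PAP", "2": "CHAP", "3": "MS-CHAP",
                            "4": "MS-CHAPv2", "5": "EAP", "11": "PEAP"},
    "Service-Type": {"6": "Administrative", "7": "NAS-Prompt"},
    "Reason-Code": {"0": "Success", "16": "Credentials mismatch",
                    "22": "EAP type cannot be processed by the server"},
}

def decode(line):
    """Parse one record into a dict of named fields with known codes decoded."""
    rec = dict(zip(FIELDS, next(csv.reader([line]))))
    for name, table in DECODE.items():
        raw = rec.get(name, "")
        rec[name] = table.get(raw, raw)
    return rec

def rejects(lines):
    """Return (time, RADIUS client IP, policy, reason) for each Access-Reject."""
    recs = [r for r in map(decode, lines) if r.get("Packet-Type") == "Access-Reject"]
    return [(r.get("Record-Time"), r.get("Client-IP-Address"),
             r.get("Policy-Name"), r.get("Reason-Code")) for r in recs]

# Sample input: three records from the post above, cut after the Reason-Code column.
SAMPLE = [
    r'"REI-DC01","IAS",05/26/2024,18:57:16,1,"admin","company\admin",,"10.0.0.166",,,"Ridge-Core-48","10.0.0.3",,0,"10.0.0.17","REI-Util01",,,5,,,7,5,"SwitchRadiusAuth",0',
    r'"REI-DC01","IAS",05/26/2024,18:57:16,11,,"company\admin",,,,,,,,0,"10.0.0.17","REI-Util01",,,,,,,5,"SwitchRadiusAuth",0',
    r'"REI-DC01","IAS",05/26/2024,18:57:16,3,,"company\admin",,,,,,,,0,"10.0.0.17","REI-Util01",,,,,,,5,"SwitchRadiusAuth",22',
]

if __name__ == "__main__":
    for when, client, policy, reason in rejects(SAMPLE):
        print(f"{when} reject via {client} policy={policy}: {reason}")
```

Read this way, the records show an Access-Request arriving from 10.0.0.17 for the switch at 10.0.0.3, an Access-Challenge, and then an Access-Reject with Reason-Code 22 under the "SwitchRadiusAuth" policy.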




  • 9.  RE: Aruba switches can't login using AD admin credentials

    EMPLOYEE
    Posted 23 days ago

    I can't really read the NPS/IAS logs... so no clue what is going on. I would change the login from the switch to PAP, or remove the (P)EAP as the error you show suggests that the EAP is not recognized/DLL is missing.

    If that doesn't work, you may try with Aruba TAC to find a solution as I don't know NPS/IAS well enough to help you.



    ------------------------------
    Herman Robers
    ------------------------------



  • 10.  RE: Aruba switches can't login using AD admin credentials

    Posted 18 days ago

    Thanks for the reply. This is fixed. It turned out to be an expired certificate, and wrong NPS policy setting.

    Renewed the certificate and corrected the NPS policy settings.