Thanks for the reply. This is fixed. It turned out to be an expired certificate and a wrong NPS policy setting.
Renewed the certificate and corrected the NPS policy settings.
Original Message:
Sent: May 30, 2024 08:12 AM
From: Herman Robers
Subject: Aruba switches can't login using AD admin credentials
I can't really read the NPS/IAS logs... so no clue what is going on. I would change the login from the switch to PAP, or remove the (P)EAP, as the error you show suggests that the EAP is not recognized/DLL is missing.
If that doesn't work, you may try with Aruba TAC to find a solution as I don't know NPS/IAS well enough to help you.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
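The NPS lines quoted in the earlier message below are in the comma-separated IAS log format; as an added example (not part of any post in this thread), this Python sketch decodes the leading columns and pairs each Access-Reject with its request through the Class column. The column positions and code tables follow Microsoft's documented IAS format, the sample input is two lines from that message cut off after the Class column, and the function names are hypothetical.

```python
import csv
import io

# 0-based column positions in the IAS-format NPS log (Microsoft's documented order).
COLS = {"time": 3, "packet_type": 4, "user": 6, "nas": 11, "nas_ip": 12,
        "client_ip": 15, "auth_type": 23, "policy": 24, "reason_code": 25, "class": 26}
PACKET_TYPES = {"1": "Access-Request", "2": "Access-Accept",
                "3": "Access-Reject", "11": "Access-Challenge"}
AUTH_TYPES = {"1": "PAP", "2": "CHAP", "3": "MS-CHAP", "4": "MS-CHAP v2",
              "5": "EAP", "11": "PEAP"}
REASONS = {"0": "success",
           "22": "EAP type cannot be processed by the server"}

# Sample input: two lines from the thread, cut off after the Class column.
SAMPLE = [
    r'"REI-DC01","IAS",05/26/2024,18:57:16,1,"admin","company\admin",,"10.0.0.166",,,"Ridge-Core-48","10.0.0.3",,0,"10.0.0.17","REI-Util01",,,5,,,7,5,"SwitchRadiusAuth",0,"311 1 10.0.0.15 05/26/2024 22:33:05 2"',
    r'"REI-DC01","IAS",05/26/2024,18:57:16,3,,"company\admin",,,,,,,,0,"10.0.0.17","REI-Util01",,,,,,,5,"SwitchRadiusAuth",22,"311 1 10.0.0.15 05/26/2024 22:33:05 2"',
]


def parse_line(line):
    """Decode the leading columns of one IAS-format log line into a dict."""
    row = next(csv.reader(io.StringIO(line)))
    rec = {name: (row[i] if i < len(row) else "") for name, i in COLS.items()}
    rec["packet_type"] = PACKET_TYPES.get(rec["packet_type"], rec["packet_type"])
    rec["auth_type"] = AUTH_TYPES.get(rec["auth_type"], rec["auth_type"])
    rec["reason"] = REASONS.get(rec["reason_code"], "reason code " + rec["reason_code"])
    return rec


def explain_rejects(lines):
    """Pair each Access-Reject with its request (same Class) and summarize it."""
    records = [parse_line(l) for l in lines if l.strip()]
    requests = {r["class"]: r for r in records if r["packet_type"] == "Access-Request"}
    summary = []
    for r in records:
        if r["packet_type"] != "Access-Reject":
            continue
        req = requests.get(r["class"], {})  # the reject line itself carries no NAS fields
        summary.append({"time": r["time"], "user": r["user"],
                        "nas": req.get("nas", ""), "nas_ip": req.get("nas_ip", ""),
                        "radius_client": r["client_ip"], "auth_type": r["auth_type"],
                        "policy": r["policy"], "reason": r["reason"]})
    return summary


if __name__ == "__main__":
    for item in explain_rejects(SAMPLE):
        print(item)
```

On the sample lines the single reject decodes to authentication type EAP with reason code 22, which lines up with the EAP error from the event viewer quoted in the same message.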
Original Message:
Sent: May 29, 2024 02:51 PM
From: t.antony
Subject: Aruba switches can't login using AD admin credentials
This is the switch config for radius, and this was working before.
I have 2 Domain Controllers (10.0.0.15, 10.0.0.16) with NPS roles, and another server (10.0.0.17) as my radius server (Duo).
The AD authentication is handled by either DC.
radius-server host 10.0.0.15
radius-server host 10.0.0.16
radius-server host 10.0.0.17 key "hostkey"
radius-server key "radiuskey"
snmp-server community "companySNMP" operator
snmp-server contact "IT" location "Office"
aaa server-group radius "8021x" host 10.0.0.15
aaa server-group radius "8021x" host 10.0.0.16
aaa server-group radius "mgmt" host 10.0.0.17
aaa authentication login privilege-mode
aaa authentication console login peap-mschapv2 server-group "mgmt" local
aaa authentication telnet login peap-mschapv2 server-group "mgmt" local
aaa authentication web login peap-mschapv2 server-group "mgmt" local
aaa authentication ssh login peap-mschapv2 server-group "mgmt" local
aaa authentication port-access eap-radius server-group "8021x"
aaa port-access authenticator active
I noticed that I'm getting this in the Windows event viewer when I try to login.
Eap method DLL path name validation failed. Error: typeId=254, authorId=311, vendorId=14122, vendorType=1
This is the log from Duo when I tried to login. Same time as from the event viewer error above.
"REI-DC01","IAS",05/26/2024,18:57:16,1,"admin","company\admin",,"10.0.0.166",,,"Ridge-Core-48","10.0.0.3",,0,"10.0.0.17","REI-Util01",,,5,,,7,5,"SwitchRadiusAuth",0,"311 1 10.0.0.15 05/26/2024 22:33:05 1",,,,,,,,,,,,,,,,,,,,,,,,,,,,,184549376,,,,,"SwitchAdminAuthCRP",1,,,,
"REI-DC01","IAS",05/26/2024,18:57:16,11,,"company\admin",,,,,,,,0,"10.0.0.17","REI-Util01",,,,,,,5,"SwitchRadiusAuth",0,"311 1 10.0.0.15 05/26/2024 22:33:05 1",60,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"SwitchAdminAuthCRP",1,,,,
"REI-DC01","IAS",05/26/2024,18:57:16,1,"admin","company\admin",,"10.0.0.166",,,"Ridge-Core-48","10.0.0.3",,0,"10.0.0.17","REI-Util01",,,5,,,7,5,"SwitchRadiusAuth",0,"311 1 10.0.0.15 05/26/2024 22:33:05 2",,,,"",,,,,,,,,,,,,,,,,,,,,,,,,184549376,,,,,"SwitchAdminAuthCRP",1,,,,
"REI-DC01","IAS",05/26/2024,18:57:16,3,,"company\admin",,,,,,,,0,"10.0.0.17","REI-Util01",,,,,,,5,"SwitchRadiusAuth",22,"311 1 10.0.0.15 05/26/2024 22:33:05 2",,,,"",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"SwitchAdminAuthCRP",1,,,,
Original Message:
Sent: May 28, 2024 07:27 AM
From: Herman Robers
Subject: Aruba switches can't login using AD admin credentials
What is your switch configuration?
Do you only have the Duo as authentication server? Radius?
Which server is expected to handle the AD authentication?
Does your RADIUS server return the IETF Service-Type = 6 (Administrative User) attribute?
This may be easier to resolve with your partner/support to have an interactive session and live-troubleshoot.
Original Message:
Sent: May 16, 2024 12:21 PM
From: t.antony
Subject: Aruba switches can't login using AD admin credentials
Any recommendations?
Original Message:
Sent: May 15, 2024 03:31 PM
From: t.antony
Subject: Aruba switches can't login using AD admin credentials
The account I use to login to switches is still in the previous .local format, so I'm confused why that's not working now. Do I need to make any change in the switch config?
Original Message:
Sent: May 15, 2024 03:25 PM
From: t.antony
Subject: Aruba switches can't login using AD admin credentials
This is the log from Duo Proxy showing the connections
10.0.0.3 is an Aruba 2930F
2024-05-15T14:19:11-0400 [duoauthproxy.lib.log#info] Got response for id 68 from ('10.0.0.15', 1812); code 11
2024-05-15T14:19:11-0400 [duoauthproxy.lib.log#info] (('10.0.0.3', 1812), Useradmin, 142): Returning response code 11: AccessChallenge
2024-05-15T14:19:11-0400 [duoauthproxy.lib.log#info] (('10.0.0.3', 1812), Useradmin, 142): Sending response
2024-05-15T14:19:11-0400 [duoauthproxy.lib.log#info] Packet dump - sent to 10.0.0.3:
2024-05-15T14:19:11-0400 [duoauthproxy.lib.log#info] Packet dump - received from 10.0.0.3:
2024-05-15T14:19:11-0400 [duoauthproxy.lib.log#info] Sending request from 10.0.0.3 to radius_server_auto
2024-05-15T14:19:11-0400 [duoauthproxy.lib.log#info] Received new request id 143 from ('10.0.0.3', 1812)
2024-05-15T14:19:11-0400 [duoauthproxy.lib.log#info] (('10.0.0.3', 1812), Useradmin, 143): Valid response to challenge issued at id 142
2024-05-15T14:19:11-0400 [duoauthproxy.lib.log#info] Sending proxied request for id 143 to ('10.0.0.15', 1812) with id 244
2024-05-15T14:19:11-0400 [duoauthproxy.lib.log#info] Packet dump - sent to 10.0.0.15:
2024-05-15T14:19:11-0400 [duoauthproxy.lib.log#info] Packet dump - received from 10.0.0.15:
Original Message:
Sent: May 15, 2024 03:19 PM
From: t.antony
Subject: Aruba switches can't login using AD admin credentials
I opened a ticket with Duo, and looking at the logs, Duo is allowing the login, but it looks like the IP of the switch also accepts, but is on a loop.
Any ideas?
Original Message:
Sent: May 14, 2024 12:50 PM
From: t.antony
Subject: Aruba switches can't login using AD admin credentials
We did change our domain suffix from .local to .com so we can use Azure AD. But even if I change my domain account suffix to .local, it won't work.
Original Message:
Sent: May 14, 2024 12:49 PM
From: t.antony
Subject: Aruba switches can't login using AD admin credentials
I use my domain admin account to login to Aruba 2930F switches. We also have a Manager account for backup. We also have Duo MFA.
So when I login using my domain AD credentials, it asks for Duo prompt, and it logs me in.
But I'm not able to login using my AD credentials now for some reason. I can only login using the local Manager account. It's not a Duo issue because other Duo services are working.
No configuration changes were made on the switches. How can I troubleshoot this?