ArubaOS and Controllers

New Contributor

PAP Radius Authentication Issues


Attempting to authenticate to our current IAS Radius using captive portal aaa profile:

aaa authentication captive-portal "TRFT-STAFF-cp_prof"
default-role "CaptivePortal-Staff-User"
server-group "TRFT-STAFF"
redirect-pause 5

aaa server-group "TRFT-STAFF"
auth-server ccs-ias

aaa authentication-server radius "ccs-ias"
host ""
key ****

I am of the impression that the secret key is matched correctly between the Aruba and the IAS server due to it successfully authenticating our machines.

By default, the aaa captive-portal profile will use PAP, but can be forced to use CHAP by using the following command in the aaa profile.

Use CHAP protocol. You should not use this option
unless instructed to do so by an Aruba
disabled (PAP
is used)

Testing the authentication from the console:

(CCSWL01) # aaa test-server mschapv2 ccs-ias z1 ****

Authentication Successful

(CCSWL01) # aaa test-server pap ccs-ias z1 ****

Authentication failed

(CCSWL01) #

Feb 24 13:51:36 :124011: |authmgr| Test authenticating user z1:****** using server ccs-ias
Feb 24 13:51:36 :124004: |authmgr| User z1 MAC=00:00:00:00:00:00 not found
Feb 24 13:51:36 :124004: |authmgr| Auth server 'ccs-ias' response=0
Feb 24 13:51:36 :124019: |authmgr| Test server response: Authentication Successful
Feb 24 13:51:39 :124004: |authmgr| Rx message 14001/5221, length 235 from
Feb 24 13:51:39 :124011: |authmgr| Test authenticating user z1:****** using server ccs-ias
Feb 24 13:51:39 :124004: |authmgr| Auth server 'ccs-ias' response=1
Feb 24 13:51:39 :124019: |authmgr| Test server response: Authentication failed

Plus in the IAS Event log:

User z1 was denied access.
Fully-Qualified-User-Name = *********/Departments/User Groups/Departmental User Groups/TRFT Users/Generic Accounts/z1
NAS-IP-Address =
NAS-Identifier =
Called-Station-Identifier = 000B860BED00
Calling-Station-Identifier = F81EDFE96C5D
Client-Friendly-Name = CCSWL01
Client-IP-Address =
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 0
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server =
Policy-Name = Trusted WLAN Users
Authentication-Type = PAP
EAP-Type =
Reason-Code = 66
Reason = The user attempted to use an authentication method that is not enabled on the matching remote access policy.

The authentication is set on the IAS policy to PAP. Can we get PAP to work?


I’ve been banging my head against the wall for a while now! ;-)


Guru Elite

Re: PAP Radius Authentication Issues

What options do you have enabled on the Trusted WLAN Users policy? Are you limiting users by group?

*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.5 User Guide
InstantOS 8.5 User Guide
Airheads Knowledgebase
Airheads Learning Videos
Aruba Central Documentation
ArubaOS Consolidated Release Notes
Aruba VIA ASE Solution - Configure VIA VPN
Search Airheads
Showing results for 
Search instead for 
Did you mean: