Controllerless Networks

HI there.

 

I have two IAP 135, running version 6.3.1.4

The IAPs have been configured with the following static ip address:

  - IAP 1: 192.168.10.4

  - IAP 2: 192.168.10.5

  - Virtual Controller IP: 192.168.10.3

 

Every thing works great, except for the radius authentication.

Our radius servers are two windows 2008r2 running NPS. It also works very fine and it has been used for lot a authentications on other devices.

 

The problem is: The IAPs GUI keeps alerting that the radius servers are down ( messages attached ): "Authentication Server Radius1-ServerSync is down", but they are not, they are up and responding very well.

Because of that, a lot of authentications fail without even hit the radius servers.

To make it work, I have to wait ( for the radius dead time ), and try again a lot of times.

When the authentication request hits the radius servers, it works. But the a lot of those auth requests doesnt even reach the NPS server. And again, the radius servers are up and working great.

 

The IAPs logs shows the message: ( attached )

 

Hope you guys can help me again.

 

Thanks a lot

 

 

 

searching on this community, found release note with the message I am getting

http://community.arubanetworks.com/t5/Aruba-Instant-Cloud-Wi-Fi/Recent-IAP-Firmware-Releases/td-p/81774/page/2

 

Is my problem a known bug ?

What do you have setup as the radius client IP address in NPS ?

Do you have enabled dynamic radius proxy ?

Make sure that key matches on both sides ? And you are able to ping from the IAP to NPS and viceversa ?

Hello Victor,

 

 

thanks for the quick reply.

At NPS server I have created 3 clients:

 - AP1 -> 192.168.10.4

 - AP2 -> 192.168.10.5

 - APVC -> 192.168.10.3

 

I've created those 3 because I tried with and without dynamic radius proxy.

From the NPS servers I can ping IAP and vice versa, with no packet drop.

 

The radius key are correct because, as told before, if wait for the dead time, and try several times, than the packet hits the NPS server and the authentication completes.

 

To make sure that the NPS server are ok and responding fine, I installed a radius client tester (NTRadPing - free tool ) on a computer ( at the same network of the IAP ).

 

As shown at the attached picture, all request complets ok.

That proves that the radius service are ok.

 

Any other ideas ?

 

Thanks again

Enabled dynamic radius proxy and use as you radius client IP address the VC ip address

 

 

I was already done.

 

I started a packet capture at NPS server, with wireshark.

Notice that even even no log is generated at event viewer, I could see some communication between the NPS and the IAP.

 

i saw that the IAP send the access-request

and the NPS answers with an access-challange

 

this proccess starts over, and over again.

 

I fill tries later, the IAP replied the challang and than the NPS server sends the access-accept.

 

Does this information help ?

If you are using it to do a 802.1X session you need a cert install on the NPS server or do the termination on the VC

Hello Victor,

 

I current server certificate was requested from NPSs servers to the local domain CA.

 

I tried to enable termination, but got the following error ( image 1 ).

I also checked that when termination is enabled, I`m able to choose only one radius server ( image 2)

 

 

That's normal to get that message , just click on conectar. 

 

This is the process in 802.1X/PEAP where you validate the radius certificate , one thing you could do to avoid is install the certificate ahead of time through a GPO or manually in the laptop(s)

Hello Victor.

 

The problem was solved updating to 6.4.0.3

I think it was a bug.

 

dot1x working great now

 

Thanks

Good to know it's working , thanks for the update