Contributor I

802.1x authentication fail

Hi everyone,

 

We have a controller running 8.5.0.0

 

#show auth-tracebuf

Jul 22 16:59:10 station-up * 74:e5:0b:e7:95:ae 9c:8c:d8:95:2b:c2 - - wpa2 aes
Jul 22 16:59:10 eap-id-req <- 74:e5:0b:e7:95:ae 9c:8c:d8:95:2b:c2 1 5
Jul 22 16:59:10 eap-start -> 74:e5:0b:e7:95:ae 9c:8c:d8:95:2b:c2 - -
Jul 22 16:59:10 eap-id-req <- 74:e5:0b:e7:95:ae 9c:8c:d8:95:2b:c2 1 5
Jul 22 16:59:15 eap-id-req <- 74:e5:0b:e7:95:ae 9c:8c:d8:95:2b:c2 1 5
Jul 22 16:59:19 eap-id-resp -> 74:e5:0b:e7:95:ae 9c:8c:d8:95:2b:c2 1 17 user1
Jul 22 16:59:19 rad-req -> 74:e5:0b:e7:95:ae 9c:8c:d8:95:2b:c2 3 208 10.80.98.250
Jul 22 16:59:19 rad-reject <- 74:e5:0b:e7:95:ae 9c:8c:d8:95:2b:c2/dot1x_NPS 3 44
Jul 22 16:59:19 eap-failure <- 74:e5:0b:e7:95:ae 9c:8c:d8:95:2b:c2 1 4 server rejected
Jul 22 16:59:19 station-down * 74:e5:0b:e7:95:ae 9c:8c:d8:95:2b:c2 - -

 

I don't know why the RADIUS server rejects the client. And I don't think the problem is on the RADIUS server, because we have another controller running 6.5 using the same server, and everything is fine.

 

 

#show log

Jul 22 16:59:19 authmgr[3707]: <522258> <3707> <DBUG> |authmgr| "VDR - Add to history of user user 74:e5:0b:e7:95:ae vlan 94 derivation_type Current VLAN updated index 5.
Jul 22 16:59:19 authmgr[3707]: <522260> <3707> <DBUG> |authmgr| "VDR - Cur VLAN updated 74:e5:0b:e7:95:ae mob 0 inform 1 remote 0 wired 0 defvlan 94 exportedvlan 0 curvlan 94.
Jul 22 16:59:19 authmgr[3707]: <522287> <3707> <DBUG> |authmgr| Auth GSM : MAC_USER publish for mac 74:e5:0b:e7:95:ae bssid 9c:8c:d8:95:2b:c2 vlan 94 type 1 data-ready 0 HA-IP n.a
Jul 22 16:59:19 authmgr[3707]: <522289> <3707> <DBUG> |authmgr| Auth GSM : MAC_USER mu_delete publish for mac 74:e5:0b:e7:95:ae bssid 9c:8c:d8:95:2b:c2 vlan 94 type 1 data-ready 0 deauth-reason 50 HA-IP n.a
Jul 22 16:59:19 authmgr[3707]: <522290> <4779> <DBUG> |authmgr| Auth GSM : MAC_USER delete for mac 74:e5:0b:e7:95:ae
Jul 22 16:59:19 authmgr[3707]: <522296> <4779> <DBUG> |authmgr| Auth GSM : USER_STA delete event for user 74:e5:0b:e7:95:ae age 0 deauth_reason 50
Jul 22 16:59:19 authmgr[3707]: <522301> <3707> <DBUG> |authmgr| Auth GSM : USER publish for uuid 204c033c9b840000000b000b mac 74:e5:0b:e7:95:ae name role logon devtype wired 0 authtype 0 subtype 0 encrypt-type 10 conn-port 8448 fwd-mode 0 roam 0 repkey -1
Jul 22 16:59:19 authmgr[3707]: <522303> <4779> <DBUG> |authmgr| Auth GSM : USER delete for mac 74:e5:0b:e7:95:ae uuid 204c033c9b840000000b000b
Jul 22 16:59:19 dot1x-proc:2[4372]: <522275> <4372> <WARN> |dot1x-proc:2| User Authentication failed. username=user1 userip=0.0.0.0 usermac=74:e5:0b:e7:95:ae authmethod=802.1x servername=dot1x_NPS serverip=10.80.0.103 apname=9c:8c:d8:c1:52:bc bssid=9c:8c:d8:95:2b:c2
Jul 22 16:59:19 stm[3131]: <501000> <DBUG> |AP 9c:8c:d8:c1:52:bc@10.80.98.50 stm| Station 74:e5:0b:e7:95:ae: Clearing state
Jul 22 16:59:19 stm[3131]: <501105> <NOTI> |AP 9c:8c:d8:c1:52:bc@10.80.98.50 stm| Deauth from sta: 74:e5:0b:e7:95:ae: AP 10.80.98.50-9c:8c:d8:95:2b:c2-9c:8c:d8:c1:52:bc Reason Response to EAP Challenge Failed
Jul 22 16:59:19 stm[3727]: <501000> <5522> <DBUG> |stm| Station 74:e5:0b:e7:95:ae: Clearing state
Jul 22 16:59:19 stm[3727]: <501080> <5522> <NOTI> |stm| Deauth to sta: 74:e5:0b:e7:95:ae: Ageout AP 10.80.98.50-9c:8c:d8:95:2b:c2-9c:8c:d8:c1:52:bc Response to EAP Challenge Failed
Jul 22 16:59:19 stm[3727]: <501106> <5522> <NOTI> |stm| Deauth to sta: 74:e5:0b:e7:95:ae: Ageout AP 10.80.98.50-9c:8c:d8:95:2b:c2-9c:8c:d8:c1:52:bc wifi_deauth_sta

Thank you for any answers...

Guru Elite

Re: 802.1x authentication fail

You need to see what the radius server log says, because that could be contributing to your issue.  It says server reject, so you need to look at that.


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
Contributor I

Re: 802.1x authentication fail

Which RADIUS server are you using?

Can you share the RADIUS logs of this authentication failure?

Mathias Troncoso-Aballay
ACMP, ACCP, ACSA | Aruba Partner Ambassador
Contributor I

Re: 802.1x authentication fail

Thank you for your reply.

We are using Windows NPS as the RADIUS server.

Yeah, I found the solution. It is because of termination on the RADIUS server.

And the RADIUS server didn't have a certificate.

Once I requested the certificate on the RADIUS server, the clients could pass authentication.
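In the trace from the first post, the rad-reject answers the very first rad-req, so the server refused the session before any further EAP exchange took place. The following is an added example, not part of the thread: it parses `show auth-tracebuf` text and flags rejects of that kind. The field layout is assumed from the lines posted above, and the second station in the sample is constructed for contrast.

```python
import re

# Layout assumed from the thread's trace lines:
# <timestamp> <event> <direction> <station MAC> <BSSID[/server name]> <id> <len> [extra]
LINE = re.compile(
    r"^\w{3}\s+\d+\s+[\d:]{8}\s+(?P<event>[\w-]+)\s+(?:<-|->|\*)\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+(?P<rest>.*)$", re.I)

# First station: lines from the original post. Second station: constructed.
SAMPLE = """\
Jul 22 16:59:10 station-up * 74:e5:0b:e7:95:ae 9c:8c:d8:95:2b:c2 - - wpa2 aes
Jul 22 16:59:19 eap-id-resp -> 74:e5:0b:e7:95:ae 9c:8c:d8:95:2b:c2 1 17 user1
Jul 22 16:59:19 rad-req -> 74:e5:0b:e7:95:ae 9c:8c:d8:95:2b:c2 3 208 10.80.98.250
Jul 22 16:59:19 rad-reject <- 74:e5:0b:e7:95:ae 9c:8c:d8:95:2b:c2/dot1x_NPS 3 44
Jul 22 16:59:19 eap-failure <- 74:e5:0b:e7:95:ae 9c:8c:d8:95:2b:c2 1 4 server rejected
Jul 22 17:01:00 station-up * 02:00:00:00:00:01 9c:8c:d8:95:2b:c2 - - wpa2 aes
Jul 22 17:01:00 eap-id-resp -> 02:00:00:00:00:01 9c:8c:d8:95:2b:c2 1 17 user2
Jul 22 17:01:00 rad-req -> 02:00:00:00:00:01 9c:8c:d8:95:2b:c2 4 208 10.80.98.250
Jul 22 17:01:00 rad-req -> 02:00:00:00:00:01 9c:8c:d8:95:2b:c2 5 320 10.80.98.250
Jul 22 17:01:01 rad-reject <- 02:00:00:00:00:01 9c:8c:d8:95:2b:c2/dot1x_NPS 5 44
"""

def find_rejects(trace):
    """Return one record per rad-reject, noting how many rad-req preceded it."""
    sessions, findings = {}, []
    for raw in trace.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip prompts, blanks and anything that is not a trace line
        mac, event, rest = m["mac"].lower(), m["event"], m["rest"].split()
        if event == "station-up":
            sessions[mac] = {"user": None, "rad_req": 0}  # new association
        s = sessions.setdefault(mac, {"user": None, "rad_req": 0})
        if event == "eap-id-resp" and len(rest) >= 4:
            s["user"] = rest[3]  # identity sent by the supplicant
        elif event == "rad-req":
            s["rad_req"] += 1
        elif event == "rad-reject":
            server = rest[0].partition("/")[2]  # name after "<BSSID>/"
            findings.append({"mac": mac, "user": s["user"], "server": server,
                             "rad_req": s["rad_req"],
                             # True when the reject answers the first request
                             "first_request": s["rad_req"] <= 1})
    return findings

if __name__ == "__main__":
    for f in find_rejects(SAMPLE):
        stage = "on first request" if f["first_request"] else "after further exchange"
        print(f"{f['mac']} user={f['user']} server={f['server']} rejected {stage}")
```
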
