Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

802.1x authentication fail

  • 1.  802.1x authentication fail

    Posted Jul 22, 2019 11:13 AM

    Hi everyone,

     

    We have a controller running 8.5.0.0

     

    #show auth-tracebuf

    Jul 22 16:59:10 station-up * 74:e5:0b:e7:95:ae 9c:8c:d8:95:2b:c2 - - wpa2 aes
    Jul 22 16:59:10 eap-id-req <- 74:e5:0b:e7:95:ae 9c:8c:d8:95:2b:c2 1 5
    Jul 22 16:59:10 eap-start -> 74:e5:0b:e7:95:ae 9c:8c:d8:95:2b:c2 - -
    Jul 22 16:59:10 eap-id-req <- 74:e5:0b:e7:95:ae 9c:8c:d8:95:2b:c2 1 5
    Jul 22 16:59:15 eap-id-req <- 74:e5:0b:e7:95:ae 9c:8c:d8:95:2b:c2 1 5
    Jul 22 16:59:19 eap-id-resp -> 74:e5:0b:e7:95:ae 9c:8c:d8:95:2b:c2 1 17 user1
    Jul 22 16:59:19 rad-req -> 74:e5:0b:e7:95:ae 9c:8c:d8:95:2b:c2 3 208 10.80.98.250
    Jul 22 16:59:19 rad-reject <- 74:e5:0b:e7:95:ae 9c:8c:d8:95:2b:c2/dot1x_NPS 3 44
    Jul 22 16:59:19 eap-failure <- 74:e5:0b:e7:95:ae 9c:8c:d8:95:2b:c2 1 4 server rejected
    Jul 22 16:59:19 station-down * 74:e5:0b:e7:95:ae 9c:8c:d8:95:2b:c2 - -

     

    I don't know why the RADIUS server rejects the client. And I don't think the problem is on the RADIUS server, because we have another controller running 6.5 using the same server, and everything is fine.

     

     

    #show log

    Jul 22 16:59:19 authmgr[3707]: <522258> <3707> <DBUG> |authmgr| "VDR - Add to history of user user 74:e5:0b:e7:95:ae vlan 94 derivation_type Current VLAN updated index 5.
    Jul 22 16:59:19 authmgr[3707]: <522260> <3707> <DBUG> |authmgr| "VDR - Cur VLAN updated 74:e5:0b:e7:95:ae mob 0 inform 1 remote 0 wired 0 defvlan 94 exportedvlan 0 curvlan 94.
    Jul 22 16:59:19 authmgr[3707]: <522287> <3707> <DBUG> |authmgr| Auth GSM : MAC_USER publish for mac 74:e5:0b:e7:95:ae bssid 9c:8c:d8:95:2b:c2 vlan 94 type 1 data-ready 0 HA-IP n.a
    Jul 22 16:59:19 authmgr[3707]: <522289> <3707> <DBUG> |authmgr| Auth GSM : MAC_USER mu_delete publish for mac 74:e5:0b:e7:95:ae bssid 9c:8c:d8:95:2b:c2 vlan 94 type 1 data-ready 0 deauth-reason 50 HA-IP n.a
    Jul 22 16:59:19 authmgr[3707]: <522290> <4779> <DBUG> |authmgr| Auth GSM : MAC_USER delete for mac 74:e5:0b:e7:95:ae
    Jul 22 16:59:19 authmgr[3707]: <522296> <4779> <DBUG> |authmgr| Auth GSM : USER_STA delete event for user 74:e5:0b:e7:95:ae age 0 deauth_reason 50
    Jul 22 16:59:19 authmgr[3707]: <522301> <3707> <DBUG> |authmgr| Auth GSM : USER publish for uuid 204c033c9b840000000b000b mac 74:e5:0b:e7:95:ae name role logon devtype wired 0 authtype 0 subtype 0 encrypt-type 10 conn-port 8448 fwd-mode 0 roam 0 repkey -1
    Jul 22 16:59:19 authmgr[3707]: <522303> <4779> <DBUG> |authmgr| Auth GSM : USER delete for mac 74:e5:0b:e7:95:ae uuid 204c033c9b840000000b000b
    Jul 22 16:59:19 dot1x-proc:2[4372]: <522275> <4372> <WARN> |dot1x-proc:2| User Authentication failed. username=user1 userip=0.0.0.0 usermac=74:e5:0b:e7:95:ae authmethod=802.1x servername=dot1x_NPS serverip=10.80.0.103 apname=9c:8c:d8:c1:52:bc bssid=9c:8c:d8:95:2b:c2
    Jul 22 16:59:19 stm[3131]: <501000> <DBUG> |AP 9c:8c:d8:c1:52:bc@10.80.98.50 stm| Station 74:e5:0b:e7:95:ae: Clearing state
    Jul 22 16:59:19 stm[3131]: <501105> <NOTI> |AP 9c:8c:d8:c1:52:bc@10.80.98.50 stm| Deauth from sta: 74:e5:0b:e7:95:ae: AP 10.80.98.50-9c:8c:d8:95:2b:c2-9c:8c:d8:c1:52:bc Reason Response to EAP Challenge Failed
    Jul 22 16:59:19 stm[3727]: <501000> <5522> <DBUG> |stm| Station 74:e5:0b:e7:95:ae: Clearing state
    Jul 22 16:59:19 stm[3727]: <501080> <5522> <NOTI> |stm| Deauth to sta: 74:e5:0b:e7:95:ae: Ageout AP 10.80.98.50-9c:8c:d8:95:2b:c2-9c:8c:d8:c1:52:bc Response to EAP Challenge Failed
    Jul 22 16:59:19 stm[3727]: <501106> <5522> <NOTI> |stm| Deauth to sta: 74:e5:0b:e7:95:ae: Ageout AP 10.80.98.50-9c:8c:d8:95:2b:c2-9c:8c:d8:c1:52:bc wifi_deauth_sta

    Thank you for any answers...



  • 2.  RE: 802.1x authentication fail
    Best Answer

    EMPLOYEE
    Posted Jul 22, 2019 12:26 PM

    You need to see what the radius server log says, because that could be contributing to your issue.  It says server reject, so you need to look at that.



  • 3.  RE: 802.1x authentication fail

    Posted Jul 23, 2019 02:23 PM

    Which radius server are you using?

     

    Can you share the RADIUS logs of this authentication failure?



  • 4.  RE: 802.1x authentication fail

    Posted Jul 23, 2019 08:32 PM

    Thank you for your reply.

    We are using Windows NPS as the RADIUS server.

    Yeah. I found the solution. It is because of termination on the RADIUS server.

    And the RADIUS server didn't have a certificate.

    After I requested the certificate on the RADIUS server, the clients could pass authentication.
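
Added example, not written by any poster in this thread and not Aruba code: Python that reads `show auth-tracebuf` output and reports, for each rejected station, whether the `rad-reject` arrived before any RADIUS challenge. In the trace from the first post the single `rad-req` is answered directly by `rad-reject`, so no EAP method exchange took place, which is consistent with the fix reported in post 4. Assumptions: `classify` is a hypothetical helper, and the event name `rad-resp` for an Access-Challenge does not appear in the thread's trace.

```python
import re

# Trace copied from the first post of the thread (one rejected station).
TRACE = """\
Jul 22 16:59:10 station-up * 74:e5:0b:e7:95:ae 9c:8c:d8:95:2b:c2 - - wpa2 aes
Jul 22 16:59:10 eap-id-req <- 74:e5:0b:e7:95:ae 9c:8c:d8:95:2b:c2 1 5
Jul 22 16:59:10 eap-start -> 74:e5:0b:e7:95:ae 9c:8c:d8:95:2b:c2 - -
Jul 22 16:59:10 eap-id-req <- 74:e5:0b:e7:95:ae 9c:8c:d8:95:2b:c2 1 5
Jul 22 16:59:15 eap-id-req <- 74:e5:0b:e7:95:ae 9c:8c:d8:95:2b:c2 1 5
Jul 22 16:59:19 eap-id-resp -> 74:e5:0b:e7:95:ae 9c:8c:d8:95:2b:c2 1 17 user1
Jul 22 16:59:19 rad-req -> 74:e5:0b:e7:95:ae 9c:8c:d8:95:2b:c2 3 208 10.80.98.250
Jul 22 16:59:19 rad-reject <- 74:e5:0b:e7:95:ae 9c:8c:d8:95:2b:c2/dot1x_NPS 3 44
Jul 22 16:59:19 eap-failure <- 74:e5:0b:e7:95:ae 9c:8c:d8:95:2b:c2 1 4 server rejected
Jul 22 16:59:19 station-down * 74:e5:0b:e7:95:ae 9c:8c:d8:95:2b:c2 - -
"""

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
LINE = re.compile(rf"^\w{{3}}\s+\d+\s+[\d:]+\s+(?P<event>[\w-]+)\s+(?:<-|->|\*)\s+"
                  rf"(?P<sta>{MAC})\s+{MAC}(?:/(?P<server>\S+))?", re.I)

def classify(trace):
    """Return {station_mac: finding} for every station that received a rad-reject."""
    seen, findings = {}, {}
    for raw in trace.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip prompts, blank lines and anything that is not a trace entry
        sta, event = m["sta"].lower(), m["event"]
        st = seen.setdefault(sta, {"rad-req": 0, "rad-resp": 0, "user": None})
        if event == "station-up":
            st.update({"rad-req": 0, "rad-resp": 0, "user": None})  # new attempt
        elif event == "eap-id-resp":
            st["user"] = raw.split()[-1]  # the identity is the last field
        elif event in ("rad-req", "rad-resp"):  # "rad-resp" is an assumed event name
            st[event] += 1
        elif event == "rad-reject":
            # No challenge before the reject: the server refused the first
            # Access-Request, so no EAP method or TLS tunnel was negotiated.
            stage = "before-eap-method" if st["rad-resp"] == 0 else "during-eap-method"
            findings[sta] = {"user": st["user"], "server": m["server"],
                             "rad_reqs": st["rad-req"], "stage": stage}
    return findings

if __name__ == "__main__":
    print(classify(TRACE))
```

A `before-eap-method` result points the investigation at the RADIUS server's own configuration and logs rather than at the client's credentials.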



  • 5.  RE: 802.1x authentication fail

    Posted Feb 05, 2020 09:45 AM

    Hi, would you mind articulating your answer a bit better, please? The meaning of your post is not clear.

    Thanks