Security

Authentication is OK when I try from the controller to IAS server, but client can not get authentication on their laptops

can somebody help

Are you doing Captive Portal or WPA2-AES?  Did you look in the IAS Eventviewer under "System" to see the failures?

Hi

I'm doing WPA2-AES, i can not see any error on  IAS event viewer logs

can you check the attached show auth-tracebuf output maybe you can get something

Attachment(s)

ARUBA.pdf   11 KB 1 version

sorry i'm using wpa-tkip

Your using "Termination" and you should uncheck it by going to:

configuration> security> authentication>l2 Authentication> 802.1x profiles.  Find the 802.1x profile that corresponds to your WLAN and make sure that "Termination" is unchecked.  

it is ticked already and when i trying to connect i got small log in window keep asking me  for username and password then error massage for either username or password error

in case if i un-ticked it, i'll not get this login small window and i could not connect, it keep showing me (trying to connecting)

how i can know whether my  IAS server has a certificate or not.

Your IAS server needs to have a certificate and that would be in the remote access policy under Edit Profile> Authentication> EAP Methods> Edit PEAP.

If you don't have a certificate or cannot obtain one, leave Termination Checked, but on your client wireless definition, uncheck "Validate Server Certificate"

i was doing 2nd scenario

Termination is Checked and  in client wireless definition the "Validate Server Certificate" is unchecked by applying GPO

but I lost authentication

from the auth-tracebuf, it looks like you are doing "machine authentication", which does not work with termination enabled.  You would need to put a certificate on the radius server and uncheck termination for that to work.

i'm kind of lost, i could not do the CA on the IAS server 2008,

i lost guest captive porter window for the Guest SSID as well

can you tell me how i can rollback and remove "machine authentication"

i wonna do termination with domain credential only

Okay.  If you cannot do the CA on Windows 2008, leave termination on.

In your auth-tracebuf, I see your computer trying to authenticate with host/VDLSIT01046.veti.ac.ae which means it is using the computer credentials, NOT the user credentials to login.  Machine credentials or machine authentication does not work with termination.  If you are using group policy to configure that client, make sure in the group policy under the IEEE 802.1x tab, the authentication mode is "user authentication'", otherwise it will not work.

it was authentecate as "user or computer authentecation " howaver when i changed it to user only i got no authentecation as well,

after restarting the controller i got the below output, is that mean no authentecate requests ? or what?

(VEDC-Wireless-Controller) #show auth-tracebuf

Warning: user-debug is enabled on one or more specific MAC addresses;                                                                     

only those MAC addresses appear in the trace buffer.

Auth Trace Buffer -----------------

(VEDC-Wireless-Controller) #

(VEDC-Wireless-Controller) #

(VEDC-Wireless-Controller) #

What you need to do is add the mac address of that client to the user-debug.  The command only shows mac addresses that have been added.  Add that client like this:

config t

logging level debugging user-debug mac <mac address of client>

It should then show up in the auth-tracebuf

I'm getting  the attached output, my username is v90000204

so the authentication in username not computer

any suggestion please

Attachment(s)

ARUBA Cont.pdf   5 KB 1 version

It looks like the radius server is responding with mschap failure.  What does the eventviewer on the radius server say?

on the Network Policy  and access service on IAS server i got this information, note that i have no problem in my username and password

Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:

Security ID: NULL SID

Account Name: VETI\v90000204

Account Domain: VETI

Fully Qualified Account Name: VETI\v90000204

Client Machine:

Security ID: NULL SID

Account Name: -

Fully Qualified Account Name: -

OS-Version: -

Called Station Identifier: 000B8661973C

Calling Station Identifier: 00225F399E65

NAS:

NAS IPv4 Address: 10.25.2.42

NAS IPv6 Address: -

NAS Identifier: 10.25.2.42

NAS Port-Type: Wireless - IEEE 802.11

NAS Port: 0

RADIUS Client:

Client Friendly Name: WLC1

Client IP Address: 10.25.20.4

Authentication Details:

Connection Request Policy Name: Use Windows authentication for all users

Network Policy Name: -

Authentication Provider: Windows

Authentication Server: VEDC-BC01.veti.ac.ae

Authentication Type: MS-CHAPv2

EAP Type: -

Account Session Identifier: -

Logging Results: Accounting information was written to the local log file.

Reason Code: 16

Reason: Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.

on the windows log system i got this informations

The Network Policy Server service entered the running state.

The Network Policy Server service entered the stopped state.

The Portable Device Enumerator Service service entered the stopped state.

The WinHTTP Web Proxy Auto-Discovery Service service entered the running state.

The Portable Device Enumerator Service service entered the running state.

The Group Policy settings for the user were processed successfully. New settings from 2 Group Policy objects were detected and applied.

User Logon Notification for Customer Experience Improvement Program

The WinHTTP Web Proxy Auto-Discovery Service service entered the stopped state.

on the windows log security i got

Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:

Security ID: NULL SID

Account Name: VETI\v90000204

Account Domain: VETI

Fully Qualified Account Name: VETI\v90000204

Client Machine:

Security ID: NULL SID

Account Name: -

Fully Qualified Account Name: -

OS-Version: -

Called Station Identifier: 000B8661973C

Calling Station Identifier: 00225F399E65

NAS:

NAS IPv4 Address: 10.25.2.42

NAS IPv6 Address: -

NAS Identifier: 10.25.2.42

NAS Port-Type: Wireless - IEEE 802.11

NAS Port: 0

RADIUS Client:

Client Friendly Name: WLC1

Client IP Address: 10.25.20.4

Authentication Details:

Connection Request Policy Name: Veti

Network Policy Name: -

Authentication Provider: Windows

Authentication Server: VEDC-BC01.veti.ac.ae

Authentication Type: MS-CHAPv2

EAP Type: -

Account Session Identifier: -

Logging Results: Accounting information was written to the local log file.

Reason Code: 16

Reason: Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.

Your eventviewer message is lacking critical information needed to figure this out.  If you cannot post the eventviewer message in its entirety, you probably should open a support case so that they can look at it.  If your fqdn is listed as just "VETI\v90000204" that means it did not find your user in active directory.

Again, you probably changed a few things, but they are critical to figuring this issue out, so you might want to open a support case.