
Having some 802.1x Authentication issues

  • 1.  Having some 802.1x Authentication issues

    Posted Nov 25, 2015 09:19 AM

    Hi All

     

    Been pulling my hair out with this one. Implementing Radius and 802.1x auth is not succeeding.

    Aruba Controller version 6.4.2.3

    MS 2003 Server for Radius/IAS (I know it's old...)

     

    Signing in from my Android device it just never connects - from the radius server I can see it is granting access (confirmed with performing AAA test from controller).

     

    I have tried the following from googling around the web:

    PMKID disabled and enabled with no difference.

    Prohibit-IP-Spoofing enabled and disabled with no difference.

    Set Interval between WPA/WPA2 Key Messages from 1000 to 3000 with no difference.

     

    I see the following from the Logs on the controller for my Android's MAC address. Seeing messages for "MIC failed in WPA key Message 2".

     

    Nov 25 16:00:32  authmgr[2056]: <524124> <DBUG> |authmgr|  dot1x_supplicant_up(): MAC:ec:1f:72:eb:ea:d3, pmkid_present:False, pmkid:N/A
    Nov 25 16:00:32  authmgr[2056]: <522308> <DBUG> |authmgr|  Device Type index derivation for ec:1f:72:eb:ea:d3 : dhcp (0,0,0) oui (0,0) ua (5,1,1) derived Android(1)
    Nov 25 16:00:32  authmgr[2056]: <522299> <DBUG> |authmgr|  Auth GSM : DEV_ID_CACHE publish for mac ec:1f:72:eb:ea:d3 dev-id Android index 1
    Nov 25 16:00:32  authmgr[2056]: <522050> <INFO> |authmgr|  MAC=ec:1f:72:eb:ea:d3,IP=N/A User data downloaded to datapath, new Role=logon/2, bw Contract=0/0, reason=layer 2 event driven download, idle-timeout=300
    Nov 25 16:00:32  authmgr[2056]: <522242> <DBUG> |authmgr|  MAC=ec:1f:72:eb:ea:d3 Station Created Update MMS: BSSID=9c:1c:12:0f:7d:d4 ESSID=Test-SSID VLAN=2 AP-name=B-Block_GndFlr_Networks
    Nov 25 16:00:32  authmgr[2056]: <522301> <DBUG> |authmgr|  Auth GSM : USER publish for uuid 332 mac ec:1f:72:eb:ea:d3 name  role logon devtype Android wired 0 authtype 0 subtype 0  encrypt-type 10 conn-port 8448 fwd-mode 0
    Nov 25 16:00:32  authmgr[1719]: <522038> <INFO> |authmgr|  username=hendrik MAC=ec:1f:72:eb:ea:d3 IP=0.0.0.0 Authentication result=Authentication Successful method=802.1x server=2003-Radius
    Nov 25 16:00:32  authmgr[1719]: <124003> <INFO> |authmgr|  Authentication result=Authentication Successful(0), method=802.1x, server=2003-Radius, user=ec:1f:72:eb:ea:d3 
    Nov 25 16:00:32  authmgr[1719]: <522044> <INFO> |authmgr|  MAC=ec:1f:72:eb:ea:d3 Station authenticate(start): method=802.1x, role=logon///logon, VLAN=2/2, Derivation=0/0, Value Pair=1, flags=0x8 
    Nov 25 16:00:32  authmgr[1719]: <522049> <INFO> |authmgr|  MAC=ec:1f:72:eb:ea:d3,IP=N/A User role updated, existing Role=logon/none, new Role=authenticated/none, reason=Station Authenticated with auth type: 4
    Nov 25 16:00:32  authmgr[1719]: <522050> <INFO> |authmgr|  MAC=ec:1f:72:eb:ea:d3,IP=N/A User data downloaded to datapath, new Role=authenticated/73, bw Contract=0/0, reason=Download driven by user role setting, idle-timeout=300
    Nov 25 16:00:32  authmgr[1719]: <522301> <DBUG> |authmgr|  Auth GSM : USER publish for uuid 332 mac ec:1f:72:eb:ea:d3 name hendrik role authenticated devtype Android wired 0 authtype 4 subtype 0  encrypt-type 10 conn-port 8448 fwd-mode 0
    Nov 25 16:00:32  authmgr[1719]: <522258> <DBUG> |authmgr|  "VDR - Add to history of user user ec:1f:72:eb:ea:d3 vlan 0 derivation_type Reset Dot1x VLANs index 4.
    Nov 25 16:00:32  authmgr[1719]: <522254> <DBUG> |authmgr|  VDR - mac ec:1f:72:eb:ea:d3 rolename NULL fwdmode 0 derivation_type Dot1x Aruba VSA vp present.
    Nov 25 16:00:32  authmgr[1719]: <522254> <DBUG> |authmgr|  VDR - mac ec:1f:72:eb:ea:d3 rolename NULL fwdmode 0 derivation_type Dot1x MSFT Attributes vp present.
    Nov 25 16:00:32  authmgr[1719]: <522254> <DBUG> |authmgr|  VDR - mac ec:1f:72:eb:ea:d3 rolename NULL fwdmode 0 derivation_type Dot1x Server Rule vp present.
    Nov 25 16:00:32  authmgr[1719]: <522259> <DBUG> |authmgr|  "VDR - Do Role Based VLAN Derivation user ec:1f:72:eb:ea:d3 role authenticated authtype 4 rolehow default for authentication type 802.1x.
    Nov 25 16:00:32  authmgr[1719]: <522254> <DBUG> |authmgr|  VDR - mac ec:1f:72:eb:ea:d3 rolename authenticated fwdmode 0 derivation_type User Dot1x Role Contained vp not present.
    Nov 25 16:00:32  authmgr[1719]: <522258> <DBUG> |authmgr|  "VDR - Add to history of user user ec:1f:72:eb:ea:d3 vlan 0 derivation_type Reset Role Based VLANs index 5.
    Nov 25 16:00:32  authmgr[1719]: <522255> <DBUG> |authmgr|  "VDR - set vlan in user for ec:1f:72:eb:ea:d3 vlan 2 fwdmode 0 derivation_type Current VLAN updated.
    Nov 25 16:00:32  authmgr[1719]: <522258> <DBUG> |authmgr|  "VDR - Add to history of user user ec:1f:72:eb:ea:d3 vlan 2 derivation_type Current VLAN updated index 6.
    Nov 25 16:00:32  authmgr[1719]: <522260> <DBUG> |authmgr|  "VDR - Cur VLAN updated ec:1f:72:eb:ea:d3 mob 0 inform 0 remote 0 wired 0 defvlan 2 exportedvlan 0 curvlan 2.
    Nov 25 16:00:32  authmgr[1719]: <522029> <INFO> |authmgr|  MAC=ec:1f:72:eb:ea:d3 Station authenticate: method=802.1x, role=authenticated///logon, VLAN=2/2, Derivation=1/1, Value Pair=1 
    Nov 25 16:00:32  authmgr[1719]: <522301> <DBUG> |authmgr|  Auth GSM : USER publish for uuid 332 mac ec:1f:72:eb:ea:d3 name hendrik role authenticated devtype Android wired 0 authtype 4 subtype 9  encrypt-type 10 conn-port 8448 fwd-mode 0
    Nov 25 16:00:33  authmgr[1719]: <522053> <DBUG> |authmgr|  PMK Cache getting updated for ec:1f:72:eb:ea:d3, (def, cur, vhow) = (2, 2, 1) with vlan=0 vlanhow=0 essid=Test-SSID role=authenticated rhow=1
    Nov 25 16:00:33  authmgr[1719]: <524129> <DBUG> |authmgr|  dot1x_gsm_set_keycache(): MAC:ec:1f:72:eb:ea:d3 GSM: Successfully published Key-cache object.
    Nov 25 16:00:33  authmgr[1719]: <524134> <DBUG> |authmgr|  dot1x_gsm_set_pmkcache(): MAC:ec:1f:72:eb:ea:d3 BSS:9c:1c:12:0f:7d:d4 GSM: Successfully published PMK-cache object.
    Nov 25 16:00:33  authmgr[1719]: <524139> <DBUG> |authmgr|  add_pmkcache():864: MAC:ec:1f:72:eb:ea:d3 BSS:9c:1c:12:0f:7d:d4 Update:^A
    Nov 25 16:00:33  authmgr[1719]: <524129> <DBUG> |authmgr|  dot1x_gsm_set_keycache(): MAC:ec:1f:72:eb:ea:d3 GSM: Successfully published Key-cache object.
    Nov 25 16:00:33  authmgr[1719]: <524134> <DBUG> |authmgr|  dot1x_gsm_set_pmkcache(): MAC:ec:1f:72:eb:ea:d3 BSS:9c:1c:12:0f:7d:d4 GSM: Successfully published PMK-cache object.
    Nov 25 16:00:33  authmgr[1719]: <524140> <DBUG> |authmgr|  add_pmkcache_ft():955: MAC:ec:1f:72:eb:ea:d3 BSS:9c:1c:12:0f:7d:d4 Update:^A
    Nov 25 16:00:33  authmgr[1719]: <524129> <DBUG> |authmgr|  dot1x_gsm_set_keycache(): MAC:ec:1f:72:eb:ea:d3 GSM: Successfully published Key-cache object.
    Nov 25 16:00:33  authmgr[1719]: <524134> <DBUG> |authmgr|  dot1x_gsm_set_pmkcache(): MAC:ec:1f:72:eb:ea:d3 BSS:9c:1c:12:0f:7d:d4 GSM: Successfully published PMK-cache object.
    Nov 25 16:00:33  authmgr[1719]: <132094> <WARN> |authmgr|  MIC failed in WPA2 Key Message 2 from Station ec:1f:72:eb:ea:d3 9c:1c:12:0f:7d:d4 B-Block_GndFlr_Networks
    Nov 25 16:00:36  authmgr[1719]: <524129> <DBUG> |authmgr|  dot1x_gsm_set_keycache(): MAC:ec:1f:72:eb:ea:d3 GSM: Successfully published Key-cache object.
    Nov 25 16:00:36  authmgr[1719]: <524134> <DBUG> |authmgr|  dot1x_gsm_set_pmkcache(): MAC:ec:1f:72:eb:ea:d3 BSS:9c:1c:12:0f:7d:d4 GSM: Successfully published PMK-cache object.
    Nov 25 16:00:36  authmgr[1719]: <524140> <DBUG> |authmgr|  add_pmkcache_ft():955: MAC:ec:1f:72:eb:ea:d3 BSS:9c:1c:12:0f:7d:d4 Update:^A
    Nov 25 16:00:36  authmgr[1719]: <524129> <DBUG> |authmgr|  dot1x_gsm_set_keycache(): MAC:ec:1f:72:eb:ea:d3 GSM: Successfully published Key-cache object.
    Nov 25 16:00:36  authmgr[1719]: <524134> <DBUG> |authmgr|  dot1x_gsm_set_pmkcache(): MAC:ec:1f:72:eb:ea:d3 BSS:9c:1c:12:0f:7d:d4 GSM: Successfully published PMK-cache object.
    Nov 25 16:00:36  authmgr[1719]: <132094> <WARN> |authmgr|  MIC failed in WPA2 Key Message 2 from Station ec:1f:72:eb:ea:d3 9c:1c:12:0f:7d:d4 B-Block_GndFlr_Networks
    Nov 25 16:00:39  authmgr[1719]: <524129> <DBUG> |authmgr|  dot1x_gsm_set_keycache(): MAC:ec:1f:72:eb:ea:d3 GSM: Successfully published Key-cache object.
    Nov 25 16:00:39  authmgr[1719]: <524134> <DBUG> |authmgr|  dot1x_gsm_set_pmkcache(): MAC:ec:1f:72:eb:ea:d3 BSS:9c:1c:12:0f:7d:d4 GSM: Successfully published PMK-cache object.
    Nov 25 16:00:39  authmgr[1719]: <524140> <DBUG> |authmgr|  add_pmkcache_ft():955: MAC:ec:1f:72:eb:ea:d3 BSS:9c:1c:12:0f:7d:d4 Update:^A
    Nov 25 16:00:39  authmgr[1719]: <524129> <DBUG> |authmgr|  dot1x_gsm_set_keycache(): MAC:ec:1f:72:eb:ea:d3 GSM: Successfully published Key-cache object.
    Nov 25 16:00:39  authmgr[1719]: <524134> <DBUG> |authmgr|  dot1x_gsm_set_pmkcache(): MAC:ec:1f:72:eb:ea:d3 BSS:9c:1c:12:0f:7d:d4 GSM: Successfully published PMK-cache object.
    Nov 25 16:00:39  authmgr[1719]: <132094> <WARN> |authmgr|  MIC failed in WPA2 Key Message 2 from Station ec:1f:72:eb:ea:d3 9c:1c:12:0f:7d:d4 B-Block_GndFlr_Networks
    Nov 25 16:00:42  authmgr[1719]: <524129> <DBUG> |authmgr|  dot1x_gsm_set_keycache(): MAC:ec:1f:72:eb:ea:d3 GSM: Successfully published Key-cache object.
    Nov 25 16:00:42  authmgr[1719]: <524134> <DBUG> |authmgr|  dot1x_gsm_set_pmkcache(): MAC:ec:1f:72:eb:ea:d3 BSS:9c:1c:12:0f:7d:d4 GSM: Successfully published PMK-cache object.
    Nov 25 16:00:42  authmgr[1719]: <524140> <DBUG> |authmgr|  add_pmkcache_ft():955: MAC:ec:1f:72:eb:ea:d3 BSS:9c:1c:12:0f:7d:d4 Update:^A
    Nov 25 16:00:42  authmgr[1719]: <524129> <DBUG> |authmgr|  dot1x_gsm_set_keycache(): MAC:ec:1f:72:eb:ea:d3 GSM: Successfully published Key-cache object.
    Nov 25 16:00:42  authmgr[1719]: <524134> <DBUG> |authmgr|  dot1x_gsm_set_pmkcache(): MAC:ec:1f:72:eb:ea:d3 BSS:9c:1c:12:0f:7d:d4 GSM: Successfully published PMK-cache object.
    Nov 25 16:00:42  authmgr[1719]: <132094> <WARN> |authmgr|  MIC failed in WPA2 Key Message 2 from Station ec:1f:72:eb:ea:d3 9c:1c:12:0f:7d:d4 B-Block_GndFlr_Networks
    Nov 25 16:00:45  authmgr[1719]: <132086> <INFO> |authmgr|  WPA 2 Key exchange failed to complete, de-authenticating the station ec:1f:72:eb:ea:d3 associated with AP 9c:1c:12:0f:7d:d4 B-Block_GndFlr_Networks
    Nov 25 16:00:45  authmgr[1719]: <522289> <DBUG> |authmgr|  Auth GSM : MAC_USER mu_delete publish for mac ec:1f:72:eb:ea:d3 bssid 9c:1c:12:0f:7d:d4 vlan 2 type 1 data-ready 0 deauth-reason 49
    Nov 25 16:00:45  stm[2159]: <501106> <NOTI> |stm|  Deauth to sta: ec:1f:72:eb:ea:d3: Ageout AP 10.254.253.107-9c:1c:12:0f:7d:d4-B-Block_GndFlr_Networks wifi_deauth_sta
    Nov 25 16:00:45  authmgr[2056]: <522296> <DBUG> |authmgr|  Auth GSM : USER_STA delete event for user ec:1f:72:eb:ea:d3 age 0 deauth_reason 49

    Any suggestions on what I am doing wrong or missing is more than welcome.

     



  • 2.  RE: Having some 802.1x Authentication issues

    EMPLOYEE
    Posted Nov 25, 2015 09:23 AM

    1.  NEVER change the 802.1x settings/timers.  Please set them back to the defaults

    2.  Find out what error message if any that the Radius Server has in its event logs

    3.  On the controller side, type "show auth-tracebuf mac <mac address of client>" to see what is happening

     



  • 3.  RE: Having some 802.1x Authentication issues

    Posted Nov 27, 2015 04:31 AM

    Hi Collin

     

    Reverted the Timers back to their original settings

    Got the following output from the trace-buf command

     

    Nov 27 11:05:38  station-up             *  ec:1f:72:eb:ea:d3  6c:f3:7f:db:8f:52              -    -     wpa2 psk aes
    Nov 27 11:05:38  wpa2-key1             <-  ec:1f:72:eb:ea:d3  6c:f3:7f:db:8f:52              -    117   
    Nov 27 11:05:39  wpa2-key2             ->  ec:1f:72:eb:ea:d3  6c:f3:7f:db:8f:52              -    117   
    Nov 27 11:05:39  wpa2-key3             <-  ec:1f:72:eb:ea:d3  6c:f3:7f:db:8f:52              -    151   
    Nov 27 11:05:39  wpa2-key4             ->  ec:1f:72:eb:ea:d3  6c:f3:7f:db:8f:52              -    95    
    Nov 27 11:05:59  station-down           *  ec:1f:72:eb:ea:d3  6c:f3:7f:db:8f:52              -    -     
    Nov 27 11:05:59  station-up             *  ec:1f:72:eb:ea:d3  9c:1c:12:0f:7d:d1              -    -     wpa2 psk aes
    Nov 27 11:05:59  wpa2-key1             <-  ec:1f:72:eb:ea:d3  9c:1c:12:0f:7d:d1              -    117   
    Nov 27 11:05:59  wpa2-key2             ->  ec:1f:72:eb:ea:d3  9c:1c:12:0f:7d:d1              -    117   
    Nov 27 11:05:59  wpa2-key3             <-  ec:1f:72:eb:ea:d3  9c:1c:12:0f:7d:d1              -    151   
    Nov 27 11:05:59  wpa2-key4             ->  ec:1f:72:eb:ea:d3  9c:1c:12:0f:7d:d1              -    95    
    Nov 27 11:16:23  station-down           *  ec:1f:72:eb:ea:d3  9c:1c:12:0f:7d:d1              -    -     
    Nov 27 11:16:25  station-up             *  ec:1f:72:eb:ea:d3  9c:1c:12:0f:7d:d4              -    -     wpa2 aes
    Nov 27 11:16:25  station-term-start     *  ec:1f:72:eb:ea:d3  9c:1c:12:0f:7d:d4              2    -     
    Nov 27 11:16:26  client-finish         ->  ec:1f:72:eb:ea:d3  9c:1c:12:0f:7d:d4/TCM-802.1X   -    -     
    Nov 27 11:16:26  server-finish         <-  ec:1f:72:eb:ea:d3  9c:1c:12:0f:7d:d4/TCM-802.1X   -    61    
    Nov 27 11:16:26  server-finish-ack     ->  ec:1f:72:eb:ea:d3  9c:1c:12:0f:7d:d4/TCM-802.1X   -    -     
    Nov 27 11:16:26  inner-eap-id-req      <-  ec:1f:72:eb:ea:d3  9c:1c:12:0f:7d:d4/TCM-802.1X   -    35    
    Nov 27 11:16:26  inner-eap-id-resp     ->  ec:1f:72:eb:ea:d3  9c:1c:12:0f:7d:d4/TCM-802.1X   -    -     hendrik
    Nov 27 11:16:26  eap-mschap-chlg       <-  ec:1f:72:eb:ea:d3  9c:1c:12:0f:7d:d4/TCM-802.1X   -    67    
    Nov 27 11:16:26  eap-mschap-response   ->  ec:1f:72:eb:ea:d3  9c:1c:12:0f:7d:d4/TCM-802.1X   8    49    
    Nov 27 11:16:26  mschap-request        ->  ec:1f:72:eb:ea:d3  9c:1c:12:0f:7d:d4/TCM-802.1X   8    -     hendrik
    Nov 27 11:16:26  mschap-response       <-  ec:1f:72:eb:ea:d3  9c:1c:12:0f:7d:d4/2008-Radius  -    -     hendrik
    Nov 27 11:16:26  eap-mschap-success    <-  ec:1f:72:eb:ea:d3  9c:1c:12:0f:7d:d4/TCM-802.1X   -    83    
    Nov 27 11:16:26  eap-mschap-success-ack->  ec:1f:72:eb:ea:d3  9c:1c:12:0f:7d:d4/TCM-802.1X   -    -     
    Nov 27 11:16:26  eap-tlv-rslt-success  <-  ec:1f:72:eb:ea:d3  9c:1c:12:0f:7d:d4/TCM-802.1X   -    43    
    Nov 27 11:16:26  eap-tlv-rslt-success  ->  ec:1f:72:eb:ea:d3  9c:1c:12:0f:7d:d4              -    2     
    Nov 27 11:16:26  eap-success           <-  ec:1f:72:eb:ea:d3  9c:1c:12:0f:7d:d4/TCM-802.1X   -    4     
    Nov 27 11:16:26  wpa2-key1             <-  ec:1f:72:eb:ea:d3  9c:1c:12:0f:7d:d4              -    117   
    Nov 27 11:16:26  wpa2-key2             ->  ec:1f:72:eb:ea:d3  9c:1c:12:0f:7d:d4              -    240   mic failure
    Nov 27 11:16:27  wpa2-key1             <-  ec:1f:72:eb:ea:d3  9c:1c:12:0f:7d:d4              -    117   
    Nov 27 11:16:27  wpa2-key2             ->  ec:1f:72:eb:ea:d3  9c:1c:12:0f:7d:d4              -    240   mic failure
    Nov 27 11:16:28  wpa2-key1             <-  ec:1f:72:eb:ea:d3  9c:1c:12:0f:7d:d4              -    117   
    Nov 27 11:16:28  wpa2-key2             ->  ec:1f:72:eb:ea:d3  9c:1c:12:0f:7d:d4              -    240   mic failure
    Nov 27 11:16:29  wpa2-key1             <-  ec:1f:72:eb:ea:d3  9c:1c:12:0f:7d:d4              -    117   
    Nov 27 11:16:29  wpa2-key2             ->  ec:1f:72:eb:ea:d3  9c:1c:12:0f:7d:d4              -    240   mic failure
    Nov 27 11:16:30  wpa2-key1             <-  ec:1f:72:eb:ea:d3  9c:1c:12:0f:7d:d4              -    117   
    Nov 27 11:16:30  station-down           *  ec:1f:72:eb:ea:d3  9c:1c:12:0f:7d:d4              -    -     

    I thought the 2003 server was causing a problem and got a 2008 server. Still having the same problem -- Might it be my Aruba config that's a problem and not the Radius server?

     

    On the Radius server I do see an error

    Reason Code:            23
        Reason:                An error occurred during the Network Policy Server use of the Extensible Authentication Protocol (EAP). Check EAP log files for EAP errors.

     

    I have deleted the Certs, recreated them, deleted the policies and recreated them - but still getting this error. I am not sure where these EAP logs are - BUT If I am looking at the right logs (in C:\Windows\System32\LogFiles\INI1511)
    I see the following lines

     

    "RADNET","IAS",11/27/2015,11:13:27,1,"hendrik","NETWORKS\hendrik","000B866E1E74","EC1F72EBEAD3",,,,"10.254.253.21",0,0,"10.254.253.21","Aruba-Controller",,,19,,,1,4,"Secure Wireless Connections 2",0,"311 1 10.254.253.22 11/26/2015 13:30:42 203",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Secure Wireless Connections 2",1,,,,
    "RADNET","IAS",11/27/2015,11:13:27,2,,"NETWORKS\hendrik",,,,,,,,0,"10.254.253.21","Aruba-Controller",,,,,1,2,4,"Secure Wireless Connections 2",0,"311 1 10.254.253.22 11/26/2015 13:30:42 203",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"0x084E4554574F524B53",,,"Secure Wireless Connections 2",1,,,,
    "RADNET","IAS",11/27/2015,11:13:37,1,"hendrik","NETWORKS\hendrik","000B866E1E74","EC1F72EBEAD3",,,,"10.254.253.21",0,0,"10.254.253.21","Aruba-Controller",,,19,,,1,4,"Secure Wireless Connections 2",0,"311 1 10.254.253.22 11/26/2015 13:30:42 204",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Secure Wireless Connections 2",1,,,,
    "RADNET","IAS",11/27/2015,11:13:37,2,,"NETWORKS\hendrik",,,,,,,,0,"10.254.253.21","Aruba-Controller",,,,,1,2,4,"Secure Wireless Connections 2",0,"311 1 10.254.253.22 11/26/2015 13:30:42 204",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"0x084E4554574F524B53",,,"Secure Wireless Connections 2",1,,,,

    Also followed steps you recommended another user (he was using instants though) in a different post, but still no luck....  :(

    http://community.arubanetworks.com/t5/Aruba-Instant-Cloud-Wi-Fi/PEAP-authentication-failure-Reason-code-23/td-p/71530

     

    Some extra details

    Enabling Termination on the controller makes no difference (I believe for 802.1x it should be disabled) so currently disabled.

    Running a AAA test for the user against the server does succeed.

     

    Any other advice?

     

     

     



  • 4.  RE: Having some 802.1x Authentication issues
    Best Answer

    EMPLOYEE
    Posted Nov 27, 2015 06:20 AM

    Termination should be off, yes.

     

    Did you generate a server certificate for the IAS server for Server authentication?  Please see the article here;  http://community.arubanetworks.com/t5/Community-Tribal-Knowledge-Base/Step-by-Step-How-to-Configure-Microsoft-NPS-2008-Radius-Server/ta-p/80672

     

    The #1 reason why the AAA test works and authentication does not work is having a proper radius server certificate...

     

     


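Added example, not part of the original thread or of any Aruba tooling: a small Python triage script for `show auth-tracebuf` output like the trace posted above. It splits the trace into per-station sessions and flags the pattern seen in this thread, where EAP succeeds and the 4-way handshake then fails at key message 2. The verdict names and the function names (`parse_sessions`, `classify`, `summarize`) are assumptions made for this example; the sample input is an excerpt of the trace from post 3.

```python
import re
from dataclasses import dataclass, field

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
# One row of the trace: time, event, direction, station, BSSID[/profile],
# id, length, free-text note. The arrow may touch the event name
# ("eap-mschap-success-ack->"), hence the lazy event match followed by \s*.
ROW = re.compile(
    rf"^\w{{3}}\s+\d+\s+\d\d:\d\d:\d\d\s+(?P<event>[a-z0-9-]+?)\s*(?:<-|->|\*)\s+"
    rf"(?P<sta>{MAC})\s+(?P<bssid>{MAC})(?:/\S+)?\s+\S+\s+\S+\s*(?P<note>.*)$"
)

@dataclass
class Session:
    sta: str
    bssid: str
    opmode: str                      # note on station-up, e.g. "wpa2 psk aes"
    events: list = field(default_factory=list)

def parse_sessions(text):
    """Split the trace into per-station sessions, each opened by station-up."""
    sessions, current = [], {}
    for raw in text.splitlines():
        m = ROW.match(raw.strip())
        if not m:
            continue                 # headers, blank lines, wrapped output
        if m["event"] == "station-up":
            current[m["sta"]] = Session(m["sta"], m["bssid"], m["note"])
            sessions.append(current[m["sta"]])
        elif m["sta"] in current:
            current[m["sta"]].events.append((m["event"], m["note"]))
    return sessions

def classify(session):
    """Return (verdict, number of key message 2 MIC failures)."""
    names = [e for e, _ in session.events]
    mic_failures = sum(1 for e, note in session.events
                       if e == "wpa2-key2" and "mic failure" in note)
    if "wpa2-key4" in names:
        verdict = "handshake-complete"
    elif mic_failures and "eap-success" in names:
        # Credentials were accepted, but the MIC on message 2 does not verify:
        # station and controller are not holding the same PMK.
        verdict = "eap-ok-key2-mic-failure"
    elif mic_failures:
        verdict = "key2-mic-failure"
    else:
        verdict = "incomplete"
    return verdict, mic_failures

def summarize(text):
    return [(s.bssid, s.opmode, *classify(s)) for s in parse_sessions(text)]

# Excerpt of the auth-tracebuf output posted in this thread.
TRACE = """
Nov 27 11:05:38  station-up             *  ec:1f:72:eb:ea:d3  6c:f3:7f:db:8f:52              -    -     wpa2 psk aes
Nov 27 11:05:38  wpa2-key1             <-  ec:1f:72:eb:ea:d3  6c:f3:7f:db:8f:52              -    117
Nov 27 11:05:39  wpa2-key2             ->  ec:1f:72:eb:ea:d3  6c:f3:7f:db:8f:52              -    117
Nov 27 11:05:39  wpa2-key3             <-  ec:1f:72:eb:ea:d3  6c:f3:7f:db:8f:52              -    151
Nov 27 11:05:39  wpa2-key4             ->  ec:1f:72:eb:ea:d3  6c:f3:7f:db:8f:52              -    95
Nov 27 11:05:59  station-down           *  ec:1f:72:eb:ea:d3  6c:f3:7f:db:8f:52              -    -
Nov 27 11:16:25  station-up             *  ec:1f:72:eb:ea:d3  9c:1c:12:0f:7d:d4              -    -     wpa2 aes
Nov 27 11:16:26  inner-eap-id-resp     ->  ec:1f:72:eb:ea:d3  9c:1c:12:0f:7d:d4/TCM-802.1X   -    -     hendrik
Nov 27 11:16:26  eap-mschap-success-ack->  ec:1f:72:eb:ea:d3  9c:1c:12:0f:7d:d4/TCM-802.1X   -    -
Nov 27 11:16:26  eap-success           <-  ec:1f:72:eb:ea:d3  9c:1c:12:0f:7d:d4/TCM-802.1X   -    4
Nov 27 11:16:26  wpa2-key1             <-  ec:1f:72:eb:ea:d3  9c:1c:12:0f:7d:d4              -    117
Nov 27 11:16:26  wpa2-key2             ->  ec:1f:72:eb:ea:d3  9c:1c:12:0f:7d:d4              -    240   mic failure
Nov 27 11:16:27  wpa2-key1             <-  ec:1f:72:eb:ea:d3  9c:1c:12:0f:7d:d4              -    117
Nov 27 11:16:27  wpa2-key2             ->  ec:1f:72:eb:ea:d3  9c:1c:12:0f:7d:d4              -    240   mic failure
Nov 27 11:16:28  wpa2-key1             <-  ec:1f:72:eb:ea:d3  9c:1c:12:0f:7d:d4              -    117
Nov 27 11:16:28  wpa2-key2             ->  ec:1f:72:eb:ea:d3  9c:1c:12:0f:7d:d4              -    240   mic failure
Nov 27 11:16:29  wpa2-key1             <-  ec:1f:72:eb:ea:d3  9c:1c:12:0f:7d:d4              -    117
Nov 27 11:16:29  wpa2-key2             ->  ec:1f:72:eb:ea:d3  9c:1c:12:0f:7d:d4              -    240   mic failure
Nov 27 11:16:30  wpa2-key1             <-  ec:1f:72:eb:ea:d3  9c:1c:12:0f:7d:d4              -    117
Nov 27 11:16:30  station-down           *  ec:1f:72:eb:ea:d3  9c:1c:12:0f:7d:d4              -    -
"""

if __name__ == "__main__":
    for row in summarize(TRACE):
        print(row)
```

A `key2-mic-failure` verdict on a PSK SSID (no EAP events in the session) usually points at a passphrase mismatch instead.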

  • 5.  RE: Having some 802.1x Authentication issues

    Posted Dec 03, 2015 03:05 AM

    Hi

     

    Just an update on this - I followed the steps in the document http://community.arubanetworks.com/t5/Community-Tribal-Knowledge-Base/Step-by-Step-How-to-Configure-Microsoft-NPS-2008-Radius-Server/ta-p/80672 exactly as indicated. Still had the problem. Created a new domain and server for testing and problem persisted. Added new certificates (computer, Domain Controller and also a few custom Certificates), still had same problem.

     

    Pulled out an old 3400 Controller, redid my complete Aruba controller configuration on it and it worked like a charm with new test domain and original domain that I started with.

    I believe there might be something I messed up in the Aruba configuration or my 3600 controller is FUBAR.

     

    When I get approval I am migrating my new configuration (full flash config) from 3400 to the 3600 to see if the problem persists and to see if it is the controller or the config that is faulty.

     

    Will post an update once I have done this.



  • 6.  RE: Having some 802.1x Authentication issues

    EMPLOYEE
    Posted Dec 03, 2015 05:12 AM

    Hendrik,

     

    If you have support, please open a case.  Most of the configuration is on the radius server and there is very little configuration on the controller.  Since there is little configuration on the controller, I am not sure a flash backup is a good move, or it would just introduce issues into your new configuration.  Again, the bulk of the configuration is on the radius server.



  • 7.  RE: Having some 802.1x Authentication issues

    Posted Dec 22, 2015 01:31 AM

    Hi

     

    Just some feedback - unfortunately the controller is out of support (had many a conversation around renewal with no success).

    Testing with the other controller and config it all works 100%, I think it is something on the original Config that was at fault. The previous admins fiddled with a lot of settings, many of which are unused or unrequired - possibly something I couldn't spot that was misconfigured.

    But anyway we are running on the new config now with no hiccups (using setup steps as indicated - Thx Collin), had a bit of an issue with some of my Remote APs, but was resolved quite easily.



  • 8.  RE: Having some 802.1x Authentication issues

    Posted Nov 09, 2017 07:28 PM

    Hello,

     

    I am having clients get kicked off/lose connection often. The clients are right next to the Airports and bandwidth looks ok. We have a mix of 335's and 225's with about 10 to 30 clients per AP. 

     

    I am getting a lot of RADIUS Authentication Issues almost 3000 a day

     

    Any ideas?

     

    Thank you so much for any and all help. 



  • 9.  RE: Having some 802.1x Authentication issues

    EMPLOYEE
    Posted Nov 09, 2017 07:47 PM



    @Ollie R wrote:

    Hello,

     

    I am having clients get kicked off/lose connection often. The clients are right next to the Airports and bandwidth looks ok. We have a mix of 335's and 225's with about 10 to 30 clients per AP. 

     

    I am getting a lot of RADIUS Authentication Issues almost 3000 a day

     

    Any ideas?

     

    Thank you so much for any and all help. 


    Those look like mac authentications to the server internal to the controller.  How is your SSID setup to authenticate?



  • 10.  RE: Having some 802.1x Authentication issues

    Posted Nov 13, 2017 01:01 PM
    Sorry for just getting back to this I was off site for a bit. 
     
    The DHCP on the school wireless is handled by Windows servers. The DHCP on the guest wireless is handled by the Aruba system
     
    The authentication for school SSID is WPA2
     
    Thank you for any and all help! 


  • 11.  RE: Having some 802.1x Authentication issues

    Posted Nov 13, 2017 01:08 PM

    There is an option that is called "Cellular handoff assist" that was causing a lot of disconnect/reconnect issues that by disabling, resolved. Did you say you were having problems with clients that get DHCP via the controller? or the Radius server?



  • 12.  RE: Having some 802.1x Authentication issues

    Posted Nov 13, 2017 01:32 PM

    Thank you for the help!

     

    I will take a look if we have that toggled on. 

    I believe we are having issues with the RADIUS Authentication Issues.

     

    Our clients are getting kicked off the network even when our bandwidth is fine. 

     



  • 13.  RE: Having some 802.1x Authentication issues

    Posted Nov 13, 2017 01:48 PM

    I am not finding "Cellular handoff assist" do you know where it is found? 

     

    Thanks!



  • 14.  RE: Having some 802.1x Authentication issues

    Posted Nov 13, 2017 01:56 PM

    It is under the RF-Management settings Under ARM>Advanced



  • 15.  RE: Having some 802.1x Authentication issues

    Posted Nov 13, 2017 02:01 PM

    Thanks! 

     

    Looking at the settings it looks like I don't have that option. 

    I wonder if I need to upgrade my software to get that choice. 

     

     



  • 16.  RE: Having some 802.1x Authentication issues

    EMPLOYEE
    Posted Nov 13, 2017 02:25 PM

    Ollie R,

     

    Do you have mac authentication enabled on that SSID?



  • 17.  RE: Having some 802.1x Authentication issues

    Posted Nov 13, 2017 02:34 PM

    No. 

     

    We should not have that set up on the network.



  • 18.  RE: Having some 802.1x Authentication issues

    EMPLOYEE
    Posted Nov 13, 2017 02:37 PM

    Okay, you either have mac authentication enabled or "Enforce Machine Authentication" enabled.  Why?  Because the username on your Radius Authentication issues is a mac address.



  • 19.  RE: Having some 802.1x Authentication issues

    Posted Nov 13, 2017 02:39 PM

    Should we turn that off then?

     

    Would we have any issues if we did?

     

    Where would I turn off that setting?

     

    Thank you so much for all the help!



  • 20.  RE: Having some 802.1x Authentication issues

    Posted Nov 13, 2017 02:56 PM

    It looks like we have those settings off. 

     

    Any chance we could have a different issue?

     

    Thank you so much for all the help! I really appreciate your time and help! 

     

    Thank you!



  • 21.  RE: Having some 802.1x Authentication issues

    EMPLOYEE
    Posted Nov 13, 2017 03:02 PM

    It looks like you have mac authentication enabled.  That is the only other reason why a device would authenticate via its username to the internal database.



  • 22.  RE: Having some 802.1x Authentication issues

    EMPLOYEE
    Posted Nov 13, 2017 03:07 PM

    Translation:

     

    You do not seem to have a 802.1x authentication problem.  The failures seem to be mac authentication to the internal database of the IAP.



  • 23.  RE: Having some 802.1x Authentication issues

    Posted Nov 13, 2017 03:11 PM

    Thank you! 

     

    I don't get into those settings often, Would the fix just go through all the AP's and look at the settings, Change if needs be.

     

    Thanks!



  • 24.  RE: Having some 802.1x Authentication issues

    EMPLOYEE
    Posted Nov 13, 2017 03:20 PM

    The answer is yes, it would go through to all of the APs.  The question is, who enabled it, and is it being used??



  • 25.  RE: Having some 802.1x Authentication issues

    Posted Nov 13, 2017 03:35 PM

    Thank you for your responses and patience, I have gone through all the APs in instant as well as airwaves and can't find any issues with configuration, I mean things such as authentication enabled on an AP.

     

    I might be looking in the wrong spot tho. Here is how I am looking for the settings.

     

    Is this correct/how things should be?

     

    Thank you so much for all your help! 



  • 26.  RE: Having some 802.1x Authentication issues



  • 27.  RE: Having some 802.1x Authentication issues

    Posted Nov 13, 2017 04:38 PM

    Thank you for the Link! 

     

    After looking into our settings it looks like we are set up how we should be. 

     

    Would the setting for how many clients can connect to an AP be a cause for clients dropping off the network or would they just use the next closest AP?

     

    Thank you for the Help! 



  • 28.  RE: Having some 802.1x Authentication issues

    EMPLOYEE
    Posted Nov 13, 2017 05:02 PM

    What exactly are your circumstances?

    When did it start happening?



  • 29.  RE: Having some 802.1x Authentication issues

    Posted Nov 13, 2017 05:57 PM

    The issue is our clients are getting kicked off the network 5-20 times a day.

     

    Not all clients have it as bad as others.

     

    The Staff members are who get kicked off the most with static IP but we see this also with students but not as often.

     

    Our clients have MacBook Air / MacBook Pro and are running Sierra.

     

    The Client health is 98-100% then they drop the network. The computer will search for networks not find any then the clients will turn off/on the network and reconnect.

     

    The Clients are 15'-40' away from the AP's and the AP's have 15-40 clients. The AP's are 335's 

     

    We have been working on this for about 2 months. It used to be a phantom issue with 1 or 2 people a week getting kicked and now in the last week, it has gotten worse with our clients getting kicked off 5-20 times a day but with (good) health and our bandwidth use low.

     

    This issue can happen in many different areas and times of the day. No microwaves are in the area and I am unable to find any interference devices. 

     

     

     

     

     



  • 30.  RE: Having some 802.1x Authentication issues

    EMPLOYEE
    Posted Nov 13, 2017 09:53 PM

    When you look at your access points, is there a + or a - or an E right after the channel?



  • 31.  RE: Having some 802.1x Authentication issues

    Posted Nov 14, 2017 12:10 PM

    I don't see anything after the channel. 

     

    What should I see?

     

    Or what would be best?

     

    Thanks!



  • 32.  RE: Having some 802.1x Authentication issues

    Posted Nov 14, 2017 12:30 PM

    Where would the best place be to look for what is after the channel? So far all the places I have looked have nothing after the channel but I am thinking that there should be something after the channel or a place to change the setting.

     

    Thanks! 



  • 33.  RE: Having some 802.1x Authentication issues

    Posted Nov 16, 2017 12:27 PM

    I have been looking for the - or the + and I am still not finding anything for channel settings. 

     

    Would this be for the AirWaves?

     

    Thanks!

     

     



  • 34.  RE: Having some 802.1x Authentication issues

    EMPLOYEE
    Posted Nov 16, 2017 11:53 PM

    Question:

     

    Did you configure the network or you inherited it from someone else?  That would determine the types of questions I ask next.



  • 35.  RE: Having some 802.1x Authentication issues

    Posted Nov 17, 2017 12:25 PM

    Good question, 

     

    This was inherited, it has been kind of a beast in the closet but we are trying to get the bugs worked out.

     

    We went from Apple extremes to Aruba 105 and now we have 335's.

    We kind of thought things would be fixed with new Airports but now it looks like it is something else. 

     

    Thank you for all the help!  



  • 36.  RE: Having some 802.1x Authentication issues

    EMPLOYEE
    Posted Nov 17, 2017 01:12 PM

    Question:

     

    Do you make configuration changes in the Instant GUI config in Airwave, or do you do it directly on the Instant Cluster? (you can only do one or the other)..



  • 37.  RE: Having some 802.1x Authentication issues

    Posted Nov 17, 2017 01:23 PM

    We are using instant as the controlling side of things and we have Airwave in the monitor setting. 

     

    We see we have an update for the instant and will do the update soon. 

     

    Thanks!



  • 38.  RE: Having some 802.1x Authentication issues

    EMPLOYEE
    Posted Nov 17, 2017 01:33 PM

    If things are working, you should not update.  You could cause more problems due to behavior changes.  You should read the release notes and see if it fixes your issue.  If not, you should not upgrade, or you could cause more issues.



  • 39.  RE: Having some 802.1x Authentication issues

    EMPLOYEE
    Posted Nov 17, 2017 01:45 PM

    Lastly, you should web into the GUI of your instant cluster (not airwave) and click on Edit on all of your SSIDs.  Under Advanced, check to make sure that Broadcast Filtering is set to ALL or ARP, to maintain performance.



  • 40.  RE: Having some 802.1x Authentication issues

    Posted Nov 17, 2017 01:53 PM

    Thank you for all the Help! 

     

    I just took a look and we are set as Disabled. 

     

    Would a change to the setting affect users on our network now? AKA, kick them off?

     

    Would All or ARP be better to change to?

     

    Thanks!



  • 41.  RE: Having some 802.1x Authentication issues

    Posted Nov 17, 2017 02:17 PM

    Doing some research on the ARP broadcasting and I am wondering about losing the Bonjour part of things. 

     

    If we enable this will we lose all Bonjour things like ARD? 

     

    I am wondering because it looks like that may have been fixed but I am not 100% sure.

     

    Thanks! 



  • 42.  RE: Having some 802.1x Authentication issues

    EMPLOYEE
    Posted Nov 17, 2017 05:39 PM

    What do you use Bonjour for?  Turning on Airgroup should allow the Bonjour traffic while broadcast filtering is enabled.



  • 43.  RE: Having some 802.1x Authentication issues

    Posted Nov 17, 2017 05:45 PM

    Thanks! 

     

    We use it to discover computers on the network through Remote Desktop; however, we can also use the local network to do this. That is about it, though, so we should be OK if we toggle the ARP setting, and if not we can toggle it back on.

     

    Would I drop clients if I changed this setting?

     

    Thanks!



  • 44.  RE: Having some 802.1x Authentication issues

    EMPLOYEE
    Posted Nov 17, 2017 05:47 PM

    No, you should not.  You should have broadcast filtering enabled on all of your SSIDs for this to be effective.  Excess broadcasts are the enemy of wireless, especially if you have wired and wireless devices in the same VLAN.



  • 45.  RE: Having some 802.1x Authentication issues

    Posted Nov 20, 2017 12:23 PM

    Thank you for the help! 

     

    We made the changes to the network and things are much smoother now. 

     

    Thank you for all the help!



  • 46.  RE: Having some 802.1x Authentication issues

    Posted Jun 20, 2018 06:26 PM

    Hi Guys, we are having similar issues where users are getting kicked off the wireless. We are using Clearpass for Radius.

     

    Please let me know any recommendations.



  • 47.  RE: Having some 802.1x Authentication issues

    EMPLOYEE
    Posted Jun 20, 2018 06:28 PM

    Please create a new thread with full details about your environment and issue or open a case with Aruba TAC.




  • 49.  RE: Having some 802.1x Authentication issues

    Posted Oct 23, 2017 06:08 PM

    We are experiencing a similar issue after updating to 6.4.4.16 for the KRACK vulnerability. Other than the upgrade, there were no config changes, but I am seeing dot1x timeouts after the eap-id-resp from radius.

     

    Oct 23 16:05:20  eap-id-req            <-  68:c4:4d:50:a6:49  94:b4:0f:0e:7a:f7  1  5   

     

    Oct 23 16:05:20  eap-id-resp           ->  68:c4:4d:50:a6:49  94:b4:0f:0e:7a:f7  1  10   mruch

     

    Oct 23 16:05:25  dot1x-timeout          *  68:c4:4d:50:a6:49  94:b4:0f:0e:7a:f7  1  3    server timeout

     

    Oct 23 16:05:25  dot1x-timeout          *  68:c4:4d:50:a6:49  94:b4:0f:0e:7a:f7  2  2    station timeout

     

    Oct 23 16:05:25  eap-id-req            <-  68:c4:4d:50:a6:49  94:b4:0f:0e:7a:f7  2  5   

     

    Oct 23 16:05:25  eap-id-resp           ->  68:c4:4d:50:a6:49  94:b4:0f:0e:7a:f7  2  10   mruch

     

    Oct 23 16:05:30  dot1x-timeout          *  68:c4:4d:50:a6:49  94:b4:0f:0e:7a:f7  2  3    server timeout

     

    Oct 23 16:05:30  dot1x-timeout          *  68:c4:4d:50:a6:49  94:b4:0f:0e:7a:f7  3  2    station timeout

     

    Oct 23 16:05:30  eap-id-req            <-  68:c4:4d:50:a6:49  94:b4:0f:0e:7a:f7  3  5   

     

    Oct 23 16:05:35  dot1x-timeout          *  68:c4:4d:50:a6:49  94:b4:0f:0e:7a:f7  3  1    station timeout
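
The trace in the post above shows each identity response followed five seconds later by a server timeout. As an added example (not part of the original thread and not Aruba code), this Python script parses lines in that layout and separates stations whose identity response got no RADIUS reply from stations that never answered; the sample trace, its MAC addresses and user names, the reading of the two numeric columns, and the `eap-success` event name are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
# Column layout as it appears in the post: time, event, direction, station MAC,
# BSSID, two numeric columns (assumed here to be EAP id and length), free text.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P<event>\S+)\s+(?P<dir><-|->|\*)\s+"
    r"(?P<sta>" + MAC + r")\s+(?P<bssid>" + MAC + r")\s+"
    r"(?P<id>\S+)\s+(?P<len>\S+)\s*(?P<info>.*)$",
    re.IGNORECASE,
)
SUCCESS_EVENTS = {"eap-success"}  # assumption: this event name is not on the page

# Constructed sample trace (addresses and user names are made up).
SAMPLE_TRACE = """\
Oct 23 16:05:20  eap-id-req            <-  02:00:00:aa:bb:01  02:00:00:cc:dd:01  1  5
Oct 23 16:05:20  eap-id-resp           ->  02:00:00:aa:bb:01  02:00:00:cc:dd:01  1  10   alice
Oct 23 16:05:25  dot1x-timeout          *  02:00:00:aa:bb:01  02:00:00:cc:dd:01  1  3    server timeout
Oct 23 16:05:25  dot1x-timeout          *  02:00:00:aa:bb:01  02:00:00:cc:dd:01  2  2    station timeout
Oct 23 16:05:25  eap-id-req            <-  02:00:00:aa:bb:01  02:00:00:cc:dd:01  2  5
Oct 23 16:05:25  eap-id-resp           ->  02:00:00:aa:bb:01  02:00:00:cc:dd:01  2  10   alice
Oct 23 16:05:30  dot1x-timeout          *  02:00:00:aa:bb:01  02:00:00:cc:dd:01  2  3    server timeout
Oct 23 16:05:30  dot1x-timeout          *  02:00:00:aa:bb:01
Oct 23 16:06:00  eap-id-req            <-  02:00:00:aa:bb:02  02:00:00:cc:dd:01  1  5
Oct 23 16:06:05  dot1x-timeout          *  02:00:00:aa:bb:02  02:00:00:cc:dd:01  1  1    station timeout
Oct 23 16:06:05  eap-id-req            <-  02:00:00:aa:bb:02  02:00:00:cc:dd:01  2  5
Oct 23 16:06:10  dot1x-timeout          *  02:00:00:aa:bb:02  02:00:00:cc:dd:01  2  1    station timeout
Oct 23 16:07:00  eap-id-req            <-  02:00:00:aa:bb:03  02:00:00:cc:dd:01  1  5
Oct 23 16:07:00  eap-id-resp           ->  02:00:00:aa:bb:03  02:00:00:cc:dd:01  1  8    bob
Oct 23 16:07:01  eap-success           <-  02:00:00:aa:bb:03  02:00:00:cc:dd:01  1  4
"""


def parse_trace(text):
    """Return one dict per well-formed trace line; truncated lines are skipped."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ev = m.groupdict()
        # The trace has no year; a fixed one is fine because only time
        # differences inside one trace are used.
        ev["time"] = datetime.strptime("2000 " + " ".join(ev["ts"].split()),
                                       "%Y %b %d %H:%M:%S")
        ev["sta"] = ev["sta"].lower()
        ev["event"] = ev["event"].lower()
        ev["info"] = ev["info"].strip()
        events.append(ev)
    return events


def triage(events, min_server_timeouts=2):
    """Classify each station by where its 802.1X exchange stalled."""
    st = defaultdict(lambda: {"last": None, "resp_time": None, "success": False,
                              "server_timeouts": 0, "station_timeouts": 0,
                              "waits": [], "identities": set()})
    for ev in events:
        s = st[ev["sta"]]
        if ev["event"] == "eap-id-req":
            s["last"] = "req"
        elif ev["event"] == "eap-id-resp":
            s["last"], s["resp_time"] = "resp", ev["time"]
            if ev["info"]:
                s["identities"].add(ev["info"])
        elif ev["event"] == "dot1x-timeout" and "server timeout" in ev["info"]:
            # Only count it when the station had already sent its identity:
            # the authenticator was then waiting on the RADIUS server.
            if s["last"] == "resp":
                s["server_timeouts"] += 1
                s["waits"].append(int((ev["time"] - s["resp_time"]).total_seconds()))
            s["last"] = "timeout"
        elif ev["event"] == "dot1x-timeout" and "station timeout" in ev["info"]:
            s["station_timeouts"] += 1
        elif ev["event"] in SUCCESS_EVENTS:
            s["success"] = True

    report = {}
    for sta, s in st.items():
        if s["success"]:
            verdict = "ok"
        elif s["server_timeouts"] >= min_server_timeouts:
            verdict = "no-radius-reply"
        elif s["station_timeouts"]:
            verdict = "station-unresponsive"
        else:
            verdict = "incomplete"
        report[sta] = {"verdict": verdict,
                       "server_timeouts": s["server_timeouts"],
                       "station_timeouts": s["station_timeouts"],
                       "wait_seconds": s["waits"],
                       "identities": sorted(s["identities"])}
    return report


if __name__ == "__main__":
    for sta, row in triage(parse_trace(SAMPLE_TRACE)).items():
        print(sta, row)
```
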



  • 50.  RE: Having some 802.1x Authentication issues

    Posted Oct 23, 2017 06:10 PM

    To top that off, it looks like the users are stuck in the "logon" role of authentication. So far, the only way around the issue is to delete the user --#aaa users delete (mac)

    or connect to the guest network, then disconnect and "forget" the network altogether, then reconnect to the SSID and it works. Very strange. Any ideas?



  • 51.  RE: Having some 802.1x Authentication issues

    EMPLOYEE
    Posted Oct 23, 2017 11:17 PM

    Please open a TAC case.



  • 52.  RE: Having some 802.1x Authentication issues

    Posted Oct 24, 2017 02:01 AM

    Hi James

    This thread has been marked as solved already - my problem was related to my old controller having old config that was interfering in some way. Rebuilding solved my problems. This was also on quite old firmware.
    Perhaps a TAC case can help or a new post/thread for your issue specifically.



  • 53.  RE: Having some 802.1x Authentication issues

    Posted Oct 30, 2017 02:16 AM

    Hi James

    Did you get a solution to this error - I am also struggling with it and have had no success from support...



  • 54.  RE: Having some 802.1x Authentication issues

    Posted Oct 30, 2017 08:13 AM

    Hi Tatenda, I turned off 802.1r and OKC and that seems to have resolved the issues we were having. Although, we did not experience the issue until after upgrading to 6.4.4.16 from 6.4.2.19.

    The issue we were seeing was that users who were connected at one point were coming back to the facility unable to log in to the wireless network. The users were getting "stuck" in the "logon" role on the controller. The only workaround was to manually delete the user's table entry (#aaa user delete mac <mac address>) or connect to our guest wireless, and then forget that network and reconnect to the other. Not entirely sure what you're experiencing; under the VAP profile, SSID, 802.1r, disable, seems to have fixed our issues for now.



  • 55.  RE: Having some 802.1x Authentication issues

    Posted Oct 31, 2017 05:58 AM

    Hi

    James, thanks for the response. I am going to try it out when there is no one to whine about the downtime.



  • 56.  RE: Having some 802.1x Authentication issues

    EMPLOYEE
    Posted Oct 31, 2017 08:23 AM

    Tatenda,

     

    What version of ArubaOS did you upgrade from?



  • 57.  RE: Having some 802.1x Authentication issues

    Posted Oct 31, 2017 02:28 PM

    Hi

    The last working upgrade we installed was 6.4.2.17 - anything that we try to upgrade to above 6.4.2.17 results in inconsistencies with logging in.

     



  • 58.  RE: Having some 802.1x Authentication issues

    Posted Oct 31, 2017 02:33 PM
    We were on 6.4.2.19 prior to upgrading and had similar issues: when users left, they were unable to log in. The users were "stuck" in the "logon" role; we had to forcefully remove the user's account (#aaa users delete) and they were able to reconnect. This is with a radius server set up on Server 2012. What type of setup are you having issues with?



  • 59.  RE: Having some 802.1x Authentication issues

    Posted Oct 31, 2017 02:43 PM

    Hi James

    We are running Windows 2008R2.

    We are using the Windows server Radius for authentication

    We are also using the Windows DHCP and DNS servers.

    We have deployed the Aruba 3600 controllers with 104/105 APs

     

    Our problems are inconsistent once we upgrade. For example, I have a MacBook that takes about 5-10sec to connect to the network on a normal day. When we upgraded and tested connectivity, the same laptop took 1m30sec, then 2mins+, and on a different occasion it took 3min 30secs.

    When I take the same user name on a similar random device it works fine...