LDAP can not authenticate when connect to SSID
06-02-2019 06:04 PM - edited 06-02-2019 06:06 PM
When we try AAA authentication from the controller, it works fine.
When a user tries to connect to the SSID that requires LDAP authentication, after entering user/pass it cannot authenticate or get an IP address.
Here is the show auth-tracebuf output for the MAC address:
show auth-tracebuf | include 88:10:8f:df:d8:e8
Jun 2 14:09:57 client-finish -> 88:10:8f:df:d8:e8 48:4a:e9:6f:41:c0/test - -
Jun 2 14:09:57 server-finish <- 88:10:8f:df:d8:e8 48:4a:e9:6f:41:c0/test - 15616
Jun 2 14:09:57 server-finish-ack -> 88:10:8f:df:d8:e8 48:4a:e9:6f:41:c0/test - -
Jun 2 14:09:57 inner-eap-id-req <- 88:10:8f:df:d8:e8 48:4a:e9:6f:41:c0/test - 8960
Jun 2 14:09:57 inner-eap-id-resp -> 88:10:8f:df:d8:e8 48:4a:e9:6f:41:c0/test - - user@domain.com
Jun 2 14:09:57 eap-gtc-token-req <- 88:10:8f:df:d8:e8 48:4a:e9:6f:41:c0/test - 13056
Jun 2 14:09:57 eap-gtc-token-res -> 88:10:8f:df:d8:e8 48:4a:e9:6f:41:c0/test - 11
Jun 2 14:09:57 pap-request -> 88:10:8f:df:d8:e8 48:4a:e9:6f:41:c0/test - - user@domain.com
Jun 2 14:09:57 station-down * 88:10:8f:df:d8:e8 48:4a:e9:6f:41:c0 - -
Jun 2 14:09:57 pap-response <- 88:10:8f:df:d8:e8 48:4a:e9:6f:41:c0/HQDCO - - user@domain.com
Jun 2 14:09:57 eap-tlv-rslt-failure <- 88:10:8f:df:d8:e8 48:4a:e9:6f:41:c0/test - 11008
Jun 2 14:09:57 eap-failure <- 88:10:8f:df:d8:e8 48:4a:e9:6f:41:c0/test - 4
Jun 2 14:10:00 station-up * 88:10:8f:df:d8:e8 48:4a:e9:6f:41:c0 - - wpa2 aes
Jun 2 14:10:00 station-term-start * 88:10:8f:df:d8:e8 48:4a:e9:6f:41:c0 78 -
Jun 2 14:10:00 client-finish -> 88:10:8f:df:d8:e8 48:4a:e9:6f:41:c0/test - -
Jun 2 14:10:00 server-finish <- 88:10:8f:df:d8:e8 48:4a:e9:6f:41:c0/test - 15616
Jun 2 14:10:00 server-finish-ack -> 88:10:8f:df:d8:e8 48:4a:e9:6f:41:c0/test - -
Jun 2 14:10:00 inner-eap-id-req <- 88:10:8f:df:d8:e8 48:4a:e9:6f:41:c0/test - 8960
Jun 2 14:10:00 inner-eap-id-resp -> 88:10:8f:df:d8:e8 48:4a:e9:6f:41:c0/test - - user@domain.com
Jun 2 14:10:00 eap-gtc-token-req <- 88:10:8f:df:d8:e8 48:4a:e9:6f:41:c0/test - 13056
Jun 2 14:10:00 eap-gtc-token-res -> 88:10:8f:df:d8:e8 48:4a:e9:6f:41:c0/test - 11
Jun 2 14:10:00 pap-request -> 88:10:8f:df:d8:e8 48:4a:e9:6f:41:c0/test - - user@domain.com
I can see this:
Jun 2 14:09:57 eap-tlv-rslt-failure <- 88:10:8f:df:d8:e8 48:4a:e9:6f:41:c0/test - 11008
Jun 2 14:09:57 eap-failure <- 88:10:8f:df:d8:e8 48:4a:e9:6f:41:c0/test - 4
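The tracebuf above is easier to read once the lines are grouped into attempts per client and the last protocol step before the failure is pulled out. The following parser is an added example, not code from the original post or from Aruba: it takes auth-tracebuf lines in the shape quoted above, splits them into attempts (a new attempt at station-up, closed at eap-failure or eap-success), and reports the last non-result step, its phase, and the name that follows the slash on that line. The phase labels are an assumption based on the event names (outer TLS, inner identity, EAP-GTC token, PAP check against the configured backend); the name after the slash is reported as-is and the code does not assert what it denotes. The sample lines are constructed from the thread's own output.

```python
import re

# Constructed sample in the same shape as the thread's auth-tracebuf output
# (client MAC, BSSID and the names after the slash are the thread's own).
SAMPLE = """\
Jun 2 14:09:57 server-finish-ack -> 88:10:8f:df:d8:e8 48:4a:e9:6f:41:c0/test - -
Jun 2 14:09:57 inner-eap-id-req <- 88:10:8f:df:d8:e8 48:4a:e9:6f:41:c0/test - 8960
Jun 2 14:09:57 inner-eap-id-resp -> 88:10:8f:df:d8:e8 48:4a:e9:6f:41:c0/test - - user@domain.com
Jun 2 14:09:57 eap-gtc-token-req <- 88:10:8f:df:d8:e8 48:4a:e9:6f:41:c0/test - 13056
Jun 2 14:09:57 eap-gtc-token-res -> 88:10:8f:df:d8:e8 48:4a:e9:6f:41:c0/test - 11
Jun 2 14:09:57 pap-request -> 88:10:8f:df:d8:e8 48:4a:e9:6f:41:c0/test - - user@domain.com
Jun 2 14:09:57 station-down * 88:10:8f:df:d8:e8 48:4a:e9:6f:41:c0 - -
Jun 2 14:09:57 pap-response <- 88:10:8f:df:d8:e8 48:4a:e9:6f:41:c0/HQDCO - - user@domain.com
Jun 2 14:09:57 eap-tlv-rslt-failure <- 88:10:8f:df:d8:e8 48:4a:e9:6f:41:c0/test - 11008
Jun 2 14:09:57 eap-failure <- 88:10:8f:df:d8:e8 48:4a:e9:6f:41:c0/test - 4
Jun 2 14:10:00 station-up * 88:10:8f:df:d8:e8 48:4a:e9:6f:41:c0 - - wpa2 aes
Jun 2 14:10:00 client-finish -> 88:10:8f:df:d8:e8 48:4a:e9:6f:41:c0/test - -
"""

# One tracebuf line: timestamp, event, direction, client MAC, BSSID[/name], rest.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"(?P<event>\S+)\s+(?P<dir>->|<-|\*)\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+"
    r"(?P<bssid>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})(?:/(?P<tag>\S+))?"
    r"(?:\s+(?P<rest>.*))?$",
    re.IGNORECASE,
)

# Assumed phase labels, keyed by event-name prefix (first match wins).
PHASES = [
    ("station-", "association"),
    ("client-finish", "outer TLS tunnel"),
    ("server-finish", "outer TLS tunnel"),
    ("inner-eap-id", "inner identity"),
    ("eap-gtc-", "inner EAP-GTC token"),
    ("pap-", "backend credential check (PAP to the configured server)"),
    ("eap-tlv-rslt", "result TLV"),
    ("eap-failure", "result"),
    ("eap-success", "result"),
]
NON_STEPS = {"association", "result TLV", "result"}


def parse_line(line):
    """Parse one tracebuf line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    tokens = (rec.pop("rest") or "").split()
    # The identity, when present, is the trailing token containing '@'.
    rec["user"] = tokens[-1] if tokens and "@" in tokens[-1] else None
    return rec


def phase_of(event):
    for prefix, phase in PHASES:
        if event.startswith(prefix):
            return phase
    return "other"


def split_attempts(lines):
    """Group parsed records per client MAC into authentication attempts."""
    attempts, current = [], {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        mac = rec["mac"].lower()
        if rec["event"] == "station-up" and current.get(mac):
            attempts.append((mac, current[mac]))   # close an unfinished attempt
            current[mac] = []
        current.setdefault(mac, []).append(rec)
        if rec["event"] in ("eap-failure", "eap-success"):
            attempts.append((mac, current.pop(mac)))
    attempts.extend((mac, recs) for mac, recs in current.items() if recs)
    return attempts


def summarize(lines):
    """Per attempt: outcome, identity, and the last real step before the result."""
    out = []
    for mac, recs in split_attempts(lines):
        events = [r["event"] for r in recs]
        outcome = ("failure" if "eap-failure" in events
                   else "success" if "eap-success" in events else "incomplete")
        steps = [r for r in recs if phase_of(r["event"]) not in NON_STEPS]
        last = steps[-1] if steps else None
        out.append({
            "mac": mac,
            "outcome": outcome,
            "user": next((r["user"] for r in recs if r["user"]), None),
            "last_step": last["event"] if last else None,
            "phase": phase_of(last["event"]) if last else None,
            "server_tag": last["tag"] if last else None,
        })
    return out


if __name__ == "__main__":
    for a in summarize(SAMPLE.splitlines()):
        print(f"{a['mac']} {a['user']}: {a['outcome']} after {a['last_step']} "
              f"[{a['phase']}] tag={a['server_tag']}")
```

Run against the sample, the first attempt is reported as a failure whose last step is pap-response carrying the tag HQDCO, i.e. the exchange got through the outer tunnel, the inner identity and the GTC token before the result TLV came back as failure; the second attempt is still open at client-finish. Feeding a longer capture (several clients, several retries) through the same function gives a per-client table to compare against the backend server's own logs for the same timestamps.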
Re: LDAP can not authenticate when connect to SSID
06-02-2019 06:05 PM
Note that this is VMC version 8.4.
Re: LDAP can not authenticate when connect to SSID
06-02-2019 07:14 PM
Did you enable EAP Termination?
Did you install the EAP-GTC supplicant on the device?
Does the device trust the controller's internal certificate?
To be honest, EAP-Termination, PEAP with LDAP is not really recommended. A legitimate RADIUS server is recommended.
*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.5 User Guide
InstantOS 8.5 User Guide
Airheads Knowledgebase
Airheads Learning Videos
Aruba Central Documentation
Sign up for Security Alerts
Aruba Technical Webinars
Re: LDAP can not authenticate when connect to SSID
06-03-2019 12:27 PM - edited 06-03-2019 12:28 PM
Did you enable EAP Termination?
Yes, enabled in the profile.
Did you install the EAP-GTC supplicant on the device?
Yes.
Does the device trust the controller's internal certificate?
We have tested with trust and without trust, but it does not help.
To be honest, EAP-Termination, PEAP with LDAP is not really recommended. A legitimate RADIUS server is recommended.
I do not have a RADIUS server in the network.
I have asked TAC if LDAP-AD has any kind of limitation or non-recommendation, but he told me no, it is easy and there is no issue integrating with it.
This is the dot1x profile configuration:
(Aruba-VMC) *[mynode] #show aaa authentication dot1x test
802.1X Authentication Profile "test"
------------------------------------
Parameter Value
--------- -----
Max authentication failures 0
Interval between Identity Requests 5 sec
Quiet Period after Failed Authentication 30 sec
Reauthentication Interval 86400 sec
Use Server provided Reauthentication Interval Disabled
Use the termination-action attribute from the Server Disabled
Multicast Key Rotation Time Interval 1800 sec
Unicast Key Rotation Time Interval 900 sec
Authentication Server Retry Interval 5 sec
Authentication Server Retry Count 3
Framed MTU 1100 bytes
Max number of requests sent during an Auth attempt 5
Max Number of Reauthentication Attempts 3
Maximum number of times Held State can be bypassed 0
Dynamic WEP Key Message Retry Count 1
Dynamic WEP Key Size 128 bits
Interval between WPA/WPA2/WPA3 Key Messages 1000 msec
Delay between EAP-Success and WPA2/WPA3 Unicast Key Exchange 0 msec
Delay between WPA/WPA2/WPA3 Unicast Key and Group Key Exchange 0 msec
Time interval after which the PMKSA will be deleted 8 hr(s)
Delete Keycache upon user deletion Disabled
WPA/WPA2/WPA3 Key Message Retry Count 3
Multicast Key Rotation Disabled
Unicast Key Rotation Disabled
Reauthentication Disabled
Opportunistic Key Caching Enabled
Validate PMKID Enabled
Use Session Key Disabled
Use Static Key Disabled
xSec MTU 1300 bytes
Termination Enabled
Termination EAP-Type eap-peap
Termination Inner EAP-Type eap-gtc
Enforce Suite-B 128 bit or more security level Authentication Disabled
Enforce Suite-B 192 bit security level Authentication Disabled
Token Caching Disabled
Token Caching Period 24 hr(s)
CA-Certificate N/A
Server-Certificate default
TLS Guest Access Disabled
Ignore EAPOL-START after authentication Disabled
Handle EAPOL-Logoff Disabled
Ignore EAP ID during negotiation. Disabled
WPA-Fast-Handover Disabled
Check certificate common name against AAA server Enabled
Re: LDAP can not authenticate when connect to SSID
06-03-2019 12:33 PM
You should try using it with a mobile device, because the restrictions are less. Either way, EAP-Termination with LDAP is not the way to go and the EAP-GTC shim software has not been updated in years, so I would not proceed with that.
If you have Active Directory, a free version of NPS exists in every Windows server.
*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
Re: LDAP can not authenticate when connect to SSID
06-03-2019 12:45 PM
Yes, I have tested with mobile many times, but same issue.
Connection times out after entering a user name and password.
And from the auth-tracebuf there is an error eap-failure, and I don't see anyone facing this error, and all documentation explains the basic configuration that I have attached.
And TAC does not help me with this error.
Re: LDAP can not authenticate when connect to SSID
06-03-2019 06:06 PM
TAC probably doesn't know what to do, because nobody uses LDAP anymore for encrypted SSIDs. There are no Windows Clients for GTC and the GTC shim that we had on our website has not been updated for years. Please look into standing up a Windows NPS server (radius).
*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
Re: LDAP can not authenticate when connect to SSID
06-06-2019 03:26 PM - edited 06-06-2019 03:29 PM
Did you mean that no one uses LDAP with the Aruba controller version 8?
No customer has this solution any more?
Re: LDAP can not authenticate when connect to SSID
06-06-2019 04:12 PM
I mean that very few customers use this solution, because everyone with a Windows Server can deploy a RADIUS server for free. Also, LDAP+GTC requires that a supplicant be installed on all Windows devices.
*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
Re: LDAP can not authenticate when connect to SSID
06-14-2019 09:08 PM
I have tried after downloading GTC from the Aruba web site, but it did not help.