Security

Reply
Guru Elite

Re: Windows 7 802.1x Auth via Wired port on RAP-2WG

Could you also post the output from the following commands?

 

show aaa authentication-server radius


show aaa server-group


| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
Contributor II

Re: Windows 7 802.1x Auth via Wired port on RAP-2WG

The authentication fails, the NPS logs show no attempt for authentication and the "show auth-tracebuf" displays

 

Aug 22 12:47:32  eapol-pkt-drop         *  2c:76:8a:db:65:10  01:80:c2:00:00:03        -    -   received eapol-pkt before assos
Aug 22 12:47:37  eapol-pkt-drop         *  2c:76:8a:db:65:10  01:80:c2:00:00:03        -    -   received eapol-pkt before assos
Aug 22 12:47:42  eapol-pkt-drop         *  2c:76:8a:db:65:10  01:80:c2:00:00:03        -    -   received eapol-pkt before assos

Contributor II

Re: Windows 7 802.1x Auth via Wired port on RAP-2WG

(BTUH-ARUBA1) # show aaa authentication-server radius

 

RADIUS Server List

------------------

Name                      References  Profile Status

----                      ----------  --------------

Amigopod                  2

CPPM                      1

itvwnps01                 1

itvwnps01-btuhcorp-nasid  1

itvwnps01-btuhmob-nasid   1

itvwnps01-testa-nasid     1

Wired                     1

Total:7

 

 

(BTUH-ARUBA1) #show aaa server-group

 

Server Group List

-----------------

Name                              References  Profile Status

----                              ----------  --------------

RADIUS             0

RADIUS.BTUH-CORP   1

RADIUS.BTUH-Mob    1

RADIUS.mob-secure  0

RADIUS.TestA       1

BTUH-Guest                        1

BYOD                              3

default                           8

internal                          1           Predefined

RAMSEY-Guest                      1

Wired                             1

Total:11

(BTUH-ARUBA1) #

 

Guru Elite

Re: Windows 7 802.1x Auth via Wired port on RAP-2WG


@Broaders wrote:

The authentication fails, the NPS logs show no attempt for authentication and the "show auth-tracebuf" displays

 

Aug 22 12:47:32  eapol-pkt-drop         *  2c:76:8a:db:65:10  01:80:c2:00:00:03        -    -   received eapol-pkt before assos
Aug 22 12:47:37  eapol-pkt-drop         *  2c:76:8a:db:65:10  01:80:c2:00:00:03        -    -   received eapol-pkt before assos
Aug 22 12:47:42  eapol-pkt-drop         *  2c:76:8a:db:65:10  01:80:c2:00:00:03        -    -   received eapol-pkt before assos


Okay,

 

Try this on the commandline:

 

config t
aaa authentication wired
profile default

 Then unplug, then re-plug the wired port and display the show auth-tracebuf again

 

 


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.4 User Guide
InstantOS 8.3 User Guide
Airheads Knowledgebase
Airheads Learning Videos
Aruba Central Documentation
Sign up for Security Alerts
Aruba Technical Webinars
Contributor II

Re: Windows 7 802.1x Auth via Wired port on RAP-2WG

No difference, controller shows the same again

 

Aug 22 12:54:49  eapol-pkt-drop         *  2c:76:8a:db:65:10  01:80:c2:00:00:03        -    -   received eapol-pkt before assos
Aug 22 12:54:54  eapol-pkt-drop         *  2c:76:8a:db:65:10  01:80:c2:00:00:03        -    -   received eapol-pkt before assos
Aug 22 12:54:59  eapol-pkt-drop         *  2c:76:8a:db:65:10  01:80:c2:00:00:03        -    -   received eapol-pkt before assos

Guru Elite

Re: Windows 7 802.1x Auth via Wired port on RAP-2WG

Do you have the forwarding mode of that wired port set to bridged or tunneled?

 


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.4 User Guide
InstantOS 8.3 User Guide
Airheads Knowledgebase
Airheads Learning Videos
Aruba Central Documentation
Sign up for Security Alerts
Aruba Technical Webinars
Contributor II

Re: Windows 7 802.1x Auth via Wired port on RAP-2WG

Tunneled

Guru Elite

Re: Windows 7 802.1x Auth via Wired port on RAP-2WG

Can you print the output of "show aaa authentication wired"?

 

Type "show aaa profile" to find the profile that you are using for that port.

 

Next, do this:

 

config t

aaa authentication wired <name of that profile>

 

Try to plug the port in and out again and print the show auth-tracebuf

 

 

If that doesn't work, you might have to open a case.  It should work.

 


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.4 User Guide
InstantOS 8.3 User Guide
Airheads Knowledgebase
Airheads Learning Videos
Aruba Central Documentation
Sign up for Security Alerts
Aruba Technical Webinars
Contributor II

Re: Windows 7 802.1x Auth via Wired port on RAP-2WG

Nope no difference.

 

FYI this is the output when I enable Termination for the Profile. Completes successfully

 

Aug 22 13:27:26  station-up             *  2c:76:8a:db:65:10  01:80:c2:00:00:03        -    -   open system
Aug 22 13:27:26  station-up             *  2c:76:8a:db:65:10  01:80:c2:00:00:03        -    -   wired station
Aug 22 13:27:26  station-term-start     *  2c:76:8a:db:65:10  01:80:c2:00:00:03        101  -
Aug 22 13:27:26  eap-term-start        ->  2c:76:8a:db:65:10  01:80:c2:00:00:03/Wired  -    -
Aug 22 13:27:26  station-term-start     *  2c:76:8a:db:65:10  01:80:c2:00:00:03        101  -
Aug 22 13:27:31  client-finish         ->  2c:76:8a:db:65:10  01:80:c2:00:00:03/Wired  -    -
Aug 22 13:27:31  server-finish         <-  2c:76:8a:db:65:10  01:80:c2:00:00:03/Wired  -    -
Aug 22 13:27:31  server-finish-ack     ->  2c:76:8a:db:65:10  01:80:c2:00:00:03/Wired  -    -
Aug 22 13:27:31  inner-eap-id-req      <-  2c:76:8a:db:65:10  01:80:c2:00:00:03/Wired  -    -
Aug 22 13:27:31  inner-eap-id-resp     ->  2c:76:8a:db:65:10  01:80:c2:00:00:03/Wired  -    -   Domain\Username
Aug 22 13:27:31  eap-mschap-chlg       <-  2c:76:8a:db:65:10  01:80:c2:00:00:03/Wired  -    -
Aug 22 13:27:31  eap-mschap-response   ->  2c:76:8a:db:65:10  01:80:c2:00:00:03/Wired  9    49
Aug 22 13:27:31  mschap-request        ->  2c:76:8a:db:65:10  01:80:c2:00:00:03/Wired  9    -   Domain\Username
Aug 22 13:27:31  mschap-response       <-  2c:76:8a:db:65:10  01:80:c2:00:00:03/Wired  -    -   Domain\Username
Aug 22 13:27:31  eap-mschap-success    <-  2c:76:8a:db:65:10  01:80:c2:00:00:03/Wired  -    -
Aug 22 13:27:31  eap-mschap-success-ack->  2c:76:8a:db:65:10  01:80:c2:00:00:03/Wired  -    -
Aug 22 13:27:31  eap-tlv-rslt-success  <-  2c:76:8a:db:65:10  01:80:c2:00:00:03/Wired  -    -
Aug 22 13:27:31  eap-tlv-rslt-success  ->  2c:76:8a:db:65:10  01:80:c2:00:00:03/Wired  -    -
Aug 22 13:27:31  station-data-ready     *  2c:76:8a:db:65:10  00:00:00:00:00:00        101  -
Aug 22 13:27:31  station-data-ready_ack *  2c:76:8a:db:65:10  00:00:00:00:00:00        101  -
Aug 22 13:27:31  eap-success           <-  2c:76:8a:db:65:10  01:80:c2:00:00:03/Wired  -    -

 

When termination is disabled I just get

 

Aug 22 13:24:21  eapol-pkt-drop         *  2c:76:8a:db:65:10  01:80:c2:00:00:03        -    -   received eapol-pkt before assos
Aug 22 13:24:26  eapol-pkt-drop         *  2c:76:8a:db:65:10  01:80:c2:00:00:03        -    -   received eapol-pkt before assos
Aug 22 13:24:31  eapol-pkt-drop         *  2c:76:8a:db:65:10  01:80:c2:00:00:03        -    -   received eapol-pkt before assos

Guru Elite

Re: Windows 7 802.1x Auth via Wired port on RAP-2WG

Do you have a trusted certificate configured on that laptops wired profile?

*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.4 User Guide
InstantOS 8.3 User Guide
Airheads Knowledgebase
Airheads Learning Videos
Aruba Central Documentation
Sign up for Security Alerts
Aruba Technical Webinars
Search Airheads
cancel
Showing results for 
Search instead for 
Did you mean: