Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Windows 7 802.1x via Wired port on RAP109

  • 1.  Windows 7 802.1x via Wired port on RAP109

    Posted Nov 10, 2013 09:24 PM

    Hi

    Hoping someone can point me in the right direction here.

     

    I am using a 3400 with a RAP109. I have set up the wireless using 802.1x auth; however, I am having an issue setting this up with wired 802.1x.

     

    I have followed the RAP Network setup guide step-by-step, using the RAP in split-tunnel mode with the same NPS as wireless. However, 802.1x never authenticates. The port is set as untrusted, and the 802.1X Authentication Profile has Termination with eap-peap and eap-mschapv2.

     

    The user always gets the initial role of ‘denyall’; testing by setting this to ‘authenticated’ works. I am using the same 802.1X Authentication Default Role as the wireless profile.

     

    On the RADIUS server I have set up a new Connection Request Policy with NAS Port Type (VPN or Ethernet) using Microsoft PEAP with MS-CHAP-v2, and also a Network Policy with NAS Port Type (VPN or Ethernet) with Domain Computers or Domain Users.

     

    Thanks in advance.


    #3400


  • 2.  RE: Windows 7 802.1x via Wired port on RAP109

    EMPLOYEE
    Posted Nov 10, 2013 09:27 PM
    If you want to use Windows machine authentication, you will need to turn termination off in the AAA profile.


  • 3.  RE: Windows 7 802.1x via Wired port on RAP109

    Posted Nov 10, 2013 09:30 PM

    I was wanting to have user authentication to be consistent with the wireless profile.



  • 4.  RE: Windows 7 802.1x via Wired port on RAP109

    EMPLOYEE
    Posted Nov 11, 2013 07:21 AM

    Can you turn on user-debug and then post the output for that device after attempting to authenticate?

     

    (config) #logging level debugging user-debug <mac-addr>

     

    (controller) #show log user-debug all | include <mac-addr>



  • 5.  RE: Windows 7 802.1x via Wired port on RAP109

    EMPLOYEE
    Posted Nov 11, 2013 10:17 AM

    What does the logs look like on NPS?



  • 6.  RE: Windows 7 802.1x via Wired port on RAP109

    Posted Nov 11, 2013 08:26 PM

    I am not getting anything on NPS however controller logs output is as below:

     

    Nov 12 11:18:04 :522035:  <INFO> |authmgr|  MAC=60:eb:69:f5:0e:f0 Station UP: BSSID=01:80:c2:00:00:03 ESSID=n/a VLAN=17 AP-name=24:de:c6:cb:65:6a
    Nov 12 11:18:04 :522077:  <DBUG> |authmgr|  MAC=60:eb:69:f5:0e:f0 ingress 0x0x10031 (tunnel 49), u_encr 1, m_encr 1, slotport 0x0x31 wired, type: remote, FW mode: 3, AP IP: 172.17.0.10 mdie 0 ft_complete 0
    Nov 12 11:18:04 :522212:  <DBUG> |authmgr|  MAC=60:eb:69:f5:0e:f0 IP=0.0.0.0:  MAC auth start: entry-type=L2, bssid=01:80:c2:00:00:03, essid=  sg=HB_mac_auth.
    Nov 12 11:18:04 :522042:  <NOTI> |authmgr|  User Authentication Failed: username=60eb69f50ef0 MAC=60:eb:69:f5:0e:f0 IP=0.0.0.0 auth method=MAC auth server=
    Nov 12 11:18:04 :522190:  <DBUG> |authmgr|  MAC=60:eb:69:f5:0e:f0 IP=0.0.0.0: MAC auth fail: entry-type=L2, bssid=01:80:c2:00:00:03.
    Nov 12 11:18:04 :522035:  <INFO> |authmgr|  MAC=60:eb:69:f5:0e:f0 Station UP: BSSID=01:80:c2:00:00:03 ESSID=n/a VLAN=17 AP-name=24:de:c6:cb:65:6a
    Nov 12 11:18:04 :522077:  <DBUG> |authmgr|  MAC=60:eb:69:f5:0e:f0 ingress 0x0x10031 (tunnel 49), u_encr 1, m_encr 1, slotport 0x0x2001 wired, type: remote, FW mode: 3, AP IP: 172.17.0.10 mdie 0 ft_complete 0
    Nov 12 11:18:04 :522078:  <DBUG> |authmgr|  MAC=60:eb:69:f5:0e:f0, wired: 1, vlan:17 ingress:0x0x10031 (tunnel 49), ingress:0x0x10031 new_aaa_prof: HB_Remote_Wired-aaa_prof, stored profile: HB_Remote_Wired-aaa_prof stored wired: 1 stored essid:  , stored-ingress: 0x0x10031
    Nov 12 11:18:04 :524124:  <DBUG> |authmgr|  dot1x_supplicant_up(): MAC:60:eb:69:f5:0e:f0, pmkid_present:False, pmkid:N/A
    Nov 12 11:18:04 :522144:  <DBUG> |authmgr|  L2 entry updated from RAP:172.17.0.10, Wired user IP:0.0.0.0, MAC : 60:eb:69:f5:0e:f0, VLAN:17, BSSID:24:de:c6:cb:65:6b.
    Nov 12 11:18:05 :522035:  <INFO> |authmgr|  MAC=60:eb:69:f5:0e:f0 Station UP: BSSID=01:80:c2:00:00:03 ESSID=n/a VLAN=17 AP-name=24:de:c6:cb:65:6a
    Nov 12 11:18:05 :522077:  <DBUG> |authmgr|  MAC=60:eb:69:f5:0e:f0 ingress 0x0x10031 (tunnel 49), u_encr 1, m_encr 1, slotport 0x0x2001 wired, type: remote, FW mode: 3, AP IP: 172.17.0.10 mdie 0 ft_complete 0
    Nov 12 11:18:05 :522078:  <DBUG> |authmgr|  MAC=60:eb:69:f5:0e:f0, wired: 1, vlan:17 ingress:0x0x10031 (tunnel 49), ingress:0x0x10031 new_aaa_prof: HB_Remote_Wired-aaa_prof, stored profile: HB_Remote_Wired-aaa_prof stored wired: 1 stored essid:  , stored-ingress: 0x0x10031
    Nov 12 11:18:05 :524124:  <DBUG> |authmgr|  dot1x_supplicant_up(): MAC:60:eb:69:f5:0e:f0, pmkid_present:False, pmkid:N/A
    Nov 12 11:18:05 :522049:  <INFO> |authmgr|  MAC=60:eb:69:f5:0e:f0,IP=0.0.0.0 User role updated, existing Role=denyall/none, new Role=denyall/denyall, reason=First IP user created
    Nov 12 11:18:05 :522006:  <INFO> |authmgr|  MAC=60:eb:69:f5:0e:f0 IP=10.1.36.127 User entry added: reason=Auth Request
    Nov 12 11:18:05 :522049:  <INFO> |authmgr|  MAC=60:eb:69:f5:0e:f0,IP=10.1.36.127 User role updated, existing Role=denyall/denyall, new Role=denyall/denyall, reason=RAP New user with no l3 auth or authenticated station
    Nov 12 11:18:05 :522049:  <INFO> |authmgr|  MAC=60:eb:69:f5:0e:f0,IP=10.1.36.127 User role updated, existing Role=denyall/denyall, new Role=denyall/denyall, reason=User not authenticated for inheriting attributes
    Nov 12 11:18:05 :522146:  <DBUG> |authmgr|  Adding AP Wired User (split) 60:eb:69:f5:0e:f0 to STM stats tree.
    Nov 12 11:18:05 :522096:  <DBUG> |authmgr|  60:eb:69:f5:0e:f0: Sending STM new Role ACL : 59, and Vlan info: 17, action : 18, AP IP: 172.17.0.10, flags : 0
    Nov 12 11:18:05 :522035:  <INFO> |authmgr|  MAC=60:eb:69:f5:0e:f0 Station UP: BSSID=01:80:c2:00:00:03 ESSID=n/a VLAN=17 AP-name=24:de:c6:cb:65:6a
    Nov 12 11:18:05 :522077:  <DBUG> |authmgr|  MAC=60:eb:69:f5:0e:f0 ingress 0x0x10031 (tunnel 49), u_encr 1, m_encr 1, slotport 0x0x2001 wired, type: remote, FW mode: 3, AP IP: 172.17.0.10 mdie 0 ft_complete 0
    Nov 12 11:18:05 :522078:  <DBUG> |authmgr|  MAC=60:eb:69:f5:0e:f0, wired: 1, vlan:17 ingress:0x0x10031 (tunnel 49), ingress:0x0x10031 new_aaa_prof: HB_Remote_Wired-aaa_prof, stored profile: HB_Remote_Wired-aaa_prof stored wired: 1 stored essid: , stored-ingress: 0x0x10031
    Nov 12 11:18:05 :524124:  <DBUG> |authmgr|  dot1x_supplicant_up(): MAC:60:eb:69:f5:0e:f0, pmkid_present:False, pmkid:N/A
    Nov 12 11:18:05 :522049:  <INFO> |authmgr|  MAC=60:eb:69:f5:0e:f0,IP=10.1.36.127 User role updated, existing Role=denyall/denyall, new Role=denyall/denyall, reason=RAP New user with no l3 auth or authenticated station
    Nov 12 11:18:05 :522049:  <INFO> |authmgr|  MAC=60:eb:69:f5:0e:f0,IP=10.1.36.127 User role updated, existing Role=denyall/denyall, new Role=denyall/denyall, reason=User not authenticated for inheriting attributes
    Nov 12 11:18:05 :522146:  <DBUG> |authmgr|  Adding AP Wired User (split) 60:eb:69:f5:0e:f0 to STM stats tree.
    Nov 12 11:18:05 :522096:  <DBUG> |authmgr|  60:eb:69:f5:0e:f0: Sending STM new Role ACL : 59, and Vlan info: 17, action : 18, AP IP: 172.17.0.10, flags : 0
    Nov 12 11:18:05 :522035:  <INFO> |authmgr|  MAC=60:eb:69:f5:0e:f0 Station UP: BSSID=01:80:c2:00:00:03 ESSID=n/a VLAN=17 AP-name=24:de:c6:cb:65:6a
    Nov 12 11:18:05 :522077:  <DBUG> |authmgr|  MAC=60:eb:69:f5:0e:f0 ingress 0x0x10031 (tunnel 49), u_encr 1, m_encr 1, slotport 0x0x2001 wired, type: remote, FW mode: 3, AP IP: 172.17.0.10 mdie 0 ft_complete 0
    Nov 12 11:18:05 :522078:  <DBUG> |authmgr|  MAC=60:eb:69:f5:0e:f0, wired: 1, vlan:17 ingress:0x0x10031 (tunnel 49), ingress:0x0x10031 new_aaa_prof: HB_Remote_Wired-aaa_prof, stored profile: HB_Remote_Wired-aaa_prof stored wired: 1 stored essid: , stored-ingress: 0x0x10031
    Nov 12 11:18:05 :524124:  <DBUG> |authmgr|  dot1x_supplicant_up(): MAC:60:eb:69:f5:0e:f0, pmkid_present:False, pmkid:N/A
    Nov 12 11:18:05 :522049:  <INFO> |authmgr|  MAC=60:eb:69:f5:0e:f0,IP=10.1.36.127 User role updated, existing Role=denyall/denyall, new Role=denyall/denyall, reason=RAP New user with no l3 auth or authenticated station
    Nov 12 11:18:05 :522049:  <INFO> |authmgr|  MAC=60:eb:69:f5:0e:f0,IP=10.1.36.127 User role updated, existing Role=denyall/denyall, new Role=denyall/denyall, reason=User not authenticated for inheriting attributes
    Nov 12 11:18:05 :522146:  <DBUG> |authmgr|  Adding AP Wired User (split) 60:eb:69:f5:0e:f0 to STM stats tree.
    Nov 12 11:18:05 :522096:  <DBUG> |authmgr|  60:eb:69:f5:0e:f0: Sending STM new Role ACL : 59, and Vlan info: 17, action : 18, AP IP: 172.17.0.10, flags : 0
    Nov 12 11:18:30 :522030:  <INFO> |authmgr|  MAC=60:eb:69:f5:0e:f0 Station deauthenticated: BSSID=24:de:c6:cb:65:6b, ESSID=
    Nov 12 11:18:30 :522049:  <INFO> |authmgr|  MAC=60:eb:69:f5:0e:f0,IP=N/A User role updated, existing Role=denyall/denyall, new Role=denyall/denyall, reason=Station is L2 deauthenticated
    Nov 12 11:18:30 :522010:  <NOTI> |authmgr|  MAC=60:eb:69:f5:0e:f0 IP=10.1.36.127 User de-authenticated: name=60eb69f50ef0, cause=unknown
    Nov 12 11:18:30 :522049:  <INFO> |authmgr|  MAC=60:eb:69:f5:0e:f0,IP=10.1.36.127 User role updated, existing Role=denyall/denyall, new Role=denyall/denyall, reason=User de-authenticated with a role
    Nov 12 11:18:30 :522096:  <DBUG> |authmgr|  60:eb:69:f5:0e:f0: Sending STM new Role ACL : 59, and Vlan info: 17, action : 10, AP IP: 172.17.0.10, flags : 0
    Nov 12 11:18:30 :501074:  <WARN> |stm|  wifi_deauth_sta: bad data, dropping. mac: 60:eb:69:f5:0e:f0 bssid: 01:80:c2:00:00:03



  • 7.  RE: Windows 7 802.1x via Wired port on RAP109

    EMPLOYEE
    Posted Nov 11, 2013 10:19 PM

    It looks like you have mac authentication enabled on that connection (a mac authentication profile attached to the AAA profile).  If mac authentication fails, the authentication does not go any further, and that is why you would see nothing on the NPS:

     

    Nov 12 11:18:04 :522042:  <NOTI> |authmgr|  User Authentication Failed: username=60eb69f50ef0 MAC=60:eb:69:f5:0e:f0 IP=0.0.0.0 auth method=MAC auth server=

     

    You either need to (1) turn off MAC authentication by changing the MAC authentication profile on the AAA profile to N/A, or (2) enable L2 fail-through on the AAA profile, which will allow 802.1x to continue even though MAC authentication fails.
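
    The diagnosis in the reply above comes from reading the user-debug output in the previous post: a MAC-auth failure for the station, no 802.1X result afterwards, and the role staying at denyall. The following Python script is an added example (not part of this thread and not an HPE Aruba tool) that parses lines in that user-debug format for one MAC and classifies the outcome in the terms the reply uses. The sample lines are a constructed subset in the same shape as the logs posted above; the field names, the classification codes and the remediation text are this example's own assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample in the shape of the controller's "show log user-debug"
# output quoted in the thread; a subset of the posted lines, not the full capture.
SAMPLE_LOG = """\
Nov 12 11:18:04 :522212:  <DBUG> |authmgr|  MAC=60:eb:69:f5:0e:f0 IP=0.0.0.0:  MAC auth start: entry-type=L2, bssid=01:80:c2:00:00:03, essid=  sg=HB_mac_auth.
Nov 12 11:18:04 :522042:  <NOTI> |authmgr|  User Authentication Failed: username=60eb69f50ef0 MAC=60:eb:69:f5:0e:f0 IP=0.0.0.0 auth method=MAC auth server=
Nov 12 11:18:04 :522190:  <DBUG> |authmgr|  MAC=60:eb:69:f5:0e:f0 IP=0.0.0.0: MAC auth fail: entry-type=L2, bssid=01:80:c2:00:00:03.
Nov 12 11:18:05 :524124:  <DBUG> |authmgr|  dot1x_supplicant_up(): MAC:60:eb:69:f5:0e:f0, pmkid_present:False, pmkid:N/A
Nov 12 11:18:05 :522049:  <INFO> |authmgr|  MAC=60:eb:69:f5:0e:f0,IP=0.0.0.0 User role updated, existing Role=denyall/none, new Role=denyall/denyall, reason=First IP user created
Nov 12 11:18:05 :522049:  <INFO> |authmgr|  MAC=60:eb:69:f5:0e:f0,IP=10.1.36.127 User role updated, existing Role=denyall/denyall, new Role=denyall/denyall, reason=RAP New user with no l3 auth or authenticated station
Nov 12 11:18:30 :522010:  <NOTI> |authmgr|  MAC=60:eb:69:f5:0e:f0 IP=10.1.36.127 User de-authenticated: name=60eb69f50ef0, cause=unknown
"""

# "<Mon> <day> <time> :<msgid>:  <SEV> |module|  message" (layout as seen in the posted log)
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) :(?P<msgid>\d+): +<(?P<sev>\w+)> +\|(?P<module>\w+)\| +(?P<msg>.*)$"
)
AUTH_FAIL_RE = re.compile(
    r"User Authentication Failed: username=(?P<user>\S*) MAC=(?P<mac>\S+) IP=(?P<ip>\S+) "
    r"auth method=(?P<method>\S+) auth server=(?P<server>\S*)"
)
ROLE_RE = re.compile(r"existing Role=(?P<old>\S+), new Role=(?P<new>\S+), reason=(?P<reason>.*)")


@dataclass
class AuthTrace:
    mac: str
    mac_auth_failed: bool = False
    mac_auth_server: Optional[str] = None  # server named on the MAC-auth failure line ("" if none)
    dot1x_supplicant_seen: bool = False    # dot1x_supplicant_up() logged for this MAC
    dot1x_result_seen: bool = False        # any line carrying "auth method=802.1x" for this MAC
    role_changes: list = field(default_factory=list)  # (old_role, new_role, reason) in log order


def parse_line(line: str) -> Optional[dict]:
    """Split one controller log line into timestamp, message id, severity, module and message."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def analyze(log_text: str, mac: str) -> AuthTrace:
    """Walk user-debug output and record what authmgr did with one station (by MAC)."""
    mac = mac.lower()
    trace = AuthTrace(mac=mac)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        # same effect as "| include <mac-addr>": skip lines about other stations
        if rec is None or mac not in rec["msg"].lower():
            continue
        msg = rec["msg"]
        fail = AUTH_FAIL_RE.search(msg)
        if fail and fail.group("method").upper() == "MAC":
            trace.mac_auth_failed = True
            trace.mac_auth_server = fail.group("server")
        if "dot1x_supplicant_up" in msg:
            trace.dot1x_supplicant_seen = True
        if "auth method=802.1x" in msg.lower():
            trace.dot1x_result_seen = True
        role = ROLE_RE.search(msg)
        if role:
            trace.role_changes.append((role.group("old"), role.group("new"), role.group("reason")))
    return trace


def final_role(trace: AuthTrace) -> Optional[str]:
    """Role the station held after the last 'User role updated' line, or None if never updated."""
    return trace.role_changes[-1][1] if trace.role_changes else None


def diagnose(trace: AuthTrace) -> tuple:
    """Classify the outcome as (code, explanation); codes and wording are this example's own."""
    if trace.mac_auth_failed and not trace.dot1x_result_seen:
        where = (f"server={trace.mac_auth_server!r}" if trace.mac_auth_server
                 else "no server named on the failure line")
        return ("mac-auth-blocked-dot1x",
                f"MAC authentication failed ({where}) and no 802.1X result followed, so the RADIUS "
                "server will log nothing. Set the MAC authentication profile on the AAA profile to "
                "N/A, or enable L2 Authentication Fail Through so 802.1X can proceed after MAC auth fails.")
    if trace.dot1x_result_seen:
        return ("dot1x-result-present",
                "An 802.1X result was logged for this MAC; match it against the RADIUS server's log.")
    if (final_role(trace) or "").startswith("denyall"):
        return ("no-auth-attempt",
                "Station stayed in denyall with no MAC or 802.1X result logged; check the AAA profile on the wired port.")
    return ("ok", "No authentication failure recorded for this MAC.")


if __name__ == "__main__":
    t = analyze(SAMPLE_LOG, "60:eb:69:f5:0e:f0")
    code, text = diagnose(t)
    print(f"final role: {final_role(t)}")
    print(f"{code}: {text}")
```

    Feed it the output of `show log user-debug all | include <mac-addr>` for a station stuck in denyall; the MAC-auth failure line with an empty server field followed by no 802.1X result is the pattern the reply above calls out, and it is what the script reports on the sample.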



  • 8.  RE: Windows 7 802.1x via Wired port on RAP109

    Posted Nov 11, 2013 11:16 PM

    This is what troubles me, as I do have L2 Authentication Fail Through enabled; I set this when first configuring the AAA profile. I don't know why it isn't proceeding when MAC auth fails through.



  • 9.  RE: Windows 7 802.1x via Wired port on RAP109

    EMPLOYEE
    Posted Nov 11, 2013 11:18 PM

    @DL77 wrote:

    This is what troubles me, as I do have L2 Authentication Fail Through enabled; I set this when first configuring the AAA profile. I don't know why it isn't proceeding when MAC auth fails through.


    I would turn l2-failthrough off, and turn off mac authentication and get a valid 802.1x authentication before layering anything else on top of it.