Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

802.1x authentication issue

  • 1.  802.1x authentication issue

    Posted Apr 04, 2014 09:21 PM

    Hi

    I'm currently working on wireless 802.1x authentication using an Aruba controller-based setup and Windows Server 2012 R2 as the backend RADIUS + AD (by another vendor). I have configured the controller as attached. I'm using a single SSID with dynamic VLAN assignment for each different group of users.

    When I try to test the authentication, these are a few of the error logs that I get from the Aruba controller (I have attached the full log in the attachment area). I just want to know what seems to be the problem, whether it is on the server side or the wireless infra side?

     

    Apr 3 18:17:02 authmgr[1647]: <132197> <ERRS> |authmgr| Maximum number of retries was attempted for station 00:21:5d:89:b3:86 9c:1c:12:94:1c:00, deauthenticating the station 
    Apr 3 18:17:15 sapd[1598]: <127000> <ERRS> |AP 9c:1c:12:c1:3f:56@10.99.0.35 sapd| |ids-ap| AP(9c:1c:12:93:f5:60): Rogue AP: An AP classified an access point(BSSID 40:01:c6:d0:e8:40 and SSID on CHANNEL 3) as rogue because it matched the MAC (40:01:c6:a5:4b:81) with IP (10.99.0.100). 
    Apr 3 18:17:16 authmgr[1647]: <132207> <ERRS> |authmgr| RADIUS reject for station SMRstudenttest1 00:21:5d:89:b3:86 from server SMR2NPSSRV1. 
    Apr 3 18:17:16 authmgr[1647]: <132053> <ERRS> |authmgr| Dropping the radius packet for Station 00:21:5d:89:b3:86 9c:1c:12:94:1c:00 doing 802.1x


    Apr 3 18:17:31 authmgr[1647]: <132207> <ERRS> |authmgr| RADIUS reject for station smrstudenttest1 f4:f9:51:73:25:22 from server SMR2NPSSRV1. 
    Apr 3 18:17:31 authmgr[1647]: <132053> <ERRS> |authmgr| Dropping the radius packet for Station f4:f9:51:73:25:22 9c:1c:12:94:1c:10 doing 802.1x 
    Apr 3 18:17:37 authmgr[1647]: <132207> <ERRS> |authmgr| RADIUS reject for station smtstudenttest1 3c:d0:f8:0f:87:59 from server SMR2NPSSRV1. 
    Apr 3 18:17:37 authmgr[1647]: <132053> <ERRS> |authmgr| Dropping the radius packet for Station 3c:d0:f8:0f:87:59 9c:1c:12:94:1c:00 doing 802.1x 




  • 2.  RE: 802.1x authentication issue

    EMPLOYEE
    Posted Apr 04, 2014 09:32 PM

    You need to look in the event viewer of your radius server to see why it is rejecting the client.



  • 3.  RE: 802.1x authentication issue

    Posted Apr 04, 2014 09:56 PM

    On the RADIUS server, are you getting an event ID 13? Check the RADIUS source interface on the controller. 6272: can't authenticate against AD.



  • 4.  RE: 802.1x authentication issue

    Posted Apr 04, 2014 11:51 PM

    Are you using EAP TLS?

    If so, you need to open the Network Policy that you created, go to Settings, click Add, and add a value for Framed-MTU with the value 1344.

    Cheers

    Carlos



  • 5.  RE: 802.1x authentication issue

    Posted Apr 05, 2014 12:40 AM

    Hi Carlos,

    What you mean here is the server policy?



  • 6.  RE: 802.1x authentication issue

    Posted Apr 05, 2014 12:50 AM

     

    Open the NPS console.

    On the Network Policy:

    [image: EAPTLS1.PNG]

    On Settings you need to put this value:

    [image: EAP TLS6.PNG]

    When you are using EAP TLS, most of the time you need to add this fixed Framed MTU.

    The Framed MTU is something you need because in some cases switches, routers, firewalls, etc. drop packets because they are configured to discard packets that require fragmentation. If you don't configure this they will drop them and you will see it will not work... so just configure it! That way the EAP payload's maximum size is reduced.

    I tell you this because in the logs I was seeing that the 802.1x packets were being dropped...

    Anyway, this is just for EAP TLS... On EAP PEAP you should not need this...

     

    Cheers

    Carlos
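To make concrete why the fixed Framed-MTU that Carlos recommends shrinks the EAP-TLS payloads, here is an added Python example. It is not Carlos's code and not NPS or ArubaOS tooling: it encodes the Framed-MTU RADIUS attribute (RFC 2865 type 12), splits a constructed 3000-byte TLS flight (standing in for a server certificate chain) into EAP-TLS fragments bounded by that MTU using the RFC 5216 framing, and then computes the size of the RADIUS Access-Challenge that would carry each fragment, to show whether the UDP datagram still fits one 1500-byte Ethernet frame or would need IP fragmentation. The 3000-byte flight, and the assumption that the server adds nothing beyond EAP-Message and Message-Authenticator attributes, are constructed for illustration; how NPS itself derives its fragment size from Framed-MTU is not modelled here.

```python
from __future__ import annotations

import struct

# Protocol constants (RFC 2865 RADIUS, RFC 2869 EAP-Message, RFC 5216 EAP-TLS).
FRAMED_MTU_TYPE = 12            # Framed-MTU attribute, 4-octet integer value
EAP_MESSAGE_TYPE = 79           # EAP-Message attribute, at most 253 data octets each
RADIUS_HEADER_LEN = 20          # Code, Identifier, Length, 16-octet Authenticator
MESSAGE_AUTHENTICATOR_LEN = 18  # Type, Length, 16-octet HMAC-MD5; required alongside EAP-Message
EAP_CODE_REQUEST = 1
EAP_TYPE_TLS = 13
FLAG_L, FLAG_M = 0x80, 0x40     # L: TLS Message Length field present, M: more fragments follow
IPV4_UDP_PAYLOAD_MAX = 1500 - 20 - 8   # largest UDP payload in one Ethernet frame, no IP options

# Constructed stand-in for a server Certificate flight (about 3 KB, like a two-certificate chain).
SAMPLE_TLS_FLIGHT = (bytes(range(256)) * 12)[:3000]


def framed_mtu_attribute(mtu: int) -> bytes:
    """Encode Framed-MTU as a RADIUS TLV: Type(1) Length(1)=6 Value(4, network order)."""
    if not 64 <= mtu <= 65535:
        raise ValueError("RFC 2865 restricts Framed-MTU to 64..65535")
    return struct.pack("!BBI", FRAMED_MTU_TYPE, 6, mtu)


def parse_framed_mtu(attr: bytes) -> int:
    """Decode a Framed-MTU TLV, rejecting anything that is not a well-formed 6-octet attribute."""
    if len(attr) != 6:
        raise ValueError("Framed-MTU attribute must be exactly 6 octets")
    attr_type, length, value = struct.unpack("!BBI", attr)
    if attr_type != FRAMED_MTU_TYPE or length != 6:
        raise ValueError("not a Framed-MTU attribute")
    return value


def eap_tls_fragments(tls_data: bytes, framed_mtu: int, first_id: int = 1) -> list[bytes]:
    """Split one TLS flight into EAP-Request/EAP-TLS packets, each no longer than framed_mtu.

    RFC 5216 layout: Code(1) Identifier(1) Length(2) Type(1)=13 Flags(1)
    [TLS Message Length(4), only when the L flag is set] TLS data.
    """
    if not tls_data:
        raise ValueError("nothing to fragment")
    if framed_mtu < 64:
        raise ValueError("framed_mtu below the RFC 2865 minimum")
    fragments, offset, ident, total = [], 0, first_id, len(tls_data)
    while offset < total:
        first = offset == 0
        capacity = framed_mtu - (10 if first else 6)   # 10-octet header with length field, else 6
        chunk = tls_data[offset:offset + capacity]
        offset += len(chunk)
        flags = (FLAG_L if first else 0) | (FLAG_M if offset < total else 0)
        body = bytes([EAP_TYPE_TLS, flags])
        if first:
            body += struct.pack("!I", total)
        body += chunk
        fragments.append(struct.pack("!BBH", EAP_CODE_REQUEST, ident & 0xFF, 4 + len(body)) + body)
        ident += 1
    return fragments


def reassemble_eap_tls(fragments: list[bytes]) -> bytes:
    """Inverse of eap_tls_fragments: checks each header and the announced TLS length."""
    data, announced = b"", None
    for pkt in fragments:
        code, _ident, length = struct.unpack("!BBH", pkt[:4])
        if code != EAP_CODE_REQUEST or length != len(pkt) or pkt[4] != EAP_TYPE_TLS:
            raise ValueError("malformed EAP-TLS packet")
        flags, pos = pkt[5], 6
        if flags & FLAG_L:
            announced, pos = struct.unpack("!I", pkt[6:10])[0], 10
        data += pkt[pos:]
        if not flags & FLAG_M:
            break
    if announced is not None and len(data) != announced:
        raise ValueError("reassembled length does not match the announced TLS length")
    return data


def eap_message_attributes(eap_packet: bytes) -> list[bytes]:
    """Carry one EAP packet in consecutive EAP-Message TLVs of at most 253 data octets (RFC 2869)."""
    chunks = [eap_packet[i:i + 253] for i in range(0, len(eap_packet), 253)]
    return [struct.pack("!BB", EAP_MESSAGE_TYPE, 2 + len(c)) + c for c in chunks]


def radius_challenge_length(eap_packet: bytes, other_attr_octets: int = 0) -> int:
    """Octets of an Access-Challenge carrying this EAP packet plus Message-Authenticator.

    other_attr_octets stands for State and any vendor attributes a server adds; the caller
    supplies it as an assumption, it is not derived from the protocol.
    """
    return (RADIUS_HEADER_LEN + sum(len(a) for a in eap_message_attributes(eap_packet))
            + MESSAGE_AUTHENTICATOR_LEN + other_attr_octets)


def needs_ip_fragmentation(eap_packet: bytes, other_attr_octets: int = 0) -> bool:
    """True when the RADIUS UDP datagram would not fit one 1500-octet Ethernet frame."""
    return radius_challenge_length(eap_packet, other_attr_octets) > IPV4_UDP_PAYLOAD_MAX


if __name__ == "__main__":
    small = eap_tls_fragments(SAMPLE_TLS_FLIGHT, 1344)
    big = eap_tls_fragments(SAMPLE_TLS_FLIGHT, 4000)
    print(f"Framed-MTU 1344 -> {len(small)} fragments, largest RADIUS datagram "
          f"{max(radius_challenge_length(f) for f in small)} octets, "
          f"IP fragmentation needed: {any(needs_ip_fragmentation(f) for f in small)}")
    print(f"Framed-MTU 4000 -> {len(big)} fragment(s), RADIUS datagram "
          f"{radius_challenge_length(big[0])} octets, "
          f"IP fragmentation needed: {needs_ip_fragmentation(big[0])}")
```

Run as a script, the 1344 case yields three EAP-TLS fragments whose Access-Challenges stay around 1394 octets, under the 1472-octet limit, while letting the fragment grow to the whole flight produces a roughly 3 KB datagram that any device discarding fragments would silently drop. That is the failure mode Carlos describes: the controller never sees a reject, only RADIUS traffic that stops arriving.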



  • 7.  RE: 802.1x authentication issue

    Posted Apr 05, 2014 01:33 AM

    Thanks Carlos. By the way, the server part is from another vendor so I can't do much, but I will inform the vendor about this.

    I will try it out when I'm onsite with the server vendor.

    Cheers.



  • 8.  RE: 802.1x authentication issue

    Posted Apr 05, 2014 01:39 AM

    Which is the vendor brand of the RADIUS server? Well, if it's possible to know?

    Cheers

    Carlos



  • 9.  RE: 802.1x authentication issue

    Posted Apr 05, 2014 02:30 AM

    They are using Windows Server 2012 R2 as NPS + AD + Domain.



  • 10.  RE: 802.1x authentication issue

    Posted Apr 05, 2014 08:40 AM

    @hinz85

    Your best option to troubleshoot this is to have the server team provide you with a copy of an Event Log entry from the NPS server at the time of failure that you can share with us. This will give you an indication of what the problem is. The controller just sees a reject, with no further explanation. The results of the logs may show any number of things, for example:

     

    • RADIUS client not defined
    • RADIUS shared secret mismatch
    • No policy defined to match the request (see Carlos' response)
    • The user does not have Dial-in/VPN enabled on the AD account (this can be worked around in the Network Policy on NPS)
    • Invalid user
    • Invalid password
    • Authentication type mismatch
    • etc....

    Without a log entry, we really can't give much insight into what could be happening.



  • 11.  RE: 802.1x authentication issue

    Posted Apr 07, 2014 12:05 PM

    auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable

    Enter this into PowerShell, run as an administrator.

     

    Under Server Manager-Diagnostics-EventViewer-Custom Views-Server Roles- Network Policy Server

    You will now see all NPS server related events in that folder.



  • 12.  RE: 802.1x authentication issue

    Posted Apr 08, 2014 05:35 AM

    Hi,

    Thanks for all the replies. Now the authentication looks like it is working fine. But I'm not sure about MacBook, because previously when I tried it with a MacBook it didn't work. The server is rejecting it because of some unrecognized format. For now, I have already tested it with iPad, iPhone, Android, and Windows, and they seem to work fine. Unfortunately we do not have a MacBook to test.

    Anyway, thanks for all the help.



  • 13.  RE: 802.1x authentication issue

    Posted Apr 08, 2014 06:54 AM

    Thanks for the update. When you do get a MacBook, have a look at the NPS logs mentioned above and that should give you a starting point of where to troubleshoot.



  • 14.  RE: 802.1x authentication issue

    Posted Jan 25, 2018 04:56 PM

    I'm having the same issues with APs connecting to a 6000 controller running version 6.4.4.16. The APs are also running the same version. Does anyone know if this is still an issue? I'm hesitant to adjust MTU settings on my NPS server since this issue is only affecting a few devices & I have many APs on the controller that don't experience this.

    Here are the errors in my logs...

    Jan 20 01:50:46 2018 Aruba6000 localdb[2233]: <133019> <ERRS> <Aruba6000 172.25.6.9>  User 00:90:07:88:6c:79 was not found in the database
    Jan 20 01:50:46 2018 Aruba6000 localdb[2233]: <133006> <ERRS> <Aruba6000 172.25.6.9>  User 00:90:07:88:6c:79 Failed Authentication

    Jan 20 10:58:07 2018 Aruba6000 authmgr[2195]: <522275> <ERRS> <Aruba6000 172.25.6.9>  User Authentication failed. username=autotruck\TB128LOU_1265476002 userip=0.0.0.0 usermac=00:90:07:88:6c:79 authmethod=802.1x servername=MTLDC13-Radius serverip=192.168.150.52 apname=AP-SIMPSONVILLE-FLR1-IDF-N-26 bssid=84:d4:7e:2e:56:22
    Jan 20 10:58:07 2018 Aruba6000 authmgr[2195]: <132207> <ERRS> <Aruba6000 172.25.6.9>  RADIUS reject for station autotruck\TB128LOU_1265476002 00:90:07:88:6c:79 from server MTLDC13-Radius.

    Jan 20 10:58:07 2018 Aruba6000 authmgr[2195]: <132053> <ERRS> <Aruba6000 172.25.6.9>  Dropping the radius packet for Station 00:90:07:88:6c:79 84:d4:7e:2e:56:22 doing 802.1x
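Both sets of controller messages in this thread (the 2014 lines in the first post and the 2018 lines above) can be triaged the same way: group the authmgr and localdb lines per station MAC, then separate "the RADIUS server sent a reject" from "the controller's own database said no" and "the client stopped answering EAP". The Python below is an added example written for this page, not Aruba or NPS tooling. The log lines it parses are the ones quoted in the thread, embedded as constructed input, and the only message patterns it knows are the ones visible here; the one-line diagnosis follows the advice given in the answers (a reject is explained on the RADIUS server, not on the controller).

```python
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed input: the controller lines quoted in this thread, in both the 2014
# ("|authmgr|") and the 2018 ("<Aruba6000 172.25.6.9>") layouts. Only these message
# shapes are handled; anything else (e.g. the rogue-AP line) is skipped.
SAMPLE_LOG = """\
Apr 3 18:17:02 authmgr[1647]: <132197> <ERRS> |authmgr| Maximum number of retries was attempted for station 00:21:5d:89:b3:86 9c:1c:12:94:1c:00, deauthenticating the station
Apr 3 18:17:16 authmgr[1647]: <132207> <ERRS> |authmgr| RADIUS reject for station SMRstudenttest1 00:21:5d:89:b3:86 from server SMR2NPSSRV1.
Apr 3 18:17:16 authmgr[1647]: <132053> <ERRS> |authmgr| Dropping the radius packet for Station 00:21:5d:89:b3:86 9c:1c:12:94:1c:00 doing 802.1x
Apr 3 18:17:31 authmgr[1647]: <132207> <ERRS> |authmgr| RADIUS reject for station smrstudenttest1 f4:f9:51:73:25:22 from server SMR2NPSSRV1.
Jan 20 01:50:46 2018 Aruba6000 localdb[2233]: <133019> <ERRS> <Aruba6000 172.25.6.9>  User 00:90:07:88:6c:79 was not found in the database
Jan 20 10:58:07 2018 Aruba6000 authmgr[2195]: <522275> <ERRS> <Aruba6000 172.25.6.9>  User Authentication failed. username=autotruck\\TB128LOU_1265476002 userip=0.0.0.0 usermac=00:90:07:88:6c:79 authmethod=802.1x servername=MTLDC13-Radius serverip=192.168.150.52 apname=AP-SIMPSONVILLE-FLR1-IDF-N-26 bssid=84:d4:7e:2e:56:22
Jan 20 10:58:07 2018 Aruba6000 authmgr[2195]: <132207> <ERRS> <Aruba6000 172.25.6.9>  RADIUS reject for station autotruck\\TB128LOU_1265476002 00:90:07:88:6c:79 from server MTLDC13-Radius.
Jan 20 10:58:07 2018 Aruba6000 authmgr[2195]: <132053> <ERRS> <Aruba6000 172.25.6.9>  Dropping the radius packet for Station 00:90:07:88:6c:79 84:d4:7e:2e:56:22 doing 802.1x
"""

MAC = r"([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})"
RE_MSGID = re.compile(r"<(\d{6})> <\w+>")
RE_REJECT = re.compile(r"RADIUS reject for station (\S+) " + MAC + r" from server (\S+)\.")
RE_DROP = re.compile(r"Dropping the radius packet for Station " + MAC + " " + MAC + r" doing (\S+)")
RE_RETRIES = re.compile(r"Maximum number of retries was attempted for station " + MAC + " " + MAC)
RE_LOCALDB = re.compile(r"User " + MAC + r" was not found in the database")
RE_AUTHFAIL = re.compile(r"User Authentication failed\. (.*)$")
RE_KV = re.compile(r"(\w+)=(\S*)")


@dataclass
class StationReport:
    """Everything the controller said about one client MAC."""
    mac: str
    usernames: set = field(default_factory=set)
    reject_servers: Counter = field(default_factory=Counter)  # RADIUS server name -> reject count
    server_ips: set = field(default_factory=set)
    aps: set = field(default_factory=set)
    bssids: set = field(default_factory=set)
    message_ids: Counter = field(default_factory=Counter)     # ArubaOS message id -> count
    max_retries: bool = False    # client stopped answering EAP and was deauthenticated
    local_db_miss: bool = False  # the controller's internal database, not a RADIUS server, said no


def triage(log_text: str) -> dict[str, StationReport]:
    """Group the recognised authmgr/localdb lines by station MAC."""
    reports: dict[str, StationReport] = {}

    def rep(mac: str) -> StationReport:
        mac = mac.lower()
        return reports.setdefault(mac, StationReport(mac))

    for line in log_text.splitlines():
        if m := RE_REJECT.search(line):
            r = rep(m.group(2))
            r.usernames.add(m.group(1))
            r.reject_servers[m.group(3)] += 1
        elif m := RE_DROP.search(line):
            r = rep(m.group(1))
            r.bssids.add(m.group(2).lower())
        elif m := RE_RETRIES.search(line):
            r = rep(m.group(1))
            r.max_retries = True
            r.bssids.add(m.group(2).lower())
        elif m := RE_LOCALDB.search(line):
            r = rep(m.group(1))
            r.local_db_miss = True
        elif m := RE_AUTHFAIL.search(line):
            kv = dict(RE_KV.findall(m.group(1)))   # key=value pairs of the 2018 layout
            if "usermac" not in kv:
                continue
            r = rep(kv["usermac"])
            for key, target in (("username", r.usernames), ("serverip", r.server_ips),
                                ("apname", r.aps), ("bssid", r.bssids)):
                if key in kv:
                    target.add(kv[key].lower() if key == "bssid" else kv[key])
        else:
            continue
        if mid := RE_MSGID.search(line):
            r.message_ids[mid.group(1)] += 1
    return reports


def diagnose(r: StationReport) -> str:
    """One-line reading of a report, in the order the answers in this thread suggest looking."""
    if r.reject_servers:
        servers = ", ".join(sorted(r.reject_servers))
        return (f"{r.mac}: Access-Reject from RADIUS server {servers}; the controller only relays "
                f"the reject, so the reason is in that server's event log")
    if r.local_db_miss:
        return f"{r.mac}: not found in the controller's local database (no RADIUS server involved)"
    if r.max_retries:
        return f"{r.mac}: stopped answering EAP requests and was deauthenticated after the retry limit"
    return f"{r.mac}: RADIUS packets dropped but no reject or failure reason in these lines"


if __name__ == "__main__":
    for report in triage(SAMPLE_LOG).values():
        print(diagnose(report))
```

Feeding a real `show log security` export through `triage` gives one report per client, which is exactly the narrowing Colin asks for later in the thread: pick one failing MAC, then match its `message_ids` and `reject_servers` against that server's NPS events for the same timestamps.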



  • 15.  RE: 802.1x authentication issue

    EMPLOYEE
    Posted Jan 25, 2018 05:33 PM

    You need to look on the Event Viewer in NPS to see why it is sending back rejects. The MAC address rejects could mean that you have "Enforce Machine Authentication" enabled in your 802.1x profile. You should uncheck it.



  • 16.  RE: 802.1x authentication issue

    Posted Jan 26, 2018 12:06 AM

    Colin, I am finding that Enforce Machine Authentication is enabled on my 802.1x profile. The problem I have with disabling it is that the Virtual AP that is using the profile is being used on about 100 other AP Groups at sites all over the country. Disabling it would do so for my entire wireless environment. Could you tell me what type of consequences this would have? Just so you know, the site below is using Certificate Based Authentication with the NPS server. I'm not sure how that factors in. Here's my config....

    wlan virtual-ap "EmployeeX-VAP"
       aaa-profile "EmployeeX-dot1x-aaa-profile"
       ssid-profile "EmployeeX-802.1x-SSID-Profile"
       vlan 1
       forward-mode bridge
       broadcast-filter all
       blacklist-time 0
       no mobile-ip

     

    aaa profile "EmployeeX-dot1x-aaa-profile"
       authentication-dot1x "EmployeeX-dot1x-auth-profile"
       dot1x-default-role "EmployeeX-Employee-Authenticated"
       dot1x-server-group "EmployeeX-Radius"
       user-derivation-rules "BlacklistDevicesEmployeeX"

     

    aaa authentication dot1x "EmployeeX-dot1x-auth-profile"
       machine-authentication enable
       machine-authentication machine-default-role "EmployeeX-802.1X-authd-employee"
       machine-authentication user-default-role "EmployeeX-802.1X-authd-employee"
       reauthentication


    ap-group "ATG-Simpsonville-Indoor"
       virtual-ap "Scanner-VAP"
       virtual-ap "GuestWireless-VAP"
       virtual-ap "EmployeeX-VAP"
       dot11a-radio-profile "ARI-A-Indoor-Radio-Profile"
       dot11g-radio-profile "ARI-G-Indoor-Radio-Profile"

    ap-group "ATG-Simpsonville-Outdoor"
       virtual-ap "ATG-Scanner-X-VAP"
       virtual-ap "EmployeeX-VAP"
       dot11a-radio-profile "ARI-A-Outdoor-Radio-Profile"
       dot11g-radio-profile "ARI-G-Outdoor-Radio-Profile"
       ap-system-profile "ARI-AP-System-Profile"



  • 17.  RE: 802.1x authentication issue

    EMPLOYEE
    Posted Jan 26, 2018 05:38 AM

    Let us be specific: what is your real problem? From the error messages, it seems that some clients are being rejected. The controller is simply taking the rejection from your NPS server. You need to look in the Event Viewer in NPS for those rejections and find out why they are being rejected by NPS, first. The enforce machine authentication is secondary, but it would certainly treat users of non-domain machines differently. First, pick a specific client you are having problems with and only look at the logs pertaining to that client on NPS and the controller...



  • 18.  RE: 802.1x authentication issue

    Posted Jan 26, 2018 08:56 AM

    The problem is that the iPads will be connected to their SSID and everything works fine, but after a period of time the iPads will drop connection. The iPads are stationary and never physically move. This was never a problem until recently, when we decided to use cert based authentication on the tablets.

    The NPS server admin could not find anything wrong in the event logs even though the 6000 controller is sending these RADIUS error logs. Our plans now are to create a test virtual AP along with new profiles & put a new SSID out of the APs so the tablets can connect. The new SSID will have Enforced Machine Authentication disabled. We are also preparing a new NPS instance for this and will adjust the framed MTU to 1384 if disabling the feature alone doesn't work. Do you think these are the right steps to take? Do you suggest anything to try?



  • 19.  RE: 802.1x authentication issue

    EMPLOYEE
    Posted Jan 26, 2018 09:37 AM

    If a device passes authentication, it should stay connected, period. The rejects were from devices that simply did not get on, and that should not fix itself. The enforce machine authentication configuration has the same role for default 802.1x as well as user authentication, so that should not make a difference.

    When a device that is stationary disconnects, that could mean that the power on APs is too high, so the iOS device would try to connect to other APs. It could also mean that you did not enable "Drop Broadcast and Unknown Multicast" on your Virtual APs and the excess traffic is causing clients to disconnect.



  • 20.  RE: 802.1x authentication issue

    Posted Jan 26, 2018 11:04 AM

    Thanks Colin. I did verify that Drop Broadcast & Unknown Multicast is checked. Could you share some recommended settings & configurations for power & how to utilize them?



  • 21.  RE: 802.1x authentication issue

    EMPLOYEE
    Posted Jan 26, 2018 11:28 AM

    For every location it is individual.  You want the transmit power to be in the range of the client.  For an ipad, between 12 and 18 should be good.



  • 22.  RE: 802.1x authentication issue

    Posted Jan 26, 2018 01:41 PM

    Colin, is that 12 & 18 dBm for min-tx-power & max-tx-power? I'm trying to find where in the config these settings need to be verified. Thanks.



  • 23.  RE: 802.1x authentication issue

    Posted Apr 05, 2014 12:25 AM

    Thanks for the reply. What you meant by RADIUS source interface on the controller is the port interface on the Aruba that is connected to the network?