Contributor I

Re: AOS 8.4.0.3 Roaming disconnects


@cjoseph wrote:

@kuairhead wrote:

We can't reproduce the issue currently so very difficult to debug. It seems to happen maybe once every few days but users aren't reporting it to us when it does and we hear about it days later.

 

Interestingly running a AAA test from any of our controllers or mobility master and our old controllers on AOS 6.5 to our FreeRADIUS server we get authentication failed response even though users can successfully auth on the live wireless network. Not sure why this is the case. We have some MS NPS servers that are also in use that the AAA test comes back fine for.

 

Thanks.


If it is something that happens rarely, it will be difficult to figure out, because you would have to wait until it happens to capture the state of the user.

 

AAA test server has a raw authentication that might not have all the attributes your freeradius server is looking for, so it might fail.  The NPS server might not be looking for any more attributes and maybe you should switch back to that to see if your issue continues. The fact that AAA test server is failing at least means that authentication is making it to your radius server(s).

 

 


This is what we suspected as it was responding immediately with reject and the requests from the controllers look a bit different to a user device. It has made it rather annoying to troubleshoot any auth issues because anyone looking at it immediately says auth is failing but in our production wireless it works fine (beside these random disconnects)

Regular Contributor I

Re: AOS 8.4.0.3 Roaming disconnects

What happens when you create a set of new test credentials and try to aaa test those credentials?

 

Have you tried creating a test SSID and using the internal database on the controller to authenticate your users? Is the behaviour the same?

 

Also, if I am not wrong, freeRadius is available as a windows .exe file?

What happens when you configure another freeRadius server and add the IP of the new server to test the test SSID with the test credentials?

 

 

 

--Give Kudos: found something helpful, important, or cool? Click Kudos Star in a post.
--Problem Solved? Click "Accepted Solution" in a post.

Ajay Kumar Ravipati
ACMA (V8) | ACMP (V8) | CCENT | CCNA (R&S) | PAN-OS 8.0 ACE
Guru Elite

Re: AOS 8.4.0.3 Roaming disconnects


@kuairhead wrote:

@cjoseph wrote:

@kuairhead wrote:

We can't reproduce the issue currently so very difficult to debug. It seems to happen maybe once every few days but users aren't reporting it to us when it does and we hear about it days later.

 

Interestingly running a AAA test from any of our controllers or mobility master and our old controllers on AOS 6.5 to our FreeRADIUS server we get authentication failed response even though users can successfully auth on the live wireless network. Not sure why this is the case. We have some MS NPS servers that are also in use that the AAA test comes back fine for.

 

Thanks.


If it is something that happens rarely, it will be difficult to figure out, because you would have to wait until it happens to capture the state of the user.

 

AAA test server has a raw authentication that might not have all the attributes your freeradius server is looking for, so it might fail.  The NPS server might not be looking for any more attributes and maybe you should switch back to that to see if your issue continues. The fact that AAA test server is failing at least means that authentication is making it to your radius server(s).

 

 


This is what we suspected as it was responding immediately with reject and the requests from the controllers look a bit different to a user device. It has made it rather annoying to troubleshoot any auth issues because anyone looking at it immediately says auth is failing but in our production wireless it works fine (beside these random disconnects)


You can create something on freeradius that will respond and authenticate to the specific attributes sent by the controller in the AAA test server test, so that you will know if that basic authentication works.  AAA test server was created to get a general response from a radius server, you will just have to tailor your radius server so it can respond to the test.  Everybody can require different attributes, so AAA Test is not expected to work perfectly in every environment.  You can make changes so that the AAA test works in yours...  At minimum it will test connectivity to your radius server.


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.4 User Guide
InstantOS 8.3 User Guide
Airheads Knowledgebase
Airheads Learning Videos
Aruba Central Documentation
Sign up for Security Alerts
Aruba Technical Webinars
Guru Elite

Re: AOS 8.4.0.3 Roaming disconnects


@A_RAK wrote:

What happens when you create a set of new test credentials and try to aaa test those credentials?

 

Have you tried creating a test SSID and using the internal database on the controller to authenticate your users? Is the behaviour the same?

 

Also, if I am not wrong, freeRadius is available as a windows .exe file?

What happens when you configure another freeRadius server and add the IP of the new server to test the test SSID with the test credentials?

 

 

 



@kuairhead already wrote that it is not working because the AAA test server is not sending all the attributes required by his radius server.


Contributor I

Re: AOS 8.4.0.3 Roaming disconnects


@cjoseph wrote:

@A_RAK wrote:

What happens when you create a set of new test credentials and try to aaa test those credentials?

 

Have you tried creating a test SSID and using the internal database on the controller to authenticate your users? Is the behaviour the same?

 

Also, if I am not wrong, freeRadius is available as a windows .exe file?

What happens when you configure another freeRadius server and add the IP of the new server to test the test SSID with the test credentials?

 

 

 



@kuairhead already wrote that it is not working because the AAA test server is not sending all the attributes required by his radius server.


As said I would expect no matter the account it would respond with reject. We have tried loads of different accounts that all can access the wifi ok and all get the reject response when doing AAA test but otherwise auth ok and get assigned the role they should get etc in production on an actual wireless device.

 

With regards to test SSID etc I have not tried that but as I have not experienced this issue myself in the 3 or so months the controllers have been live I wouldn't expect to see it on a test SSID and can't ask the hundred or so users in the production environment to use the test SSID so pretty limited there as well unfortunately.

 

We initially suspected the issue was with FreeRADIUS as we didn't have any reports of issues using NPS but we pointed auth back to NPS and we got reports from users so can only assume the issue is configuration of the controllers or AOS 8 behaviour.

 

Thanks.

Guru Elite

Re: AOS 8.4.0.3 Roaming disconnects


 

We initially suspected the issue was with FreeRADIUS as we didn't have any reports of issues using NPS but we pointed auth back to NPS and we got reports from users so can only assume the issue is configuration of the controllers or AOS 8 behaviour.

 

Thanks.


What was the corresponding message on the NPS server?  Did that make you think you had the same issue?


Regular Contributor I

Re: AOS 8.4.0.3 Roaming disconnects


@cjoseph wrote:

@A_RAK wrote:

What happens when you create a set of new test credentials and try to aaa test those credentials?

 

Have you tried creating a test SSID and using the internal database on the controller to authenticate your users? Is the behaviour the same?

 

Also, if I am not wrong, freeRadius is available as a windows .exe file?

What happens when you configure another freeRadius server and add the IP of the new server to test the test SSID with the test credentials?

 

 

 



@kuairhead already wrote that it is not working because the AAA test server is not sending all the attributes required by his radius server.


Ah missed that while typing my reply. I was wondering what happens when the internal database on the controller is used for authentication for a test user in this case. (If this works fine, then could move on to attribute configuration on the freeradius server by narrowing it down to the attributes usually sent by the client as you have mentioned.)

 

Also, the reason I have asked to test with a new freeRadius server was to see if the default base FreeRadius server exhibits this behaviour or if it is because of something that was configured on it.

 

I have seen base freeradius server work fine for some time and they go berserk for a while. In one scenario I had to remove the server completely and re-install the server to make it work fine. Just a quick fix though.

 

 

Ajay Kumar Ravipati
ACMA (V8) | ACMP (V8) | CCENT | CCNA (R&S) | PAN-OS 8.0 ACE
Regular Contributor I

Re: AOS 8.4.0.3 Roaming disconnects


@kuairhead wrote:

@cjoseph wrote:

@A_RAK wrote:

What happens when you create a set of new test credentials and try to aaa test those credentials?

 

Have you tried creating a test SSID and using the internal database on the controller to authenticate your users? Is the behaviour the same?

 

Also, if I am not wrong, freeRadius is available as a windows .exe file?

What happens when you configure another freeRadius server and add the IP of the new server to test the test SSID with the test credentials?

 

 

 



@kuairhead already wrote that it is not working because the AAA test server is not sending all the attributes required by his radius server.


As said I would expect no matter the account it would respond with reject. We have tried loads of different accounts that all can access the wifi ok and all get the reject response when doing AAA test but otherwise auth ok and get assigned the role they should get etc in production on an actual wireless device.

 

With regards to test SSID etc I have not tried that but as I have not experienced this issue myself in the 3 or so months the controllers have been live I wouldn't expect to see it on a test SSID and can't ask the hundred or so users in the production environment to use the test SSID so pretty limited there as well unfortunately.

 

We initially suspected the issue was with FreeRADIUS as we didn't have any reports of issues using NPS but we pointed auth back to NPS and we got reports from users so can only assume the issue is configuration of the controllers or AOS 8 behaviour.

 

Thanks.


What do you see in the security logs on the controller for any of the users experiencing this issue? 

 

Command : show log security all | include <mac of user>

 

Note: This command does not need a live client

 

Do these logs indicate that the issues could be the same in both scenarios? (when using freeradius and when using NPS)

 

 

 


Ajay Kumar Ravipati
ACMA (V8) | ACMP (V8) | CCENT | CCNA (R&S) | PAN-OS 8.0 ACE
Contributor I

Re: AOS 8.4.0.3 Roaming disconnects


@cjoseph wrote:

 

We initially suspected the issue was with FreeRADIUS as we didn't have any reports of issues using NPS but we pointed auth back to NPS and we got reports from users so can only assume the issue is configuration of the controllers or AOS 8 behaviour.

 

Thanks.


What was the corresponding message on the NPS server?  Did that make you think you had the same issue?


It was decided to move to only use FreeRADIUS on our AOS8 environment going forward (not my decision) so I can't point it back to NPS to test and try and find logs when users are affected. In the time we were on NPS before whenever the issue was reported it was usually after the fact without precise times so I was unable to find anything in the logs.

 

Our AOS 6.5 environment does not have the same issue when using the same FreeRADIUS and NPS servers so that makes me believe it is the AOS8 config as the problem.

 

Thanks.

Contributor I

Re: AOS 8.4.0.3 Roaming disconnects


@A_RAK wrote:

@kuairhead wrote:

@cjoseph wrote:

@A_RAK wrote:

What happens when you create a set of new test credentials and try to aaa test those credentials?

 

Have you tried creating a test SSID and using the internal database on the controller to authenticate your users? Is the behaviour the same?

 

Also, if I am not wrong, freeRadius is available as a windows .exe file?

What happens when you configure another freeRadius server and add the IP of the new server to test the test SSID with the test credentials?

 

 

 



@kuairhead already wrote that it is not working because the AAA test server is not sending all the attributes required by his radius server.


As said I would expect no matter the account it would respond with reject. We have tried loads of different accounts that all can access the wifi ok and all get the reject response when doing AAA test but otherwise auth ok and get assigned the role they should get etc in production on an actual wireless device.

 

With regards to test SSID etc I have not tried that but as I have not experienced this issue myself in the 3 or so months the controllers have been live I wouldn't expect to see it on a test SSID and can't ask the hundred or so users in the production environment to use the test SSID so pretty limited there as well unfortunately.

 

We initially suspected the issue was with FreeRADIUS as we didn't have any reports of issues using NPS but we pointed auth back to NPS and we got reports from users so can only assume the issue is configuration of the controllers or AOS 8 behaviour.

 

Thanks.


What do you see in the security logs on the controller for any of the users experiencing this issue? 

 

Command : show log security all | include <mac of user>

 

Note: This command does not need a live client

 

Do these logs indicate that the issues could be the same in both scenarios? (when using freeradius and when using NPS)

 

 

 



Checking the logs for MAC address of the user device affected yesterday I see the following, none of which relates to yesterday. Not sure if any help.

 

Aug 19 17:36:05 dot1x-proc:1[4592]: <138057> <4592> <ERRS> |dot1x-proc:1| Failed to send the radius request for Station b8:8a:60:xx:xx:xx b4:5d:50:xx:xx:xx
Aug 29 14:46:11 dot1x-proc:2[4595]: <138094> <4595> <WARN> |dot1x-proc:2| MIC failed in WPA2 Key Message 2 from Station b8:8a:60:xx:xx:xx b4:5d:50:xx:xx:xx AP-b4:5d:50:xx:xx:xx
Aug 30 16:01:20 dot1x-proc:1[4592]: <138094> <4592> <WARN> |dot1x-proc:1| MIC failed in WPA2 Key Message 2 from Station b8:8a:60:xx:xx:xx b4:5d:50:7c:5c:d0 AP-b4:5d:50:xx:xx:xx
Sep 25 15:37:50 authmgr[3926]: <199802> <3926> <ERRS> |authmgr| dot1x.c, auth_handle_dot1x_key_handshake_data:4957: Key handshake data received for unknown user b8:8a:60:xx:xx:xx

 

The user who experienced the issue yesterday was challenged for their credentials when roaming, then the credentials were rejected even though correct, so they left their device alone for around 7-8 minutes and after that it reconnected by itself. Not sure if a timer is at play somewhere relating to this? The RADIUS requests when the issue occurred seem to show the user went from an AP on one controller to an AP on the other controller in the cluster and at that point got the RADIUS login failed, although this doesn't seem to be the case for other users when they experienced issues, as it is roaming between APs on the same controller.

 

Thanks.
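
Added example (not part of any poster's reply and not Aruba code): when a disconnect is reported after the fact with only an approximate time, the output of `show log security all | include <mac of user>` can be narrowed to one station and a time window around the report. The regex follows the line layout quoted in the post above; the MACs, times and year in `SAMPLE` are constructed, and the function names are hypothetical.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Layout of the lines quoted in the post:
#   Mon DD HH:MM:SS proc[pid]: <msgid> <pid> <SEV> |proc| text
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<proc>[\w:.-]+)\[\d+\]: "
    r"<(?P<msgid>\d+)> <\d+> <(?P<sev>\w+)> \|[^|]*\| (?P<text>.*)$"
)
# "x" is accepted so masked octets (xx), as in the post, still parse.
MAC_RE = re.compile(r"\b(?:[0-9a-fx]{2}:){5}[0-9a-fx]{2}\b", re.I)

def parse_line(line, year):
    """Return one event as a dict, or None for lines in another layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    macs = MAC_RE.findall(m["text"])
    return {
        # The log lines carry no year, so the caller supplies it.
        "time": datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"),
        "msgid": m["msgid"],
        "sev": m["sev"],
        # In the quoted messages the first MAC is the client station.
        "station": macs[0].lower() if macs else None,
        "text": m["text"],
    }

def events_near(lines, station, reported, window, year):
    """Events for one station within +/- window of the user-reported time."""
    hits = []
    for line in lines:
        ev = parse_line(line, year)
        if ev and ev["station"] == station.lower() and abs(ev["time"] - reported) <= window:
            hits.append(ev)
    return sorted(hits, key=lambda e: e["time"])

def count_by_msgid(events):
    """How often each message ID occurred in the selected events."""
    return Counter(e["msgid"] for e in events)

# Constructed sample lines (made-up MACs and times) in the layout shown in the post.
SAMPLE = """\
Sep 25 15:37:50 authmgr[3926]: <199802> <3926> <ERRS> |authmgr| dot1x.c, auth_handle_dot1x_key_handshake_data:4957: Key handshake data received for unknown user 02:00:00:aa:bb:01
Sep 25 15:30:02 dot1x-proc:1[4592]: <138057> <4592> <ERRS> |dot1x-proc:1| Failed to send the radius request for Station 02:00:00:aa:bb:01 02:00:00:cc:dd:10
Sep 25 15:30:04 dot1x-proc:2[4595]: <138094> <4595> <WARN> |dot1x-proc:2| MIC failed in WPA2 Key Message 2 from Station 02:00:00:aa:bb:01 02:00:00:cc:dd:20 AP-02:00:00:cc:dd:20
Sep 25 15:31:00 dot1x-proc:1[4592]: <138094> <4592> <WARN> |dot1x-proc:1| MIC failed in WPA2 Key Message 2 from Station 02:00:00:aa:bb:02 02:00:00:cc:dd:10 AP-02:00:00:cc:dd:10
Aug 19 17:36:05 dot1x-proc:1[4592]: <138057> <4592> <ERRS> |dot1x-proc:1| Failed to send the radius request for Station 02:00:00:aa:bb:01 02:00:00:cc:dd:10
""".splitlines()

if __name__ == "__main__":
    found = events_near(SAMPLE, "02:00:00:AA:BB:01",
                        datetime(2019, 9, 25, 15, 32), timedelta(minutes=10), 2019)
    for ev in found:
        print(ev["time"], ev["msgid"], ev["sev"], ev["text"])
```

Running the same filter against exports from both cluster members makes it easier to see whether the events for a station line up with a move between controllers.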
