Aruba 802.1x issues

  • 1.  Aruba 802.1x issues

    Posted Nov 14, 2018 04:57 PM

    I am installing a new Aruba ClearPass system.  I set up the cppm1-pub and cppm2-sub and linked to the DC.  This system has two virtual controllers.

     

    When I tried to connect, it gave me a failure.  I saw commands to use in the CLI and check the status, so I did:

     

    cppm1-pub#  show domain
    Domain Name:  xxxxx.local
    Domain NETBIOS: xxxxx
    Domain Server IP:  172.xxx.xxx.xxx
    Domain Server Name: xxxxxx.xxxxx.local
    Domain Status:  online

    cppm1-pub# ad auth -u client -n (domain xxxxx)
    Password: xxxxxxx
    could not obtain winbind separator!
    Reading winbind reply failed! (0x01)
    :  (0x0)

     

    This is the error message.  Does anyone have any ideas?

     

    Thanks in advance

     

     



  • 2.  RE: Aruba 802.1x issues

    MVP
    Posted Nov 15, 2018 09:30 AM

    Are you having trouble joining it to the domain or once it's joined, trouble authenticating users?



  • 3.  RE: Aruba 802.1x issues

    Posted Nov 15, 2018 10:20 AM

    The problem is with authenticating the user on the device.  Everything shows as joined, but it is not authenticating.



  • 4.  RE: Aruba 802.1x issues

    MVP
    Posted Nov 15, 2018 10:59 AM

    Make sure your account in your AD authentication source can do lookups in AD to validate the user account.



  • 5.  RE: Aruba 802.1x issues

    Posted Nov 15, 2018 11:20 AM

    The user I am using for authentication is part of the Administrators, Distributed COM Users, Domain Admins, Domain Users, Event Log Readers, and Server Operators groups.  This is for a Windows 2012 R2 server.  Is there another group that should be added for authentication?

     

    Thanks



  • 6.  RE: Aruba 802.1x issues

    EMPLOYEE
    Posted Nov 16, 2018 11:37 AM

    For reference, I just ran the commands in the lab, as you obfuscated some of the output:

    [appadmin@cppm-nl]# show domain
    
    =======================================================
                    Domain Information
    -------------------------------------------------------
    Domain Name              : NL.ARUBALAB.COM
    Domain NETBIOS Name      : NL
    Domain Server Ip Address : 192.168.32.11
    Domain Server Name       : dc01.nl.arubalab.com
    Domain Status            : online
    -------------------------------------------------------
    =======================================================
    
    [appadmin@cppm-nl]# ad auth -u arubase -n nl.arubalab.com
    Password:
    NT_STATUS_OK: Success (0x0)
    [appadmin@cppm-nl]# ad auth -u arubase -n nl
    Password:
    NT_STATUS_OK: Success (0x0)
    [appadmin@cppm-nl]#

    From the error message (could not obtain winbind separator), could it be that you have special (non a-z,A-Z,0-9) characters in your full domain name, one of the DC FQDNs, the username you tried or the password? One thing I recently heard of was a customer who had an underscore _ in the DNS name, which is not supported in DNS. To isolate the issue, can you make sure none of these non-standard or accented characters exist in any of the domain/host/user-names or password? As you can see above, you can use either the long Domain Name or the short NetBIOS name.

     

    This command should just do the authentication and is separate from Authentication sources that use LDAP to fetch user group attributes.

     

    BTW, domain join is only needed for MSCHAPv2 authentication (aka PEAP) which really shouldn't be used anymore as MSCHAPv2 is cracked.
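
The character check suggested in the last reply can be scripted on an admin workstation before retrying `ad auth`. This is an added example, not part of the original thread or any Aruba tooling; the function names are hypothetical, and it assumes DNS names follow the RFC 952/1123 letter-digit-hyphen rule while NetBIOS and user names are held to the reply's a-z, A-Z, 0-9 criterion, which is stricter than Active Directory itself, so a finding is something to rule out rather than a confirmed cause.

```python
import re

# RFC 952/1123 host label: letters, digits, hyphen; 1-63 chars; no edge hyphen.
LABEL_RE = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")
# The reply's isolation criterion for names and passwords: a-z, A-Z, 0-9 only.
PLAIN_RE = re.compile(r"[A-Za-z0-9]+")


def odd_chars(value, allowed_class):
    """Return the sorted distinct characters of value outside allowed_class."""
    return sorted({c for c in value if not re.fullmatch(allowed_class, c)})


def check_dns_name(name):
    """Return the problems found in a DNS domain name or host FQDN."""
    problems = []
    if len(name) > 253:
        problems.append("name longer than 253 characters")
    for label in name.rstrip(".").split("."):
        if not LABEL_RE.fullmatch(label):
            bad = odd_chars(label, r"[A-Za-z0-9-]")
            detail = f"characters {bad}" if bad else "empty, over 63 chars, or edge hyphen"
            problems.append(f"label {label!r}: {detail}")
    return problems


def check_plain(value, what):
    """Return the problems found in a NetBIOS name, user name or password."""
    if PLAIN_RE.fullmatch(value):
        return []
    return [f"{what} contains characters {odd_chars(value, r'[A-Za-z0-9]')}"]


def preflight(domain, dc_fqdn, netbios, username):
    """Collect findings per field; an empty dict means nothing to rule out."""
    findings = {
        "domain": check_dns_name(domain),
        "dc_fqdn": check_dns_name(dc_fqdn),
        "netbios": check_plain(netbios, "NetBIOS name"),
        "username": check_plain(username, "user name"),
    }
    if len(netbios) > 15:
        findings["netbios"].append("NetBIOS name longer than 15 characters")
    return {field: found for field, found in findings.items() if found}


if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    print(preflight("corp_lab.example", "dc01.corp_lab.example", "CORPLAB", "svc-clearpass"))
```

A password can be passed through `check_plain` the same way; the function reports only the offending characters, not the value itself.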