
Client Authentication Problem and RADIUS

  • 1.  Client Authentication Problem and RADIUS

    Posted Aug 20, 2013 12:55 PM

    Hello,

    We have clients authenticating to a RADIUS server using certificates. We are seeing that the RADIUS server is sending the RADIUS Accept message, but the EAP SUCCESS message from the controller to the client is not being generated/sent. We used the show auth-tracebuf command to look at these messages. Is it possible to dig further into what the RADIUS Accept message contains using the Aruba controller? I am curious if something incomplete within the RADIUS Accept message is not enough for the controller to generate the EAP Success. Has anyone encountered this error before? Your help would be much appreciated. Thanks.



  • 2.  RE: Client Authentication Problem and RADIUS

    EMPLOYEE
    Posted Aug 20, 2013 01:00 PM

    On the Aruba Controller, turn on debugging for that specific client:

    config t

    logging level debug user-debug <mac address of client>

    Then, type "show auth-tracebuf mac <mac address of client>" to see the messages going back and forth.

    Make sure that the client, if it has "Validate Server Certificate" configured, does indeed have the RADIUS server certificate trusted.



  • 3.  RE: Client Authentication Problem and RADIUS

    Posted Aug 20, 2013 01:42 PM

    Actually, we used show auth-tracebuf mac <client's MAC> and we are seeing the RADIUS Accept but not the EAP Success after the RADIUS success. Also, under process logs we are seeing <INFO> |authmgr| Authentication result=Authentication Successful(0) which, if I understand it correctly, means the user is successfully authenticated. Any thoughts?



  • 4.  RE: Client Authentication Problem and RADIUS

    EMPLOYEE
    Posted Aug 20, 2013 01:53 PM

    Check to make sure your client has "validate server certificate" unchecked as a test. Your client might not trust your RADIUS server's certificate.



  • 5.  RE: Client Authentication Problem and RADIUS

    Posted Aug 20, 2013 02:05 PM

    We did, and we tried it with validate server cert as well and verified that the root cert is added in the trusted root...



  • 6.  RE: Client Authentication Problem and RADIUS

    EMPLOYEE
    Posted Aug 20, 2013 02:07 PM

    Is that the only client with the issue? Has this ever worked? Does the AAA Test from the controller work? What kind of client is this?



  • 7.  RE: Client Authentication Problem and RADIUS

    Posted Aug 20, 2013 02:15 PM

    Hello,

    Yes, this was working before. No clients can authenticate. Clients are laptop computers running at least Windows 7.



  • 8.  RE: Client Authentication Problem and RADIUS

    EMPLOYEE
    Posted Aug 20, 2013 02:16 PM

    Well,

    What has changed since? What triggered this?



  • 9.  RE: Client Authentication Problem and RADIUS

    Posted Aug 20, 2013 02:25 PM

    It is very likely the RADIUS server; it is just that I am trying to find a way to prove it to the RADIUS guy... So I would like to know if there is a way to further identify why the controller won't generate the EAP SUCCESS message when it receives the RADIUS ACCEPT message.



  • 10.  RE: Client Authentication Problem and RADIUS

    EMPLOYEE
    Posted Aug 20, 2013 02:30 PM

    Unfortunately, the answer to that question is dependent on the events in the RADIUS server. Authentication is one thing, but key exchange is another, and the RADIUS server participates in that after authentication. We need to see the RADIUS server logs to determine, between the client and the RADIUS server, what the problem is...



  • 11.  RE: Client Authentication Problem and RADIUS

    Posted Aug 21, 2013 03:11 PM

    If the RADIUS Accept does not have any attributes but the RADIUS Request does have some attributes... would that be a problem? How do we know what the basic attributes are that the RADIUS server must include in its RADIUS Accept message to the controller? I think there is a missing attribute (although there is no attribute at all coming from the RADIUS server) and that is why the EAP SUCCESS message is not generated.



  • 12.  RE: Client Authentication Problem and RADIUS

    EMPLOYEE
    Posted Aug 21, 2013 03:31 PM

    @baboyero wrote:

    If the radius accept does not have any attributes but the radius request does have some attributes...would that be a problem? I think it is because then the controller won't know who/what was authenticated. I could be wrong though.....


    Certificate mismatches, which are a big cause of failures, are best viewed on the client and on the RADIUS server itself in the RADIUS server logs. 9 out of 10 times, the RADIUS server log will give you a big clue as to what is going wrong.



  • 13.  RE: Client Authentication Problem and RADIUS

    Posted Aug 21, 2013 03:39 PM

    If the RADIUS Accept does not have any attributes but the RADIUS Request does have some attributes... would that be a problem? How do we know what the basic attributes are that the RADIUS server must include in its RADIUS Accept message to the controller (is there a command we can type?)? I think there is a missing attribute (although there is no attribute at all coming from the RADIUS server) and that is why the EAP SUCCESS message is not generated.



  • 14.  RE: Client Authentication Problem and RADIUS

    EMPLOYEE
    Posted Aug 21, 2013 03:47 PM

    @baboyero wrote:

    If the radius accept does not have any attributes but the radius request does have some attributes...would that be a problem? How do we know what are the basic attributes that the RADIUS server must include in its radius accept message to the controller (is there a command we can type?)? I think there is a missing attribute (although there is no attribute at all coming from the RADIUS server) that is why the EAP SUCCESS message is not generated


    Again, the RADIUS server log is the key to most exchanges. To supplement that, I would do a packet capture of the RADIUS traffic between the controller and the RADIUS server. If the controller is not doing EAP termination, only the client and the RADIUS server participate in that discussion, since a tunnel is built from the client to the RADIUS server; that exchange is protected by a tunnel and is not seen by the controller, per se. The client and/or the RADIUS server provide the most valuable clues as to the details of that exchange, which are not available through the controller interface.

    Wikipedia: http://en.wikipedia.org/wiki/Protected_EAP

    "PEAP is similar in design to EAP-TTLS, requiring only a server-side PKI certificate to create a secure TLS tunnel to protect user authentication, and uses server-side public key certificates to authenticate the server. It then creates an encrypted TLS tunnel between the client and the authentication server. In most configurations, the keys for this encryption are transported using the server's public key. The ensuing exchange of authentication information inside the tunnel to authenticate the client is then encrypted and user credentials are safe from eavesdropping."

    This is just a long way of saying that you should try an AAA test server from the Aruba Controller, and if you can get that to work, it is normally a certificate issue that exists on the client and/or RADIUS server.
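    Added example (not from this thread, and not HPE Aruba Networking code): a small Python parser for a RADIUS packet pulled from the controller-to-RADIUS capture suggested above. It decodes the attribute list (RFC 2865 layout, including Microsoft vendor-specific attributes per RFC 2548) and reports which of the attributes an 802.1X authenticator needs in an Access-Accept are missing: EAP-Message (79) and Message-Authenticator (80) from RFC 3579, and the MS-MPPE-Send-Key / MS-MPPE-Recv-Key attributes (vendor 311, types 16 and 17) that carry the keying material for the post-authentication key exchange. The two sample packets are constructed here; the authenticator, Message-Authenticator and key bytes are placeholders, not real values.

```python
import struct
from typing import List, Tuple

# Added example, not from the thread: decode a RADIUS packet (RFC 2865 layout)
# and report which attributes an 802.1X authenticator expects in an Access-Accept.

RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
ATTR_NAMES = {1: "User-Name", 26: "Vendor-Specific", 79: "EAP-Message", 80: "Message-Authenticator"}
MS_VENDOR_ID = 311                      # Microsoft vendor id (RFC 2548)
MS_VSA_NAMES = {16: "MS-MPPE-Send-Key", 17: "MS-MPPE-Recv-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}

# RFC 3579 requires EAP-Message and Message-Authenticator in an EAP Access-Accept;
# the MS-MPPE keys are how the authenticator receives the keying material (RFC 3580).
REQUIRED_FOR_EAP = ("EAP-Message", "Message-Authenticator", "MS-MPPE-Send-Key", "MS-MPPE-Recv-Key")


def parse_radius(packet: bytes) -> Tuple[str, List[Tuple[str, bytes]]]:
    """Return (code name, [(attribute name, raw value), ...]) for one RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("RADIUS packet shorter than the 20-byte header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError(f"Length field {length} does not match {len(packet)} bytes on the wire")
    attrs: List[Tuple[str, bytes]] = []
    pos = 20                                     # skip code, id, length and the 16-byte authenticator
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError(f"Malformed attribute at offset {pos}")
        value = packet[pos + 2 : pos + alen]
        if atype == 26 and len(value) >= 4:
            # Vendor-Specific: 4-byte vendor id followed by vendor type/length/value triples
            vendor_id = struct.unpack("!I", value[:4])[0]
            sub, spos = value[4:], 0
            while spos + 2 <= len(sub):
                stype, slen = sub[spos], sub[spos + 1]
                if slen < 2 or spos + slen > len(sub):
                    raise ValueError(f"Malformed vendor attribute at offset {pos + 6 + spos}")
                if vendor_id == MS_VENDOR_ID and stype in MS_VSA_NAMES:
                    name = MS_VSA_NAMES[stype]
                else:
                    name = f"VSA-{vendor_id}-{stype}"
                attrs.append((name, sub[spos + 2 : spos + slen]))
                spos += slen
        else:
            attrs.append((ATTR_NAMES.get(atype, f"Attr-{atype}"), value))
        pos += alen
    return RADIUS_CODES.get(code, f"Code-{code}"), attrs


def eap_result(attrs: List[Tuple[str, bytes]]) -> str:
    """EAP code name carried in the (concatenated) EAP-Message attributes, or 'absent'."""
    eap = b"".join(v for n, v in attrs if n == "EAP-Message")
    if len(eap) < 4:                             # EAP header is code, id, length (4 bytes)
        return "absent"
    return EAP_CODES.get(eap[0], f"Code-{eap[0]}")


def missing_eap_attributes(packet: bytes) -> List[str]:
    """Attributes from REQUIRED_FOR_EAP that the packet does not carry, in order."""
    _code, attrs = parse_radius(packet)
    present = {name for name, _ in attrs}
    return [name for name in REQUIRED_FOR_EAP if name not in present]


def build_radius(code: int, ident: int, attrs: List[Tuple[int, bytes]]) -> bytes:
    """Assemble a packet; the authenticator is zeroed because this is constructed test data."""
    body = b"".join(bytes([atype, len(value) + 2]) + value for atype, value in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body


def ms_vsa(vendor_type: int, value: bytes) -> bytes:
    """Wrap one Microsoft vendor attribute in a Vendor-Specific (26) value."""
    return struct.pack("!I", MS_VENDOR_ID) + bytes([vendor_type, len(value) + 2]) + value


# Constructed sample packets (not captured traffic); key and MAC bytes are placeholders.
EAP_SUCCESS = bytes([3, 1, 0, 4])                # EAP code 3 = Success, id 1, length 4
GOOD_ACCEPT = build_radius(2, 1, [
    (1, b"user@example.test"),
    (79, EAP_SUCCESS),
    (80, bytes(16)),                              # placeholder Message-Authenticator (not computed)
    (26, ms_vsa(16, b"\x80\x01" + bytes(32))),   # salt + placeholder encrypted key bytes
    (26, ms_vsa(17, b"\x80\x02" + bytes(32))),
])
BARE_ACCEPT = build_radius(2, 2, [])             # an Accept carrying no attributes at all

if __name__ == "__main__":
    for label, pkt in (("good", GOOD_ACCEPT), ("bare", BARE_ACCEPT)):
        code, attrs = parse_radius(pkt)
        print(label, code, [n for n, _ in attrs], "EAP:", eap_result(attrs),
              "missing:", missing_eap_attributes(pkt))
```

    The parser only checks that the attributes are present: on the wire the MS-MPPE key values are encrypted with the RADIUS shared secret and the Message-Authenticator is an HMAC-MD5 over the packet, and neither is verified here. Feed it the UDP payload of the Access-Accept from the capture and an empty Accept, as in the thread, shows up as all four attributes missing.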



  • 15.  RE: Client Authentication Problem and RADIUS

    Posted Aug 21, 2013 05:29 PM

    To add to cjoseph's point,

    If the AAA Test fails, you want to have the RADIUS guys check the server to make sure that the controller is a valid client on the RADIUS server. It could be possible that someone deleted it... You never know. I had the same issues recently and adding the controller back into the RADIUS server solved the issue.

    tupaa