
EAP-TLS WiFi clients stop to authenticate on Aruba 7010/7210/7240 on AOS 8.2.1.1 and 8.5.0.3

  • 1.  EAP-TLS WiFi clients stop to authenticate on Aruba 7010/7210/7240 on AOS 8.2.1.1 and 8.5.0.3

    Posted Feb 07, 2020 12:10 PM

    EAP-TLS WiFi clients stop to authenticate on Aruba 7010/7210/7240 on AOS 8.2.1.1 and 8.5.0.3

    We have an enterprise network with approximately 445 sites that all have local Aruba Mobility controllers.
    These are either 7010, 7210 or 7240 controllers, single or in a cluster configuration of two.
    The controllers run 8.2.1.1 and some run 8.5.0.3, as we are in an upgrade process to this version. The Mobility Master runs the latest version.

    We finished installing this environment in Q2 of 2019.

    Since October 2019 we have experienced the following problem:
    Sometimes (it has happened on seven sites up until now), in a cluster of two or more controllers, WiFi clients on our EAP-TLS based SSIDs stop being able to authenticate.
    The problem is fixed when we reload the controller.

    We see Authentication failed messages in the logs of the Mobility Controllers:

    Feb 5 10:10:05 dot1x-proc:1[4414]: <522275> <4414> <WARN> |dot1x-proc:1| User Authentication failed. username=host/username.eu.company.com userip=0.0.0.0 usermac=f0:d5:bf:94:21:3b authmethod=802.1x
    servername=clearpass serverip=10.20.30.1 apname=AP-RW01-a8bd27c52 158 bssid=a8:bd:27:d2:15:91

    The Clearpass server does not have any problem, as authentication takes place successfully on all (445) other sites in our enterprise.
    In Clearpass, the failed authentication attempts on the affected site arrive in the Access Tracker. All affected clients show up as "TIMEOUT".


    Has anyone experienced this and wants to share thoughts and possibly how you solved it?
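
A way to triage the 522275 "User Authentication failed" messages quoted in this post, as an added example that is not part of the original thread or Aruba's tooling: it counts distinct client MACs failing against the same server within a short window, which separates a site-wide stall from one misbehaving client. The sample lines are constructed in the format shown above; the year, window and threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the format of the 522275 message quoted above.
_T = ("Feb 5 {t} dot1x-proc:1[4414]: <522275> <4414> <WARN> |dot1x-proc:1| "
      "User Authentication failed. username=host/pc{n}.example.com userip=0.0.0.0 "
      "usermac=02:00:00:00:00:0{n} authmethod=802.1x servername=clearpass "
      "serverip=10.20.30.1 apname=AP-TEST bssid=02:aa:00:00:00:01")
SAMPLE_LOG = "\n".join(
    [_T.format(t=t, n=n) for t, n in [("10:10:05", 1), ("10:10:40", 2), ("10:11:10", 1),
                                      ("10:13:00", 3), ("10:40:00", 4)]]
    + ["Feb 5 10:12:00 constructed unrelated line the parser must skip"])

LINE_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) .*<522275>.*User Authentication failed\.(.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")

def parse_failures(text, year=2020):
    """Yield (timestamp, fields) per failure line. Syslog carries no year, so one is assumed."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a 522275 authentication failure
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        yield ts, dict(KV_RE.findall(m.group(2)))

def failure_bursts(text, window=timedelta(minutes=5), min_clients=3):
    """Map (servername, authmethod) to the peak number of distinct MACs failing
    inside any sliding window, keeping only groups that reach min_clients."""
    events = defaultdict(list)
    for ts, f in parse_failures(text):
        events[(f.get("servername"), f.get("authmethod"))].append((ts, f.get("usermac")))
    bursts = {}
    for key, evs in events.items():
        evs.sort(key=lambda e: e[0])
        best, start = 0, 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1  # drop events that fell out of the window
            best = max(best, len({mac for _, mac in evs[start:end + 1]}))
        if best >= min_clients:
            bursts[key] = best
    return bursts

if __name__ == "__main__":
    print(failure_bursts(SAMPLE_LOG))
```

The message only reports `authmethod=802.1x`, so it cannot tell EAP-TLS from PEAP; correlating a flagged burst with the RADIUS server's own records is still needed for that.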

     



  • 2.  RE: EAP-TLS WiFi clients stop to authenticate on Aruba 7010/7210/7240 on AOS 8.2.1.1 and 8.5.0.3

    Posted Feb 09, 2020 10:09 AM

    Looks like the client is not responding to the authentication request. The first thing to do is to enable user debugging and check the auth trace buffer.

    Do you see this issue on both versions? Do all the clients at the location with the issue experience problems connecting?



  • 3.  RE: EAP-TLS WiFi clients stop to authenticate on Aruba 7010/7210/7240 on AOS 8.2.1.1 and 8.5.0.3

    Posted Feb 09, 2020 04:31 PM

    Hello Willem,

     

    We thought it looked like the clients are not responding to the authentication request. However, reloading the controller fixes the issue without even touching the client or anything else.

    We see this issue on both versions, both 8.2 and 8.5.

    All clients that use the EAP-TLS SSIDs at the location with the issue experience issues authenticating.

    Clients making use of PEAP-based and open SSIDs do not face the issue and authenticate/connect without a problem.

     

    To us it looks like the authentication on the controller gets stuck on the Mobility controller (auth module) or something like that.



  • 4.  RE: EAP-TLS WiFi clients stop to authenticate on Aruba 7010/7210/7240 on AOS 8.2.1.1 and 8.5.0.3

    Posted Feb 10, 2020 03:31 AM

    Best is to open a support ticket for this.

     

    You can also enable some debugging at the controller to see if you can collect more information.

     

    logging security process dot1x-proc level debugging

    logging security process aaa level debugging



  • 5.  RE: EAP-TLS WiFi clients stop to authenticate on Aruba 7010/7210/7240 on AOS 8.2.1.1 and 8.5.0.3

    Posted Jan 27, 2021 04:03 PM
    Hi All,

    Apologies for opening an old discussion, however this describes our current issue perfectly. We are currently experiencing the exact same symptoms in a cluster of 2x 7210 running 8.7.1.1 code.

    I have a TAC case open working on this, but also wondering if anyone else has seen similar?

    The controllers will process MSCHAP, MAC, Guest etc. RADIUS via ClearPass no problem, but any EAP-TLS traffic will fail with timeouts until the controller is rebooted. The error logs are flooded with auth server timeouts and eventually the ClearPass source goes into an uptime of 0. Similar to the original poster, the ClearPass tracking logs are filled with TIMEOUTS or TLS failures.

    Thanks all

    ------------------------------
    Brent Buckley
    ------------------------------



  • 6.  RE: EAP-TLS WiFi clients stop to authenticate on Aruba 7010/7210/7240 on AOS 8.2.1.1 and 8.5.0.3

    Posted Oct 13, 2022 12:09 AM
    Hi All,

    Was there ever a resolution to this?  We are seeing the exact same behaviour on 8.6.0.18 in a cluster of 6x 7240XMs.


  • 7.  RE: EAP-TLS WiFi clients stop to authenticate on Aruba 7010/7210/7240 on AOS 8.2.1.1 and 8.5.0.3

    EMPLOYEE
    Posted Oct 13, 2022 04:33 AM
    Without looking at your setup, it sounds like it could be an MTU issue between your controllers and your radius server.  Does a WAN separate your controllers and your radius server?

    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    HPE Design and Deploy Guides: https://community.arubanetworks.com/support/migrated-knowledge-base?attachments=&communitykey=dcc83c62-1a3a-4dd8-94dc-92968ea6fff1&pageindex=0&pagesize=12&search=&sort=most_recent&viewtype=card
    ------------------------------