Wireless Access

Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.
VIA fails to establish secure session

  • 1.  VIA fails to establish secure session

    Posted Apr 18, 2012 05:58 AM

    Hi

    I just upgraded an Aruba 3200 to 6.1.3.1, because the customer wants to use VIA 2.x with MSCHAPv2.

    The client connects to the controller as it should and downloads the profile. Authentication is done through the Aruba and to a RADIUS server checking the AD username/password.

    When I try to connect the client, it fails to establish a secure session.

    Last night I was able to get the connection going, but with the internal database as auth server.

    Now I'm not able to get a secure connection to either the internal DB or RADIUS.

    When connecting to RADIUS I get this error message:

     

    Apr 18 11:00:17  isakmpd[1580]: <103063> <DBUG> |ike|  212.89.48.14:4500->  exchange=IKE_AUTH msgid=1 len=284
    Apr 18 11:00:17  isakmpd[1580]: <103063> <DBUG> |ike|  212.89.48.14:4500->  spi={554d0d4da179c5e3 1aaa1073464d39ba} np=E{IDi}
    Apr 18 11:00:17  isakmpd[1580]: <103063> <DBUG> |ike|  212.89.48.14:4500-> #RECV 288 bytes from 212.89.48.14(22234) at 159.171.108.70 (4283.428)
    Apr 18 11:00:17  isakmpd[1580]: <103063> <DBUG> |ike|  212.89.48.14:4500-> IKE_EXAMPLE_IKE_msgRecv: ip:d459300e  port:22234  server:0   len:288  numSkts:18
    Apr 18 11:00:17  isakmpd[1580]: <103063> <DBUG> |ike|  212.89.48.14:4500-> ike2.c (755):errorCode = ERR_IKE_GETSA_FAIL
    Apr 18 11:00:17  isakmpd[1580]: <103063> <DBUG> |ike|  212.89.48.14:4500-> udp_encap_handle_message IKEv2 pkt status:-8944
    Apr 18 11:00:17  isakmpd[1580]: <103063> <DBUG> |ike|  212.89.48.14:4500-> udp_encap_handle_message ver:2 serverInst:0 pktsize:288

    I'm not sure what the problem is, but as far as I can see there is a problem with the IKE exchange.

    Does anybody have a clue how to resolve this? Is there anything in the connection profile I'm missing?

     

    Roar Fossen



  • 2.  RE: VIA fails to establish secure session

    EMPLOYEE
    Posted Apr 18, 2012 06:19 AM

    Has this ever worked?

    Did you set an IKE preshared key on the controller? (yes, it is necessary)

     



  • 3.  RE: VIA fails to establish secure session

    Posted Apr 18, 2012 06:36 AM

    I had it working for a test last night, but as I have taken over this installation I'm not sure if the IKE preshared key was ever set.

    I reckon that you are referring to the IKE shared secret found under Configuration -> Advanced services -> VPN services.

    If that's the one, do I have to enter it somewhere in the VIA connection profile?

     

    Roar Fossen



  • 4.  RE: VIA fails to establish secure session

    EMPLOYEE
    Posted Apr 18, 2012 06:38 AM

    You do not have to enter it in the VIA profile. You just have to set one.

    In addition, please see the file here: http://community.arubanetworks.com/aruba/attachments/aruba/108/947/1/VIA-configuration-detail.pdf



  • 5.  RE: VIA fails to establish secure session

    Posted Apr 18, 2012 07:15 AM

    Thanks for the link, but as I want to use the VIA 2.x client with MSCHAPv2, I'm using the ArubaVIA2.0_UserGuide.pdf.

    I have now set an IKE shared secret, but the problem persists. The client has the same problem.

    Now with this error:

    Apr 18 12:44:00 :103063:  <DBUG> |ike|  212.89.48.14:4500-> udp_encap_handle_message ver:2 serverInst:0 pktsize:288
    Apr 18 12:44:00 :103063:  <DBUG> |ike|  212.89.48.14:4500-> IKE_EXAMPLE_IKE_msgRecv: ip:d459300e  port:17539  server:0   len:288  numSkts:18
    Apr 18 12:44:00 :103063:  <DBUG> |ike|  212.89.48.14:4500->
    Apr 18 12:44:00 :103063:  <DBUG> |ike|  212.89.48.14:4500-> #RECV 288 bytes from 212.89.48.14(17539) at 159.171.108.70 (10506.102)
    Apr 18 12:44:00 :103063:  <DBUG> |ike|  212.89.48.14:4500->  spi={363967d10b552a74 f1925aa9522a43de} np=E{IDi}
    Apr 18 12:44:00 :103063:  <DBUG> |ike|  212.89.48.14:4500->  exchange=IKE_AUTH msgid=1 len=284
    Apr 18 12:44:00 :103063:  <DBUG> |ike|  212.89.48.14:4500-> ike2.c (755): errorCode = ERR_IKE_GETSA_FAIL
    Apr 18 12:44:00 :103063:  <DBUG> |ike|  212.89.48.14:4500-> udp_encap_handle_message IKEv2 pkt status:-8944

     

    So I suspect that the shared secret was already set, as the connection was OK last night.

    When I had it running I used the internal DB as auth, but then switched to RADIUS. RADIUS was not working until I opened for PAP between RADIUS and Aruba. I was then able to authenticate my AD user through the VIA client as I log in.

    But when I try to connect, the secure session fails, and it beats me why.

    Roar Fossen



  • 6.  RE: VIA fails to establish secure session

    EMPLOYEE
    Posted Apr 18, 2012 07:17 AM

    Any message on the radius server?

     



  • 7.  RE: VIA fails to establish secure session

    Posted Apr 18, 2012 07:28 AM

    The RADIUS is working as it should. I authenticate with AD username/password as I log on to the client for the first time.

    The client then downloads the profile, but as I try to connect and establish the VPN tunnel, it fails with the error message I posted in my last post.

    Roar Fossen



  • 8.  RE: VIA fails to establish secure session

    EMPLOYEE
    Posted Apr 19, 2012 06:12 AM

    Mosher,

     

    I just looked at the document you used, and there is more configuration needed to do MSCHAPv2 on VIA that has not been included in that document. I will try to get some of that information for you shortly.



  • 9.  RE: VIA fails to establish secure session

    Posted Apr 19, 2012 06:17 AM

    Hmm, sounds interesting, but at the same time confusing.

    One of the major benefits of using VIA v2.x and AOS 6.1.3 is the availability of MSCHAPv2, and the document is missing some info?

    If you could provide the info, it would be much appreciated.

    Roar Fossen



  • 10.  RE: VIA fails to establish secure session

    EMPLOYEE
    Posted Apr 19, 2012 06:25 AM

    What is missing is that you need to create a server certificate for the controller (using the same CA as the RADIUS server), upload it to the controller and then reference it in the screenshot below in the VPN panel. That server certificate must be trusted by the client. You can try this ahead of time until we get the documentation added, or you can open a TAC case so that they can help.

    From the doc you mentioned, I do not think it is in there.

    [screenshot: cert_config.jpeg]



  • 11.  RE: VIA fails to establish secure session

    Posted Apr 19, 2012 06:31 AM

    Sweet, will talk to the customer about getting a server cert.

    I have already opened a TAC case with Aruba, but haven't got any useful feedback yet.

    Thanks a bunch

     

    Roar Fossen



  • 12.  RE: VIA fails to establish secure session

    EMPLOYEE
    Posted Apr 19, 2012 06:33 AM

    If the Windows Radius server simply has a server certificate from the domain enterprise CA, you can just create one for the controller from the same CA, because the client will trust it.

     



  • 13.  RE: VIA fails to establish secure session

    Posted Apr 19, 2012 06:40 AM

    Yes, I have done this for other customers when we want to incorporate proper 802.1X: adding a cert to a GPO, which is pushed to clients.

    I can just create a similar one from the local CA.

    Will try this and get back to you.

     

    Roar Fossen



  • 14.  RE: VIA fails to establish secure session

    Posted Jun 04, 2012 09:35 AM

    Hi

     

    Still no luck with this one.

    The TAC case I opened is still not giving me any good information on how the certificate is used and what it shall authenticate.

    The only answer I got is that it is used the same way as in EAP-TLS.

    We have dug a bit more and done some testing, and found that IKEv2 is failing, but not sure why. The log is inconclusive, but a few interesting lines were found.

    Jun 4 13:33:51 :103063:  <DBUG> |ike|   IKE_checkExpSa pxSa:0x10228a04 error:-8949 flags:
    2097169
    Jun 4 13:33:51 :103063:  <DBUG> |ike|   IKE2_updateSadb SA Expired
    Jun 4 13:33:51 :103063:  <DBUG> |ike|   IKE2_delSa error:-90034 saflags:200011 arflags:1
    Jun 4 13:33:51 :103063:  <DBUG> |ike|     IKE_SA [v2 R
    Jun 4 13:33:51 :103063:  <DBUG> |ike|   , status = -8949
    Jun 4 13:33:51 :103063:  <DBUG> |ike|   IKE2_delSa
    Jun 4 13:33:51 :103063:  <DBUG> |ike|   IKE2_delSa: deleting IPSEC SA 212.89.48.14:17824
    due to deletion of un-rekeyed IKE_SA
    Jun 4 13:33:51 :103063:  <DBUG> |ike|     CHILD_SA [v2 R
    Jun 4 13:33:51 :103063:  <DBUG> |ike|     auth=sha1  encr=aesDelete Timer Type 1
    Jun 4 13:33:51 :103063:  <DBUG> |ike|   Delete Timer Type 2
    Jun 4 13:33:51 :103063:  <DBUG> |ike|   EAP_sessionDelete: Deleted EAP, sessionId = 1

     

    The IP address referred to is the one I try to use the VIA client from.

    Whether this problem is because of something wrong with the IKE server certificate, I don't know.

     

    Roar


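    As an added triage helper (not from this thread, and not Aruba's code): the parser below reads isakmpd `|ike|` debug lines in the two layouts shown in this thread (the `isakmpd[pid]: <id>` form and the `:id:` form, with or without the `peer:port->` prefix) and groups, per peer, which IKEv2 exchange was in flight and which error codes or status values followed it, so the failing step can be picked out of a long debug dump. The sample log is constructed from the excerpts above, and the field names are my own.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the isakmpd debug excerpts in this thread
SAMPLE_LOG = """\
Apr 18 11:00:17  isakmpd[1580]: <103063> <DBUG> |ike|  212.89.48.14:4500->  exchange=IKE_AUTH msgid=1 len=284
Apr 18 11:00:17  isakmpd[1580]: <103063> <DBUG> |ike|  212.89.48.14:4500-> ike2.c (755):errorCode = ERR_IKE_GETSA_FAIL
Apr 18 11:00:17  isakmpd[1580]: <103063> <DBUG> |ike|  212.89.48.14:4500-> udp_encap_handle_message IKEv2 pkt status:-8944
Jun 4 13:33:51 :103063:  <DBUG> |ike|   IKE_checkExpSa pxSa:0x10228a04 error:-8949 flags:
Jun 4 13:33:51 :103063:  <DBUG> |ike|   IKE2_delSa: deleting IPSEC SA 212.89.48.14:17824
"""
# Both layouts seen in the thread ("isakmpd[pid]: <id>" and ":id:"); "peer:port->" is optional (SA-expiry lines omit it)
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d)\s+"
    r"(?:isakmpd\[\d+\]: <\d+>|:\d+:)\s+<(?P<level>\w+)> \|ike\|\s*"
    r"(?:(?P<peer>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)->)?\s*(?P<msg>.*)$"
)
FIELD_RES = {  # fields pulled out of the free-text message part (names are my own)
    "exchange": re.compile(r"exchange=(\w+)"),
    "error_code": re.compile(r"errorCode = (\w+)"),
    "status": re.compile(r"(?:status|error):(-?\d+)"),
    "deleted_sa": re.compile(r"deleting IPSEC SA (\d{1,3}(?:\.\d{1,3}){3}):\d+"),
}

def parse_ike_log(text):
    """Turn each |ike| debug line into a dict of the fields it carries."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not an isakmpd |ike| line
        ev = {k: v for k, v in m.groupdict().items() if v is not None}
        for name, rx in FIELD_RES.items():
            f = rx.search(ev["msg"])
            if f:
                ev[name] = f.group(1)
        if "peer" not in ev and "deleted_sa" in ev:
            ev["peer"] = ev["deleted_sa"]  # SA-delete lines name the peer in the text instead
        events.append(ev)
    return events

def triage(text):
    """Per peer: IKEv2 exchanges seen and the error codes / status values that followed."""
    per_peer = defaultdict(lambda: {"exchanges": [], "errors": []})
    for ev in parse_ike_log(text):
        peer = ev.get("peer", "unknown")
        if "exchange" in ev:
            per_peer[peer]["exchanges"].append(ev["exchange"])
        for key in ("error_code", "status"):
            if key in ev:
                per_peer[peer]["errors"].append(ev[key])
    return dict(per_peer)
```

    Run against the real `show log security`-style dump for the peer in question; a peer whose last exchange is IKE_AUTH followed by an errorCode, with no CHILD_SA lines, has failed before the tunnel was built.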

  • 15.  RE: VIA fails to establish secure session

    Posted Sep 28, 2012 05:30 PM

    Did you ever get this resolved?  I have somewhat of a similar situation.



  • 16.  RE: VIA fails to establish secure session

    Posted Oct 01, 2012 02:30 AM

    Nope, this is not resolved.

     

    I have actually had Aruba technicians look at the computer running the VIA client, and at the same time given them access to the controller.

    As for now I haven't gotten any conclusion from my Aruba contact regarding this case after they thoroughly went through the configuration and the PC client.

    Documentation on this IKEv2 with MSCHAPv2 is kind of slim, and Aruba knows it, so I rely on Airheads and the Aruba technicians.

     

    I will update this thread as fast as I get an answer.

     

    Roar Fossen



  • 17.  RE: VIA fails to establish secure session

    EMPLOYEE
    Posted Oct 01, 2012 05:50 AM

    Mosher,

     

    Can you please PM me your TAC case # so that we can get this looked at?

     

    Thank you.

     

     



  • 18.  RE: VIA fails to establish secure session

    Posted Oct 01, 2012 06:06 AM

    Hi

     

    Well, I opened a TAC case earlier without getting any useful help. So I approached the head of TAC in EMEA at the Aruba EMEA conference in Nice, France this summer and got in touch with a guy helping me. He has done extensive testing and has a few issues on his hands, some bug in the code related to VIA, and some issues with 2003 server.

     

    I have just gotten an update from him, so if I get a more accurate solution, I will post it.

     

    Roar Fossen



  • 19.  RE: VIA fails to establish secure session

    EMPLOYEE
    Posted Oct 01, 2012 06:12 AM

    Mosher, Thank you.

     

    Stargaten, you could be having a separate issue so please open a TAC case or let us know what your setup is here, and what error you are getting.

     



  • 20.  RE: VIA fails to establish secure session

    Posted Mar 27, 2020 10:48 AM

    Hi all,

    I have Master 1 in 6.5 which has a few APs and local controllers. Master 1 has all licenses and will act as license server. I have another Master 2 running 6.5 which can reach Master 1; however, Master 2 doesn't have a license. In Master 2, I have given the license server IP as Master 1. Is the below topology supported in centralized licensing for license server IP?

     

    Master 1 ------------- Local controller ----- APs

    |

    |

    Master 2 ----------- APs

     

    Regards,

    Sandeep.



  • 21.  RE: VIA fails to establish secure session

    EMPLOYEE
    Posted Mar 27, 2020 12:15 PM

    This should be a new thread rather than a follow-up on an 8 year old VIA topic.
