Wireless Access

Ever since migrating to 8.x code from 6.x we received a handful of reports with issues with our AD Managed wireless laptops.

One of the issues we are seeing is when a user with cached credentials logs into a wireless machine, they see the message "Unable to Connect to Network, logging on".  Our AD machines are configured to machine auth using the AD Computer object.  I confirmed that when the machine is that the control-alt-delete screen, they have a valid role and IP address. I started a ping to the machines IP from my desktop and proceeded to login with my AD credentials.  After doing so, the machine drops a few pings, displays the "unable to connect message" and continues to login with cached credentials, then the machine starts pinging again.

Also once a user is logged into the machine, they get the message they were logged on using previously stored credentials and their mapped drives have red Xs.  However, you can just click on them and they connect.

If a user without cached credentials trys to login they get the "no logon sevrers" message, even though the machine is machine authed with valid IP and role.

I have compared all of the settings for this VAP and AAA profile between the old and new controller environment and they are identical.  I also opened a TAC case but they were unable to find any issues with the config.  If I bring up an AP on our old controllers the issue goes away when connected to that AP.

We use NPS for our AD joined machines and are running 8.4.0.1 with 7240XMs for the MDs.

Anyone else seen this issue?

-

Are you doing machine authentication?  Are you changing roles or VLANs depending on user or machine authentication?

cjoseph,

Yes we are doing machine auth and no the roles are the same between the machine auth and user auth.

What about the VLANS?  Can you ping a user's device before the user logs into the ctrl-alt-delete screen?

Try "show ap client trail-info <mac address of client>" to see if the VLAN is changing.

Yes I can ping the device before the user logs in and the VLAN stays the same after they log in, it just drops a few pings after they click sign in.  When it drops pings it appears to dissassociate and reassociate.  As soon as I see it stop pinging the "Unable to connect to Network, logging on" message appears.

If there are cached credentials it will continue.  If not, it won't let the user log in. 

What are the ACLS on the machine authenticated role?  (show rights <role>).

Valid = 'Yes'
CleanedUp = 'No'
Derived Role = 'FacStaff-NAP'
Up BW:No Limit Down BW:No Limit
L2TP Pool = default-l2tp-pool
PPTP Pool = default-pptp-pool
Number of users referencing it = 512
Assigned VLAN = gcn_pool
Periodic reauthentication: Disabled
DPI Classification: Enabled
Youtube education: Disabled
Web Content Classification: Enabled
IP-Classification Enforcement: Enabled
ACL Number = 111/0
Openflow: Enabled
Max Sessions = 65535

Check CP Profile for Accounting = TRUE

Application Exception List
--------------------------
Name Type
---- ----

Application BW-Contract List
----------------------------
Name Type BW Contract Id Direction
---- ---- ----------- -- ---------

access-list List
----------------
Position Name Type Location
-------- ---- ---- --------
1 global-sacl session
2 apprf-facstaff-nap-sacl session
3 allowdhcp-denydhcpserver session
4 deny-controller session
5 allowall session

global-sacl
-----------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan IPv4/6 Contract
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------ --------
apprf-facstaff-nap-sacl
-----------------------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan IPv4/6 Contract
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------ --------
allowdhcp-denydhcpserver
------------------------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan IPv4/6 Contract
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------ --------
1 user any udp 68 deny Low 4
2 any any svc-dhcp permit Low 4
deny-controller
---------------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan IPv4/6 Contract
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------ --------
1 any public-controller-ip any deny Low 4
allowall
--------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan IPv4/6 Contract
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------ --------
1 any any any permit Low 4
2 any any any-v6 permit Low 6

Expired Policies (due to time constraints) = 0

-

We would then move to look at the AAA and the 802.1x profiles to see if there is anything non-default.

Assigned VLAN = gcn_pool

Wait.  I would remove the VLAN pool from the user role.  You should assign the Vlan Pool to the Virtual AP.

AAA Profile "UNCG-GCN-FacStaff"
-------------------------------
Parameter Value
--------- -----
Initial role DropALL
MAC Authentication Profile N/A
MAC Authentication Default Role guest
MAC Authentication Server Group default
802.1X Authentication Profile UNCG-GCN-FacStaff
802.1X Authentication Default Role DropALL
802.1X Authentication Server Group nps
Download Role from CPPM Disabled
Set username from dhcp option 12 Disabled
L2 Authentication Fail Through Disabled
Multiple Server Accounting Disabled
User idle timeout N/A
Max IPv4 for wireless user 2
RADIUS Accounting Server Group nps
RADIUS Roaming Accounting Disabled
RADIUS Interim Accounting Disabled
RADIUS Acct-Session-Id In Access-Request Disabled
XML API server N/A
RFC 3576 server N/A
User derivation rules N/A
Wired to Wireless Roaming Disabled
Reauthenticate wired user on VLAN change Disabled
Device Type Classification Enabled
Enforce DHCP Disabled
PAN Firewall Integration Disabled
Open SSID radius accounting Disabled
Apply ageout mechanism on bridge mode wireless clients Disabled

802.1X Authentication Profile "UNCG-GCN-FacStaff"
-------------------------------------------------
Parameter Value
--------- -----
Max authentication failures 0
Enforce Machine Authentication Disabled
Machine Authentication: Default Machine Role guest
Machine Authentication Cache Timeout 24 hr(s)
Blacklist on Machine Authentication Failure Disabled
Machine Authentication: Default User Role FacStaff-NONAP
Interval between Identity Requests 5 sec
Quiet Period after Failed Authentication 30 sec
Reauthentication Interval 3600 sec
Use Server provided Reauthentication Interval Disabled
Use the termination-action attribute from the Server Disabled
Multicast Key Rotation Time Interval 1800 sec
Unicast Key Rotation Time Interval 900 sec
Authentication Server Retry Interval 5 sec
Authentication Server Retry Count 3
Framed MTU 1100 bytes
Max number of requests sent during an Auth attempt 5
Max Number of Reauthentication Attempts 3
Maximum number of times Held State can be bypassed 0
Dynamic WEP Key Message Retry Count 1
Dynamic WEP Key Size 128 bits
Interval between WPA/WPA2/WPA3 Key Messages 1500 msec
Delay between EAP-Success and WPA2/WPA3 Unicast Key Exchange 170 msec
Delay between WPA/WPA2/WPA3 Unicast Key and Group Key Exchange 0 msec
Time interval after which the PMKSA will be deleted 8 hr(s)
Delete Keycache upon user deletion Disabled
WPA/WPA2/WPA3 Key Message Retry Count 1
Multicast Key Rotation Disabled
Unicast Key Rotation Disabled
Reauthentication Enabled
Opportunistic Key Caching Enabled
Validate PMKID Disabled
Use Session Key Disabled
Use Static Key Disabled
xSec MTU 1300 bytes
Termination Disabled
Termination EAP-Type N/A
Termination Inner EAP-Type N/A
Enforce Suite-B 128 bit or more security level Authentication Disabled
Enforce Suite-B 192 bit security level Authentication Disabled
Token Caching Disabled
Token Caching Period 24 hr(s)
CA-Certificate N/A
Server-Certificate default
TLS Guest Access Disabled
TLS Guest Role guest
Ignore EAPOL-START after authentication Disabled
Handle EAPOL-Logoff Disabled
Ignore EAP ID during negotiation. Disabled
WPA-Fast-Handover Disabled
Check certificate common name against AAA server Enabled

-

@cjoseph

I tried removing the VLAN pool from the user role and letting the VAP assign the VLAN pool and that did not make a difference in the behavior.

One thing to note, this is a Hidden SSID.  Not sure if that makes a difference.

A hidden SSID should not make a difference if worked before.

I would:

- Have the computer sit at the ctrl-alt-delete screen and ensure it passed machine authentication

- Type "show datapath session table <ip address of laptop>" every few seconds to ensure that no traffic is being blocked or treated incorrectly.

- Login to the laptop and run the same command above to see what the laptop is attempting to do while you are logging in.

Alternatively, I would start a device pcap on the controller and analyze the flow of traffic in wireshark to see during bootup and login what could be happening:

https://community.arubanetworks.com/t5/Controller-Based-WLANs/HOW-TO-DO-DATAPATH-PACKET-CAPTURE-FOR-WIRELESS-CLIENT-FROM/ta-p/179940

I had a session yesterday with Aruba ERT about this issue.  He took captures and looked at the show datapath session, auth tracebuf and a number of other things.  Hes going to look those over and get back with me.