Occasional Contributor II

deauth to sta

I have a client that cannot connect to our production wireless network but can connect to a development network on the same access point. The client is using the same machine and 802.1x authentication for each network. I have debug logs for a successful (dev) and a failed (prd) session but the main difference I see is:

 

//a success

Mar 20 13:24:56 :522035:  <INFO> |authmgr|  MAC=68:a3:c4:c9:xx:xx Station UP: BSSID=d8:c7:c8:xx:2f:41 ESSID=dev VLAN=2 AP-name=ab208

Mar 20 13:24:56 :522004:  <DBUG> |authmgr|  MAC=68:a3:c4:c9:xx:xx ingress 0x10f1 (tunnel 145), u_encr 16, m_encr 4112, slotport 0x1000 

Mar 20 13:25:25 :522038:  <INFO> |authmgr|  MAC=68:a3:c4:c9:xx:xx IP=0.0.0.0 Authentication result=Authentication Successful method=802.1x server=ACS-B

//role, IP and other good stuff happen

 

//a failure

Mar 20 13:24:12 :522035:  <INFO> |authmgr|  MAC=68:a3:c4:c9:xx:xx Station UP: BSSID=d8:c7:c8:xx:2f:40 ESSID=prd VLAN=2 AP-name=ab208

Mar 20 13:24:12 :522004:  <DBUG> |authmgr|  MAC=68:a3:c4:c9:xx:xx ingress 0x11b6 (tunnel 342), u_encr 16, m_encr 4112, slotport 0x1000 

//repeat the previous message five more times, then

Mar 20 13:24:31 :501106:  <NOTI> |stm|  Deauth to sta: 68:a3:c4:c9:xx:xx: Ageout AP 10.xxx.70.210-d8:c7:xx:xx:2f:40-ab208 handle_sapcp

//followed by similar messages

 

 

Anybody have an idea?

Guru Elite

Re: deauth to sta



While the client is failing, type "show auth-tracebuf mac <mac address of client>" to see why.

 


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.3 User Guide
InstantOS 8.3 User Guide
Airheads Knowledgebase
Airheads Learning Videos
Occasional Contributor II

Re: deauth to sta

Thank you, neat command!

 

I see:

 

Mar 21 13:32:52  station-up             *  68:a3:c4:c9:xx:xx  d8:c7:c8:bf:xx:xx                  -    -     wpa tkip

Mar 21 13:32:52  eap-id-req            <-  68:a3:c4:c9:xx:xx  d8:c7:c8:bf:xx:xx                  1    5     

Mar 21 13:32:53  station-up             *  68:a3:c4:c9:xx:xx  d8:c7:c8:bf:xx:xx                  -    -     wpa tkip

Mar 21 13:32:53  eap-id-req            <-  68:a3:c4:c9:xx:xx  d8:c7:c8:bf:xx:xx                  1    5     

Mar 21 13:32:53  eap-start             ->  68:a3:c4:c9:xx:xx  d8:c7:c8:bf:xx:xx                  -    -     

Mar 21 13:32:53  eap-id-req            <-  68:a3:c4:c9:xx:xx  d8:c7:c8:bf:xx:xx                  1    5     

Mar 21 13:32:55  station-up             *  68:a3:c4:c9:xx:xx  d8:c7:c8:bf:xx:xx                  -    -     wpa tkip

Mar 21 13:32:55  eap-id-req            <-  68:a3:c4:c9:xx:xx  d8:c7:c8:bf:xx:xx                  1    5     

Mar 21 13:32:55  eap-start             ->  68:a3:c4:c9:xx:xx  d8:c7:c8:bf:xx:xx                  -    -     

Mar 21 13:32:55  eap-id-req            <-  68:a3:c4:c9:xx:xx  d8:c7:c8:bf:xx:xx                  1    5     

Mar 21 13:32:56  station-up             *  68:a3:c4:c9:xx:xx  d8:c7:c8:bf:xx:xx                  -    -     wpa tkip

 

over and over again, credentials are never passed and authentication servers don't get into the mix, which is different from a successful logon. I don't understand what the command reference guide is telling me about the arrows and if this is on the client or server side.
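Added example (not part of the original posts, and not Aruba code): a short Python check over `show auth-tracebuf` rows that flags the pattern in the trace above, repeated identity requests with no reply from the station. It assumes `->` marks a frame received from the station and `<-` a frame sent to it, which matches the 802.1X roles of `eap-start` and `eap-id-req`; the second sample and its `eap-id-resp` event name are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Row layout as posted above: date, time, event, direction, station MAC, BSSID, ...
LINE = re.compile(r"^\w{3}\s+\d+\s+[\d:]+\s+(\S+)\s+(\*|->|<-)\s+(\S+)\s+(\S+)")

# Sample rows copied from the trace in the post (MACs masked the same way).
STALLED = """\
Mar 21 13:32:52  station-up   *  68:a3:c4:c9:xx:xx  d8:c7:c8:bf:xx:xx  -  -  wpa tkip
Mar 21 13:32:52  eap-id-req  <-  68:a3:c4:c9:xx:xx  d8:c7:c8:bf:xx:xx  1  5
Mar 21 13:32:53  station-up   *  68:a3:c4:c9:xx:xx  d8:c7:c8:bf:xx:xx  -  -  wpa tkip
Mar 21 13:32:53  eap-id-req  <-  68:a3:c4:c9:xx:xx  d8:c7:c8:bf:xx:xx  1  5
Mar 21 13:32:53  eap-start   ->  68:a3:c4:c9:xx:xx  d8:c7:c8:bf:xx:xx  -  -
Mar 21 13:32:53  eap-id-req  <-  68:a3:c4:c9:xx:xx  d8:c7:c8:bf:xx:xx  1  5
Mar 21 13:32:55  station-up   *  68:a3:c4:c9:xx:xx  d8:c7:c8:bf:xx:xx  -  -  wpa tkip
"""

# Constructed rows for a station that answers; the event name is an assumption.
PROGRESSED = """\
Mar 21 13:40:01  station-up   *  02:00:00:00:00:01  02:00:00:00:00:aa  -  -  wpa2 aes
Mar 21 13:40:01  eap-id-req  <-  02:00:00:00:00:01  02:00:00:00:00:aa  1  5
Mar 21 13:40:01  eap-id-resp ->  02:00:00:00:00:01  02:00:00:00:00:aa  1  9
"""

def parse_trace(text):
    """Yield (event, direction, station, bssid) per trace row; skip other lines."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            yield m.groups()

def diagnose(text, min_requests=3):
    """Per station: flag a handshake that never gets past the identity request."""
    events, answered = defaultdict(Counter), defaultdict(bool)
    for event, direction, sta, _bssid in parse_trace(text):
        events[sta][event] += 1
        # Assumption: "->" is a frame from the station. Anything it sends
        # other than EAPOL-Start means the supplicant answered the request.
        if direction == "->" and event != "eap-start":
            answered[sta] = True
    report = {}
    for sta, c in events.items():
        stalled = c["eap-id-req"] >= min_requests and not answered[sta]
        report[sta] = {"verdict": "stalled-at-identity" if stalled else "progressed",
                       "id_requests": c["eap-id-req"], "reassociations": c["station-up"]}
    return report

if __name__ == "__main__":
    print(diagnose(STALLED))
```

A `stalled-at-identity` verdict with a rising `reassociations` count means the exchange stops before any credentials reach the authentication server, so the server logs will show nothing for that station.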

 

Guru Elite

Re: deauth to sta

Are you sure the client is configured with the right encryption?

 


Occasional Contributor II

Re: deauth to sta

Yes. We went through and manually set it for WPA2-Enterprise and AES as a test, still could not get it to go. We run in mixed mode; either TKIP or AES is valid.

Guru Elite

Re: deauth to sta

Are these 802.11n access points?  If so, the 802.11n standard only allows cipher types of AES and Open.  TKIP is not allowed.

 


Occasional Contributor II

Re: deauth to sta

They are N. Good point. When I manually configure the client to use WPA2 and AES (which I can see using the command you gave me, thanks again) they still cannot connect. I'm beginning to think it is the client's system, but it is at a remote location and the client does not have other devices available to test with.

Guru Elite

Re: deauth to sta

You probably want to open a case so that they can see the full picture...  Has this EVER worked?

 


Occasional Contributor II

Re: deauth to sta

With this device, no, it has never worked. Other devices, yes.

Guru Elite

Re: deauth to sta

Have you considered upgrading the client drivers?

 

