Wireless Access

last person joined: 21 hours ago 

Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.
Back to discussions
Expand all | Collapse all

everything but an iPhone works

This thread has been viewed 1 times

  • 1.  everything but an iPhone works

    Posted Dec 08, 2013 05:00 PM

    I can connect win7/8, android, laptop, tablet, phone - but not iPhones (I don't have a iPad to test with)

     

    Here is what I am seeing on the controller:

     

    Dec  8 16:48:32  authmgr[2070]: <124004> <DBUG> |authmgr|  AUTH GSM PUBLISH MAC user: BSS:9c:1c:12:a2:ff:20 MAC:6c:3e:6d:4c:05:bf VLAN:26 wired_or_wifi:1 data-ready:0 Dec  8 16:48:32  authmgr[2070]: <124004> <DBUG> |authmgr|  AUTH GSM: ADD STA channel event:0 for mac:6c:3e:6d:4c:05:bf Dec  8 16:48:32  authmgr[2070]: <124004> <DBUG> |authmgr|  AUTH GSM: DELETE MAC user 6c:3e:6d:4c:05:bf Dec  8 16:48:32  authmgr[2070]: <124004> <DBUG> |authmgr|  AUTH GSM: USER uuid(0x7c), mac(6c:3e:6d:4c:05:bf), name(), role(logon), devtype(), wired(0), auth_type(0), auth_subtype(0), encrypt_type(10), conn_port(0) Dec  8 16:48:32  authmgr[2070]: <124004> <DBUG> |authmgr|  AUTH GSM: USER uuid(0x7c), mac(6c:3e:6d:4c:05:bf), name(), role(logon), devtype(), wired(0), auth_type(0), auth_subtype(0), encrypt_type(10), conn_port(0) Dec  8 16:48:32  authmgr[2070]: <124004> <DBUG> |authmgr|  AUTH GSM: chan sta : DEL 6c:3e:6d:4c:05:bf ageout 0 Dec  8 16:48:32  authmgr[2070]: <124090> <DBUG> |authmgr|  Free macuser 0x0x107121f4 and user 0x0x10862764 for mac 6c:3e:6d:4c:05:bf. Dec  8 16:48:32  authmgr[2070]: <124091> <DBUG> |authmgr|  station_check_license_limits: mac 6c:3e:6d:4c:05:bf  encr-algo:64. Dec  8 16:48:32  authmgr[2070]: <124093> <DBUG> |authmgr|  Called mac_station_new() for mac 6c:3e:6d:4c:05:bf. Dec  8 16:48:32  authmgr[2070]: <124103> <DBUG> |authmgr|  Setting user 6c:3e:6d:4c:05:bf aaa profile to SPI_INTERNAL_AAA, reason: ncfg_get_wireless_aaa_prof. Dec  8 16:48:32  authmgr[2070]: <124103> <DBUG> |authmgr|  Setting user 6c:3e:6d:4c:05:bf aaa profile to SPI_INTERNAL_AAA, reason: ncfg_set_aaa_profile_defaults.

     

    Dec  8 16:44:40  authmgr[2070]: <124004> <DBUG> |authmgr|  AUTH GSM PUBLISH MAC user: BSS:9c:1c:12:a3:25:f0 MAC:c8:19:f7:0b:6e:24 VLAN:26 wired_or_wifi:1 data-ready:0 Dec  8 16:44:40  authmgr[2070]: <124004> <DBUG> |authmgr|  AUTH GSM: ADD STA channel event:0 for mac:c8:19:f7:0b:6e:24 Dec  8 16:44:40  authmgr[2070]: <124004> <DBUG> |authmgr|  AUTH GSM: DELETE MAC user c8:19:f7:0b:6e:24 Dec  8 16:44:40  authmgr[2070]: <124004> <DBUG> |authmgr|  AUTH GSM: USER uuid(0x63), mac(c8:19:f7:0b:6e:24), name(gibbonr1), role(EMPLOYEE-ROLE), devtype(Android), wired(0), auth_type(4), auth_subtype(9), encrypt_type(10), conn_port(0) Dec  8 16:44:40  authmgr[2070]: <124004> <DBUG> |authmgr|  AUTH GSM: USER uuid(0x72), mac(c8:19:f7:0b:6e:24), name(), role(logon), devtype(Android), wired(0), auth_type(0), auth_subtype(0), encrypt_type(10), conn_port(0) Dec  8 16:44:40  authmgr[2070]: <124004> <DBUG> |authmgr|  AUTH GSM: chan sta : DEL c8:19:f7:0b:6e:24 ageout 0 Dec  8 16:44:40  authmgr[2070]: <124090> <DBUG> |authmgr|  Free macuser 0x0x10744554 and user 0x0x10743b3c for mac c8:19:f7:0b:6e:24. Dec  8 16:44:40  authmgr[2070]: <124091> <DBUG> |authmgr|  station_check_license_limits: mac c8:19:f7:0b:6e:24  encr-algo:64. Dec  8 16:44:40  authmgr[2070]: <124093> <DBUG> |authmgr|  Called mac_station_new() for mac c8:19:f7:0b:6e:24. Dec  8 16:44:40  authmgr[2070]: <124103> <DBUG> |authmgr|  Setting user c8:19:f7:0b:6e:24 aaa profile to SPI_INTERNAL_AAA, reason: ncfg_get_wireless_aaa_prof. Dec  8 16:44:40  authmgr[2070]: <124103> <DBUG> |authmgr|  Setting user c8:19:f7:0b:6e:24 aaa profile to SPI_INTERNAL_AAA, reason: ncfg_set_aaa_profile_defaults.

     

     

     I am sorry that looks so ugly...but the fourth l;ine down in either case is the difference. On the droid, my name, role, devtype, auth-type, and auth-subtype are all being passed on the android, none are being passed on the iPhone. Any ideas? I've been banging away at this for a little over 7 hours now to no avail.

     

    Thanks,

     

    Russell

     



  • 2.  RE: everything but an iPhone works

    Posted Dec 08, 2013 07:36 PM

     

    What AOS are you using ?

     

    What iOS the phone has installed ?

     

    What type of authentication that SSID is using ?

     

    Can you please share the following :

     

    show auth-tracebuf  | include <device mac>

     

    Have you tried resetting the network settings in the iPhone and try again ?



  • 3.  RE: everything but an iPhone works

    Posted Dec 08, 2013 08:36 PM

    What AOS are you using ?   ArubaOS 6.2.1.3

     

    What iOS the phone has installed ?  iOS 7.0.4

     

    What type of authentication that SSID is using ?  WPA2-Enterprise

     

    Can you please share the following :

    Dec  8 20:25:18  station-up             *  44:d8:84:42:6a:26  9c:1c:12:a2:ff:21            -      -     wpa2 aes
    Dec  8 20:25:18  eap-id-req            <-  44:d8:84:42:6a:26  9c:1c:12:a2:ff:21            1      5
    Dec  8 20:25:18  eap-id-resp           ->  44:d8:84:42:6a:26  9c:1c:12:a2:ff:21            1      12    davise1
    Dec  8 20:25:18  rad-req               ->  44:d8:84:42:6a:26  9c:1c:12:a2:ff:21            65458  222
    Dec  8 20:25:18  rad-resp              <-  44:d8:84:42:6a:26  9c:1c:12:a2:ff:21/SPIPSEC06  65458  90
    Dec  8 20:25:18  eap-req               <-  44:d8:84:42:6a:26  9c:1c:12:a2:ff:21            2      6
    Dec  8 20:25:18  eap-resp              ->  44:d8:84:42:6a:26  9c:1c:12:a2:ff:21            2      152
    Dec  8 20:25:18  rad-req               ->  44:d8:84:42:6a:26  9c:1c:12:a2:ff:21/SPIPSEC06  65459  400
    Dec  8 20:25:18  rad-resp              <-  44:d8:84:42:6a:26  9c:1c:12:a2:ff:21/SPIPSEC06  65459  1188
    Dec  8 20:25:18  eap-req               <-  44:d8:84:42:6a:26  9c:1c:12:a2:ff:21            3      1096
    Dec  8 20:25:18  eap-resp              ->  44:d8:84:42:6a:26  9c:1c:12:a2:ff:21            3      6
    Dec  8 20:25:18  rad-req               ->  44:d8:84:42:6a:26  9c:1c:12:a2:ff:21/SPIPSEC06  65460  254
    Dec  8 20:25:18  rad-resp              <-  44:d8:84:42:6a:26  9c:1c:12:a2:ff:21/SPIPSEC06  65460  1050
    Dec  8 20:25:18  eap-req               <-  44:d8:84:42:6a:26  9c:1c:12:a2:ff:21            4      960
    Dec  8 20:25:21  eap-resp              ->  44:d8:84:42:6a:26  9c:1c:12:a2:ff:21            4      220
    Dec  8 20:25:21  rad-req               ->  44:d8:84:42:6a:26  9c:1c:12:a2:ff:21/SPIPSEC06  65461  468
    Dec  8 20:25:21  rad-resp              <-  44:d8:84:42:6a:26  9c:1c:12:a2:ff:21/SPIPSEC06  65461  153
    Dec  8 20:25:21  eap-req               <-  44:d8:84:42:6a:26  9c:1c:12:a2:ff:21            5      69
    Dec  8 20:25:21  eap-resp              ->  44:d8:84:42:6a:26  9c:1c:12:a2:ff:21            5      6
    Dec  8 20:25:21  rad-req               ->  44:d8:84:42:6a:26  9c:1c:12:a2:ff:21/SPIPSEC06  65462  254
    Dec  8 20:25:21  rad-resp              <-  44:d8:84:42:6a:26  9c:1c:12:a2:ff:21/SPIPSEC06  65462  127
    Dec  8 20:25:21  eap-req               <-  44:d8:84:42:6a:26  9c:1c:12:a2:ff:21            6      43
    Dec  8 20:25:21  eap-resp              ->  44:d8:84:42:6a:26  9c:1c:12:a2:ff:21            6      43
    Dec  8 20:25:21  rad-req               ->  44:d8:84:42:6a:26  9c:1c:12:a2:ff:21/SPIPSEC06  65463  291
    Dec  8 20:25:21  rad-resp              <-  44:d8:84:42:6a:26  9c:1c:12:a2:ff:21/SPIPSEC06  65463  143
    Dec  8 20:25:21  eap-req               <-  44:d8:84:42:6a:26  9c:1c:12:a2:ff:21            7      59
    Dec  8 20:25:21  eap-resp              ->  44:d8:84:42:6a:26  9c:1c:12:a2:ff:21            7      43
    Dec  8 20:25:21  rad-req               ->  44:d8:84:42:6a:26  9c:1c:12:a2:ff:21/SPIPSEC06  65464  291
    Dec  8 20:25:21  rad-resp              <-  44:d8:84:42:6a:26  9c:1c:12:a2:ff:21/SPIPSEC06  65464  159
    Dec  8 20:25:21  eap-req               <-  44:d8:84:42:6a:26  9c:1c:12:a2:ff:21            8      75
    Dec  8 20:25:21  eap-resp              ->  44:d8:84:42:6a:26  9c:1c:12:a2:ff:21            8      107
    Dec  8 20:25:21  rad-req               ->  44:d8:84:42:6a:26  9c:1c:12:a2:ff:21/SPIPSEC06  65465  355
    Dec  8 20:25:21  rad-resp              <-  44:d8:84:42:6a:26  9c:1c:12:a2:ff:21/SPIPSEC06  65465  175
    Dec  8 20:25:21  eap-req               <-  44:d8:84:42:6a:26  9c:1c:12:a2:ff:21            9      91
    Dec  8 20:25:21  eap-resp              ->  44:d8:84:42:6a:26  9c:1c:12:a2:ff:21            9      43
    Dec  8 20:25:21  rad-req               ->  44:d8:84:42:6a:26  9c:1c:12:a2:ff:21/SPIPSEC06  65466  291
    Dec  8 20:25:21  rad-resp              <-  44:d8:84:42:6a:26  9c:1c:12:a2:ff:21/SPIPSEC06  65466  191
    Dec  8 20:25:21  eap-req               <-  44:d8:84:42:6a:26  9c:1c:12:a2:ff:21            11     107
    Dec  8 20:25:21  eap-resp              ->  44:d8:84:42:6a:26  9c:1c:12:a2:ff:21            11     43
    Dec  8 20:25:21  rad-req               ->  44:d8:84:42:6a:26  9c:1c:12:a2:ff:21/SPIPSEC06  65467  291
    Dec  8 20:25:21  rad-accept            <-  44:d8:84:42:6a:26  9c:1c:12:a2:ff:21/SPIPSEC06  65467  298
    Dec  8 20:25:21  eap-success           <-  44:d8:84:42:6a:26  9c:1c:12:a2:ff:21            11     4
    Dec  8 20:25:21  wpa2-key1             <-  44:d8:84:42:6a:26  9c:1c:12:a2:ff:21            -      117
    Dec  8 20:25:21  wpa2-key2             ->  44:d8:84:42:6a:26  9c:1c:12:a2:ff:21            -      117
    Dec  8 20:25:21  wpa2-key3             <-  44:d8:84:42:6a:26  9c:1c:12:a2:ff:21            -      151
    Dec  8 20:25:21  wpa2-key4             ->  44:d8:84:42:6a:26  9c:1c:12:a2:ff:21            -      95
    Dec  8 20:25:21  rem-ap-setkey         <-  44:d8:84:42:6a:26  9c:1c:12:a2:ff:21            -      16    wpa2 aes
    Dec  8 20:25:43  station-down           *  44:d8:84:42:6a:26  9c:1c:12:a2:ff:21            -      - 

     

     

    Have you tried resetting the network settings in the iPhone and try again ?  Yes

     

    now, the problem has changed. they appear to be authenticating, but are being blocked by an error that states "SophosNACRegistration" failed, and we have no Sophos NAC that anyone here is aware of. Is there a place in either the CLI or the web GUI to attach a NAC?

     

    Background -

    We are converting from Cisco to Aruba. Each SSID from Cisco is replicated in Aruba. Each SSID in Cisco is replicated in Aruba. and lastly, as I mentioned above, every device available can connect to Aruba, but now the iPhones get a NAC error that no other device gets. pushing 10 hours of troubleshooting, and this is getting ridiculous. We've reverted, but I still have one test Aruba AP online.

     

    Thanks for the help



  • 4.  RE: everything but an iPhone works

    Posted Dec 08, 2013 09:10 PM

     

    Not really familiar with the Sopho products but you should probably ask them if they an MDM appliance in place ? 

     

    Are both network isolated ? because having the same SSIDs using different products could be a pain to troubleshoot if devices could hear both different APs and keep roaming between the two.

     

     

     

     

     

     



  • 5.  RE: everything but an iPhone works

    Posted Dec 08, 2013 09:26 PM

    yes, all of the Cisco APs were removed before we began testing the Aruba APs



  • 6.  RE: everything but an iPhone works

    Posted Dec 09, 2013 03:00 AM

    Where are you seeing this "SophosNACRegistration" error? On the client iPhone I assume?

     

    If so, it suggests it has some sort of supplicant on it that's trying to protect itself??? Just to prove it, try to find that supplicant and turn it off temporarily if it exists?