wlsx(N)UserAuthenticationFailed not being sent

  • 1.  wlsx(N)UserAuthenticationFailed not being sent

    Posted Jun 10, 2014 10:52 AM

    Working with AirWave and the controller; configured SNMP traps and seeing traps come in, but when an authentication fails I don't get the wlsx(N)UserAuthenticationFailed traps. Anyone got a clue on the reason?

     

    They are enabled:

     

    (name) #show snmp trap-list

    SNMP TRAP LIST
    --------------
    TRAP-NAME                                  CONFIGURABLE  ENABLE-STATE
    ---------                                  ------------  ------------
    authenticationFailure                      Yes           Enabled
    ...

    wlsxMgmtUserAuthenticationFailed           Yes           Enabled
    wlsxNUserAuthenticationFailed              Yes           Enabled
    wlsxUserAuthenticationFailed               Yes           Enabled



  • 2.  RE: wlsx(N)UserAuthenticationFailed not being sent

    Posted Jun 10, 2014 12:10 PM

    OK, think I found it: disabled EAP termination and the traps were sent.

     

    Could that be it? Anyone got a clue why they aren't sent with EAP termination enabled?



  • 3.  RE: wlsx(N)UserAuthenticationFailed not being sent

    EMPLOYEE
    Posted Jun 10, 2014 01:10 PM

    That trap is only sent for an authentication failure from an authentication source.  If your problem existed between the client and the controller, your problem might be with certificate or EAP setup vs an actual authentication failure.  I would turn on client debugging and see what the auth-tracebuf says.  

     

    Please let us know if you enter a wrong username and password and see if it sends the trap.



  • 4.  RE: wlsx(N)UserAuthenticationFailed not being sent

    Posted Jun 11, 2014 02:49 AM

    OK, did the testing; this is what I get with a wrong request and EAP termination on:

    Jun  8 23:45:41  station-down           *  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9                     -   -
    Jun  8 23:45:42  station-up             *  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9                     -   -    wpa2 aes
    Jun  8 23:45:42  station-term-start     *  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9                     31  -
    Jun  8 23:45:42  eap-term-start        ->  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9/p3t3-aaa-auth_prof  -   -
    Jun  8 23:45:42  station-term-start     *  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9                     31  -
    Jun  8 23:45:48  station-down           *  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9                     -   -
    Jun  8 23:45:49  station-up             *  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9                     -   -    wpa2 aes
    Jun  8 23:45:49  station-term-start     *  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9                     31  -
    Jun  8 23:45:49  eap-term-start        ->  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9/p3t3-aaa-auth_prof  -   -
    Jun  8 23:45:49  station-term-start     *  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9                     31  -
    Jun  8 23:45:56  client-finish         ->  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9/p3t3-aaa-auth_prof  -   -
    Jun  8 23:45:56  server-finish         <-  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9/p3t3-aaa-auth_prof  -   61
    Jun  8 23:45:56  server-finish-ack     ->  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9/p3t3-aaa-auth_prof  -   -
    Jun  8 23:45:56  inner-eap-id-req      <-  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9/p3t3-aaa-auth_prof  -   35
    Jun  8 23:45:56  inner-eap-id-resp     ->  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9/p3t3-aaa-auth_prof  -   -    wrong
    Jun  8 23:45:56  eap-mschap-chlg       <-  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9/p3t3-aaa-auth_prof  -   67
    Jun  8 23:45:56  eap-mschap-response   ->  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9/p3t3-aaa-auth_prof  9   49
    Jun  8 23:45:56  mschap-request        ->  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9/p3t3-aaa-auth_prof  9   -    wrong
    Jun  8 23:45:56  mschap-response       <-  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9/radius01            -   -    wrong
    Jun  8 23:45:56  eap-mschap-chlg-retry <-  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9/p3t3-aaa-auth_prof  -   115
    Jun  8 23:46:01  eap-mschap-chlg-retry <-  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9/p3t3-aaa-auth_prof  -   115
    Jun  8 23:46:06  eap-mschap-chlg-retry <-  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9/p3t3-aaa-auth_prof  -   115
    Jun  8 23:46:11  eap-mschap-chlg-retry <-  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9/p3t3-aaa-auth_prof  -   115
    Jun  8 23:46:16  eap-mschap-chlg-retry <-  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9/p3t3-aaa-auth_prof  -   115
    Jun  8 23:46:21  eap-mschap-chlg-retry <-  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9/p3t3-aaa-auth_prof  -   115
    Jun  8 23:46:26  eap-failure           <-  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9/p3t3-aaa-auth_prof  -   4

     

    And this for a successful one:

    Jun  8 23:46:52  station-down           *  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9                     -   -
    Jun  8 23:46:55  station-up             *  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9                     -   -    wpa2 aes
    Jun  8 23:46:55  station-term-start     *  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9                     31  -
    Jun  8 23:46:55  eap-term-start        ->  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9/p3t3-aaa-auth_prof  -   -
    Jun  8 23:46:55  station-term-start     *  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9                     31  -
    Jun  8 23:47:03  client-finish         ->  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9/p3t3-aaa-auth_prof  -   -
    Jun  8 23:47:03  server-finish         <-  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9/p3t3-aaa-auth_prof  -   61
    Jun  8 23:47:03  server-finish-ack     ->  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9/p3t3-aaa-auth_prof  -   -
    Jun  8 23:47:03  inner-eap-id-req      <-  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9/p3t3-aaa-auth_prof  -   35
    Jun  8 23:47:03  inner-eap-id-resp     ->  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9/p3t3-aaa-auth_prof  -   -    test
    Jun  8 23:47:03  eap-mschap-chlg       <-  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9/p3t3-aaa-auth_prof  -   67
    Jun  8 23:47:03  eap-mschap-response   ->  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9/p3t3-aaa-auth_prof  9   49
    Jun  8 23:47:03  mschap-request        ->  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9/p3t3-aaa-auth_prof  9   -    test
    Jun  8 23:47:03  mschap-response       <-  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9/radius01            -   -    test
    Jun  8 23:47:03  eap-mschap-success    <-  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9/p3t3-aaa-auth_prof  -   83
    Jun  8 23:47:03  eap-mschap-success-ack->  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9/p3t3-aaa-auth_prof  -   -
    Jun  8 23:47:03  eap-tlv-rslt-success  <-  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9/p3t3-aaa-auth_prof  -   43
    Jun  8 23:47:03  eap-tlv-rslt-success  ->  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9                     -   2
    Jun  8 23:47:03  eap-success           <-  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9/p3t3-aaa-auth_prof  -   4
    Jun  8 23:47:03  wpa2-key1             <-  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9                     -   117
    Jun  8 23:47:03  wpa2-key2             ->  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9                     -   117
    Jun  8 23:47:03  wpa2-key3             <-  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9                     -   151
    Jun  8 23:47:03  wpa2-key4             ->  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9                     -   95


    Then with EAP termination off and a wrong one (same wrong one as with EAP termination on):

    -
    Jun  8 23:49:03  station-up             *  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9                     -   -    wpa2 aes
    Jun  8 23:49:03  eap-id-req            <-  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9                     1   5
    Jun  8 23:49:03  eap-start             ->  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9                     -   -
    Jun  8 23:49:03  eap-id-req            <-  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9                     1   5
    Jun  8 23:49:08  eap-id-resp           ->  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9                     1   10   wrong
    Jun  8 23:49:08  rad-req               ->  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9                     74  198
    Jun  8 23:49:08  rad-reject            <-  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9/radius01            74  44
    Jun  8 23:49:08  eap-failure           <-  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9                     1   4    server rejected

     

    This with a good authentication and EAP termination off:


    Jun  8 23:49:08  station-down           *  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9                     -   -
    Jun  8 23:49:10  station-up             *  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9                     -   -    wpa2 aes
    Jun  8 23:49:10  eap-id-req            <-  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9                     1   5
    Jun  8 23:49:10  eap-start             ->  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9                     -   -
    Jun  8 23:49:10  eap-id-req            <-  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9                     1   5
    Jun  8 23:49:15  eap-id-req            <-  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9                     1   5
    Jun  8 23:49:20  eap-id-req            <-  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9                     2   5
    Jun  8 23:49:25  eap-id-req            <-  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9                     2   5

    And with a correct one:

    Jun  8 23:50:18  station-down           *  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9                     -   -
    Jun  8 23:52:20  station-up             *  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9                     -   -     wpa2 aes
    Jun  8 23:52:20  eap-id-req            <-  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9                     1   5
    Jun  8 23:52:20  eap-start             ->  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9                     -   -
    Jun  8 23:52:20  eap-id-req            <-  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9                     1   5
    Jun  8 23:52:25  eap-id-resp           ->  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9                     1   9     test
    Jun  8 23:52:25  rad-req               ->  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9                     76  196
    Jun  8 23:52:25  rad-resp              <-  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9/radius01            76  90
    Jun  8 23:52:25  eap-req               <-  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9                     2   6
    Jun  8 23:52:25  eap-resp              ->  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9                     2   109
    Jun  8 23:52:25  rad-req               ->  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9/radius01            77  334
    Jun  8 23:52:25  rad-resp              <-  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9/radius01            77  1188
    Jun  8 23:52:25  rad-accept            <-  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9/radius01            86  330
    Jun  8 23:52:25  eap-success           <-  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9                     12  4
    Jun  8 23:52:25  wpa2-key1             <-  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9                     -   117
    Jun  8 23:52:25  wpa2-key2             ->  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9                     -   117
    Jun  8 23:52:25  wpa2-key3             <-  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9                     -   151
    Jun  8 23:52:25  wpa2-key4             ->  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9                     -   95


    It seems that with termination the reject doesn't show, so the trap doesn't trigger. Is that on purpose or something configured on my side?
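
Added example (not part of any post in this thread, and not Aruba code): a small Python parser for the auth-tracebuf lines quoted in post 4. It classifies each association attempt and flags failures that end in eap-failure with no rad-reject, the case the poster reports as producing no trap; the function names and result labels are assumptions made for this example, and SAMPLE is trimmed from the traces above.

```python
import re

# Trimmed from the auth-tracebuf output quoted in post 4 (four attempts).
SAMPLE = """\
Jun  8 23:45:49  station-up             *  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9                     -   -    wpa2 aes
Jun  8 23:45:56  mschap-response       <-  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9/radius01            -   -    wrong
Jun  8 23:46:26  eap-failure           <-  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9/p3t3-aaa-auth_prof  -   4
Jun  8 23:46:55  station-up             *  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9                     -   -    wpa2 aes
Jun  8 23:47:03  eap-mschap-success-ack->  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9/p3t3-aaa-auth_prof  -   -
Jun  8 23:47:03  eap-success           <-  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9/p3t3-aaa-auth_prof  -   4
Jun  8 23:49:03  station-up             *  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9                     -   -    wpa2 aes
Jun  8 23:49:08  rad-reject            <-  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9/radius01            74  44
Jun  8 23:49:08  eap-failure           <-  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9                     1   4    server rejected
Jun  8 23:52:20  station-up             *  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9                     -   -     wpa2 aes
Jun  8 23:52:25  rad-accept            <-  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9/radius01            86  330
Jun  8 23:52:25  eap-success           <-  d8:50:e6:f3:70:1d  00:24:6c:32:b3:b9                     12  4
"""

# The event name may be fused to the direction arrow ("eap-mschap-success-ack->").
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]{8})\s+(?P<event>[a-z0-9-]+?)\s*(?P<dir>->|<-|\*)\s+"
    r"(?P<client>[0-9a-f:]{17})\s+(?P<bssid>[0-9a-f:]{17})(?:/(?P<peer>\S+))?")

def attempts(text):
    """Split a trace into per-client association attempts and classify each."""
    out, cur = [], {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m is None:
            continue  # blank or unparseable line
        if m["event"] == "station-up":  # a new association starts a new attempt
            cur[m["client"]] = {"client": m["client"], "start": m["ts"], "events": []}
            out.append(cur[m["client"]])
        elif m["client"] in cur:
            cur[m["client"]]["events"].append(m["event"])
    for a in out:
        ev = a.pop("events")
        a["result"] = ("success" if "eap-success" in ev
                       else "failed-server-reject" if "rad-reject" in ev
                       else "failed-no-rad-reject" if "eap-failure" in ev
                       else "incomplete")
    return out

def silent_failures(text):
    """Failed attempts with no rad-reject in the trace (EAP termination case)."""
    return [a for a in attempts(text) if a["result"] == "failed-no-rad-reject"]
```

Going by the behaviour reported in this thread, the failed-no-rad-reject entries are the failures that would have to be picked up from the trace or logs rather than from the trap.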



  • 5.  RE: wlsx(N)UserAuthenticationFailed not being sent

    EMPLOYEE
    Posted Jun 11, 2014 05:14 AM

    I do not know.