Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Aruba Controller with LDAP server authentication failed

  • 1.  Aruba Controller with LDAP server authentication failed

    Posted Oct 02, 2020 04:19 AM

    Hi, I'm trying to integrate a 7010 controller with an LDAP server on an AD. This will be a captive portal authentication. This is the configuration and status:

    (WLC-IDM) *[mynode] #show aaa authentication-server ldap LDAP-server
    
    LDAP Server "LDAP-server"
    -------------------------
    Parameter                                Value
    ---------                                -----
    Host                                     10.0.1.159
    Admin-DN                                 CN=wifi
    Admin-Passwd                             ********
    Allow Clear-Text                         Enabled
    Auth Port                                389
    Base-DN                                  DC=i*****ret,DC=group
    Filter                                   (objectclass=*)
    Key Attribute                            sAMAccountName
    Timeout                                  20 sec
    Mode                                     Enabled
    Preferred Connection Type                clear-text
    maximum number of non-admin connections  4
    Chase-Referrals                          Enabled
    (WLC-IDM) *[mynode] #show aaa authentication-server ldap LDAP-server status
    
    LDAP Server Table
    -----------------
    LDAP Server Attribute        Value
    ---------------------        -----
    Priority                     2
    Name                         LDAP-server
    Hostname                     10.0.1.159
    AuthPort                     389
    AuthSSLPort                  636
    Retries                      3
    Timeout                      20
    AdminDN                      CN=wifi
    AdminPasswd                  *****
    BaseDN                       DC=i*****ret,DC=group
    KeyAttribute                 sAMAccountName
    Filter                       (objectclass=*)
    Allow Cleartext              yes
    Status                       Enabled
    InService                    Up
    InitDone                     yes
    AdminBound                   no
    Connection Type              clear text
    Server Down                  no
    Marked For Delete            no
    In Use Callback Set          no
    Outstanding Authentications  27
    RebindTimerSet               no
    RebindCount                  2
    ReqViolationCount            0

    I turned on the security authmgr log, ran the query-user command and found this:

    Oct 2 14:04:59 :199802:  <3517> <ERRS> |authmgr|  ldapclient.c, ldap_client_bind_admin_cb:922: LDAP Server LDAP-server: Error in Binding Admin to server: Timeout or Network error
    Oct 2 14:04:59 :199802:  <4127> <ERRS> |dot1x-proc:2|  ldapclient.c, ldap_client_bind_admin_cb:922: LDAP Server LDAP-server: Error in Binding Admin to server: Timeout or Network error
    Oct 2 14:05:01 :199802:  <4117> <ERRS> |dot1x-proc:1|  ldapclient.c, ldap_client_bind_admin_cb:972: LDAP Server LDAP-server: Error in Binding Admin to server: Probably error in credentials
    Oct 2 14:05:01 :199802:  <4127> <ERRS> |dot1x-proc:2|  ldapclient.c, ldap_client_bind_admin_cb:972: LDAP Server LDAP-server: Error in Binding Admin to server: Probably error in credentials
    Oct 2 14:05:59 :199802:  <3517> <ERRS> |authmgr|  ldapclient.c, ldap_client_bind_admin_cb:972: LDAP Server LDAP-server: Error in Binding Admin to server: Probably error in credentials
    Oct 2 14:08:49 :199802:  <3517> <ERRS> |authmgr|  ldapclient.c, ldap_auth_api:144: LDAP Server LDAP-server: User operation attempted when server is OOS
    Oct 2 14:08:54 :199802:  <3517> <ERRS> |authmgr|  ldapclient.c, ldap_auth_api:144: LDAP Server LDAP-server: User operation attempted when server is OOS

    What is the solution to this?

    Thank you.



  • 2.  RE: Aruba Controller with LDAP server authentication failed
    Best Answer

    EMPLOYEE
    Posted Oct 02, 2020 06:24 AM

    It looks like your LDAP server is not even answering:

    ldapclient.c, ldap_client_bind_admin_cb:922: LDAP Server LDAP-server: Error in Binding Admin to server: Timeout or Network error

    I would go on the commandline of that LDAP server and do a "netstat -an" to make sure it is listening on port 389.

    Also, I would use an ldap browser like Softerra LDAP browser to connect to that server and ensure that your parameters are correct.
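As an added example (not code from this thread or from HPE Aruba), here is the same check the answer above asks for, done from any host with Python instead of an LDAP browser. It hand-builds the LDAPv3 simple BindRequest (RFC 4511, BER-encoded) that the controller sends on clear-text port 389, so no LDAP library is needed, and it decodes the BindResponse, including the "data NNN" hint Active Directory places in the diagnostic message. A refused connection or a socket timeout is the controller's "Timeout or Network error"; a decoded resultCode 49 is its "Probably error in credentials". Note that the first status output in this thread has Admin-DN `CN=wifi`: an AD simple bind takes a full DN (or a user@domain UPN), and a bare RDN like that does not name an object, so AD answers with resultCode 49 and AdminBound stays "no". The DN, password and sample response below are placeholders constructed for the example, not values from the thread.

```python
"""Clear-text LDAP simple-bind probe (added example; not from the thread or
from HPE Aruba). Builds the LDAPv3 BindRequest by hand and decodes the
BindResponse, so it runs without an LDAP library. HOST is the server from the
thread's config; DNs, password and the sample response are placeholders.
"""
import re
import socket
import sys

HOST = "10.0.1.159"            # LDAP server from the thread's config

# LDAP resultCode values (RFC 4511) an admin bind commonly returns
RESULT_CODES = {0: "success", 8: "strongerAuthRequired", 32: "noSuchObject",
                34: "invalidDNSyntax", 49: "invalidCredentials"}

# Hex "data" codes Active Directory adds to a failed bind's diagnosticMessage
AD_DATA_CODES = {"525": "user not found", "52e": "bad password",
                 "530": "logon hours restriction", "532": "password expired",
                 "533": "account disabled", "701": "account expired",
                 "773": "must reset password", "775": "account locked out"}


def ber_len(n: int) -> bytes:
    """BER definite length: one octet below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(payload)) + payload


def ber_int(value: int) -> bytes:
    return tlv(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big", signed=True))


def bind_request(message_id: int, bind_dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, [APPLICATION 0] BindRequest { 3, name, [0] simple } }."""
    bind_op = ber_int(3) + tlv(0x04, bind_dn.encode()) + tlv(0x80, password.encode())
    return tlv(0x30, ber_int(message_id) + tlv(0x60, bind_op))


def parse_tlv(buf: bytes, pos: int = 0):
    """Return (tag, contents, position after the element) for buf[pos:]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_bind_response(msg: bytes) -> dict:
    """Decode LDAPMessage { messageID, [APPLICATION 1] BindResponse {...} }."""
    tag, body, _ = parse_tlv(msg)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = parse_tlv(body)
    op_tag, op, _ = parse_tlv(body, pos)
    if op_tag != 0x61:
        raise ValueError(f"expected BindResponse, got tag {op_tag:#x}")
    _, rc, pos = parse_tlv(op)            # ENUMERATED resultCode
    _, _, pos = parse_tlv(op, pos)        # matchedDN (ignored)
    _, diag, _ = parse_tlv(op, pos)       # diagnosticMessage
    code = int.from_bytes(rc, "big")
    text = diag.decode(errors="replace")
    hint = re.search(r"data ([0-9a-f]+)", text)
    return {"message_id": int.from_bytes(mid, "big"), "result_code": code,
            "result": RESULT_CODES.get(code, f"code {code}"),
            "ad_hint": AD_DATA_CODES.get(hint.group(1), hint.group(1)) if hint else None,
            "diagnostic": text}


def probe_bind(host: str, bind_dn: str, password: str, port: int = 389,
               timeout: float = 5.0) -> dict:
    """Connect, send one simple bind, decode the reply.

    A refused connection or socket timeout here is the controller's
    "Timeout or Network error"; resultCode 49 is its "Probably error in
    credentials" (AdminBound stays "no").
    """
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(bind_request(1, bind_dn, password))
        head = s.recv(2)                   # outer SEQUENCE tag + first length octet
        if len(head) < 2:
            raise ConnectionError("server closed the connection without a BindResponse")
        rest, length = b"", head[1]
        if length & 0x80:
            rest = s.recv(length & 0x7F)
            length = int.from_bytes(rest, "big")
        body = b""
        while len(body) < length:
            chunk = s.recv(length - len(body))
            if not chunk:
                raise ConnectionError("short read from LDAP server")
            body += chunk
    return parse_bind_response(head + rest + body)


# Constructed sample (not captured from the thread): what AD answers to a
# simple bind with a wrong password, for offline testing of the decoder.
SAMPLE_BAD_PASSWORD = tlv(0x30, ber_int(1) + tlv(0x61,
    tlv(0x0A, b"\x31") + tlv(0x04, b"") +
    tlv(0x04, b"80090308: LdapErr: DSID-0C09041C, comment: "
              b"AcceptSecurityContext error, data 52e, v2580")))

if __name__ == "__main__":
    # usage: python ldap_bind_probe.py "CN=wifi,OU=WIFI,DC=example,DC=group" <password>
    dn, pw = sys.argv[1], sys.argv[2]
    try:
        print(probe_bind(HOST, dn, pw))
    except (OSError, ConnectionError) as e:
        print(f"no BindResponse from {HOST}:389 -> {e}")
```

Run it with the exact Admin-DN and password configured on the controller; if it times out, fix reachability or the listener first (the netstat check above), and if it returns resultCode 49, the "data" hint tells you whether the DN is wrong (525) or the password is (52e) before you touch the controller config again.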




  • 3.  RE: Aruba Controller with LDAP server authentication failed

    Posted Oct 02, 2020 07:15 AM

    Thank you, I will ask the customer to do that.

    In the meantime, the log also said:

    Error in Binding Admin to server: Probably error in credentials

     and the status said:

    AdminBound                   no

    Does this mean the Admin-DN and admin password could probably be incorrect? 



  • 4.  RE: Aruba Controller with LDAP server authentication failed

    EMPLOYEE
    Posted Oct 02, 2020 07:33 AM

    Possibly.  The ldap browser would easily determine that.



  • 5.  RE: Aruba Controller with LDAP server authentication failed

    Posted Oct 05, 2020 11:00 PM

    So I used the LDAP browser and entered the correct Admin-DN. The status became like this:

    (WLC-IDM) *[mynode] #show aaa authentication-server ldap LDAP-server status
    
    LDAP Server Table
    -----------------
    LDAP Server Attribute        Value
    ---------------------        -----
    Priority                     2
    Name                         LDAP-server
    Hostname                     10.0.1.159
    AuthPort                     389
    AuthSSLPort                  636
    Retries                      3
    Timeout                      20
    AdminDN                      CN=wifi .,OU=WIFI,DC=i*****ret,DC=group
    AdminPasswd                  *****
    BaseDN                       DC=i*****ret,DC=group
    KeyAttribute                 sAMAccountName
    Filter                       (objectclass=*)
    Allow Cleartext              yes
    Status                       Enabled
    InService                    Up
    InitDone                     yes
    AdminBound                   yes
    Connection Type              clear text
    Server Down                  no
    Marked For Delete            no
    In Use Callback Set          no
    Outstanding Authentications  0
    RebindTimerSet               no
    RebindCount                  0
    ReqViolationCount            0

    Note that AdminBound is now "yes".

    I tried to do the user query again; it now shows "timeout" instead of the "authentication failed" from before. I checked the log and this is what I got:

    Oct 6 09:40:19 :124004:  <3517> <DBUG> |authmgr|  aal_query_user_oneshot (1572)(INC) : os_auths 1, s LDAP-server type 3 inservice 1 markedD 0 sg_name
    Oct 6 09:40:19 :124004:  <3517> <DBUG> |authmgr|  aal_query_user_oneshot (1573)(INC) : os_reqs 1, s LDAP-server type 3 inservice 1 markedD 0
    Oct 6 09:40:39 :124004:  <3517> <DBUG> |authmgr|  server_cbh (163)(DEC) : os_reqs 0, s LDAP-server type 3 inservice 0 markedD 0
    Oct 6 09:40:39 :124607:  <3517> <DBUG> |authmgr|  server_cbh(): response=2 from Auth server 'LDAP-server for client:0 proto:7 eap-type:0'.
    Oct 6 09:40:39 :124004:  <3517> <DBUG> |authmgr|  server_cbh (422)(DEC) : os_auths 0, s LDAP-server type 3 inservice 0 markedD 0 sg_name
    Oct 6 09:40:39 :124004:  <3517> <DBUG> |authmgr|  Select server for method=, user=wifi, essid=<>, server-group=, last_srv LDAP-server
    Oct 6 09:40:39 :199802:  <3517> <ERRS> |authmgr|  server_group.c, ncfg_server_getnext:380: Unknown or empty server group "" (method=, user=wifi)
    Oct 6 09:40:39 :109000:  <3517> <DBUG> |authmgr|  LDAP Server LDAP-server: Server down callback.
    Oct 6 09:40:39 :109013:  <3517> <WARN> |authmgr|  LDAP Server LDAP-server: Connectivity lost to the Server, trying to re-establish
    Oct 6 09:40:39 :124004:  <3517> <DBUG> |authmgr|  LDAP: ldap_client_server_down_cb/1254 setting server LDAP-server out of service
    Oct 6 09:40:39 :109017:  <3517> <INFO> |authmgr|  LDAP Server LDAP-server: Setting Server Out of Service
    Oct 6 09:40:39 :124004:  <3517> <DBUG> |authmgr|  LDAP unbind: ldap_client_set_out_of_service
    Oct 6 09:40:39 :109018:  <3517> <INFO> |authmgr|  LDAP Server LDAP-server: Unbinding Admin Context from the server
    Oct 6 09:40:39 :109019:  <3517> <INFO> |authmgr|  LDAP Server LDAP-server: Unbinding User Context from the server
    Oct 6 09:40:39 :109015:  <3517> <INFO> |authmgr|  LDAP Server LDAP-server: Starting Timer to rebind to server in 1500 ms
    Oct 6 09:40:39 :109000:  <3517> <DBUG> |authmgr|  LDAP Server LDAP-server: Timer handler to bind to server
    Oct 6 09:40:39 :109000:  <3517> <DBUG> |authmgr|  LDAP Server LDAP-server: initializing LDAP structure for host:10.0.1.159 sslport:636
    Oct 6 09:40:39 :109000:  <3517> <DBUG> |authmgr|  LDAP Server LDAP-server: Initializing TLS Options
    Oct 6 09:40:39 :109000:  <3517> <DBUG> |authmgr|  LDAP Server LDAP-server: preferred connection type 3
    Oct 6 09:40:39 :109005:  <3517> <INFO> |authmgr|  LDAP Server LDAP-server: Admin - Using Clear Text Connection
    Oct 6 09:40:39 :109000:  <3517> <DBUG> |authmgr|  LDAP Server LDAP-server: Setting ASYNC callback option
    Oct 6 09:40:39 :109000:  <3517> <DBUG> |authmgr|  LDAP Server LDAP-server: Setting timeout to 20 seconds
    Oct 6 09:40:39 :109000:  <3517> <DBUG> |authmgr|  LDAP Server LDAP-server: Initialization completed succssfully
    Oct 6 09:40:39 :109000:  <3517> <DBUG> |authmgr|  LDAP Server LDAP-server: Setting server-down callback
    Oct 6 09:40:39 :109001:  <3517> <DBUG> |authmgr|  LDAP Server LDAP-server: Initialization completed successfully
    Oct 6 09:40:39 :109011:  <3517> <INFO> |authmgr|  LDAP Server LDAP-server: Binding Admin to server
    Oct 6 09:40:39 :109000:  <3517> <DBUG> |authmgr|  LDAP Server LDAP-server: Sent Bind request to server
    Oct 6 09:40:39 :109000:  <3517> <DBUG> |authmgr|  LDAP Server LDAP-server: Server down callback.
    Oct 6 09:40:39 :124004:  <3517> <DBUG> |authmgr|  LDAP: ldap_client_server_down_cb/1254 setting server LDAP-server out of service
    Oct 6 09:40:39 :109017:  <3517> <INFO> |authmgr|  LDAP Server LDAP-server: Setting Server Out of Service
    Oct 6 09:40:39 :124004:  <3517> <DBUG> |authmgr|  LDAP unbind: ldap_client_set_out_of_service
    Oct 6 09:40:39 :109018:  <3517> <INFO> |authmgr|  LDAP Server LDAP-server: Unbinding Admin Context from the server
    Oct 6 09:40:39 :109015:  <3517> <INFO> |authmgr|  LDAP Server LDAP-server: Starting Timer to rebind to server in 60000 ms
    Oct 6 09:40:40 :124004:  <3517> <DBUG> |authmgr|  Auth GSM: Num dev_id_cache entries aged = 0

    Do you know what the problem is now?

    Thank you.



  • 6.  RE: Aruba Controller with LDAP server authentication failed

    MVP EXPERT
    Posted Oct 06, 2020 04:25 AM

    The server timeout suggests that there is a configuration issue between the LDAP server and the controller. The controller will mark the auth server Out of Service if there is no response.

    Oct 6 09:40:39 :124004:  <3517> <DBUG> |authmgr|  LDAP: ldap_client_server_down_cb/1254 setting server LDAP-server out of service

    Does the controller still have reachability to the LDAP server? Are there any logs you can check on the LDAP server as to why the auth requests are being ignored? If you need to bring the AAA server back into service to avoid waiting for the timeout, use the command below:


    (Aruba7030) *[mynode] #aaa inservice [ServerGroup] [AuthServer]
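As an added example (not code from this thread or from HPE Aruba), a small parser over the authmgr lines posted earlier in this thread that does the triage the replies above do by hand: it tallies the bind failures in the Oct 2 log, and for the Oct 6 log it measures the gap between the user query being sent (09:40:19) and the server-down callback (09:40:39). That gap is 20 s, exactly the Timeout configured on the server, so the controller gave up waiting for an answer to the user search rather than receiving a rejection from AD. The same log also shows "Admin - Using Clear Text Connection", matching Preferred Connection Type clear-text and Allow Clear-Text enabled in the status output: the Admin-DN password crosses the network unencrypted on port 389 every time the controller rebinds, so once lookups work it is worth moving the server to LDAPS (the AuthSSLPort 636 already listed) or StartTLS, both of which the controller supports as preferred connection types. The event labels ("kind") are this script's own; the log lines are copied from the thread and the year and 20 s timeout come from its output.

```python
"""Triage of the controller's security/authmgr log for an LDAP auth server.
Added example, not code from the thread or from HPE Aruba. Sample lines are
copied from the two logs posted in this thread; the year (2020) and the 20 s
timeout come from the thread. The event "kind" labels are this script's own.
"""
import re
import sys
from collections import Counter
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+:\d+:\s+"
    r"<(?P<pid>\d+)>\s+<(?P<sev>[A-Z]+)>\s+\|(?P<module>[^|]+)\|\s+(?P<msg>.*)$")

# One label per message the controller emits during a failing LDAP transaction
PATTERNS = [
    ("query_sent",    r"aal_query_user_oneshot .*\(INC\)"),
    ("query_done",    r"server_cbh .*\(DEC\)"),
    ("bind_timeout",  r"Binding Admin to server: Timeout or Network error"),
    ("bind_badcreds", r"Binding Admin to server: Probably error in credentials"),
    ("server_down",   r"Server down callback|setting server \S+ out of service"),
    ("oos_reject",    r"User operation attempted when server is OOS"),
    ("rebind_timer",  r"Starting Timer to rebind to server in \d+ ms"),
    ("cleartext",     r"Using Clear Text Connection"),
]


def parse(lines, year=2020):
    """Turn raw log lines into events; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        kind = next((k for k, p in PATTERNS if re.search(p, m["msg"])), "other")
        events.append({
            "ts": datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"),
            "pid": int(m["pid"]), "sev": m["sev"], "module": m["module"],
            "kind": kind, "msg": m["msg"]})
    return events


def triage(lines, timeout_s=20, year=2020):
    """Count what went wrong and measure how long a user query waited."""
    events = parse(lines, year)
    counts = Counter(e["kind"] for e in events)
    findings = []
    if counts["bind_timeout"]:
        findings.append("admin bind got no answer: server not listening/reachable on the auth port")
    if counts["bind_badcreds"]:
        findings.append("admin bind rejected: Admin-DN or password wrong (AdminBound stays 'no')")
    if counts["oos_reject"]:
        findings.append("user lookups dropped while the server is out of service")
    if counts["cleartext"]:
        findings.append("admin credentials sent over clear-text LDAP")
    # Time from the first user query to the first server-down callback after it
    sent = next((e for e in events if e["kind"] == "query_sent"), None)
    down = next((e for e in events if e["kind"] == "server_down"
                 and sent and e["ts"] >= sent["ts"]), None)
    waited = (down["ts"] - sent["ts"]).total_seconds() if sent and down else None
    if waited is not None and waited >= timeout_s:
        findings.append(f"user query unanswered for {waited:.0f}s = configured timeout; "
                        "server marked down")
    return {"counts": dict(counts), "waited_s": waited, "findings": findings}


# Lines copied from the thread's Oct 2 log (admin bind failing)
LOG_OCT2 = """\
Oct 2 14:04:59 :199802:  <3517> <ERRS> |authmgr|  ldapclient.c, ldap_client_bind_admin_cb:922: LDAP Server LDAP-server: Error in Binding Admin to server: Timeout or Network error
Oct 2 14:04:59 :199802:  <4127> <ERRS> |dot1x-proc:2|  ldapclient.c, ldap_client_bind_admin_cb:922: LDAP Server LDAP-server: Error in Binding Admin to server: Timeout or Network error
Oct 2 14:05:01 :199802:  <4117> <ERRS> |dot1x-proc:1|  ldapclient.c, ldap_client_bind_admin_cb:972: LDAP Server LDAP-server: Error in Binding Admin to server: Probably error in credentials
Oct 2 14:05:01 :199802:  <4127> <ERRS> |dot1x-proc:2|  ldapclient.c, ldap_client_bind_admin_cb:972: LDAP Server LDAP-server: Error in Binding Admin to server: Probably error in credentials
Oct 2 14:05:59 :199802:  <3517> <ERRS> |authmgr|  ldapclient.c, ldap_client_bind_admin_cb:972: LDAP Server LDAP-server: Error in Binding Admin to server: Probably error in credentials
Oct 2 14:08:49 :199802:  <3517> <ERRS> |authmgr|  ldapclient.c, ldap_auth_api:144: LDAP Server LDAP-server: User operation attempted when server is OOS
Oct 2 14:08:54 :199802:  <3517> <ERRS> |authmgr|  ldapclient.c, ldap_auth_api:144: LDAP Server LDAP-server: User operation attempted when server is OOS
"""

# Lines copied from the thread's Oct 6 log (admin bound, user query timing out)
LOG_OCT6 = """\
Oct 6 09:40:19 :124004:  <3517> <DBUG> |authmgr|  aal_query_user_oneshot (1572)(INC) : os_auths 1, s LDAP-server type 3 inservice 1 markedD 0 sg_name
Oct 6 09:40:39 :124004:  <3517> <DBUG> |authmgr|  server_cbh (163)(DEC) : os_reqs 0, s LDAP-server type 3 inservice 0 markedD 0
Oct 6 09:40:39 :109000:  <3517> <DBUG> |authmgr|  LDAP Server LDAP-server: Server down callback.
Oct 6 09:40:39 :124004:  <3517> <DBUG> |authmgr|  LDAP: ldap_client_server_down_cb/1254 setting server LDAP-server out of service
Oct 6 09:40:39 :109015:  <3517> <INFO> |authmgr|  LDAP Server LDAP-server: Starting Timer to rebind to server in 1500 ms
Oct 6 09:40:39 :109005:  <3517> <INFO> |authmgr|  LDAP Server LDAP-server: Admin - Using Clear Text Connection
Oct 6 09:40:39 :109000:  <3517> <DBUG> |authmgr|  LDAP Server LDAP-server: Sent Bind request to server
Oct 6 09:40:39 :109015:  <3517> <INFO> |authmgr|  LDAP Server LDAP-server: Starting Timer to rebind to server in 60000 ms
"""

if __name__ == "__main__":
    # usage: python authmgr_triage.py < authmgr.log   (or no stdin: run the samples)
    src = sys.stdin.read().splitlines() if not sys.stdin.isatty() else None
    for name, lines in ([("stdin", src)] if src else
                        [("Oct 2", LOG_OCT2.splitlines()), ("Oct 6", LOG_OCT6.splitlines())]):
        print(name, triage(lines))
```

Feed it the output of the controller's authmgr debug logging; a measured wait equal to the configured Timeout means the server never answered the search, which points at the server side (filter, Base-DN scope, firewall idle-close, or the LDAP service itself) rather than at the credentials, whereas a rejection comes back well inside the timeout.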


  • 7.  RE: Aruba Controller with LDAP server authentication failed

    Posted Oct 06, 2020 05:59 AM

    Yes, the controller can reach the LDAP-server.

    The AD team said that there are no logs available from the controller.

    I ran the commands stated; it still shows 'request timeout'.