Perform a test login.
Show the result: show packet-capture controlpath-pcap.
If required, you can save the packet capture in a file, download it and open it with Wireshark: packet-capture copy-to-flash controlpath-pcap. The controller uses the file name controlpath-pcap.tar.gz.
Clean up packet-capture: packet-capture reset-pcap controlpath-pcap.
If "Access Accept" is displayed in packet capture, but the user cannot log in - open a case.
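Added example (mine, not from this thread, Aruba or Wireshark): a small decoder for the RADIUS reply you would be looking at in that capture, so you can confirm from the raw bytes what the server actually returned (Access-Accept vs Access-Reject), which Aruba vendor-specific attributes came with it, and that the Response Authenticator verifies against the shared secret, i.e. the Accept really came from the configured server. The packet, secret and request authenticator below are constructed; the Aruba vendor ID 14823 is the registered IANA number, while the sub-attribute numbering (4 = Aruba-Admin-Role) is an assumption taken from the Aruba dictionary as I know it, so check it against your own dictionary file.

```python
"""Decode and verify a RADIUS reply (RFC 2865 framing).

Constructed sample data; nothing here is a real capture or a real secret.
"""
import hashlib
import hmac
import struct

RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
ARUBA_VENDOR_ID = 14823  # IANA enterprise number registered to Aruba Networks
# Assumption: sub-attribute numbers from the Aruba dictionary; verify against your own copy.
ARUBA_VSA_NAMES = {1: "Aruba-User-Role", 4: "Aruba-Admin-Role"}


def parse_radius(packet: bytes) -> dict:
    """Return code name, identifier, authenticator and a list of (name, value) attributes."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    attrs = []
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        value = packet[pos + 2:pos + alen]
        if atype == 26 and len(value) >= 6:  # Vendor-Specific (RFC 2865 section 5.26)
            vendor_id = struct.unpack("!I", value[:4])[0]
            vpos = 4
            while vpos + 2 <= len(value):
                vtype, vlen = value[vpos], value[vpos + 1]
                if vlen < 2 or vpos + vlen > len(value):
                    raise ValueError("bad vendor sub-attribute length")
                name = f"Vendor-{vendor_id}-Attr-{vtype}"
                if vendor_id == ARUBA_VENDOR_ID:
                    name = ARUBA_VSA_NAMES.get(vtype, name)
                attrs.append((name, value[vpos + 2:vpos + vlen]))
                vpos += vlen
        else:
            attrs.append((f"Attr-{atype}", value))
        pos += alen
    return {"code": RADIUS_CODES.get(code, f"Code-{code}"), "id": ident,
            "authenticator": packet[4:20], "attributes": attrs}


def verify_response_authenticator(reply: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    """RFC 2865 section 3: ResponseAuth = MD5(Code|ID|Length|RequestAuth|Attributes|Secret)."""
    length = struct.unpack("!H", reply[2:4])[0]
    expected = hashlib.md5(reply[:4] + request_authenticator + reply[20:length] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])


def admin_role_from_reply(reply: bytes):
    """Return the Aruba-Admin-Role string carried by an Access-Accept, else None."""
    parsed = parse_radius(reply)
    if parsed["code"] != "Access-Accept":
        return None
    for name, value in parsed["attributes"]:
        if name == "Aruba-Admin-Role":
            return value.decode("ascii", "replace")
    return None


# --- constructed sample reply, built the same way a server would frame it ---
def aruba_vsa(vtype: int, value: bytes) -> bytes:
    sub = bytes([vtype, 2 + len(value)]) + value
    body = struct.pack("!I", ARUBA_VENDOR_ID) + sub
    return bytes([26, 2 + len(body)]) + body


def build_reply(code: int, ident: int, attrs: bytes, request_authenticator: bytes, secret: bytes) -> bytes:
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + auth + attrs


SAMPLE_SECRET = b"constructed-shared-secret"      # constructed
SAMPLE_REQUEST_AUTH = bytes(range(16))            # constructed; real ones are random per request
# Access-Accept with id 39 (the request id seen in the thread's log) carrying a constructed role
SAMPLE_ACCEPT = build_reply(2, 39, aruba_vsa(4, b"root"), SAMPLE_REQUEST_AUTH, SAMPLE_SECRET)

if __name__ == "__main__":
    print(parse_radius(SAMPLE_ACCEPT)["code"], admin_role_from_reply(SAMPLE_ACCEPT),
          verify_response_authenticator(SAMPLE_ACCEPT, SAMPLE_REQUEST_AUTH, SAMPLE_SECRET))
```

To use it on your own capture, extract the UDP payload of the reply (Wireshark: right-click the RADIUS layer, export packet bytes) and pass those bytes together with the Request Authenticator of the matching request and your shared secret. An Accept that does not verify, or that carries no admin-role attribute the controller can map, is worth checking before opening a case.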
Original Message:
Sent: Mar 27, 2024 12:39 PM
From: neilc75
Subject: Management user authentication through RADIUS
This is what my logs look like after increasing the log level as suggested:
authmgr [3715]: <121031> <3715> <DBUG> |authmgr| |aaa| [tc_api.c:444] Radius authenticate user (username) PAP using server SERVERNAME
authmgr [3715]: <121031> <3715> <DBUG> |authmgr| |aaa| [tc_request.c:91] Add request: id=39, server=SERVERNAME, IP=x.x.x.x, server-group=SERVERGROUP, fd=72
authmgr [3715]: <121031> <3715> <DBUG> |authmgr| |aaa| [tc_server.c:2618] Sending radius request to SERVERNAME:x.x.x.x id:39,len=136
authmgr [3715]: <121031> <3715> <DBUG> |authmgr| |aaa| [tc_request.c:123] Find request: id=39, svr=x.x.x.x, fd=72
authmgr [3715]: <121031> <3715> <DBUG> |authmgr| |aaa| [tc_request.c:134] Current entry: server=SERVERNAME IP=x.x.x.x, server-group=SERVERGROUP, fd=72
authmgr [3715]: <121031> <3715> <DBUG> |authmgr| |aaa| [tc_request.c:63] Del request: id=39, server=SERVERNAME, IP=x.x.x.x, server-group-SERVERGROUP fd=72
Original Message:
Sent: Mar 27, 2024 12:03 PM
From: lord
Subject: Management user authentication through RADIUS
The config looks the same for me.
Does NPS send any aruba-radius-attributes or just an accept?
Increase the log level for security-aaa and security-auth-amon to debugging and check logs again.
------------------------------
Regards,
Waldemar
ACCX # 1377, ACEP, ACX - Network Security
If you find my answer useful, consider giving kudos and/or mark as solution
Original Message:
Sent: Mar 27, 2024 08:37 AM
From: neilc75
Subject: Management user authentication through RADIUS
I'll give you the TL;DR version of the story.
ClearPass is not currently online. Yes, the local admin account works fine. NPS says access granted. The controller error reads:
aaa[3628]:<125022> <3628> <WARN> |aaa| Authentication failed for "user", Logged in from x.x.x.x port 22, Connecting to y.y.y.y port 55115 connection type SSH
and another error message follows which reads: Failed password for "user" from x.x.x.x port 55115 ssh2.
Admin Authentication Options
default role: standard
enable: checked
mschapv2: unchecked
server group: "the one I created"
management telnet access: unchecked
Login activities persistence period: 0 days
Login banner text: NA
Banner has to be accepted: unchecked
I appreciate your input!
Original Message:
Sent: Mar 27, 2024 03:16 AM
From: lord
Subject: Management user authentication through RADIUS
Admin login on the Aruba controller works fine, what error message do you get in ClearPass?
Please also share the admin authentication options for the controller.
------------------------------
Regards,
Waldemar
ACCX # 1377, ACEP, ACX - Network Security
If you find my answer useful, consider giving kudos and/or mark as solution
Original Message:
Sent: Mar 20, 2024 04:09 PM
From: neilc75
Subject: Management user authentication through RADIUS
Nearly 10 years later I am having the same issue. I've set up AAA on the Aruba WLC, successfully run the AAA Server Test tool against my management user, but can log in to neither the GUI nor CLI. I don't see a resolution to the OP's problem. I'm using the same RADIUS server for SSH switch management and Cisco Prime Infrastructure management. Why would the Aruba diagnostic tool report that it can authenticate against RADIUS, the RADIUS logs tell me that the user account is granted access, but they get denied by the CLI and GUI? TIA!
Original Message:
Sent: Aug 08, 2014 11:10 AM
From: WiFi_Newbie
Subject: Management user authentication through RADIUS
Hi Airheads Community,
I am currently facing an issue at the controller of a customer of mine.
Regarding this old discussion, I tried to troubleshoot the configuration and the behavior.
But I was unable to resolve the issue.
I try to authenticate admin users and Lobby Users via Radius.
But I am currently even unable to simply authenticate into the default role and I am not sure where the misconfiguration is.
Do I have to change the configuration of my Controller or is there a problem at the configuration of my Radius?
I can provide you the output of the Debug I have performed already, as it was described in the old discussion.
Aug 8 15:13:37 :124011: <INFO> |authmgr| Test authenticating user winketa:****** using server Radius1
Aug 8 15:13:37 :121041: <DBUG> |authmgr| User winketa MAC=00:00:00:00:00:00 not found.
Aug 8 15:13:37 :124004: <DBUG> |authmgr| Auth server 'Radius1' response=0
Aug 8 15:13:37 :124019: <INFO> |authmgr| Test server response: Authentication Successful
Aug 8 15:11:38 :124004: <DBUG> |authmgr| RX (sock) message of type 1, len 1016
Aug 8 15:11:38 :124546: <DBUG> |authmgr| aal_authenticate user:winketa vpnflags:0.
Aug 8 15:11:38 :124004: <DBUG> |authmgr| unknown user=172.31.29.241, method=Management
Aug 8 15:11:38 :124547: <DBUG> |authmgr| aal_authenticate server_group:default.
Aug 8 15:11:38 :124004: <DBUG> |authmgr| Select server for method=Management, user=winketa, essid=<>, server-group=KVB_RADIUS_ADMIN, last_srv <>
Aug 8 15:11:38 :124004: <DBUG> |authmgr| server=Radius1, ena=1, ins=1 (1)
Aug 8 15:11:38 :124038: <INFO> |authmgr| Selected server Radius1 for method=Management; user=winketa, essid=<>, domain=<>, server-group=RADIUS_ADMIN
Aug 8 15:11:38 :124064: <NOTI> |authmgr| Administrative User result=Authentication failed(1), method=Management, username=winketa IP=172.31.29.241 auth server=Radius1
Aug 8 15:11:38 :124003: <INFO> |authmgr| Authentication result=Authentication failed(1), method=Management, server=Radius1, user=172.31.29.241
Aug 8 15:11:38 :124004: <DBUG> |authmgr| Auth server 'Radius1' response=1
Aug 8 15:11:38 :125022: <WARN> |aaa| Authentication failed for User winketa, Logged in from 172.31.29.241 port 56934, Connecting to 172.31.190.50 port 4343 connection type HTTPS
I tried to log in with the user "winketa" in the AAA diagnostics tool and everything went fine, as you see in my first authentication attempt. The radius returns a successful authentication.
But if I try to log into the WebGUI using the same credentials, the controller sends some additional information to the radius, like the issuing host's IP address.
I think this is why my radius sends an authentication reject.
But I can't see where I can change this behavior.
Or where my misconfiguration is?
Here I have a screenshot with my current configuration.
I already tried several "Server Rules" I also tried to have no "Server Rules" applied but nothing changed the current behavior.
Do you guys have any idea how to solve this issue?
I'd like to thank you for your support in advance!
Greetings
WiFi_Newbie
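Added example (mine, not from any poster in this thread): the pattern that comes up three times here, the AAA server test succeeding while the real Management login for the same user is rejected, is easy to miss in a busy authmgr log. This script runs that check over controller log lines in the format quoted above. The sample lines are constructed to mirror that format (documentation addresses, made-up second user); they are not anyone's real logs. The regexes are my own and assume the field layout shown in the thread.

```python
"""Flag users whose AAA test-tool authentication succeeded but whose real
Management login was rejected, from ArubaOS authmgr log lines.

Sample lines are constructed in the format quoted in the thread.
"""
import re
from collections import defaultdict

# Constructed sample: one user shows the thread's symptom, one logs in fine, one fails both ways.
SAMPLE_LOGS = """\
Aug 8 15:13:37 :124011: <INFO> |authmgr| Test authenticating user winketa:****** using server Radius1
Aug 8 15:13:37 :124004: <DBUG> |authmgr| Auth server 'Radius1' response=0
Aug 8 15:13:37 :124019: <INFO> |authmgr| Test server response: Authentication Successful
Aug 8 15:11:38 :124038: <INFO> |authmgr| Selected server Radius1 for method=Management; user=winketa, essid=<>, domain=<>, server-group=RADIUS_ADMIN
Aug 8 15:11:38 :124064: <NOTI> |authmgr| Administrative User result=Authentication failed(1), method=Management, username=winketa IP=192.0.2.41 auth server=Radius1
Aug 8 15:11:38 :125022: <WARN> |aaa| Authentication failed for User winketa, Logged in from 192.0.2.41 port 56934, Connecting to 192.0.2.50 port 4343 connection type HTTPS
Aug 8 15:20:02 :124064: <NOTI> |authmgr| Administrative User result=Authentication Successful(0), method=Management, username=opsadmin IP=192.0.2.42 auth server=Radius1
Aug 8 15:25:10 :124011: <INFO> |authmgr| Test authenticating user contractor:****** using server Radius1
Aug 8 15:25:10 :124019: <INFO> |authmgr| Test server response: Authentication failed
Aug 8 15:26:00 :124064: <NOTI> |authmgr| Administrative User result=Authentication failed(1), method=Management, username=contractor IP=192.0.2.43 auth server=Radius1
"""

# Assumed field layout, taken from the lines quoted in the thread.
TEST_START_RE = re.compile(r"Test authenticating user (\S+?):\S* using server (\S+)")
TEST_RESULT_RE = re.compile(r"Test server response: (.+?)\s*$")
ADMIN_RESULT_RE = re.compile(
    r"Administrative User result=(.+?)\((\d+)\), method=(\w+), username=(\S+) IP=(\S+) auth server=(\S+)"
)


def parse_log(log_text: str):
    """Return (test_results, login_attempts): test-tool outcome per user, and the list of
    real admin login attempts with their method, result, client IP and server."""
    test_results = {}
    login_attempts = defaultdict(list)
    pending_test_user = None  # the test tool logs the user on one line and the verdict on a later one
    for line in log_text.splitlines():
        m = TEST_START_RE.search(line)
        if m:
            pending_test_user = m.group(1)
            continue
        m = TEST_RESULT_RE.search(line)
        if m and pending_test_user:
            test_results[pending_test_user] = m.group(1)
            pending_test_user = None
            continue
        m = ADMIN_RESULT_RE.search(line)
        if m:
            result, code, method, user, ip, server = m.groups()
            login_attempts[user].append(
                {"method": method, "result": result, "code": int(code), "ip": ip, "server": server}
            )
    return test_results, login_attempts


def triage(log_text: str):
    """Return one finding per rejected real login whose user passed the AAA test tool."""
    test_results, login_attempts = parse_log(log_text)
    findings = []
    for user, attempts in login_attempts.items():
        for attempt in attempts:
            if attempt["code"] == 0:
                continue
            if test_results.get(user) != "Authentication Successful":
                continue  # failed both ways: a credential or policy problem, not this mismatch
            findings.append({
                "user": user,
                "method": attempt["method"],
                "ip": attempt["ip"],
                "server": attempt["server"],
                "note": ("AAA test tool accepted this user but the live "
                         f"{attempt['method']} login was rejected by {attempt['server']}; "
                         "compare the two Access-Requests in a capture (the live login "
                         "carries extra attributes such as the client IP) and the server "
                         "policy / server-rules that act on them"),
            })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOGS):
        print(f"{f['user']} ({f['method']} from {f['ip']}): {f['note']}")
```

Feed it `show log security` output (or the debug-level security-aaa log suggested earlier in the thread) and it will list only the users that show the test-succeeds-but-login-fails mismatch; users that fail both ways or succeed both ways are left out so the list stays short.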