ARUBA INSTANT DOT1X TROUBLESHOOTING

Similar documents
ARUBA INSTANT BEST PRACTICES & TROUBLESHOOTING

ARUBA OS UNDERSTANDING CONTROL PLANE SECURITY FEATURE

Configuring Layer2 Security

Configure 802.1x Authentication with PEAP, ISE 2.1 and WLC 8.3

IAP VPN TROUBLESHOOTING

CLUSTER MANAGER. Technical Climb Webinar. 10:00 GMT 11:00 CET 13:00 GST May 30th, Presenter: Saravanan Moorthy

Configuring a VAP on the WAP351, WAP131, and WAP371

Configuring the EAPs Globally via Omada Controller

Configuring WLAN Security

Configuring WLANsWireless Device Access

Configuring r BSS Fast Transition

ARUBA OS ARUBA CONTROLLER FEATURES USED TO OPTIMIZE PERFORMANCE

Cisco Exam Questions and Answers (PDF) Cisco Exam Questions BrainDumps

Configuring Cipher Suites and WEP

802.11r Fast Transition Roaming

Instructions for connecting to winthropsecure

Cloudpath and Aruba Instant Integration

FortiNAC. Aerohive Wireless Access Point Integration. Version 8.x 8/28/2018. Rev: E

Table of Contents X Configuration 1-1

Configuring OfficeExtend Access Points

Configure MAC authentication SSID on Cisco Catalyst 9800 Wireless Controllers

Configuring a WLAN for Static WEP

Securing a Wireless LAN

Wireless Security Guide (for Windows XP, Windows Vista, Windows 7, Mac OSx)

Cisco Exam Securing Wireless Enterprise Networks Version: 7.0 [ Total Questions: 53 ]

ENH200 LONG RANGE WIRELESS 11N OUTDOOR CB/AP PRODUCT OVERVIEW. IEEE802.11/b/g/n 1T+1R 150Mbps 25 km High Performance

Aruba Instant Release Notes

This solution is fully reproducible and has been deployed in live environments.

Configuring Authentication Types

802.11r or Fast Transition (FT) for fast secure Roaming

FortiNAC ADTRAN vwlan Wireless Controllers Integration

Troubleshooting the 792xG Series Wireless IP Phone

Aruba PEAP-GTC Supplicant Plug-In Guide

FAQ on Cisco Aironet Wireless Security

Authentication and Security: IEEE 802.1x and protocols EAP based

WLAN Roaming and Fast-Secure Roaming on CUWN

Summary. Deployment Guide: Configuring the Cisco Wireless Security Suite 1 OL

Exam HP2-Z32 Implementing HP MSM Wireless Networks Version: 7.1 [ Total Questions: 115 ]

Using the Cisco Unified Wireless IP Phone 7921G Web Pages

Working DERIVATION ROLE for DOMAIN and PERSONAL workstation without CPPM Jan14-Tutorial

FortiNAC. Cisco Airespace Wireless Controller Integration. Version: 8.x. Date: 8/28/2018. Rev: B

Configuring FlexConnect Groups

Configuring FlexConnect Groups

User Guide. Omada Controller Software

Configuring a Wireless LAN Connection

Configuring Local EAP

LevelOne. User Manual. WAP Mbps PoE Wireless AP V3.0.0

Aruba Instant in AirWave 7.7

Release Notes for Avaya WLAN 9100 AOS-Lite Operating System WAP9112 Release WAP9114 Release 8.1.0

Cisco Exam Questions & Answers

Interoperability Report

Configuring the Wireless Parameters (CPE and WBS)

PEAP under Unified Wireless Networks with ACS 5.1 and Windows 2003 Server

Configuring WLANs CHAPTER

User Guide. EAP Controller Software REV

Configuring the Client Adapter

CUA-854 Wireless-G Long Range USB Adapter with Antenna. User s Guide

Using Cisco Workgroup Bridges

Securing Your Wireless LAN

Access Connections 5.1 for Windows Vista: User Guide

Guide to Configuring eduroam Using the Aruba Wireless Controller and ClearPass RADIUS

BEST PRACTICE - NAC AUF ARUBA SWITCHES. Rollenbasierte Konzepte mit Aruba OS Switches in Verbindung mit ClearPass Vorstellung Mobile First Features

Configuring WEP and WEP Features

Instant 3.3: BYOD and Captive portal Enhancements

Wireless Integration Overview

Using the CLI to Configure the Syslog Server for Access Points

Cisco 4400 Series Wireless LAN Controllers PEAP Under Unified Wireless Networks with Microsoft Internet Authentication Service (IAS)

ClearPass QuickConnect 2.0

Vendor: Cisco. Exam Code: Exam Name: Implementing Advanced Cisco Unified Wireless Security (IAUWS) v2.0. Version: Demo

Light Mesh AP. User s Guide. 2009/2/20 v1.0 draft

Zebra Setup Utility, Zebra Mobile Printer, Microsoft IAS, Cisco Access Point, PEAP and WPA-PEAP

Interoperability Report

Standard For IIUM Wireless Networking

User Guide. Omada Controller Software

Using PEAP and WPA PEAP Authentication Security on a Zebra Wireless Tabletop Printer

Wireless KRACK attack client side workaround and detection

COPYRIGHTED MATERIAL. Contents

VOCOM II. WLAN Instructions. VOCOM II Tough

Authentication and Security: IEEE 802.1x and protocols EAP based

Exam Questions Demo Cisco. Exam Questions

MZ Firmware Release Notes

Workgroup Bridges. Cisco WGBs. Information About Cisco Workgroup Bridges. Cisco WGBs, page 1 Third-Party WGBs and Client VMs, page 9

Cisco Exam Implementing Advanced Cisco Unified Wireless Security v2.0 Version: 9.0 [ Total Questions: 206 ]

Configuring WDS, Fast Secure Roaming, Radio Management, and Wireless Intrusion Detection Services

accounting (SSID configuration mode) through encryption mode wep

User Guide. 450Mbps/300Mbps Wireless N Access Point TL-WA901ND/TL-WA801ND REV

150Mbps N Wireless USB Adapter

Aruba Instant Release Notes

ARUBA OS HIGH AVAILABILITY WITH AP FAST FAILOVER

Wireless-N Business Notebook Adapter

Cisco EXAM Implementing Cisco Unified Wireless Networking Essentials (IUWNE) Buy Full Product.

accounting (SSID configuration mode) through encryption mode wep accounting (SSID configuration mode) through

Oct 2007 Version 1.01

WISNETWORKS. WisOS 11ac V /3/21. Software version WisOS 11ac


Windows 7 Configuration for ORU Wireless Networks

MSM320, MSM410, MSM422, MSM430,

Wireless Access Point

Aruba Central Instant Access Point Configuration

Xirrus WDS Configuration Guide

Transcription:

ARUBA INSTANT DOT1X TROUBLESHOOTING Technical Climb Webinar 12:00 GMT 13:00 CET 15:00 GST June 21st, 2016 Presenter: Barath Srinivasan barath.srinivasan@hpe.com

Welcome to the Technical Climb Webinar Listen to this webinar using the computer audio broadcasting or dial in by phone. The dial in number can be found in the audio panel, click additional numbers to view local dial in numbers. If you experience any difficulties accessing the webinar contact us using the questions panel. 2

Housekeeping This webinar will be recorded All lines will be muted during the webinar How can you ask questions? Use the question panel on your screen The recorded presentation will be posted on Arubapedia for Partners (https://arubapedia.arubanetworks.com/afp/) 3

TROUBLESHOOTING 802.1X ISSUES How to identify, diagnose and debug 802.1x related user authentication issues

Why 802.1x? 5

Prerequisites isolating 802.1x client connectivity Ensure to have the following information made available to you by the End-User or Customer, Before beginning to work on client connectivity issues. Nature of the problem Frequent disconnection, Unable to associate, Does not work in specific area, Low speed, etc Magnitude of the issue reported How many clients are affected, Partial or complete outage Client specific information Mac or IP address, Client device type, OS and driver version, SSID to which client connects Replicable Is the issue replicable consistently or occurs on a random basis Deployment History Was the issue present since deployment? Did the customer do a code upgrade or config change? 6

Method of troubleshooting approach The three main entities of 802.1x authentication, troubleshooting begins with isolation of potential symptoms 7

What are the symptoms reported by users? Depending on the type of EAP authentication being performed by the user, they can experience multiple forms of errors, understanding the type of error is a key factor in quickly and efficiently isolating the potential entity which has triggered the issue. End-User Symptoms: i.e., Users are being repeatedly asked to enter credentials and they eventually never get connected to the Corp WLAN. Users get a pop-up which says it is unable to verify the server Certificate. Users keep getting dropped off from the WLAN, although they did get associated initially with their credentials. 8

Understanding the EAP authentication process 9

Verifying baseline config on Aruba Instant AP (Instant Access Point) (config)# wlan ssid-profile <SSID-Name> (Instant Access Point) (SSID Profile <"profile-name>")# type {<Employee> <Voice>} (Instant Access Point) (SSID Profile <"profile-name>")# opmode {<opensystem> <wpa2-ae> <wpa2-psk-aes> <wpatkip> <wpa-psk-tkip> <wpa-tkip> <wpa2-aes> <wpa-psk-tkip> <wpa2-psk-aesstatic-wep> <dynamic-wep>} (Instant Access Point) (SSID Profile <"profile-name>")# leap-use-session-key (Instant Access Point) (SSID Profile <"profile-name>")# termination (Instant Access Point) (SSID Profile <"profile-name>")# external-server (Instant Access Point) (SSID Profile <"profile-name>")# auth-server <server-name> (Instant Access Point) (SSID Profile <"profile-name>")# auth-survivability (Instant Access Point) (SSID Profile <"profile-name>")# auth-survivability cache-time-out <hours> (Instant Access Point) (SSID Profile <"profile-name>")# radius-reauth-interval <minutes> (Instant Access Point) (SSID Profile <"profile-name>")# end 10

Instant Access point Overview What should be checked on the Aruba IAP side without fail? While configuring a WLAN network for EAP-PEAP authentication, the vlan assignment can be either VC assigned or Network assigned, similar to all other types of authentication. The dynamic keys can be WPA/WPA2, Mixed or Dynamic WEP with 802.1x EAP - Termination can be optionally enabled on the IAP, by default Disabled. It is possible to upload a customized certificate for 802.1x authentication on the IAP. We can use the auth server as RADIUS when EAP Termination is disabled and we can additionally use LDAP as an option when EAP termination is enabled on the AP. 11

Are users able to view the SSID name? the command show ap bss-table can be run from individual AP s that have issues 12

What auth-data is the IAP reading from the client? 13

IAP to RADIUS server communications 14

Auth tracing on IAP 15

Auth tracing on IAP Typical key exchange between AP and client Auth Trace Buffer ----------------- May 10 13:05:09 station-up * ac:81:12:59:5c:12 d8:c7:c8:3d:42:13 - - wpa2 psk aes May 10 13:05:09 wpa2-key1 <- ac:81:12:59:5c:12 d8:c7:c8:3d:42:13-117 May 10 13:06:30 station-up * 08:ed:b9:e1:51:7d d8:c7:c8:3d:42:12 - - wpa2 psk aes May 10 13:06:30 wpa2-key1 <- 08:ed:b9:e1:51:7d d8:c7:c8:3d:42:12-117 May 10 13:06:30 wpa2-key2 -> 08:ed:b9:e1:51:7d d8:c7:c8:3d:42:12-117 May 10 13:06:30 wpa2-key3 <- 08:ed:b9:e1:51:7d d8:c7:c8:3d:42:12-151 May 10 13:06:30 wpa2-key4 -> 08:ed:b9:e1:51:7d d8:c7:c8:3d:42:12-95 May 10 13:07:03 station-up * 08:ed:b9:e1:51:7d d8:c7:c8:3d:42:12 - - wpa2 psk aes May 10 13:07:03 wpa2-key1 <- 08:ed:b9:e1:51:7d d8:c7:c8:3d:42:12-117 May 10 13:07:03 wpa2-key2 -> 08:ed:b9:e1:51:7d d8:c7:c8:3d:42:12-117 May 10 13:07:03 wpa2-key3 <- 08:ed:b9:e1:51:7d d8:c7:c8:3d:42:12-151 May 10 13:07:03 wpa2-key4 -> 08:ed:b9:e1:51:7d d8:c7:c8:3d:42:12-95 16

RADIUS Statistics on Aruba IAP The key here is to check for whether the RADIUS server which is mapped to the 802.1x authentication service is IN-SERVICE or not. These counters play a key role in terms of identifying server-end communication or authentication issues 17

RADIUS Status Overview RADIUS status overview can be performed using show radius-servers support 18

Always check the event viewer 19

Useful bits & bytes, when in a hurry! Complete list of IAP CLI commands with definition of the debug command http://www.arubanetworks.com/techdocs/instantmobile/advanced/content/troubleshooting.htm Setting up IAP with Clearpass for 802.1x authentication https://www.youtube.com/watch?v=9x5uvhn2phg Troubleshooting Cheat sheet http://community.arubanetworks.com/aruba/attachments/aruba/84/106/1/troubleshooting+cheat+sheet-.pdf 20

QUESTIONS Any Questions?

THANK YOU FOR YOUR TIME!

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback