06-02-2014 02:46 AM - edited 03-10-2019 09:45 PM
Dears
Hello
I'm receiving this error when I'm trying to authenticate wireless users using PEAP MSCHAPv2. Can anyone please support me?
Thanks
06-02-2014 03:24 AM
Please check the old conversation on the same issue
supportforums.cisco.com/discussion/11428016/ssid-authentication-acs-5
06-02-2014 06:30 AM
Dear Mohanak
Hi
I can see we have different issues; that gentleman has a different issue, I guess. Let me explain in detail: I'm doing only simple authentication, as follows:
1- I have added all devices by using an IP range with subnet mask using TACACS and RADIUS. I couldn't add particular WLC IP addresses with RADIUS only, because ACS doesn't accept overlapping.
2- I configured one user and selected the simple Network Access Authorization profile "Permit all".
3- I configured the Access Service Radius.
I got this error, and I didn't understand what the root cause is.
06-02-2014 06:32 AM
06-02-2014 09:27 AM
Well, that is the problem: you need to replace Aruba with Cisco :)
Can you click on the magnifying glass under the details column and post the screen shot from the new window with all of the details on the failure?
06-02-2014 10:00 AM
06-02-2014 10:07 AM
I was joking about that :)
Couple of more questions:
1. Can you post a screen shot of the "Service Selection Rules"
2. Post screen shot of the "Identity" under "Wireless-Users"
3. Confirm that the wireless users are not hitting the "Device-Admin" rule that you have listed above
4. If you can post all of the details of the failed authentication. You are getting "access-reject" for some reason so you are not hitting the rule that you are trying to hit.
06-02-2014 10:50 AM
Dear Neno :) Thanks for your support.
You are absolutely right, I'm not hitting the access rule, even though I configured it to match the wireless user group. I notice the device admins are not hitting the rule, but since I enabled RADIUS for device management as well, I can see many logs from them as failed, also as RADIUS.
06-02-2014 10:55 AM
06-02-2014 11:11 AM
It is probably a good idea to keep Device Management under TACACS+ and wireless access under Radius. From the "acs-access-service01.jpg" screenshot we can see that your wireless rule is getting zero hits, which again indicates that your wireless clients are hitting the default rule, which is probably "deny access". The ACS rules look OK from the screenshots, so the issue could be on the wireless side.
Can you:
1. Provide better/full capture from "acs-issue1_0.jpg" ? I need to see all steps and details
2. Confirm the wireless settings. More specifically that Radius/802.1x is configured
06-02-2014 11:30 AM
Dear Neno
The customer has sent me this in Aruba:
aaa authentication dot1x "dot1xProfile"
    termination eap-type eap-peap
    termination inner-eap-type eap-mschapv2
aaa authentication-server radius "SERVER"
    host x.x.x.x
    key xxxx
    nas-ip x.x.x.x
aaa server-group "RADIUS-GROUP"
    auth-server "SERVER"
aaa profile "KSAU-JED-AAA-Profile"
    authentication-dot1x "dot1xProfile"
    dot1x-server-group "RADIUS-GROUP"
wlan virtual-ap "SSID-NAME"
    aaa-profile "KSAU-JED-AAA-Profile"
    ssid-profile "SSID-NAME"
    vlan <VLAN ID>
06-02-2014 02:26 PM
Everything looks good (with my limited knowledge of Aruba). Unfortunately, I won't be much help here without getting my hands on the network :(
Perhaps someone else can come and chime in.
06-03-2014 02:13 AM
Dears
FYI.. I have solved the issue today. Basically, the issue was that Cisco ACS doesn't have the Aruba controllers dictionary by default. For a specific-vendor dictionary, you need to download it from the vendor site and write down the values to the ACS dictionary fields.
06-03-2014 02:25 AM
06-03-2014 12:56 PM
Thanks Neno. By the way, how do I mark this thread as answered? Sorry, I'm not so familiar with these tools :)