
Webauth issues with Chromebooks

waters
Level 1

I am having issues with some students not being able to authenticate to our guest network with their Chromebooks. Everything worked fine last year but for some reason is not working now. They will attach to the network and then they get redirected to the Webauth page. They enter their username and ID and then it just spins and does nothing until it eventually comes back to the Webauth page. If they try again the same thing happens. If we powerwash the Chromebook then it seems to work fine for the day.

There have been no changes to my wireless infrastructure since then other than renaming the SSID. I have no Layer 2 security set up and I have webauth set up for Layer 3 security which does an LDAP lookup to a Windows server. After doing debugs for the clients on the controller and not finding anything I did a debug aaa ldap and found that every time there was a successful LDAP authentication the log contained a line that contains "LDAP ATTR> dn=" but all the failed authentications don't contain that line. Here is an example of the debug:

 

*aaaQueueReader: Sep 09 08:03:45.428: AuthenticationRequest: 0x2b5e69e0


*aaaQueueReader: Sep 09 08:03:45.428: Callback.....................................0x11671408

*aaaQueueReader: Sep 09 08:03:45.428: protocolType.................................0x00000002

*aaaQueueReader: Sep 09 08:03:45.428: proxyState...................................28:FF:3C:F1:D7:2F-00:00

*aaaQueueReader: Sep 09 08:03:45.428: Packet contains 14 AVPs (not shown)

*LDAP DB Task 1: Sep 09 08:03:45.429: ldapTask [1] received msg 'REQUEST' (2) in state 'IDLE' (1)
*LDAP DB Task 1: Sep 09 08:03:45.429: LDAP server 1 changed state to INIT
*LDAP DB Task 1: Sep 09 08:03:45.429: LDAP_OPT_REFERRALS = -1

*LDAP DB Task 1: Sep 09 08:03:45.429: ldapInitAndBind [1] called lcapi_init (rc = 0 - Success)
*LDAP DB Task 1: Sep 09 08:03:45.431: ldapInitAndBind [1] configured Method Authenticated lcapi_bind (rc = 0 - Success)
*LDAP DB Task 1: Sep 09 08:03:45.431: LDAP server 1 changed state to CONNECTED
*LDAP DB Task 1: Sep 09 08:03:45.431: disabled LDAP_OPT_REFERRALS

*LDAP DB Task 1: Sep 09 08:03:45.431: LDAP_CLIENT: UID Search (base=dc=xxx,dc=xxxxx, pattern=(&(objectclass=Person)(sAMAccountName=user1)))
*LDAP DB Task 1: Sep 09 08:03:45.432: LDAP_CLIENT: ldap_search_ext_s returns 0 -5
*LDAP DB Task 1: Sep 09 08:03:45.432: LDAP_CLIENT: Returned 5 msgs including 3 references
*LDAP DB Task 1: Sep 09 08:03:45.432: LDAP_CLIENT: Returned msg 1 type 0x64
*LDAP DB Task 1: Sep 09 08:03:45.432: LDAP_CLIENT: Received 1 attributes in search entry msg
*LDAP DB Task 1: Sep 09 08:03:45.432: LDAP_CLIENT: Returned msg 2 type 0x73
*LDAP DB Task 1: Sep 09 08:03:45.432: LDAP_CLIENT: Received search reference msg
*LDAP DB Task 1: Sep 09 08:03:45.432: LDAP_CLIENT: Returned msg 3 type 0x73
*LDAP DB Task 1: Sep 09 08:03:45.432: LDAP_CLIENT: Received search reference msg
*LDAP DB Task 1: Sep 09 08:03:45.432: LDAP_CLIENT: Returned msg 4 type 0x73
*LDAP DB Task 1: Sep 09 08:03:45.432: LDAP_CLIENT: Received search reference msg
*LDAP DB Task 1: Sep 09 08:03:45.432: LDAP_CLIENT: Returned msg 5 type 0x65
*LDAP DB Task 1: Sep 09 08:03:45.432: LDAP_CLIENT : No matched DN
*LDAP DB Task 1: Sep 09 08:03:45.432: LDAP_CLIENT : Check result error 0 rc 1013
*LDAP DB Task 1: Sep 09 08:03:45.432: LDAP_CLIENT: Received no referrals in search result msg
*LDAP DB Task 1: Sep 09 08:03:45.432: ldapAuthRequest [1] xxx.xxx.xxx.xxx - 389 called lcapi_query base="dc=xxx,dc=xxxxx" type="Person" attr="sAMAccountName" user="user1" (rc = 0 - Success)
*LDAP DB Task 1: Sep 09 08:03:45.432: Attempting user bind with username CN=xxxxxx xxxx,OU=Students,DC=xxx,DC=xxxxx
*LDAP DB Task 1: Sep 09 08:03:45.433: Handling LDAP response Authentication Failed
*LDAP DB Task 1: Sep 09 08:03:45.434: Authenticated bind : Closing the binded session

*LDAP DB Task 1: Sep 09 08:03:45.434: ldapClose [1] called lcapi_close (rc = 0 - Success)
*LDAP DB Task 1: Sep 09 08:03:45.434: LDAP server 1 changed state to IDLE
*aaaQueueReader: Sep 09 08:03:47.410: AuthenticationRequest: 0x2b5e69e0


*aaaQueueReader: Sep 09 08:03:47.410: Callback.....................................0x11671408

*aaaQueueReader: Sep 09 08:03:47.410: protocolType.................................0x00000002

*aaaQueueReader: Sep 09 08:03:47.410: proxyState...................................F8:2D:7C:11:AB:B2-00:00

*aaaQueueReader: Sep 09 08:03:47.410: Packet contains 14 AVPs (not shown)

*LDAP DB Task 2: Sep 09 08:03:47.410: ldapTask [2] received msg 'REQUEST' (2) in state 'IDLE' (1)
*LDAP DB Task 2: Sep 09 08:03:47.410: LDAP server 2 changed state to INIT
*LDAP DB Task 2: Sep 09 08:03:47.411: LDAP_OPT_REFERRALS = -1

*LDAP DB Task 2: Sep 09 08:03:47.411: ldapInitAndBind [2] called lcapi_init (rc = 0 - Success)
*LDAP DB Task 2: Sep 09 08:03:47.414: ldapInitAndBind [2] configured Method Authenticated lcapi_bind (rc = 0 - Success)
*LDAP DB Task 2: Sep 09 08:03:47.414: LDAP server 2 changed state to CONNECTED
*LDAP DB Task 2: Sep 09 08:03:47.414: disabled LDAP_OPT_REFERRALS

*LDAP DB Task 2: Sep 09 08:03:47.414: LDAP_CLIENT: UID Search (base=dc=ahs,dc=local, pattern=(&(objectclass=Person)(sAMAccountName=user2)))
*LDAP DB Task 2: Sep 09 08:03:47.415: LDAP_CLIENT: ldap_search_ext_s returns 0 -5
*LDAP DB Task 2: Sep 09 08:03:47.415: LDAP_CLIENT: Returned 5 msgs including 3 references
*LDAP DB Task 2: Sep 09 08:03:47.415: LDAP_CLIENT: Returned msg 1 type 0x64
*LDAP DB Task 2: Sep 09 08:03:47.415: LDAP_CLIENT: Received 1 attributes in search entry msg
*LDAP DB Task 2: Sep 09 08:03:47.415: LDAP_CLIENT: Returned msg 2 type 0x73
*LDAP DB Task 2: Sep 09 08:03:47.415: LDAP_CLIENT: Received search reference msg
*LDAP DB Task 2: Sep 09 08:03:47.415: LDAP_CLIENT: Returned msg 3 type 0x73
*LDAP DB Task 2: Sep 09 08:03:47.415: LDAP_CLIENT: Received search reference msg
*LDAP DB Task 2: Sep 09 08:03:47.415: LDAP_CLIENT: Returned msg 4 type 0x73
*LDAP DB Task 2: Sep 09 08:03:47.415: LDAP_CLIENT: Received search reference msg
*LDAP DB Task 2: Sep 09 08:03:47.415: LDAP_CLIENT: Returned msg 5 type 0x65
*LDAP DB Task 2: Sep 09 08:03:47.415: LDAP_CLIENT : No matched DN
*LDAP DB Task 2: Sep 09 08:03:47.415: LDAP_CLIENT : Check result error 0 rc 1013
*LDAP DB Task 2: Sep 09 08:03:47.415: LDAP_CLIENT: Received no referrals in search result msg
*LDAP DB Task 2: Sep 09 08:03:47.415: ldapAuthRequest [2] xxx.xxx.xxx.xxx - 389 called lcapi_query base="dc=xxx,dc=xxxxx" type="Person" attr="sAMAccountName" user="user2" (rc = 0 - Success)
*LDAP DB Task 2: Sep 09 08:03:47.415: Attempting user bind with username CN=xxxxxx xxx,OU=Students,DC=xxx,DC=xxxxx
*LDAP DB Task 2: Sep 09 08:03:47.417: LDAP ATTR> dn = CN=xxxxxx xxx,OU=Students,DC=xxx,DC=xxxxx (size 41)
*LDAP DB Task 2: Sep 09 08:03:47.417: Handling LDAP response Success
*LDAP DB Task 2: Sep 09 08:03:47.417: Authenticated bind : Closing the binded session

*LDAP DB Task 2: Sep 09 08:03:47.417: ldapClose [2] called lcapi_close (rc = 0 - Success)
*LDAP DB Task 2: Sep 09 08:03:47.417: LDAP server 2 changed state to IDLE

 

This is the WLAN config:

WLAN Identifier.................................. 2
Profile Name..................................... AHSstudent
Network Name (SSID).............................. AHSstudent
Status........................................... Enabled
MAC Filtering.................................... Disabled
Broadcast SSID................................... Enabled
AAA Policy Override.............................. Disabled
Network Admission Control
Client Profiling Status
Radius Profiling ............................ Disabled
DHCP ....................................... Disabled
HTTP ....................................... Disabled
Local Profiling ............................. Disabled
DHCP ....................................... Disabled
HTTP ....................................... Disabled
Radius-NAC State............................... Disabled
SNMP-NAC State................................. Disabled
Quarantine VLAN................................ 0
Maximum Clients Allowed.......................... Unlimited
Maximum number of Clients per AP Radio........... 200

--More-- or (q)uit
ATF Policy....................................... 0
Number of Active Clients......................... 1264
Exclusionlist Timeout............................ 60 seconds
Session Timeout.................................. 86400 seconds
User Idle Timeout................................ 28800 seconds
Sleep Client..................................... disable
Sleep Client Timeout............................. 720 minutes
User Idle Threshold.............................. 0 Bytes
NAS-identifier................................... none
CHD per WLAN..................................... Enabled
Webauth DHCP exclusion........................... Disabled
Interface........................................ 511-guest
Multicast Interface.............................. Not Configured
WLAN IPv4 ACL.................................... unconfigured
WLAN IPv6 ACL.................................... unconfigured
WLAN Layer2 ACL.................................. unconfigured
WLAN URL ACL..................................... unconfigured
mDNS Status...................................... Enabled
mDNS Profile Name................................ unconfigured
DHCP Server...................................... Default
DHCP Address Assignment Required................. Disabled
Static IP client tunneling....................... Disabled
Tunnel Profile................................... Unconfigured

--More-- or (q)uit
PMIPv6 Mobility Type............................. none
PMIPv6 MAG Profile........................... Unconfigured
PMIPv6 Default Realm......................... Unconfigured
PMIPv6 NAI Type.............................. Hexadecimal
PMIPv6 MAG location.......................... WLC
Quality of Service............................... Silver
Per-SSID Rate Limits............................. Upstream Downstream
Average Data Rate................................ 0 0
Average Realtime Data Rate....................... 0 0
Burst Data Rate.................................. 0 0
Burst Realtime Data Rate......................... 0 0
Per-Client Rate Limits........................... Upstream Downstream
Average Data Rate................................ 0 0
Average Realtime Data Rate....................... 0 0
Burst Data Rate.................................. 0 0
Burst Realtime Data Rate......................... 0 0
Scan Defer Priority.............................. 4,5,6
Scan Defer Time.................................. 100 milliseconds
WMM.............................................. Allowed
WMM UAPSD Compliant Client Support............... Disabled
Media Stream Multicast-direct.................... Disabled
CCX - AironetIe Support.......................... Disabled
CCX - Gratuitous ProbeResponse (GPR)............. Disabled

--More-- or (q)uit
CCX - Diagnostics Channel Capability............. Disabled
Dot11-Phone Mode (7920).......................... Disabled
Wired Protocol................................... 802.1P (Tag=0)
Passive Client Feature........................... Disabled
Peer-to-Peer Blocking Action..................... Disabled
Radio Policy..................................... All
DTIM period for 802.11a radio.................... 1
DTIM period for 802.11b radio.................... 1
Radius Servers
Authentication................................ Global Servers
Accounting.................................... Global Servers
Interim Update............................. Enabled
Interim Update Interval.................... 0
Framed IPv6 Acct AVP ...................... Prefix
Dynamic Interface............................. Disabled
Dynamic Interface Priority.................... wlan
Local EAP Authentication......................... Disabled
Radius NAI-Realm................................. Disabled
Mu-Mimo.......................................... Enabled
Security

802.11 Authentication:........................ Open System
FT Support.................................... Disabled

--More-- or (q)uit
Static WEP Keys............................... Disabled
802.1X........................................ Disabled
Wi-Fi Protected Access (WPA/WPA2)............. Disabled
Wi-Fi Direct policy configured................ Disabled
EAP-Passthrough............................... Disabled
CKIP ......................................... Disabled
Web Based Authentication...................... Enabled
Web Authentication Timeout.................... 300
IPv4 ACL........................................ Unconfigured
IPv6 ACL........................................ Unconfigured
Web-Auth Flex ACL............................... Unconfigured
Web Authentication server precedence:
1............................................... ldap
2............................................... local
3............................................... radius
Web-Passthrough............................... Disabled
Mac-auth-server............................... 0.0.0.0
Web-portal-server............................. 0.0.0.0
Conditional Web Redirect...................... Disabled
Splash-Page Web Redirect...................... Disabled
Auto Anchor................................... Enabled
FlexConnect Local Switching................... Disabled
FlexConnect Central Association............... Disabled

--More-- or (q)uit
flexconnect Central Dhcp Flag................. Disabled
flexconnect nat-pat Flag...................... Disabled
flexconnect Dns Override Flag................. Disabled
flexconnect PPPoE pass-through................ Disabled
flexconnect local-switching IP-source-guar.... Disabled
FlexConnect Vlan based Central Switching ..... Disabled
FlexConnect Local Authentication.............. Disabled
FlexConnect Learn IP Address.................. Enabled
Client MFP.................................... Optional but inactive (WPA2 not configured)
PMF........................................... Disabled
PMF Association Comeback Time................. 1
PMF SA Query RetryTimeout..................... 200
Tkip MIC Countermeasure Hold-down Timer....... 60
Eap-params.................................... Not Applicable
AVC Visibilty.................................... Disabled
AVC Profile Name................................. None
Flow Monitor Name................................ None
Split Tunnel Configuration
Split Tunnel................................. Disabled
Call Snooping.................................... Disabled
Roamed Call Re-Anchor Policy..................... Disabled
SIP CAC Fail Send-486-Busy Policy................ Enabled
SIP CAC Fail Send Dis-Association Policy......... Disabled

--More-- or (q)uit
KTS based CAC Policy............................. Disabled
Assisted Roaming Prediction Optimization......... Disabled
802.11k Neighbor List............................ Disabled
802.11k Neighbor List Dual Band.................. Disabled
802.11v Directed Multicast Service............... Disabled
802.11v BSS Max Idle Service..................... Enabled
802.11v BSS Transition Service................... Disabled
802.11v BSS Transition Disassoc Imminent......... Disabled
802.11v BSS Transition Disassoc Timer............ 200
802.11v BSS Transition OpRoam Disassoc Timer..... 40
DMS DB is empty
Band Select...................................... Disabled
Load Balancing................................... Disabled
Multicast Buffer................................. Disabled
Universal Ap Admin............................... Disabled
Broadcast Tagging................................ Disabled

Mobility Anchor List
WLAN ID IP Address Status Priority
------- --------------- ------ --------
2 xxx.xxx.xxx.xxx Up 0
2 xxx.xxx.xxx.xxx Up 3


--More-- or (q)uit
802.11u........................................ Disabled

MSAP Services.................................. Disabled

Local Policy
----------------
Priority Policy Name
-------- ---------------

Lync State ...................................... Disabled
Audio QoS Policy................................. Silver
Video QoS Policy................................. Silver
App-Share QoS Policy............................. Silver
File Transfer QoS Policy......................... Silver
QoS Fastlane Status.............................. Disable
Selective Reanchoring Status..................... Disable

 

It seems like this is just an issue with Chromebooks. I haven't heard of anyone having issues authenticating using Windows or Apple devices. Can anyone suggest anything that I can look at to figure out what is happening?

 

Thanks.
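
An added example, not part of the original post or of any Cisco tooling: a small parser that groups `debug aaa ldap` output of the kind quoted above into one record per LDAP request, so failed binds can be tallied per client and compared against successful ones. The sample capture is constructed; treating the `proxyState` value as the client MAC, and pairing it with the next LDAP request in queue order, are assumptions.

```python
import re
from collections import Counter, deque
# Constructed sample in the post's debug format (made-up MACs, users, DNs; lines omitted).
SAMPLE = """\
*aaaQueueReader: Sep 09 08:03:45.428: proxyState...................................02:00:00:00:00:01-00:00
*LDAP DB Task 1: Sep 09 08:03:45.429: ldapTask [1] received msg 'REQUEST' (2) in state 'IDLE' (1)
*LDAP DB Task 1: Sep 09 08:03:45.431: LDAP_CLIENT: UID Search (base=dc=example,dc=test, pattern=(&(objectclass=Person)(sAMAccountName=user1)))
*LDAP DB Task 1: Sep 09 08:03:45.432: Attempting user bind with username CN=User One,OU=Students,DC=example,DC=test
*LDAP DB Task 1: Sep 09 08:03:45.433: Handling LDAP response Authentication Failed
*LDAP DB Task 1: Sep 09 08:03:45.434: LDAP server 1 changed state to IDLE
*aaaQueueReader: Sep 09 08:03:47.410: proxyState...................................02:00:00:00:00:02-00:00
*LDAP DB Task 2: Sep 09 08:03:47.410: ldapTask [2] received msg 'REQUEST' (2) in state 'IDLE' (1)
*LDAP DB Task 2: Sep 09 08:03:47.414: LDAP_CLIENT: UID Search (base=dc=example,dc=test, pattern=(&(objectclass=Person)(sAMAccountName=user2)))
*LDAP DB Task 2: Sep 09 08:03:47.415: Attempting user bind with username CN=User Two,OU=Students,DC=example,DC=test
*LDAP DB Task 2: Sep 09 08:03:47.417: LDAP ATTR> dn = CN=User Two,OU=Students,DC=example,DC=test (size 42)
*LDAP DB Task 2: Sep 09 08:03:47.417: Handling LDAP response Success
*LDAP DB Task 2: Sep 09 08:03:47.417: LDAP server 2 changed state to IDLE
"""

LINE = re.compile(r"^\*(?P<src>[^:]+): \w{3} \d{2} [\d:.]+: (?P<msg>.*)$")
MAC = re.compile(r"proxyState\.+((?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})")
FIELDS = {  # record field -> pattern capturing it from a debug message
    "user": re.compile(r"sAMAccountName=([^)]+)\)"),
    "bind_dn": re.compile(r"Attempting user bind with username (.+)$"),
    "attr_dn": re.compile(r"LDAP ATTR> dn = (.+?) \(size \d+\)"),
    "result": re.compile(r"Handling LDAP response (.+)$"),
}

def parse_transactions(text):
    """Return one record per LDAP request, grouped by LDAP DB task."""
    pending, open_txn, done = deque(), {}, []
    for raw in text.splitlines():
        if not (m := LINE.match(raw.strip())):
            continue  # blank lines and pager prompts
        src, msg = m["src"], m["msg"]
        if mac := MAC.match(msg):  # assumption: tasks pick requests up in queue order
            pending.append(mac[1].lower())
        elif "received msg 'REQUEST'" in msg:
            open_txn[src] = {"task": src, "mac": pending.popleft() if pending else None}
        elif src in open_txn:
            for name, rx in FIELDS.items():
                if hit := rx.search(msg):
                    open_txn[src][name] = hit[1]
            if msg.endswith("changed state to IDLE"):  # request finished
                done.append(open_txn.pop(src))
    return done

def failed_clients(txns):  # count non-Success results per client MAC
    return Counter(t["mac"] for t in txns if t.get("result") != "Success")
```

Running `failed_clients(parse_transactions(capture))` over a longer capture shows whether the failures cluster on a few MAC addresses or accounts, and each record keeps the bind DN that was attempted for comparison with the directory.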

 

1 Reply

pieterh
VIP

If it is not the wireless environment...

Chrome OS upgrades happen automatically and quietly, with no annoying delays or notifications.
