Wednesday, September 9, 2020

radius w/ aruba not working mschapv2

Hey friends,

I am running into an issue on an Aruba 2930F while trying to configure it to allow authentication via Windows NPS. If I configure it to use radius, I can get it working but I have to use PAP, which I am trying to avoid. When I do PEAP-MSChapv2, however, the NPS server sends back an access challenge and then the switch just fails the connection.

On the NPS side of things, the one thing I don't have is a Vendor attribute, but I am, perhaps erroneously, operating on the idea that since it works with straight radius+pap, that's not where the problem is.

Switch configuration

    aaa server-group radius "NPS" host [RADIUS_SERVER_IP]
    aaa authorization user-role enable
    aaa authentication ssh login peap-mschapv2 server-group "NPS" local

radius debug from the switch

    0019:10:17:43.41 LOGA mSshAlrm:user_login_lookup: name='REDACTED' addr=10.212.134.9 priv=noauth status=SUCCESS
    0019:10:17:43.41 RAD mRadiusCtrl:Received RADIUS MSG: DATA, session: 81.
    0019:10:17:43.41 RAD mRadiusCtrl:Received RADIUS MSG: DATA, session: 81.
    0019:10:17:43.41 RAD mRadiusCtrl:ACCESS REQUEST id: 95 to [RADIUS_SERVER_IP] session: 81, access method: SSH, User-Name: REDACTED, Calling-Station-Id: 10.212.134.9, NAS-IP-Address: 192.168.100.26.
    0019:10:17:43.52 RAD tRadiusR:ACCESS CHALLENGE id: 95 from [RADIUS_SERVER_IP] received.
    0019:10:17:43.52 SSL tRadiusR:1704096
    0019:10:17:43.52 SSL tRadiusR:
    0019:10:17:43.52 RAD tRadiusR:ACCESS REQUEST id: 96 to [RADIUS_SERVER_IP] session: 81, access method: SSH, User-Name: REDACTED, Calling-Station-Id: 10.212.134.9, NAS-IP-Address: 192.168.100.26.
    0019:10:17:43.55 RAD tRadiusR:ACCESS CHALLENGE id: 96 from 10.0.100.240 received.
    0019:10:17:43.55 RAD tRadiusR:ACCESS REQUEST id: 97 to [RADIUS_SERVER_IP] session: 81, access method: SSH, User-Name: REDACTED, Calling-Station-Id: 10.212.134.9, NAS-IP-Address: 192.168.1.5.
    0019:10:17:43.57 RAD tRadiusR:ACCESS CHALLENGE id: 97 from [RADIUS_SERVER_IP] received.
    0019:10:17:43.57 SSL tRadiusR:0
    0019:10:17:43.57 SSL tRadiusR:
    0019:10:17:43.57 SSL tRadiusR:0
    0019:10:17:43.57 SSL tRadiusR:
    0019:10:17:43.57 SSL tRadiusR:handleClientHandshakeMessages() returns status =
    0019:10:17:43.57 SSL tRadiusR:-7606
    0019:10:17:43.57 SSL tRadiusR:
    0019:10:17:43.57 LOGA tRadiusR:user_login_lookup: name='REDACTED' addr=10.212.134.9 priv=none status=FAILURE
    0019:10:17:43.57 RAD tRadiusR:Removing RADIUS REQUEST id: 97 from queue.
    0019:10:17:43.57 SSL tRadiusR:SSL_closeConnection() from AppType:
    0019:10:17:43.57 SSL tRadiusR:0

thanks in advance
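
A small triage script for the debug output above, added here as an example and not part of the original post: it counts the Access-Challenge rounds, picks up the status the switch logs for handleClientHandshakeMessages(), and reports whether the attempt ended inside the switch's TLS handshake or only after a final server answer. The function name `triage`, the result keys, and the reading of a negative status as a handshake error are assumptions.

```python
import re

# Constructed sample: trimmed entries from the debug output above, one per line.
SAMPLE = """\
0019:10:17:43.41 RAD mRadiusCtrl:ACCESS REQUEST id: 95 to [RADIUS_SERVER_IP] session: 81, access method: SSH
0019:10:17:43.52 RAD tRadiusR:ACCESS CHALLENGE id: 95 from [RADIUS_SERVER_IP] received.
0019:10:17:43.52 RAD tRadiusR:ACCESS REQUEST id: 96 to [RADIUS_SERVER_IP] session: 81, access method: SSH
0019:10:17:43.55 RAD tRadiusR:ACCESS CHALLENGE id: 96 from [RADIUS_SERVER_IP] received.
0019:10:17:43.55 RAD tRadiusR:ACCESS REQUEST id: 97 to [RADIUS_SERVER_IP] session: 81, access method: SSH
0019:10:17:43.57 RAD tRadiusR:ACCESS CHALLENGE id: 97 from [RADIUS_SERVER_IP] received.
0019:10:17:43.57 SSL tRadiusR:handleClientHandshakeMessages() returns status =
0019:10:17:43.57 SSL tRadiusR:-7606
0019:10:17:43.57 SSL tRadiusR:
0019:10:17:43.57 LOGA tRadiusR:user_login_lookup: name='REDACTED' addr=10.212.134.9 priv=none status=FAILURE
0019:10:17:43.57 RAD tRadiusR:Removing RADIUS REQUEST id: 97 from queue.
"""

ENTRY = re.compile(r"^\S+ (LOGA|RAD|SSL) \w+:(.*)$")
RAD_MSG = re.compile(r"ACCESS (\w+) id: (\d+)")

def triage(log_text):
    """Summarise one login attempt and say which side ended it."""
    challenges, last_rad, tls_status, login, want_status = 0, None, None, None, False
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        facility, msg = m.group(1), m.group(2).strip()
        if facility == "SSL":
            # The status value is logged as its own entry after the label.
            if want_status and re.fullmatch(r"-?\d+", msg):
                tls_status, want_status = int(msg), False
            elif msg.endswith("returns status ="):
                want_status = True
        elif facility == "RAD" and (r := RAD_MSG.search(msg)):
            last_rad = r.group(1)
            challenges += last_rad == "CHALLENGE"
        elif facility == "LOGA" and "status=" in msg:
            login = msg.rsplit("status=", 1)[1]
    # Assumption: a negative handshake status means the switch's TLS client gave up.
    stage = "none"
    if tls_status is not None and tls_status < 0 and last_rad == "CHALLENGE":
        stage = "switch_tls_handshake"   # failed before any final server verdict
    elif login == "FAILURE":
        stage = "server_verdict_or_other"
    return {"challenges": challenges, "last_radius": last_rad,
            "tls_status": tls_status, "login": login, "failed_at": stage}
```

On the sample, `triage(SAMPLE)` reports three challenge rounds, a handshake status of -7606 and `failed_at` set to `switch_tls_handshake`, meaning the attempt ended on the switch before any final answer from the server was logged.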


