Aruba Wireless 802.1x losing username.

Aaron Street
So we have a bunch of Aruba 215 access points running with a virtual controller.

I have set up a RADIUS server, and from the CLI I can successfully authenticate:

aaa test-server ISE-01 username aaron.street@park-now.com password <password> auth-type pap
Radius server ISE-01 test successfully

On the RADIUS "ISE" server I see:

Event	5200 Authentication succeeded
Username	aaron.street@park-now.com
Endpoint Id	A8:BD:27:CF:3B:8E 
Endpoint Profile	HP-Device
Authentication Policy	Default >> Default
Authorization Policy	Default >> Basic_Authenticated_Access

However, when I assign this RADIUS server to an SSID and try to authenticate a client, it gets:

Event	5400 Authentication failed
Username	USERNAME
Endpoint Id	A4:50:46:1F:13:33 
Endpoint Profile	
Authentication Policy	Wireless_POC >> Default
Authorization Policy	Wireless_POC

Where did the username go? This same setup on ISE works fine with the Meraki wireless, but Aruba is having issues.

Has anyone else had issues trying to run PEAP and EAP-TLS on Aruba wireless over 802.1x?

Distinguished Expert 2017

Commented:
Please clarify your question: do you mean your issue is the realm not being included?

Does your Aruba setup go beyond authorizing based on the MAC address of the device connecting? Does it prompt you for credentials?

Check to confirm if the endpoint Id is the MAC address of the wireless connection on the device it tried to authorize on the Aruba.
Technical Infrastructure Architecture and Global Network Manager
Commented:
The issue was an ISE / Aruba mismatch: Aruba does not send a "Normalized Radius SSID", which is what the policy on ISE is using to match incoming requests. The policy also authenticates the other wireless vendor network we have set up.

Because it was not matching a policy, it was not getting authenticated, and because it was not getting authenticated, it is dropped before the EAP packet is encapsulated and it can pull out the username.

Adding an OR statement to the policy so it says

IF ("Normalized Radius SSID = X" or "Aruba-ESSID Name = X") then match this policy, then the authentication is carried out correctly.
