Aruba Wireless 802.1x losing username.

Aaron Street
Aaron Street used Ask the Experts™
So we have a bunch of Aruba 215 access points running with a virtual controller.

I have set up a radius server and from the CLI i can successfully authenticate

aaa test-server ISE-01 username password <password> auth-type pap
Radius server ISE-01 test successfully

on the Radius "ISE" server i see

Event	5200 Authentication succeeded
Endpoint Id	A8:BD:27:CF:3B:8E 
Endpoint Profile	HP-Device
Authentication Policy	Default >> Default
Authorization Policy	Default >> Basic_Authenticated_Access

Open in new window

However when i assign these radius server to a SSID and try to authenticate a client it gets

Event	5400 Authentication failed
Endpoint Id	A4:50:46:1F:13:33 
Endpoint Profile	
Authentication Policy	Wireless_POC >> Default
Authorization Policy	Wireless_POC

Open in new window

where did the USername go? This same set up on ISE works fine with the Meraki wireless but Aruba is having issues.

HAs any one else has issues trying to run PEAP and EAP-TLS on Aruba wireless over 802.1x
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Distinguished Expert 2017

Please clarify your question, do you mean your issue is the realm not being included?

Does your Aruba setup go beyond authorizing based on MAC address of the device connecting? Does it promot your for credentials?

Check to confirm if the endpoint Id is the MAC address of the wireless connection on the device it tried to authorize on the Aruba.
Technical Infrastructure Architecture and Global Network Manager
Issue was ISE / Aruba missmatch, ARuba does not send a "normalized Radius SSID" which is what the policy on ISE is using to match incoming requests. The police also authenticate other Wireless vendor network we have set up"  

Because it was not matching a policy it was not getting authenticate and because not getting authenticate it is dropped before the EAP packet is encapsulated and it can pull out the User name.

Adding in to the policy an or statement so it says

IF ("Normalized Radius SSID = X" or "Aruba-ESSID Name = X") then match this policy,  then the authentication is carried out correctly.

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial