I can see we have different issues; that gentleman has a different issue, I guess. Let me explain in detail: I'm doing only simple authentication, as follows:
1- I have added all devices by using an IP range with subnet mask, using TACACS and RADIUS. I couldn't add particular WLC IP addresses with RADIUS only, because ACS doesn't accept overlapping.
2- I configured one user and selected the simple Network Access Authorization profile "Permit all".
3- I configured Access Service Radius.
I got this error, and I didn't understand what the root cause is.
Well, that is the problem: you need to replace Aruba with Cisco :)
Can you click on the magnifying glass under the details column and post the screen shot from the new window with all of the details on the failure?
I was joking about that :)
A couple more questions:
1. Can you post a screen shot of the "Service Selection Rules"
2. Post screen shot of the "Identity" under "Wireless-Users"
3. Confirm that the wireless users are not hitting the "Device-Admin" rule that you have listed above
4. If you can post all of the details of the failed authentication. You are getting "access-reject" for some reason so you are not hitting the rule that you are trying to hit.
Dear Neno :) Thanks for your support.
You are absolutely right, I'm not hitting the access rule, even though I configured it to match the wireless user group. I notice the device admins are not hitting the rule, but since I enabled RADIUS for device management as well, I can see many logs from them as failed, also as RADIUS.
It is probably a good idea to keep Device Management under TACACS+ and wireless access under Radius. From the "acs-access-service01.jpg" screenshot we can see that your wireless rule is getting zero hits, which again indicates that your wireless clients are hitting the default rule, which is probably "deny access". The ACS rules look OK from the screenshots, so the issue could be on the wireless side.
1. Provide better/full capture from "acs-issue1_0.jpg" ? I need to see all steps and details
2. Confirm the wireless settings. More specifically that Radius/802.1x is configured
The customer has sent me this from the Aruba configuration:
aaa authentication dot1x "dot1xProfile"
   termination eap-type eap-peap
   termination inner-eap-type eap-mschapv2
aaa authentication-server radius "SERVER"
aaa server-group "RADIUS-GROUP"
aaa profile "KSAU-JED-AAA-Profile"
wlan virtual-ap "SSID-NAME"
   vlan <VLAN ID>
Everything looks good (with my limited knowledge of Aruba). Unfortunately, I won't be much help here without getting my hands on the network :(
Perhaps someone else can come and chime in.
FYI, I have solved the issue today. Basically, the issue was that Cisco ACS doesn't have the Aruba controllers dictionary by default. For a vendor-specific dictionary, you need to download it from the vendor site and write down the values in the ACS dictionary fields.
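As an added illustration (not code from this thread, Cisco or Aruba), the sketch below shows what a RADIUS vendor dictionary does: it maps the vendor ID and sub-attribute number carried in a Vendor-Specific attribute (type 26) to a name that policy rules and logs can use. The packet bytes, the role value "employee" and the function names are constructed for the example; 14823 is Aruba's IANA enterprise number.

```python
import struct

VENDOR_SPECIFIC = 26  # RADIUS attribute type for VSAs (RFC 2865, section 5.26)

# Dictionary as an AAA server would hold it: (vendor_id, vendor_type) -> name.
# The Aruba-User-Role entry stands for a value copied in by hand from the
# vendor's published dictionary; BUILTIN models a server shipped without it.
BUILTIN = {(9, 1): "Cisco-AVPair"}
WITH_ARUBA = {**BUILTIN, (14823, 1): "Aruba-User-Role"}

def parse_attributes(data):
    """Split a run of type/length/value attributes into (type, value) pairs."""
    attrs, i = [], 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated attribute header")
        a_type, a_len = data[i], data[i + 1]
        if a_len < 2 or i + a_len > len(data):
            raise ValueError("bad attribute length")
        attrs.append((a_type, data[i + 2:i + a_len]))
        i += a_len
    return attrs

def decode_vsas(data, dictionary):
    """Return (name, value) per vendor sub-attribute; unknown ones are flagged."""
    out = []
    for a_type, value in parse_attributes(data):
        if a_type != VENDOR_SPECIFIC:
            continue
        if len(value) < 4:
            raise ValueError("VSA shorter than vendor id")
        (vendor_id,) = struct.unpack("!I", value[:4])
        # Sub-attributes use the same type/length/value layout as the outer ones.
        for v_type, v_val in parse_attributes(value[4:]):
            name = dictionary.get((vendor_id, v_type),
                                  f"unknown-vendor-{vendor_id}-attr-{v_type}")
            out.append((name, v_val.decode("utf-8", "replace")))
    return out

def build_vsa(vendor_id, v_type, text):
    """Encode one string sub-attribute inside a Vendor-Specific attribute."""
    sub = bytes([v_type, 2 + len(text)]) + text.encode()
    return bytes([VENDOR_SPECIFIC, 6 + len(sub)]) + struct.pack("!I", vendor_id) + sub

# Constructed sample: User-Name followed by one Aruba vendor-specific attribute.
SAMPLE = bytes([1, 7]) + b"alice" + build_vsa(14823, 1, "employee")
```

Decoding `SAMPLE` with `BUILTIN` yields only a placeholder name for the Aruba attribute, while `WITH_ARUBA` resolves it, which is the difference the manual dictionary entry makes.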
No problem. Please take a look at: