08-23-2019 06:30 AM
On our HiveManager NG on prem, PPSK authentication stopped working for some clients.
We cannot pinpoint the issue; what we see on the APs is that the password of the users gets rejected. Even when we create new users on the HiveManager, these get rejected too. (We have 2 SSIDs using PPSK, and it is the same with both, regardless of the user group: one has four different groups with different expiration dates, the other just one.)
The whole setup was working until Wednesday evening. It is still working for most people, and all other auth methods work fine, but even a restart of the APs and the HiveManager didn't solve the problem.
The currently elected RADIUS Proxy APs reject the authentication, and the user cannot connect her/his mobile device. On the AP it looks like a "wrong password", as if the RADIUS Proxies do not check with the HiveManager at all for the correct/current user list.
Funny thing: I had a working login for one of the networks on my device. It was supposed to be able to auth 10 devices in this network. I let a co-worker try to auth with my key, it didn't work. Afterwards, I wasn't able to log in with this key either.
We created a new one for him; he was able to log in with his MacBook with it, but not with his mobile phone.
09-10-2019 01:35 PM
Just to give closure for those who might have been following this thread:
We created new SSIDs, and added the same user groups to those. Clients were able to log into those with their old passwords, although the SSIDs had the exact same settings as the old ones.
Aerohive were still looking into this problem; it could be a fluke with our on-premises HiveManager, but so far we are happy we have a working setup now with minimal hassle (one reconnect) for the users.
08-23-2019 01:53 PM
Perfect, thank you. Those look like they're operating normally, which is good news. I'd like to take a look at the logs for when a device fails to connect; hopefully we can get more details than just a password fail. To do this, could you please SSH into the AP you're going to attempt to connect to, enable auth debugs, replicate the issue, note the MAC address of the client used to replicate the issue, and pull tech data from the AP? If you can send the tech data and the client MAC address to me at communityhelp@aerohive.com, I can let you know what we find in the logs.
This guide reviews how to enable auth debugs: https://thehivecommunity.aerohive.com/s/article/Authentication-Auth-Debugs
08-23-2019 01:47 PM
Hi Sam,
Here's the output from both of the RadSec Proxies in one of the affected Hives:
AH-595340#show idm
IDM client: Enabled Per SSID
IDM Proxy IP: 172.20.16.245
IDM proxy: Enabled
IDM server: <correct HiveManager hostname>
IDM server IP: <HiveManager IP>
RUN state: Connected securely to the IDM server
IDM transport mode: TCP
Server destination Port: 2083
RadSec Certificate state: Valid
RadSec Certificate Issued: 2019-05-17 20:31:33 GMT
RadSec Certificate Expires: 2020-05-16 20:31:33 GMT
AH-581740#show idm
IDM client: Enabled Per SSID
IDM Proxy IP: 172.20.16.245
IDM proxy: Enabled
IDM server: <correct HiveManager hostname>
IDM server IP: <HiveManager IP>
RUN state: Connected securely to the IDM server
IDM transport mode: TCP
Server destination Port: 2083
RadSec Certificate state: Valid
RadSec Certificate Issued: 2019-08-22 22:04:47 GMT
RadSec Certificate Expires: 2020-08-21 22:04:47 GMT
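An added check (not code from the thread, from Aerohive, or from HiveManager) that parses `show idm` output in the format posted above and flags the states the support reply is looking for: a proxy that is not securely connected to the IDM server and a RadSec certificate that is invalid, expired, not yet valid (AP clock), or close to expiry. The sample text is constructed from the first AP's output; field names are taken from the thread and the 30-day warning threshold is an assumption.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample modelled on the output posted above; the hostname
# and IP placeholders are kept exactly as the poster redacted them.
SAMPLE_SHOW_IDM = """\
AH-595340#show idm
IDM client: Enabled Per SSID
IDM Proxy IP: 172.20.16.245
IDM proxy: Enabled
IDM server: <correct HiveManager hostname>
IDM server IP: <HiveManager IP>
RUN state: Connected securely to the IDM server
IDM transport mode: TCP
Server destination Port: 2083
RadSec Certificate state: Valid
RadSec Certificate Issued: 2019-05-17 20:31:33 GMT
RadSec Certificate Expires: 2020-05-16 20:31:33 GMT
"""

def parse_show_idm(text):
    """Map each 'Field: value' line to a dict; the prompt line is skipped."""
    fields = {}
    for line in text.splitlines():
        if "#show idm" in line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        fields[key.strip()] = value.strip()
    return fields

def parse_gmt(value):
    """Parse the 'YYYY-MM-DD HH:MM:SS GMT' stamps the AP prints as aware UTC."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S GMT").replace(tzinfo=timezone.utc)

def check_idm(fields, now_gmt, warn_days=30):
    """Return findings (empty list = healthy); now_gmt uses the AP's own GMT format."""
    now = parse_gmt(now_gmt)
    findings = []
    if not fields.get("RUN state", "").startswith("Connected securely"):
        findings.append("not securely connected: " + fields.get("RUN state", "<missing>"))
    if fields.get("RadSec Certificate state") != "Valid":
        findings.append("RadSec certificate state: " + fields.get("RadSec Certificate state", "<missing>"))
    issued = parse_gmt(fields["RadSec Certificate Issued"])
    expires = parse_gmt(fields["RadSec Certificate Expires"])
    if now < issued:
        findings.append("RadSec certificate not yet valid (check AP clock)")
    if now >= expires:
        findings.append("RadSec certificate expired " + expires.date().isoformat())
    elif expires - now < timedelta(days=warn_days):
        findings.append("RadSec certificate expires within %d days" % warn_days)
    return findings
```

Run `check_idm(parse_show_idm(output), "<current time in GMT>")` against each proxy AP's pasted output; an empty list means the proxy looks healthy, which is the state both APs above were in at the time of the thread.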
08-23-2019 01:35 PM
If you SSH into the AP(s) acting as the Proxy and run the command "show IDM", could you share the output with me? I want to make sure the proxy AP is still functioning correctly.