Wireless Access

I've got several users who are unable to log into our 802.1x network using their Chromebooks.  These same users can login using Windows and Mac computers and even Android phones, but when they enter their credentials on their Chromebooks they receive the error "username/password incorrect or eap-auth failed."

But as far as I can tell from the logs, the authorization has gone through perfectly.  There is no audit failure on my AD server.  The log on my Aruba controller has no red flags (I've attached an anonymized extract from the log below). Does anyone have any ideas what could be going on?

No attachment...

[Correction: This log was for a successful connection by the same user on a different device; I mixed up the MAC addresses.  See below.]

Sorry about the lack of attachment yesterday.  It showed as having uploaded before I posted.  Hopefully it will work this time.

As I mentioned, the Aruba Logs show successful authentication, association, and assignment to the correct VLAN based on server rules.  I will have to check the NPS logs for audit successes; I know there were no audit failure entries.

Attachment(s)

Log-Anonymized.txt   1 KB 1 version

Use the command here right after the failur:  https://community.arubanetworks.com/t5/Command-of-the-Day/COTD-Show-AP-Client-Trail-Info/idi-p/194039 to see if you obtain more information.

I have to correct something: the log I posted above actually is for another device owned by the same user.  I mixed up the MAC addresses.

The device that isn't working does not show up in the process log on the controller at all.  Nor does any audit success or failure show up on the NPS server.  Finally, show ap client trail-info [device MAC address] shows nothing for the times when I was attempting 802.1x authentication on the device.  The only entries in trail-info for connections to a separate WAP2-PSK network I've set up to give the user temporary access while I sort this problem out (and are timestamped before and after my unsuccessful attempts).  It's like the controller's not seeing any connection attempt at all.

The controller does not have much room for historical info.  Please collect the logs and the output right after you experience the issue.

Please be aware that the use of EAP-PEAP-MSCHAPv2 (username/password) is strongly deprecated as the underlying MSCHAPv2 has been broken and should not be used anymore.

If you don't have 100% control over your client configuration (validate server certificate), you should consider the user credentials relatively easy compromised.

As mentioned the logs are missing. Do you see a successful authentication on your RADIUS server (AD NPS/IAS???) but the client mentions a failure?