Private PSK troubleshooting

  • Question
  • Updated 6 months ago
I have lost the ability to create PPSKs in our NG instance with the "Service" account type, not the local "Device" type (those work fine). I have port 2083 open on my pfSense, and all tests from the firewall to NG are green lights. Are there any other methods I can try from the AP? Perhaps a CLI command that would confirm connectivity from the AP to NG. I have cleared users and made new groups, still no joy.

Thanks in advance
Peter Mears
Posted 7 months ago


Jonas Dekkers
Are you 100% sure of port 2083? When we have this problem at our customers, it is always solved by opening RadSec:

 - TCP 2083 (TCP port 2083 needs to be open on outbound firewall policies)

Peter Mears
As I said, green lights from the firewall, but I want it confirmed from the perspective of the AP.
On pfSense there is an option to test a port to an address; I got a pass on this, so that's why I am posting.

Thanks for taking a moment to post.

Gary Smith, Official Rep
Hi Peter,

It's not clear to me what the issue is. "I have lost the ability to create PPSK's in our NG instance". Does this mean that you cannot create PPSK service keys? Is there an error?
Does it mean that PPSK service keys are not usable or that clients can not authenticate?
Are you using self-registration?

I'm afraid I am not clear where the failure is at the moment.

A good place to start with connectivity is with these CLI commands:
show idm
show idm cert
exec aaa idm-test radsec-proxy

Kind Regards,
Gary Smith

Peter Mears
Gary thanks for taking the time to respond.

I have 3 SSIDs, each with PPSK as the authentication method.

I have created user groups assigned to each SSID, for example group "guest" to the "event" SSID. I wanted to have this group of users be created as Service accounts, as in credentials stored in the cloud appliance. This is failing for me. If I create a group using the Device method, as in saved to the AP, it works.

Am I using the wrong technology? Not sure how better to frame the issue.
It's obvious I have a configuration or perhaps a firewall issue; I am asking for tools or pointers so I can effectively troubleshoot the issue.

thanks again.

Peter Mears
I was able to run the commands.

exec aaa idm-test radsec-pro

The Aerohive device establish a TCP session with the ID Manager auth gateway successfully.

From the output, do I correctly assume the "ID Manager auth gateway" is my NG instance?

Gary Smith, Official Rep
Hi Peter,

Yes, your HM will be running the ID Manager function. Can you also give us the outputs of:
show idm
show idm cert

Thanks,
Gary

Peter Mears
Hey Gary, thanks for the reply. Here is the rest of the output.

I didn't see anything that gives me a red flag, or at least not that I am aware of.

I see that the 192.168.1.107 AP is the RadSec proxy.

show idm
IDM client: Enabled Per SSID
IDM Proxy IP: 192.168.1.107
IDM proxy: Disabled
RadSec Certificate state: Valid
RadSec Certificate Issued: 2017-10-23 05:36:21 GMT
RadSec Certificate Expires: 2018-10-23 05:36:21 GMT

show idm cert
RadSec Certificate:
Data:
Version: 3 (0x2)
Serial Number:
d1:61:1a:e8:d9:b0:0d:b1
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, O=Aerohive Networks, Inc., OU=Aerohive Cloud Services, CN=QA ID Manager CA
Validity
Not Before: Oct 23 05:36:21 2017 GMT
Not After : Oct 23 05:36:21 2018 GMT
Subject: C=US, O=Aerohive Networks, Inc., OU=Aerohive Cloud Services, CN=01301707130998
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:d0:e2:2b:0e:bc:7c:38:d8:b6:f8:78:a0:ba:6e:
84:cf:09:32:fd:39:18:78:60:76:4a:e0:ed:6d:72:
43:07:3c:27:84:b0:41:db:84:3f:97:ce:73:b8:c0:
95:7e:9f:52:0d:48:70:a3:90:1a:73:bd:75:fa:95:
2a:cc:e3:6a:6f:56:a0:ba:ce:c1:78:5c:0a:3f:af:
a8:70:05:fc:65:b4:7c:6a:39:62:a9:96:70:95:8c:
a9:01:ab:40:a2:b6:24:eb:47:61:0b:fc:5d:38:93:
67:78:45:26:1b:9a:95:24:ac:ed:14:c2:64:65:0a:
7c:57:40:62:eb:0a:5b:41:7b:61:c4:c2:4f:89:a0:
f4:30:59:92:d3:81:00:09:05:f5:7b:9c:39:c9:f5:
c8:46:a4:3e:a7:7f:d8:69:ac:67:c3:ad:7c:b2:9d:
b3:ae:69:eb:7d:84:3b:98:3c:a9:2f:86:61:50:48:
08:70:19:2d:fa:81:98:6b:9a:75:2e:e7:84:cf:1d:
07:23:c7:1d:0b:c4:8b:a8:04:3a:ef:b5:77:7e:21:
01:1f:04:22:ea:f9:85:49:59:a2:18:ab:cc:cc:b3:
78:7b:bf:fa:04:34:e9:58:f8:28:9f:0b:08:12:3c:
9f:40:ca:e7:b6:f4:3a:fd:3d:5e:8c:e1:28:54:1c:
4b:cb
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
F2:C0:60:34:98:4C:FC:B6:A3:D1:A6:36:7C:35:A6:28:B4:EF:32:6C
X509v3 Authority Key Identifier:
keyid:6D:CF:7E:EB:FE:B0:AC:8E:09:50:E9:58:B8:18:22:A9:18:56:75:CE
DirName:/C=US/O=Aerohive Networks, Inc./OU=Engineering/CN=Aerohive Root Certificate
serial:05

X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Extended Key Usage: critical
TLS Web Client Authentication
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
1.3.6.1.4.1.26928.42.1:
..VHM-SWAMPBQV
1.3.6.1.4.1.26928.42.2:
..01301707130998
Signature Algorithm: sha1WithRSAEncryption
52:aa:41:8f:32:87:14:11:c0:ed:b2:dc:4e:e9:2d:65:a6:f4:
bd:be:25:1a:08:31:bd:6a:11:2b:ff:f8:6f:16:e6:81:80:1a:
96:87:21:8d:b8:15:26:68:5e:7d:50:95:b3:88:a7:17:12:f8:
f4:a0:46:c1:e5:38:77:4c:ab:16:37:27:0c:a1:05:f1:02:ee:
39:61:07:7a:59:0b:52:3c:ca:09:ec:ba:bc:66:2a:f0:f3:3c:
82:a1:79:66:d5:b3:f6:d4:0d:e2:b1:6b:85:33:cd:bd:72:33:
f2:6a:41:3d:2a:0a:46:65:82:63:e5:00:74:bd:e9:90:0c:9a:
2e:82:58:ed:b1:13:32:fe:b3:14:df:af:e2:22:2e:02:eb:77:
5b:4d:60:06:7f:a9:24:6d:70:0b:67:2b:b6:f4:a8:d3:11:90:
bb:2c:6c:70:35:03:fc:70:62:ab:86:5d:0e:79:97:57:89:25:
b6:f6:bb:cc:55:1b:2f:f7:14:b3:e0:26:2b:b9:07:d9:20:ca:
01:67:df:fe:d8:a3:16:17:99:23:2e:46:4b:88:7e:85:ed:5c:
28:29:c3:cc:eb:9b:59:81:eb:85:79:0f:dd:cc:52:34:7c:36:
00:a3:bc:25:f5:47:3c:b7:3d:88:12:a3:ac:d7:08:ae:9d:f3:

Gary Smith, Official Rep
And the time is correct on the AP? "show clock"

Peter Mears
show clock
      2017-11-13  07:26:16    Monday

I am in Tokyo Japan
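Reading the three outputs above together (the RadSec client certificate from show idm cert, the summary from show idm and the AP clock from show clock) covers the checks this part of the thread is walking through: is the AP clock inside the certificate's validity window, how much lifetime is left, does the certificate carry the TLS Web Client Authentication EKU the AP needs to authenticate itself to the ID Manager gateway, and is it signed with SHA-1. The script below is an added example written for this page, not Aerohive tooling and not code from anyone in the thread. The sample text is copied (abridged) from the posts above; the one assumption, marked in the code, is that show clock is displayed in GMT like the certificate times, with an utc_offset_hours parameter for when it is not. A timezone mistake of a few hours only matters near the edges of the validity window.

```python
from datetime import datetime, timedelta

# Sample inputs: the CLI outputs quoted earlier in this thread, abridged
# (public key and signature bytes are not needed for these checks).
SHOW_IDM = """\
IDM client: Enabled Per SSID
IDM Proxy IP: 192.168.1.107
IDM proxy: Disabled
RadSec Certificate state: Valid
RadSec Certificate Issued: 2017-10-23 05:36:21 GMT
RadSec Certificate Expires: 2018-10-23 05:36:21 GMT
"""

SHOW_IDM_CERT = """\
RadSec Certificate:
Data:
Version: 3 (0x2)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, O=Aerohive Networks, Inc., OU=Aerohive Cloud Services, CN=QA ID Manager CA
Validity
Not Before: Oct 23 05:36:21 2017 GMT
Not After : Oct 23 05:36:21 2018 GMT
Subject: C=US, O=Aerohive Networks, Inc., OU=Aerohive Cloud Services, CN=01301707130998
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Extended Key Usage: critical
TLS Web Client Authentication
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
"""

SHOW_CLOCK = "      2017-11-13  07:26:16    Monday"


def parse_kv(text):
    """'Key: value' lines -> dict with lower-cased keys (split on the first colon)."""
    out = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            out[key.strip().lower()] = value.strip()
    return out


def extension_value(cert_text, ext_name):
    """openssl-style text prints an extension's value on the line after its name."""
    lines = [line.strip() for line in cert_text.splitlines()]
    for i, line in enumerate(lines[:-1]):
        if line.startswith(ext_name):
            return lines[i + 1]
    return ""


def parse_openssl_time(s):
    # 'Oct 23 05:36:21 2017 GMT'; collapse the double space openssl uses for 1-digit days
    return datetime.strptime(" ".join(s.split()), "%b %d %H:%M:%S %Y GMT")


def parse_show_clock(s, utc_offset_hours=0):
    # '2017-11-13  07:26:16    Monday'. Assumption: the AP displays its clock in the
    # zone given by utc_offset_hours (0 = GMT, the zone the certificate times use).
    date, time = s.split()[:2]
    local = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
    return local - timedelta(hours=utc_offset_hours)


def check_radsec_readiness(show_idm, show_idm_cert, show_clock,
                           utc_offset_hours=0, expiry_warn_days=30):
    """Return {'ok', 'errors', 'notes', 'days_remaining'} for the AP's RadSec client state."""
    idm = parse_kv(show_idm)
    cert = parse_kv(show_idm_cert)
    now = parse_show_clock(show_clock, utc_offset_hours)
    not_before = parse_openssl_time(cert["not before"])
    not_after = parse_openssl_time(cert["not after"])
    errors, notes = [], []

    if not idm.get("idm client", "").lower().startswith("enabled"):
        errors.append("IDM client is disabled on this AP")
    if idm.get("radsec certificate state", "").lower() != "valid":
        errors.append(f"AP reports RadSec certificate state {idm.get('radsec certificate state')!r}")

    # Clock vs validity window: a wrong AP clock makes a good cert look expired or not yet valid.
    if now < not_before:
        errors.append(f"AP clock {now} is before Not Before {not_before}; check NTP")
    elif now > not_after:
        errors.append(f"RadSec certificate expired at {not_after} (AP clock {now})")
    elif not_after - now < timedelta(days=expiry_warn_days):
        notes.append(f"RadSec certificate expires in {(not_after - now).days} days")

    # The AP is the TLS client toward the ID Manager gateway, so it needs this EKU.
    if "TLS Web Client Authentication" not in extension_value(show_idm_cert, "X509v3 Extended Key Usage"):
        errors.append("certificate lacks the TLS Web Client Authentication EKU")
    if cert.get("ca", "").upper() != "FALSE":
        errors.append("certificate is not an end-entity (CA:FALSE) certificate")

    sig = cert.get("signature algorithm", "")
    if "sha1" in sig.lower():
        notes.append(f"signed with {sig}: SHA-1 is deprecated for new certificates; "
                     "whether the RadSec gateway still accepts it is up to its operator")
    return {"ok": not errors, "errors": errors, "notes": notes,
            "days_remaining": (not_after - now).days}


if __name__ == "__main__":
    result = check_radsec_readiness(SHOW_IDM, SHOW_IDM_CERT, SHOW_CLOCK)
    print("OK" if result["ok"] else "PROBLEMS", result)
```

On the outputs quoted in this thread the checks pass: the AP clock sits inside the window with about 343 days of certificate lifetime left, the EKU is right, and the only note is the SHA-1 signature. That rules out the certificate and clock as the cause and is consistent with the successful idm-test above, which is why the next step in the thread is the authentication debug on the AP rather than more connectivity tests.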

Gary Smith, Official Rep
Peter,

I'm still not sure where the error is. Is it that you cannot generate "Service" PPSKs? Or, is it that service PPSK users fail to authenticate? Can you provide screenshots of errors?

Thanks,
Gary

Peter Mears
PPSK "Cloud" users fail to authenticate. I can get some screenshots soon; I am not on this site every day. Thanks for following up.

Gary Smith, Official Rep
Thanks Peter. To help understand a bit more, can you run the following debugs on the AP:
_debug radsec
_debug auth all
no _debug auth dump

Then connect a PPSK service user and collect the logs on the AP. This should give some useful clues. You can email me the techdata from the AP after the test if you like, at gsmith@aerohive.com

I'll summarise my findings in this thread after looking.