M and MSM Series
1748122 Members
3152 Online
108758 Solutions
New Discussion юеВ

Re: MSM 720 Active Directory - " Failed to validate the user."

 
TheEnry
Occasional Contributor

MSM 720 Active Directory - " Failed to validate the user."

Hi,

 

We purchased several MSM430 APs and the MSM 720 controllers for the enterprise and need to configure 802.1x AD authentication.

 

I've read all other posts in the forum, but have got nowhere.

 

To summarize what has been done:

 

- A non AC VSC was created and set to use WPA/Dynamic key, and AD auth

- Access Control is off in the VSC

- We created an AD group "Wireless-Group", and put in the members

- We created a similar group "Wireless-Group" in the MSM interface, disabled AC on that group, and restricted it to the VSC

- The "Default non AC Active Directory" group is enabled, AC disabled, and restricted to the VSC

- After all this, we joined the domain

 

The logs and wireshark traces show that LDAP between the MSM and the DCs works, as the MSM enumerates all of the user's group memberships.    In the logs:

 

Jan  3 13:39:54 debugradiusd      D:rlm_ldap: performing user authorization for enry

--snip lots of ldap stuff as the MSM enumerates all of my groups--

Jan 3 13:39:54 debug radiusd D:rlm_ldap: user enry authorized to use remote access --snip lots of postrgres stuff, then: -- Jan 3 13:39:54 debug radiusd D:rlm_sql (ldap_sql): User enry not found in radcheck Jan 3 13:39:54 debug radiusd D:radius_xlat: '' Jan 3 13:39:54 debug radiusd D:radius_xlat: 'SELECT * FROM radius.ldap_authorize_group_check(9, '0x00', 5)' Jan 3 13:39:54 debug radiusd D:rlm_sql_postgresql: Status: PGRES_TUPLES_OK Jan 3 13:39:54 debug radiusd D:rlm_sql_postgresql: affected rows = Jan 3 13:39:54 debug radiusd D:radius_xlat: 'SELECT * FROM radius.ldap_group_reply(9, '0x00', 5, 'enry')' Jan 3 13:39:54 debug radiusd D:rlm_sql_postgresql: Status: PGRES_TUPLES_OK Jan 3 13:39:54 debug radiusd D:rlm_sql_postgresql: affected rows = Jan 3 13:39:54 debug radiusd E:internal authorization attributes are missing. Jan 3 13:39:54 debug radiusd D:Query: DELETE FROM radius.radrequest WHERE req_number = 9 Jan 3 13:39:54 debug radiusd D:rlm_sql_postgresql: Status: PGRES_COMMAND_OK Jan 3 13:39:54 debug radiusd D:rlm_sql_postgresql: affected rows = 15 Jan 3 13:39:54 debug radiusd D:rlm_sql (ldap_sql): Released sql socket id: 4 Jan 3 13:39:54 debug radiusd D: modsingle[authorize]: returned from ldap_sql (rlm_sql) for request 9 Jan 3 13:39:54 debug radiusd D: modcall[authorize]: module "ldap_sql" returns ok for request 9 Jan 3 13:39:54 debug radiusd D:modcall: leaving group (returns ok) for request 9 Jan 3 13:39:54 debug radiusd D:modcall: leaving group authorize (returns updated) for request 9 Jan 3 13:39:54 debug radiusd D: rad_check_password: Found Auth-Type EAP Jan 3 13:39:54 debug radiusd D:auth: type "EAP" Jan 3 13:39:54 debug radiusd D: Processing the authenticate section of radiusd.conf Jan 3 13:39:54 debug radiusd D:modcall: entering group authenticate for request 9 Jan 3 13:39:54 debug radiusd D: modsingle[authenticate]: calling eap (rlm_eap) for request 9 Jan 3 13:39:54 debug radiusd D: rlm_eap: Request found, released from the list Jan 3 13:39:54 debug radiusd D: rlm_eap: EAP NAK Jan 3 13:39:54 debug radiusd D: rlm_eap: EAP-NAK asked for EAP-Type/leap Jan 3 13:39:54 debug radiusd D: rlm_eap: No such EAP type leap Jan 3 13:39:54 debug radiusd D: rlm_eap: Failed in EAP select Jan 3 13:39:54 debug radiusd D: modsingle[authenticate]: returned from eap (rlm_eap) for request 9 Jan 3 13:39:54 debug radiusd D: modcall[authenticate]: module "eap" returns invalid for request 9 Jan 3 13:39:54 debug radiusd D:modcall: leaving group authenticate (returns invalid) for request 9 Jan 3 13:39:54 debug radiusd D:auth: Failed to validate the user. Jan 3 13:39:54 debug radiusd A:Login incorrect: [PACIFICA\\enry] (from client localhost port 74 cli 88-53-2E-9B-E1-55) Jan 3 13:39:54 debug radiusd D:Finished request 9 Jan 3 13:39:54 debug radiusd D:Going to the next request Jan 3 13:39:54 debug radiusd D:--- Walking the entire request list --- Jan 3 13:39:54 debug radiusd D:Cleaning up request 0 ID 222 with timestamp 50e5d074 Jan 3 13:39:54 debug radiusd D:Waking up in 1 seconds... Jan 3 13:39:54 debug iprulesmgr Received RADIUS Packet (Length:'86',Code:'Access-Reject',Id:'83', Calling-Station-id='88-53-2E-9B-E1-55') from RADIUS Server (Ip:'127.0.0.1',Port:'1645') for User (nas-port:'74',username:'PACIFICA\enry'). Jan 3 13:39:54 debug iprulesmgr Sending RADIUS Access Reject (id='152') to RADIUS Client (ip-address='169.254.0.4',port='33700').

 

Everything looks good up to the lines that speak of "No such EAP type leap", and then failure to authenticate.

 

It is essential that we get this working, AD authentication was a key selling point on this and if it doesn't work we will have to find alternatives.

 

Note that other VSCs that don't use AD authentication work fine.

 

8 REPLIES 8
Glen Willms
Frequent Advisor

Re: MSM 720 Active Directory - " Failed to validate the user."

It might be useful to configure an access controlled VSC to use AD authentication. I'm thinking that there may be a configuration issue between the client and the controller. 

 

Can you tell us more about the client and how the wireless connection is configured?

TheEnry
Occasional Contributor

Re: MSM 720 Active Directory - " Failed to validate the user."

Hi Glen, thanks for the reply.  I will try the AC VsC to see if that works.  The client is a Win7 laptop on the domain.

TheEnry
Occasional Contributor

Re: MSM 720 Active Directory - " Failed to validate the user."

So yes, that works.  I get the login screen, and I can sign in with my domain credentials.

 

I disabled 802.1x, and enabled "HTML-based user logins".

 

Of course, this means I entered my credentials manually.  My expectation of 802.1x is that my computer authenticates me automatically using my logged in credentials.

 

So what's the next step ?

Glen Willms
Frequent Advisor

Re: MSM 720 Active Directory - " Failed to validate the user."

802.1x will automatically log you on. I suspect that the Windows 7 client isn't trusting the SSL certificate that the controller is presenting to the client for authentication. Your options here would be to disable certificate checking or generate trusted certificate from your own internally certificate authority or purchase one from trusted CA.

Also, try different devices like iPhones and Mac. Windows' certificate checking strict and will be the last OS that you get working successfully.
TheEnry
Occasional Contributor

Re: MSM 720 Active Directory - " Failed to validate the user."

Well, certificate validation is sureley an issue until I add one from the domain CA.  So obviously that is turned off in the client.

 

Here are some more detailed logs from when I configure the client settings manually for MS-CHAPv2.  I get the same logs whether I use Android (prompts me for user/pass) or if I use my PC which uses my logged in credentials.

 

Jan 10 13:49:57 debug radiusd D: modsingle[authenticate]: calling eap (rlm_eap) for request 16
Jan 10 13:49:57 debug radiusd D: rlm_eap: Request found, released from the list
Jan 10 13:49:57 debug radiusd D: rlm_eap: EAP/mschapv2
Jan 10 13:49:57 debug radiusd D: rlm_eap: processing type mschapv2
Jan 10 13:49:57 debug radiusd D: Processing the authenticate section of radiusd.conf
Jan 10 13:49:57 debug radiusd D:modcall: entering group MS-CHAP for request 16
Jan 10 13:49:57 debug radiusd D: modsingle[authenticate]: calling mschap (rlm_mschap) for request 16
Jan 10 13:49:57 debug radiusd D: rlm_mschap: No User-Password configured. Cannot create LM-Password.
Jan 10 13:49:57 debug radiusd D: rlm_mschap: No User-Password configured. Cannot create NT-Password.
Jan 10 13:49:57 debug radiusd D: rlm_mschap: Told to do MS-CHAPv2 for enry with NT-Password
Jan 10 13:49:57 debug radiusd D:radius_xlat: '--username=enry'
Jan 10 13:49:57 debug radiusd D:radius_xlat: Running registered xlat function of module mschap for string 'Challenge'
Jan 10 13:49:57 debug radiusd D: mschap2: 2b
Jan 10 13:49:57 debug radiusd D:radius_xlat: '--challenge=f645b4dbf95e5c17'
Jan 10 13:49:57 debug radiusd D:radius_xlat: Running registered xlat function of module mschap for string 'NT-Response'
Jan 10 13:49:57 debug radiusd D:radius_xlat: '--nt-response=279a97c9f8bfbcfccf57ff3a5ff2fc1fe173916ef48f3a83'
Jan 10 13:49:57 debug radiusd D:radius_xlat: '--domain=pacifica'
Jan 10 13:49:58 debug radiusd D:Exec-Program output: Access denied (0xc0000022)
Jan 10 13:49:58 debug radiusd D:Exec-Program-Wait: plaintext: Access denied (0xc0000022)
Jan 10 13:49:58 debug radiusd D:Exec-Program: returned: 1
Jan 10 13:49:58 debug radiusd D: rlm_mschap: External script failed.
Jan 10 13:49:58 debug radiusd D: rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
Jan 10 13:49:58 debug radiusd D: modsingle[authenticate]: returned from mschap (rlm_mschap) for request 16
Jan 10 13:49:58 debug radiusd D: modcall[authenticate]: module "mschap" returns reject for request 16
 

 

 

Domain, username and of course password are correct, but the MS-CHAP2 response is not valid.  I also noticed "No User-Password configured. Cannot create LM-Password.", it is unclear if this is relevant or not.

 

Thank you.

Glen Willms
Frequent Advisor

Re: MSM 720 Active Directory - " Failed to validate the user."

What firmware version are you running?

Glen Willms
Frequent Advisor

Re: MSM 720 Active Directory - " Failed to validate the user."

I tried to use the active directory authentication built-in to the controller, but I gave up on it and switched to NPS/RADIUS on Windows.

The two reasons I switched are:
- I didn't want guest users using my internal DNS servers while in the guest internet VSC. This is a big one.
- It isn't as flexible as NPS

More food for thought for you.
TheEnry
Occasional Contributor

Re: MSM 720 Active Directory - " Failed to validate the user."

I am on the latest version, 5.7.1.1-12533. I will consider what you've mentioned about Radius.

What I am looking for is some system that will

1) authenticate users BEFORE they have access to anything on the network, and

2) authenticate the users using domain credentials, ideally transparently on (windows machines)

At all cost I want to avoid using PSK for the VSC that is the corporate network, but I obviously still want encryption and some security mechanism that isn't based on IP or MAC or Cookie.