01-03-2013 11:31 AM
MSM 720 Active Directory - " Failed to validate the user."
Hi,
We purchased several MSM430 APs and the MSM 720 controllers for the enterprise and need to configure 802.1x AD authentication.
I've read all other posts in the forum, but have got nowhere.
To summarize what has been done:
- A non AC VSC was created and set to use WPA/Dynamic key, and AD auth
- Access Control is off in the VSC
- We created an AD group "Wireless-Group", and put in the members
- We created a similar group "Wireless-Group" in the MSM interface, disabled AC on that group, and restricted it to the VSC
- The "Default non AC Active Directory" group is enabled, AC disabled, and restricted to the VSC
- After all this, we joined the domain
The logs and wireshark traces show that LDAP between the MSM and the DCs works, as the MSM enumerates all of the user's group memberships. In the logs:
Jan 3 13:39:54 debug radiusd D:rlm_ldap: performing user authorization for enry
--snip lots of ldap stuff as the MSM enumerates all of my groups--
Jan 3 13:39:54 debug radiusd D:rlm_ldap: user enry authorized to use remote access
--snip lots of postgres stuff, then: --
Jan 3 13:39:54 debug radiusd D:rlm_sql (ldap_sql): User enry not found in radcheck
Jan 3 13:39:54 debug radiusd D:radius_xlat: ''
Jan 3 13:39:54 debug radiusd D:radius_xlat: 'SELECT * FROM radius.ldap_authorize_group_check(9, '0x00', 5)'
Jan 3 13:39:54 debug radiusd D:rlm_sql_postgresql: Status: PGRES_TUPLES_OK
Jan 3 13:39:54 debug radiusd D:rlm_sql_postgresql: affected rows =
Jan 3 13:39:54 debug radiusd D:radius_xlat: 'SELECT * FROM radius.ldap_group_reply(9, '0x00', 5, 'enry')'
Jan 3 13:39:54 debug radiusd D:rlm_sql_postgresql: Status: PGRES_TUPLES_OK
Jan 3 13:39:54 debug radiusd D:rlm_sql_postgresql: affected rows =
Jan 3 13:39:54 debug radiusd E:internal authorization attributes are missing.
Jan 3 13:39:54 debug radiusd D:Query: DELETE FROM radius.radrequest WHERE req_number = 9
Jan 3 13:39:54 debug radiusd D:rlm_sql_postgresql: Status: PGRES_COMMAND_OK
Jan 3 13:39:54 debug radiusd D:rlm_sql_postgresql: affected rows = 15
Jan 3 13:39:54 debug radiusd D:rlm_sql (ldap_sql): Released sql socket id: 4
Jan 3 13:39:54 debug radiusd D: modsingle[authorize]: returned from ldap_sql (rlm_sql) for request 9
Jan 3 13:39:54 debug radiusd D: modcall[authorize]: module "ldap_sql" returns ok for request 9
Jan 3 13:39:54 debug radiusd D:modcall: leaving group (returns ok) for request 9
Jan 3 13:39:54 debug radiusd D:modcall: leaving group authorize (returns updated) for request 9
Jan 3 13:39:54 debug radiusd D: rad_check_password: Found Auth-Type EAP
Jan 3 13:39:54 debug radiusd D:auth: type "EAP"
Jan 3 13:39:54 debug radiusd D: Processing the authenticate section of radiusd.conf
Jan 3 13:39:54 debug radiusd D:modcall: entering group authenticate for request 9
Jan 3 13:39:54 debug radiusd D: modsingle[authenticate]: calling eap (rlm_eap) for request 9
Jan 3 13:39:54 debug radiusd D: rlm_eap: Request found, released from the list
Jan 3 13:39:54 debug radiusd D: rlm_eap: EAP NAK
Jan 3 13:39:54 debug radiusd D: rlm_eap: EAP-NAK asked for EAP-Type/leap
Jan 3 13:39:54 debug radiusd D: rlm_eap: No such EAP type leap
Jan 3 13:39:54 debug radiusd D: rlm_eap: Failed in EAP select
Jan 3 13:39:54 debug radiusd D: modsingle[authenticate]: returned from eap (rlm_eap) for request 9
Jan 3 13:39:54 debug radiusd D: modcall[authenticate]: module "eap" returns invalid for request 9
Jan 3 13:39:54 debug radiusd D:modcall: leaving group authenticate (returns invalid) for request 9
Jan 3 13:39:54 debug radiusd D:auth: Failed to validate the user.
Jan 3 13:39:54 debug radiusd A:Login incorrect: [PACIFICA\\enry] (from client localhost port 74 cli 88-53-2E-9B-E1-55)
Jan 3 13:39:54 debug radiusd D:Finished request 9
Jan 3 13:39:54 debug radiusd D:Going to the next request
Jan 3 13:39:54 debug radiusd D:--- Walking the entire request list ---
Jan 3 13:39:54 debug radiusd D:Cleaning up request 0 ID 222 with timestamp 50e5d074
Jan 3 13:39:54 debug radiusd D:Waking up in 1 seconds...
Jan 3 13:39:54 debug iprulesmgr Received RADIUS Packet (Length:'86',Code:'Access-Reject',Id:'83', Calling-Station-id='88-53-2E-9B-E1-55') from RADIUS Server (Ip:'127.0.0.1',Port:'1645') for User (nas-port:'74',username:'PACIFICA\enry').
Jan 3 13:39:54 debug iprulesmgr Sending RADIUS Access Reject (id='152') to RADIUS Client (ip-address='169.254.0.4',port='33700').
Everything looks good up to the lines that speak of "No such EAP type leap", and then failure to authenticate.
It is essential that we get this working; AD authentication was a key selling point on this, and if it doesn't work we will have to find alternatives.
Note that other VSCs that don't use AD authentication work fine.
01-03-2013 08:44 PM
Re: MSM 720 Active Directory - " Failed to validate the user."
It might be useful to configure an access controlled VSC to use AD authentication. I'm thinking that there may be a configuration issue between the client and the controller.
Can you tell us more about the client and how the wireless connection is configured?
01-09-2013 09:44 PM
Re: MSM 720 Active Directory - " Failed to validate the user."
Hi Glen, thanks for the reply. I will try the AC VSC to see if that works. The client is a Win7 laptop on the domain.
01-09-2013 10:26 PM - edited 01-09-2013 10:33 PM
Re: MSM 720 Active Directory - " Failed to validate the user."
So yes, that works. I get the login screen, and I can sign in with my domain credentials.
I disabled 802.1x, and enabled "HTML-based user logins".
Of course, this means I entered my credentials manually. My expectation of 802.1x is that my computer authenticates me automatically using my logged in credentials.
So what's the next step?
01-10-2013 06:33 AM
Re: MSM 720 Active Directory - " Failed to validate the user."
Also, try different devices like iPhones and Macs. Windows' certificate checking is strict, and it will be the last OS that you get working successfully.
01-10-2013 10:53 AM - edited 01-10-2013 10:54 AM
Re: MSM 720 Active Directory - " Failed to validate the user."
Well, certificate validation is surely an issue until I add one from the domain CA. So obviously that is turned off in the client.
Here are some more detailed logs from when I configure the client settings manually for MS-CHAPv2. I get the same logs whether I use Android (prompts me for user/pass) or if I use my PC which uses my logged in credentials.
Jan 10 13:49:57 debug radiusd D: modsingle[authenticate]: calling eap (rlm_eap) for request 16
Jan 10 13:49:57 debug radiusd D: rlm_eap: Request found, released from the list
Jan 10 13:49:57 debug radiusd D: rlm_eap: EAP/mschapv2
Jan 10 13:49:57 debug radiusd D: rlm_eap: processing type mschapv2
Jan 10 13:49:57 debug radiusd D: Processing the authenticate section of radiusd.conf
Jan 10 13:49:57 debug radiusd D:modcall: entering group MS-CHAP for request 16
Jan 10 13:49:57 debug radiusd D: modsingle[authenticate]: calling mschap (rlm_mschap) for request 16
Jan 10 13:49:57 debug radiusd D: rlm_mschap: No User-Password configured. Cannot create LM-Password.
Jan 10 13:49:57 debug radiusd D: rlm_mschap: No User-Password configured. Cannot create NT-Password.
Jan 10 13:49:57 debug radiusd D: rlm_mschap: Told to do MS-CHAPv2 for enry with NT-Password
Jan 10 13:49:57 debug radiusd D:radius_xlat: '--username=enry'
Jan 10 13:49:57 debug radiusd D:radius_xlat: Running registered xlat function of module mschap for string 'Challenge'
Jan 10 13:49:57 debug radiusd D: mschap2: 2b
Jan 10 13:49:57 debug radiusd D:radius_xlat: '--challenge=f645b4dbf95e5c17'
Jan 10 13:49:57 debug radiusd D:radius_xlat: Running registered xlat function of module mschap for string 'NT-Response'
Jan 10 13:49:57 debug radiusd D:radius_xlat: '--nt-response=279a97c9f8bfbcfccf57ff3a5ff2fc1fe173916ef48f3a83'
Jan 10 13:49:57 debug radiusd D:radius_xlat: '--domain=pacifica'
Jan 10 13:49:58 debug radiusd D:Exec-Program output: Access denied (0xc0000022)
Jan 10 13:49:58 debug radiusd D:Exec-Program-Wait: plaintext: Access denied (0xc0000022)
Jan 10 13:49:58 debug radiusd D:Exec-Program: returned: 1
Jan 10 13:49:58 debug radiusd D: rlm_mschap: External script failed.
Jan 10 13:49:58 debug radiusd D: rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
Jan 10 13:49:58 debug radiusd D: modsingle[authenticate]: returned from mschap (rlm_mschap) for request 16
Jan 10 13:49:58 debug radiusd D: modcall[authenticate]: module "mschap" returns reject for request 16
Domain, username and of course password are correct, but the MS-CHAP2 response is not valid. I also noticed "No User-Password configured. Cannot create LM-Password.", it is unclear if this is relevant or not.
Thank you.
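The two radiusd pastes in this thread (the EAP-NAK/LEAP reject on Jan 3 and the MS-CHAPv2 reject on Jan 10) are easier to read once split back into entries and grouped by request number. The following Python is an added example, not the poster's or HPE's code: it splits a run-together MSM 720 radiusd paste into entries, attributes each entry to its request, and reports why each request was rejected; SAMPLE is constructed from fragments of this thread, and the readings in REASONS are the editor's own interpretation.

```python
import re

# Timestamp prefix of the radiusd entries quoted above; the paste runs them together on one line, so an entry ends at the next timestamp (or end of input).
TS = r"[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}"
ENTRY_RE = re.compile(rf"({TS}) (\S+) (\S+) (.*?)(?=\s{TS} |\s*\Z)", re.S)
REQ_RE = re.compile(r"\brequest (\d+)\b")
USER_RE = re.compile(r"Login incorrect: \[(.+?)\]")
# Message fragments from the thread's two rejects, each with the editor's defender-side reading.
REASONS = [
    ("No such EAP type", "client NAKed for an EAP method the controller does not offer"),
    ("Cannot create NT-Password", "no local NT-Password; MS-CHAPv2 is delegated to the domain check"),
    ("Access denied (0xc0000022)", "domain check returned NT_STATUS_ACCESS_DENIED, not a wrong-password status: check the controller's domain join first"),
    ("MS-CHAP2-Response is incorrect", "rlm_mschap could not verify the MS-CHAPv2 response"),
]

def parse_entries(blob):  # yields (timestamp, process, message) for one-line or multi-line pastes
    for m in ENTRY_RE.finditer(blob):
        ts, _level, proc, msg = m.groups()
        yield ts, proc, " ".join(msg.split())

def diagnose(blob):
    """Map each rejected radiusd request number to its user and reject reasons, in log order."""
    findings, current = {}, None
    for _ts, proc, msg in parse_entries(blob):
        if proc != "radiusd":        # iprulesmgr lines only echo the Access-Reject
            continue
        rm = REQ_RE.search(msg)
        current = rm.group(1) if rm else current
        if current is None:          # entries before the first "request N" are unattributable
            continue
        f = findings.setdefault(current, {"user": None, "outcome": None, "reasons": []})
        f["reasons"] += [r for n, r in REASONS if n in msg and r not in f["reasons"]]
        um = USER_RE.search(msg)
        if um:
            f["user"], f["outcome"] = um.group(1), "reject"
        elif re.search(r"returns (reject|invalid) for request", msg):
            f["outcome"] = "reject"
    return {req: f for req, f in findings.items() if f["outcome"] == "reject"}

# Constructed sample in the page's run-together shape (fragments of the thread, not the full log).
SAMPLE = (
    "Jan 3 13:39:54 debug radiusd D: modsingle[authenticate]: calling eap (rlm_eap) for request 9 "
    "Jan 3 13:39:54 debug radiusd D: rlm_eap: No such EAP type leap "
    "Jan 3 13:39:54 debug radiusd D: modcall[authenticate]: module \"eap\" returns invalid for request 9 "
    "Jan 3 13:39:54 debug radiusd A:Login incorrect: [PACIFICA\\enry] (from client localhost port 74)\n"
    "Jan 10 13:49:57 debug radiusd D: modsingle[authenticate]: calling mschap (rlm_mschap) for request 16 "
    "Jan 10 13:49:57 debug radiusd D: rlm_mschap: No User-Password configured. Cannot create NT-Password. "
    "Jan 10 13:49:58 debug radiusd D:Exec-Program output: Access denied (0xc0000022) "
    "Jan 10 13:49:58 debug radiusd D: rlm_mschap: FAILED: MS-CHAP2-Response is incorrect "
    "Jan 10 13:49:58 debug radiusd D: modcall[authenticate]: module \"mschap\" returns reject for request 16"
)
```

Running diagnose(SAMPLE) yields request 9 (user PACIFICA\enry, EAP method not offered) and request 16 (the three MS-CHAPv2 readings in log order); feed it a whole controller paste to triage many requests at once.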
01-11-2013 08:20 AM
Re: MSM 720 Active Directory - " Failed to validate the user."
What firmware version are you running?
01-11-2013 08:26 AM
Re: MSM 720 Active Directory - " Failed to validate the user."
The two reasons I switched are:
- I didn't want guest users using my internal DNS servers while in the guest internet VSC. This is a big one.
- It isn't as flexible as NPS
More food for thought for you.
01-11-2013 02:39 PM
Re: MSM 720 Active Directory - " Failed to validate the user."
What I am looking for is some system that will
1) authenticate users BEFORE they have access to anything on the network, and
2) authenticate the users using domain credentials, ideally transparently (on Windows machines)
At all costs I want to avoid using PSK for the VSC that is the corporate network, but I obviously still want encryption and some security mechanism that isn't based on IP, MAC or cookie.