05-06-2015 08:41 AM
iMC UAM Computer account EAP-TLS problem
My setup is simple :).
Computer + User authenticated by UAM using 802.1X with EAP-TLS (certificates from internal CA).
Switches are comware-based (5120/5130/5500). iMC 7.1 with latest patch (10) and UAM 7.1 E302 with p10.
What I want to achieve is:
Computer after boot will be able to login to limited network with access to domain controller and DHCP, antivirus update, WSUS and nothing else.
User after login will get full access to his resources.
User can log in to the network using a certificate (EAP-TLS) to UAM, so the user authentication part is fully functional, including VLAN assignment. Can work with resources etc.
But I am not able to authorize the computer. Any idea will help.
UAM setup:
I imported CA certificate. I generated certificate for IMC (with correct common-name).
I setup LDAP connection and synchronization. Test is OK. Synchronization is working properly.
I setup user-policy and user-service with appropriate filter to AD - this part is functional
I setup computer-policy and computer-service.
I create Computer-type user with login Computer and assign appropriate policy created in last step.
So I can see in All access users this account.
Windows setup:
I created autoenroll group policy to create certificates for both, users and computers. Verified, certificates are created for computer and for user properly. (and I saw it on the desktop in correct containers).
I created Wired-Autoconfig setup. Authentication: Both computer and user, SmartCard or other Certificate, 802.1X according to the standard. SingleSignOn enabled, different login VLAN ticked.
Issue: Radius get back information, that no user found so access denied.
"E63018: The user does not exist or has not subscribed for this service." That is the message I get from RADIUS/UAM.
I enabled debug in IMC and get this:
EapProc.auth: Begin. [CEapProcess::eapAttribute]begin eapAttribute(). [CEapProcess::eapAttribute]end eapAttribute(). EapProc.handlr: begin. [CEapProcess::eapValidation]begin eapValidation(). [CEapProcess::eapValidation]end eapValidation(). [CEapProcess::eapIdentity]begin eapIdentity(). [CEapProcess::eapIdentity]end eapIdentity(). [CEapProcess::parseIdentity]begin parseIdentity(). [CEapProcess::parseIdentity]end parseIdentity(). chkTmpLdapUsr: User[WIFILABPC$] non sync-a-n. EapProc.fndEapTypeFromDB: find computer account(WIFILABPC$) in ldap service. chkAccScene: 0 row found for WIFILABPC$. [checkIfBYODauthUser] The user name is not equal to MAC. ifSecondAuthConfig the third party authentication has not been configured yet. chkAccScene: User[WIFILABPC$] subscribe no service . fndEapType calling chkAccScenario(WIFILABPC$,2C-41-38-11-5F-5C) returns 63018 [V-T-O:0_0_0,SSID:0,MAC:0,AREA:0,IP:0,AP:0]. EapProc.handlr: outer fndEapType failed for [host/WIFILABPC.domain.lan] [CEapProcess::eapBuildds]begin eapBuildds(). [CEapProcess::eapBuildds]end eapBuildds(). [commonEap::getAttrFromPacket]no attribute of Framed-IP-Address. [CEapProcess::parseIdentity]begin parseIdentity(). [CEapProcess::parseIdentity]end parseIdentity(). User(host/WIFILABPC.domain.lan2C:41:38:11:5F:5C) auth fail and plus in auth feil map. [[CEapProcess::eapCompose] Reply_Message:E63018: The user does not exist or has not subscribed for this service.. chkAccScene: 0 row found for host/WIFILABPC.domain.lan. [checkIfBYODauthUser] The user name is not equal to MAC. ifSecondAuthConfig the third party authentication has not been configured yet. chkAccScene: User[host/WIFILABPC.ave-labs.lan] subscribe no service . Begin replyPrivateAttribute(), auth step is 2,AttrPolicyId is 0,DeviceTypeId is 1100 Call replyPrivateAttribute() successfully. The length of State is 12226656 [CEapTask::svc]Send packet to:192.168.188.15
So the user cannot be found in the database. Yes, it doesn't exist in UAM, but it exists in AD. So where can the problem be?
I have this setup on switches:
port-security enable
radius scheme rad-scheme1
server-type extended
primary authentication 10.10.100.23 key simple hp
primary accounting 10.10.100.23 key simple hp
timer realtime-accounting 3
accounting-on enable
quit
domain domain.lan
authentication lan-access radius-scheme rad-scheme1
authorization lan-access radius-scheme rad-scheme1
accounting lan-access radius-scheme rad-scheme1
access-limit disable
state active
idle-cut disable
self-service-url disable
quit
interface GigabitEthernet1/0/1
port-security port-mode userlogin-secure-ext
undo dot1x handshake
dot1x mandatory-domain domain.lan
undo dot1x multicast-trigger
dot1x unicast-trigger
quit
System engineer
AVE BOHEMIA, s.r.o.
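An added example (not code from this thread, iMC or HPE): it pulls the chkAccScenario verdicts out of a UAM EAP debug trace in the format quoted above and reproduces the host/<fqdn> to HOSTNAME$ mapping UAM applies before its LDAP lookup. The sample trace is constructed; the "jdoe" line with return code 0 is an assumed success record for contrast.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Reply code quoted in the thread; extend as other codes are observed.
UAM_REPLY_CODES = {
    63018: "The user does not exist or has not subscribed for this service",
}

# Constructed sample, one record per line, in the shape of the debug trace above.
# The last line (jdoe, returns 0) is an assumed successful check, not from the thread.
SAMPLE_TRACE = """\
chkTmpLdapUsr: User[WIFILABPC$] non sync-a-n.
EapProc.fndEapTypeFromDB: find computer account(WIFILABPC$) in ldap service.
fndEapType calling chkAccScenario(WIFILABPC$,2C-41-38-11-5F-5C) returns 63018 [V-T-O:0_0_0,SSID:0,MAC:0,AREA:0,IP:0,AP:0].
EapProc.handlr: outer fndEapType failed for [host/WIFILABPC.domain.lan]
fndEapType calling chkAccScenario(jdoe,2C-41-38-11-5F-5D) returns 0 [V-T-O:0_0_0,SSID:0,MAC:0,AREA:0,IP:0,AP:0].
"""

CHK_RE = re.compile(
    r"chkAccScenario\((?P<account>[^,]+),(?P<mac>(?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2})\)"
    r" returns (?P<code>\d+)"
)


@dataclass(frozen=True)
class AuthCheck:
    account: str  # name UAM looked up: WIFILABPC$ for a machine, jdoe for a user
    mac: str      # endpoint MAC as logged (dash separated)
    code: int     # 0 = check passed, otherwise a UAM reply code such as 63018

    @property
    def failed(self) -> bool:
        return self.code != 0

    @property
    def is_machine(self) -> bool:
        return self.account.endswith("$")

    def message(self) -> str:
        return UAM_REPLY_CODES.get(self.code, f"unknown UAM code {self.code}")


def parse_trace(trace: str) -> list[AuthCheck]:
    """Extract every chkAccScenario verdict from a UAM debug trace."""
    return [AuthCheck(m["account"], m["mac"].upper(), int(m["code"]))
            for m in CHK_RE.finditer(trace)]


def failed_machine_auths(trace: str) -> list[AuthCheck]:
    """Rejected machine-account checks: the case this thread is chasing."""
    return [c for c in parse_trace(trace) if c.failed and c.is_machine]


def machine_account_from_identity(identity: str) -> str:
    """Map the EAP identity a Windows host sends (host/<fqdn>) to the AD
    sAMAccountName UAM searches for (<HOSTNAME>$), as the trace shows."""
    if not identity.lower().startswith("host/"):
        raise ValueError(f"not a machine identity: {identity!r}")
    fqdn = identity.split("/", 1)[1]
    return fqdn.split(".", 1)[0].upper() + "$"
```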
05-11-2015 04:34 PM
Re: iMC UAM Computer account EAP-TLS problem
I have 802.1x running with user and computer authentication. I'm using UAM with LDAP for the users. For the workstations, you must use the computer account, which serves as the owner of all the computer logins.
I have a few posts with examples discussing this. But basically install the root cert from your domain, and then tell your clients to trust the root CA for your domain. Set user or computer authentication.
But - this feature got broken in UAM versions past 7.1 E0302 until the latest release 7.1 E0302P10 - the readme says that it's fixed - I have not had a chance to load and test it.
So if you are using versions in between those then computer authentication via PEAP ms-chap will not work. Either roll back or roll forward.
Hope this helps
05-19-2015 03:48 AM
Re: iMC UAM Computer account EAP-TLS problem
I am using E302P10. But you led me to the root of the problem (EAP-PEAP, TLS, PEAP-MSCHAP). Thanks for the reply, I will test it.
System engineer
AVE BOHEMIA, s.r.o.
09-30-2015 09:02 AM
Re: iMC UAM Computer account EAP-TLS problem
Everything was wrong. Patch 10 was the real cause. After upgrading to E302P13 and later (P16 now), all is working now.
System engineer
AVE BOHEMIA, s.r.o.
01-21-2019 07:55 AM
Re: iMC UAM Computer account EAP-TLS problem
When you say "For the workstations, you must use the computer account", did you import the device from AD with LDAP?
01-21-2019 02:36 PM
Re: iMC UAM Computer account EAP-TLS problem
When using UAM, IMC has two levels of user information: A base userID for information about the user, and an Access UserID which has information for accessing the network for each device a User might use.
So one User ID can have multiple User Access IDs, such as an 802.1x credential and a MAC authentication.
Since UAM manages port level security, you are using it because you don't want untrusted devices gaining access. Once a host authenticates at the port level, IMC can give access to specific VLANs with the right level of access. Then when the user logs into the workstation, the user access information is presented and IMC can give a different set of access to the user.
The reason for the computer to authenticate in addition to the user is so that the machine can get access to the network and talk to a domain controller, and then authenticate the user. On Windows systems, a user can only log in to a domain computer if they have previously successfully authenticated, or the computer is connected to a network with a DC that can verify the user's credentials.
IMC has been configured with a single User Account called "computer" which is the base user for any workstations authenticating with a host name, not a user name. So if I had two computers in my domain trying to authenticate, Domain\WS01 & Domain\WS02, they would both be stored as 2 separate access user accounts under the user "computer".
If IMC is using AD via LDAP as the user directory, since hosts don't "present" credentials to IMC, only users do, IMC uses a "virtual computer" object to proxy authentication in AD for other "real" hosts. You have to create a virtual computer entry in AD as a host, then give IMC this information and set a password. IMC then uses this "proxy" host to authenticate on behalf of the workstations via LDAP.
This is configured in the LDAP Server section under MS-CHAP V2 authentication.
On the workstation, when 802.1x is enabled, the authentication would be then set for "user or computer" to use both.
See the IMC User Access Manager Administrator Guide for more specific information.
Hope I answered your question.