iMC UAM Computer account EAP-TLS problem

 
Michal Doležal
Frequent Advisor

My setup is simple :).

 

Computer + User authenticated by UAM using 802.1X with EAP-TLS (certificates from an internal CA).

 

Switches are comware-based (5120/5130/5500). iMC 7.1 with latest patch (10) and UAM 7.1 E302 with p10.

 

What I want to achieve is:
Computer after boot will be able to login to limited network with access to domain controller and DHCP, antivirus update, WSUS and nothing else.

User after login will get full access to his resources.

 

The user can log in to the network using a certificate (EAP-TLS) against UAM, so the user authentication part is fully functional, including VLAN assignment. The user can work with resources etc.

 

But I am not able to authorize the computer. Any idea will help.

 

UAM setup:

I imported CA certificate. I generated certificate for IMC (with correct common-name).

I set up the LDAP connection and synchronization. The test is OK. Synchronization is working properly.

I set up a user policy and user service with the appropriate filter to AD - this part is functional.

I set up a computer policy and computer service.

I created a Computer-type user with login Computer and assigned the appropriate policy created in the last step.

So I can see in All access users this account.

 

Windows setup:

I created autoenroll group policy to create certificates for both, users and computers. Verified, certificates are created for computer and for user properly. (and I saw it on the desktop in correct containers).

I created the Wired AutoConfig setup. Authentication: both computer and user, Smart Card or other certificate, 802.1X according to the standard. Single sign-on enabled, "different login VLAN" ticked.

 

Issue: RADIUS returns the information that no user was found, so access is denied.

"E63018: The user does not exist or has not subscribed for this service." That is the message I get from RADIUS/UAM.

 

I enabled debug in IMC and get this:

EapProc.auth: Begin.
[CEapProcess::eapAttribute]begin eapAttribute().
[CEapProcess::eapAttribute]end eapAttribute().
EapProc.handlr: begin.
[CEapProcess::eapValidation]begin eapValidation().
[CEapProcess::eapValidation]end eapValidation().
[CEapProcess::eapIdentity]begin eapIdentity().
[CEapProcess::eapIdentity]end eapIdentity().
[CEapProcess::parseIdentity]begin parseIdentity().
[CEapProcess::parseIdentity]end parseIdentity().
chkTmpLdapUsr: User[WIFILABPC$] non sync-a-n.
EapProc.fndEapTypeFromDB: find computer account(WIFILABPC$) in ldap service.
chkAccScene: 0 row found for WIFILABPC$.
[checkIfBYODauthUser] The user name is not equal to MAC.
ifSecondAuthConfig the third party authentication has not been configured yet.
chkAccScene: User[WIFILABPC$] subscribe no service .
fndEapType calling chkAccScenario(WIFILABPC$,2C-41-38-11-5F-5C) returns 63018 [V-T-O:0_0_0,SSID:0,MAC:0,AREA:0,IP:0,AP:0].
EapProc.handlr: outer fndEapType failed for [host/WIFILABPC.domain.lan]
[CEapProcess::eapBuildds]begin eapBuildds().
[CEapProcess::eapBuildds]end eapBuildds().
[commonEap::getAttrFromPacket]no attribute of Framed-IP-Address.
[CEapProcess::parseIdentity]begin parseIdentity().
[CEapProcess::parseIdentity]end parseIdentity().
User(host/WIFILABPC.domain.lan2C:41:38:11:5F:5C) auth fail and plus in auth feil map.
[[CEapProcess::eapCompose] Reply_Message:E63018: The user does not exist or has not subscribed for this service..
chkAccScene: 0 row found for host/WIFILABPC.domain.lan.
[checkIfBYODauthUser] The user name is not equal to MAC.
ifSecondAuthConfig the third party authentication has not been configured yet.
chkAccScene: User[host/WIFILABPC.ave-labs.lan] subscribe no service .
Begin replyPrivateAttribute(), auth step is 2,AttrPolicyId is 0,DeviceTypeId is 1100
Call replyPrivateAttribute() successfully.
The length of State is 12226656
[CEapTask::svc]Send packet to:192.168.188.15

So the user cannot be found in the database. Yes, it doesn't exist in UAM, but it exists in AD. So where can the problem be?

 

I have this setup on the switches:

port-security enable

radius scheme rad-scheme1
 server-type extended
 primary authentication 10.10.100.23 key simple hp
 primary accounting 10.10.100.23 key simple hp
 timer realtime-accounting 3
 accounting-on enable
quit

domain domain.lan
 authentication lan-access radius-scheme rad-scheme1
 authorization lan-access radius-scheme rad-scheme1
 accounting lan-access radius-scheme rad-scheme1
 access-limit disable
 state active
 idle-cut disable
 self-service-url disable
quit

interface GigabitEthernet1/0/1
 port-security port-mode userlogin-secure-ext
 undo dot1x handshake
 dot1x mandatory-domain domain.lan
 undo dot1x multicast-trigger
 dot1x unicast-trigger
quit

Michal Dolezal, DiS.
System engineer
AVE BOHEMIA, s.r.o.
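The debug trace above is the whole story of the rejection: UAM parses the outer EAP identity host/WIFILABPC.domain.lan, looks for the computer account WIFILABPC$ in the LDAP service, finds no row in its own user table, and answers E63018 before any EAP-TLS exchange starts. The script below is an added example (not part of the original post and not iMC code) that pulls those facts out of such a trace so the failure can be classified at a glance. Its regular expressions are written against the exact lines quoted in this thread and may not match other UAM builds; the host/<fqdn> -> <HOST>$ mapping is inferred from the trace (it matches Active Directory computer-account naming) and is labelled as an assumption in the code.

```python
"""Parse an iMC UAM EAP debug trace and classify an E63018 rejection.

Added example, not code from the original post or from iMC. Patterns are
written against the trace lines quoted in the thread; other UAM versions may
log differently. The identity-to-account mapping host/<fqdn> -> <HOST>$ is an
assumption inferred from the trace (UAM looked up WIFILABPC$ for
host/WIFILABPC.domain.lan); it follows the usual AD sAMAccountName convention.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Abridged copy of the trace posted in the thread (intermediate begin/end
# lines dropped, everything else verbatim, including the poster's
# inconsistent domain name in the last chkAccScene line).
SAMPLE_TRACE = (
    "EapProc.auth: Begin.  [CEapProcess::parseIdentity]end parseIdentity().  "
    "chkTmpLdapUsr: User[WIFILABPC$] non sync-a-n.  "
    "EapProc.fndEapTypeFromDB: find computer account(WIFILABPC$) in ldap service.  "
    "chkAccScene: 0 row found for WIFILABPC$.  "
    "[checkIfBYODauthUser] The user name is not equal to MAC.  "
    "chkAccScene: User[WIFILABPC$] subscribe no service .  "
    "fndEapType calling chkAccScenario(WIFILABPC$,2C-41-38-11-5F-5C) returns 63018 "
    "[V-T-O:0_0_0,SSID:0,MAC:0,AREA:0,IP:0,AP:0].  "
    "EapProc.handlr: outer fndEapType failed for [host/WIFILABPC.domain.lan]  "
    "[[CEapProcess::eapCompose] Reply_Message:E63018: The user does not exist "
    "or has not subscribed for this service..  "
    "chkAccScene: 0 row found for host/WIFILABPC.domain.lan.  "
    "chkAccScene: User[host/WIFILABPC.ave-labs.lan] subscribe no service .  "
    "[CEapTask::svc]Send packet to:192.168.188.15"
)

_OUTER_IDENTITY = re.compile(r"outer fndEapType failed for \[([^\]]+)\]")
_LDAP_LOOKUP = re.compile(r"find computer account\(([^)]+)\) in ldap service")
_SCENARIO = re.compile(r"chkAccScenario\(([^,]+),([^)]+)\) returns (\d+)")
_REPLY = re.compile(r"Reply_Message:(E\d+):\s*(.*?)\.\.\s")
_NAS_IP = re.compile(r"Send packet to:(\d{1,3}(?:\.\d{1,3}){3})")
_UNSYNCED = re.compile(r"chkTmpLdapUsr: User\[([^\]]+)\] non sync")
_ROWS = re.compile(r"chkAccScene: (\d+) row found for (\S+?)\.\s")
_NO_SERVICE = re.compile(r"chkAccScene: User\[([^\]]+)\] subscribe no service")


@dataclass
class UamAuthTrace:
    outer_identity: Optional[str] = None      # EAP-Identity sent by the supplicant
    ldap_lookup: Optional[str] = None         # account UAM searched in the LDAP service
    mac: Optional[str] = None                 # client MAC as UAM logged it
    result_code: Optional[int] = None         # numeric result of chkAccScenario
    reply_code: Optional[str] = None          # E-code placed in Reply-Message
    reply_message: Optional[str] = None
    nas_ip: Optional[str] = None              # where the Access-Reject was sent
    unsynced_accounts: List[str] = field(default_factory=list)
    row_counts: Dict[str, int] = field(default_factory=dict)  # name -> rows in UAM DB
    no_service: List[str] = field(default_factory=list)


def parse_uam_trace(text: str) -> UamAuthTrace:
    """Extract the identity, lookup and result fields from one auth attempt."""
    t = UamAuthTrace()
    if m := _OUTER_IDENTITY.search(text):
        t.outer_identity = m.group(1)
    if m := _LDAP_LOOKUP.search(text):
        t.ldap_lookup = m.group(1)
    if m := _SCENARIO.search(text):
        t.mac = m.group(2).strip()
        t.result_code = int(m.group(3))
    if m := _REPLY.search(text):
        t.reply_code, t.reply_message = m.group(1), m.group(2)
    if m := _NAS_IP.search(text):
        t.nas_ip = m.group(1)
    t.unsynced_accounts = _UNSYNCED.findall(text)
    t.row_counts = {name: int(n) for n, name in _ROWS.findall(text)}
    t.no_service = _NO_SERVICE.findall(text)
    return t


def expected_computer_account(outer_identity: str) -> str:
    """host/wifilabpc.domain.lan -> WIFILABPC$ (assumed AD-style naming)."""
    if not outer_identity.startswith("host/"):
        raise ValueError("not a machine identity: %r" % outer_identity)
    short = outer_identity[len("host/"):].split(".", 1)[0]
    return short.upper() + "$"


def diagnose(t: UamAuthTrace) -> str:
    """One-line verdict for the E63018 case seen in the thread."""
    if t.result_code != 63018:
        return "not an E63018 failure (result code %s)" % t.result_code
    acct = t.ldap_lookup
    if acct and t.outer_identity and expected_computer_account(t.outer_identity) != acct:
        return "identity %s does not map to looked-up account %s" % (t.outer_identity, acct)
    if acct in t.unsynced_accounts and t.row_counts.get(acct) == 0:
        return ("%s is not in the UAM user table (LDAP sync did not create it) and "
                "matched no service; rejected at identity lookup, before EAP-TLS started" % acct)
    return "E63018 with account present: check the service subscription and policy"


if __name__ == "__main__":
    trace = parse_uam_trace(SAMPLE_TRACE)
    print(trace)
    print(diagnose(trace))
```

Run it against a full `iMC` debug capture and the verdict separates the two things E63018 can mean: an account that the synchronization never created (the case here, where the account itself is missing from UAM) versus an account that exists but is subscribed to no matching service.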
3 REPLIES
NeilR
Respected Contributor

Re: iMC UAM Computer account EAP-TLS problem

I have 802.1X running with user and computer authentication. I'm using UAM with LDAP for the users. For the workstations, you must use the computer account, which serves as the owner of all the computer logins.

 

I have a few posts with examples discussing this. But basically, install the root cert from your domain, and then tell your clients to trust the root CA for your domain. Set user or computer authentication.

 

But - this feature got broken in UAM versions past 7.1 E0302 until the latest release, 7.1 E0302P10 - the readme says that it's fixed; I have not had a chance to load and test it.

 

So if you are using versions in between those then computer authentication via PEAP ms-chap will not work.  Either roll back or roll forward.

 

Hope this helps

Michal Doležal
Frequent Advisor

Re: iMC UAM Computer account EAP-TLS problem

I am using E302P10. But you led me to the root of the problem (EAP-PEAP, TLS, PEAP-MSCHAP). Thanks for the reply, I will test it.

Michal Dolezal, DiS.
System engineer
AVE BOHEMIA, s.r.o.
Michal Doležal
Frequent Advisor

Re: iMC UAM Computer account EAP-TLS problem

Everything was wrong. Patch 10 was the real cause. After upgrading to E302P13 and later (P16 now), all is working now.

Michal Dolezal, DiS.
System engineer
AVE BOHEMIA, s.r.o.