M and MSM Series
MSM710 Active Directory 802.1X authentication issue?

SteveB2177
Advisor

Having some users who are unable to authenticate to a VSC using Remote Authentication to Active Directory.

I have tested this to some degree, and have confirmed they have the LDAP attribute set on their user account (tested it; the absence of which would get an "Invalid User" rejection, not the "Login incorrect" we are seeing). I had one user try connecting on my laptop (which definitely connects when logged on to Windows as myself) and he met with the same failure he sees on his laptop. It locks out his account in AD Users and Computers, so it is talking to AD, and is recognizing his user ID... somehow it is just not passing along his password correctly?

It was/is set to automatically pass the user credentials you were logged onto your Windows session with, which should rule out any issues of typing it incorrectly. The password worked to log onto the laptop with his domain account, but is failing to properly authenticate his wireless connection.

Puzzled, and not finding anything on point after googling this forum (and the internet at large) fairly extensively.

Hopeful someone has an idea of what to try next...

Thanks in advance!
Fred!
Trusted Contributor

Re: MSM710 Active Directory 802.1X authentication issue?

Out of curiosity, did you try a "simple" password with no spaces, no special characters, etc.? Like a very standard, plain and simple, let's say 6 character password (just for a test)?
SteveB2177
Advisor

Re: MSM710 Active Directory 802.1X authentication issue?

The password of the one person I am focusing on (based on him being a similar privilege level, and an adjacent desk) that does not work is about 8 characters long, no spaces or special characters, just numbers and letters.

One I know works (aka mine) has more characters and includes special characters.

But there is also another that does currently work (same privileges, also an adjacent desk) whose password is similarly just letters and numbers...

No rhyme or reason we can see as yet...

Thanks Fred! Willing to try more if someone can point us in a direction...
Fred!
Trusted Contributor

Re: MSM710 Active Directory 802.1X authentication issue?

OK, sorry for the obvious question, but we must start somewhere, right? :)

Then maybe what I can see is that this might be related to the group(s) this particular user is associated to. There must be an exact match between the groups returned by the AD server and the ones defined in the active directory profiles. So let's say in AD your own user profile has a group named 'IT-Staff' there must be an 'IT-Staff' profile inside the MSM710. For the people where this does not work, maybe they are in a group that is not currently defined in the MSM710. If there is no match, the system will refuse the user authentication.

If you don't know which group is returned or if you think this is not the problem, one way to debug what's going on is to enable the active directory debugs in the MSM710. In Service Controller >> Tools > System tools you have an item called 'Extra AD/RADIUS debug' run that tool, clear your syslog, try again and look at the logs (you can eventually post them back here if they don't make much sense). In there you should be able to see exactly what's happening with your problematic user, versus the ones that work.
SteveB2177
Advisor

Re: MSM710 Active Directory 802.1X authentication issue?

I had run across that tip for extra logging on another thread and tried it Friday, actually... Here is what we are getting in the log for him...

-Timestamp- debug radiusd A:Login incorrect: [DOMAIN\\username] (from client localhost port 70 cli -mac address-)

He is in the same AD OU as I (and the other person who works) and we are in all the same groups...

I tried removing the attribute it looks for (Remote Access Permission on the Dial-in tab) and then we got the error "Invalid User" instead of "Login Incorrect" in the log file... and it does lock his account, so it apparently recognizes him correctly as a domain user, and sees he has the right to connect; it just doesn't pass his credentials correctly somehow, is how it appears to me/us.

Thanks Fred! Really appreciate the help... Pretty sure you were the one who I had previously seen make that additional debugging suggestion, actually...
Fred!
Trusted Contributor

Re: MSM710 Active Directory 802.1X authentication issue?

Yes, I might have :) I like to repeat myself :)

Can you attach the full system log to this discussion thread? I trust that you have checked, x2 checked and x3 checked, but maybe we have missed something. And you are also saying that you don't have any particular log on the AD server when the user gets refused, right? Which would really mean that the phenomenon is happening at the controller level.

And while we are at it, what SW version are you running on the controller?
SteveB2177
Advisor

Re: MSM710 Active Directory 802.1X authentication issue?

We have 7 DC's... On the two located here at HQ, nothing... I am (slowly) working through the remote servers at the 5 other locations, but nothing as yet... I'll try to get through them today and post what I can of the log files as well...

Thanks!

Steve
SteveB2177
Advisor

Re: MSM710 Active Directory 802.1X authentication issue?

But I would think it is generating a failure on the AD side somewhere, since it is locking his account in AD users and computers...

Perhaps it is not under his username in the server logs, but I am looking at any failure generated in the time frame of one specific example from the MSM710 controller's logs, so if it is there I should find it... but having so many servers makes it a bit time consuming.

Thanks!
SteveB2177
Advisor

Re: MSM710 Active Directory 802.1X authentication issue?

I found no failure errors in the Security event logs on any of our DCs that would correlate to the failures in authentication we are seeing.

Software version: 5.3.5.0-01-7943

I am attaching a slightly sanitized version of the unfiltered log...

Thanks so much for your assistance!
Fred!
Trusted Contributor

Re: MSM710 Active Directory 802.1X authentication issue?

OK, so I've looked at the detailed log. Unfortunately in this log what I could see is that the user account was locked on the first attempt. So I could not really use the log unfortunately. What would be good is to see the user trying for a couple of times and then get locked, maybe that would help, but again I understand that it might be painful in your setup to get to that information.

What I would suggest is to try to lower your AD security policy for that particular user. There are a lot of challenges between the client and the server, and some back and forth, and maybe the stringent policy to lock an account after (how many retries? 3?) might be a little harsh.

As a test I would try to augment that limit to let's say 10 or just to remove it temporarily to see if it makes any good on your users...
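Fred's two suggestions above (read the 'Extra AD/RADIUS debug' output per user, and check how many bad-password attempts precede the AD lockout) can be combined into one small log pass. The script below is an added example, not code from the thread or from HP; it parses lines in the shape of the single radiusd message quoted earlier and counts outcomes per user. The sample log lines are constructed (made-up names, MACs and timestamps); only "Login incorrect" and "Invalid user" are message texts mentioned in the thread, "Login OK" is assumed as the matching success message.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the shape of the radiusd debug message quoted in
# the thread. Users, MACs and timestamps are made up; "Login OK" is assumed as
# the success counterpart and is not taken from the thread.
SAMPLE_LOG = r"""
Jun 12 09:01:10 debug radiusd A:Login OK: [CORP\alice] (from client localhost port 70 cli 00-11-22-33-44-55)
Jun 12 09:01:32 debug radiusd A:Login incorrect: [CORP\bob] (from client localhost port 70 cli 66-77-88-99-aa-bb)
Jun 12 09:01:40 debug radiusd A:Login incorrect: [CORP\bob] (from client localhost port 70 cli 66-77-88-99-aa-bb)
Jun 12 09:02:05 debug radiusd A:Invalid user: [CORP\carol] (from client localhost port 70 cli cc-dd-ee-ff-00-11)
Jun 12 09:02:30 debug radiusd A:Login OK: [CORP\alice] (from client localhost port 70 cli 00-11-22-33-44-55)
Jun 12 09:02:51 debug radiusd A:Login incorrect: [CORP\bob] (from client localhost port 70 cli 66-77-88-99-aa-bb)
"""

LINE_RE = re.compile(
    r"radiusd A:(?P<outcome>Login OK|Login incorrect|Invalid user): "
    r"\[(?P<user>[^\]]+)\] \(from client (?P<client>\S+) port (?P<port>\d+) cli (?P<mac>[^)]+)\)",
    re.IGNORECASE,
)


def parse_line(line):
    """Return outcome, user and MAC from one radiusd line, or None if it is not one."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return {"outcome": m.group("outcome").lower(), "user": m.group("user"), "mac": m.group("mac")}


def summarize(log_text):
    """Count outcomes per user so the failing account stands out next to the working ones."""
    per_user = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            per_user[rec["user"]][rec["outcome"]] += 1
    return per_user


def lockout_candidates(per_user, threshold):
    """Users whose 'Login incorrect' count reached the AD lockout threshold being tested.

    'Invalid user' is counted separately: the thread ties it to the missing
    dial-in attribute, not to a password mismatch."""
    return sorted(u for u, c in per_user.items() if c["login incorrect"] >= threshold)


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for user, counts in sorted(s.items()):
        print(user, dict(counts))
    print("at lockout threshold 3:", lockout_candidates(s, 3))
```

Run it over the controller's syslog export instead of SAMPLE_LOG to see, per account, how many password rejections the controller logged before AD reported the lockout.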