M and MSM Series

Re: MSM710 + Active Directory

 
SFM
Occasional Advisor

MSM710 + Active Directory

I have successfully set up my MSM710 using WPA2 with a static key and HTML login using AD and local accounts without issue.

I am now trying to set up my MSM710 using WPA2-enterprise and having issues with users authenticating against AD. I am using an XP workstation with WPA2-enterprise PEAP MS-CHAP-V2 and every time I try to connect it comes back with Authorization failed due to invalid credentials. I have tried two different user accounts and was able to get these to work with AD and HTML logon but not with WPA2-enterprise.

The Device is joined to the domain.

I have added the groups in AD that the user belongs to.

I have made sure the user does have the AD attribute.

I saw from other issues like this on this forum that I should run the System tools AD/Radius debug and have attached the file. I have attached the file and am hoping someone will be able to make some sense of it for me.

I would greatly appreciate any help on this one.

Thanks
SFM
10 REPLIES
SteveB2177
Advisor

Re: MSM710 + Active Directory

Are you having them manually enter their credentials on attempting to connect, or is it set to "Automatically use my Windows logon name and password (and domain if any)"? (PEAP Properties, where you select MS-CHAP-V2 there is a "Configure" button)

We have some users who fail to authenticate if set to automatically pass their credentials, but they connect just fine if they manually type their credentials in on connection...

No answers as to why but the behavior is fairly well established here. We know it is correctly identifying the user, as it locks their account for bad logon attempts. Are you seeing this as well?

Hope that helps, if only a bit.

Steve
SFM
Occasional Advisor

Re: MSM710 + Active Directory

Yes I am having them manually enter their credentials.

It is not locking the accounts out. It is telling me that it is invalid credentials but doesn't seem like it is trying or the account would be locked out.

SteveB2177
Advisor

Re: MSM710 + Active Directory

Are you seeing any security failures in the error logs of either the client computer or a DC?

Does our vsc look like the "stock image" attached?
SFM
Occasional Advisor

Re: MSM710 + Active Directory

My configuration matches your screen shot.

I looked through my DC's event logs and see no failed audits? I tried connecting again and watching the audit trail and don't see anything.

I looked at the two workstations and don't see any failed audits as well.
SFM
Occasional Advisor

Re: MSM710 + Active Directory

Here is my screen shot.

Only thing different is I am using WPA2 but I have tried it both ways and still the same results.
SteveB2177
Advisor

Re: MSM710 + Active Directory

Is the AD group(s) you are using for AD authentication at the controller a domain local group, global group, or universal group (in AD)?

Apparently best practice is to use domain local groups per documentation forwarded me by support personnel at HP...
SFM
Occasional Advisor

Re: MSM710 + Active Directory


I did get one user connected and then when I tried to reconnect I got the same issues.

I tried rejoining the controller to the domain but this didn't fix the issue either.

I just tried creating a domain local group and adding the users in that I want to get connected with no luck.
Shadow13
Respected Contributor

Re: MSM710 + Active Directory

Contact the support please
SteveB2177
Advisor

Re: MSM710 + Active Directory

Support might be a good option for you... you might think about giving them a call.

On the group, after you create it in AD and add it to the controller, you have to join AD again before it will recognize the group....

Good luck!

Steve