Pavel Chelisant
Advisor

MSM765 + WINDOWS AD

Hi all!
I successfully joined the controller to the domain, and its status shows as joined. But when I try to authenticate via a client, the logs show LOGIN OK, but then I receive ACCESS REJECT.
Here is some of the log I got:

Mar 5 16:10:37 debug radiusd I:rlm_eap_mschapv2: Issuing Challenge
Mar 5 16:10:37 debug iprulesmgr Received RADIUS Packet (Length:'159',Code:'Access-Challenge',Id:'134') from RADIUS Server (Ip:'127.0.0.1',Port:'27910') for User (nas-port:'666',username:'pchelisant').
Mar 5 16:10:37 debug iprulesmgr Sending RADIUS Access Challenge (id='237') to RADIUS Client (ip-address='169.254.0.4',port='32772').
Mar 5 16:10:37 debug iprulesmgr Received RADIUS Access Request (id='27') for user (calling-station-id='00-13-CE-D7-CC-D7',virtual-ap-index='2') from IEEE802dot1x RADIUS Client (ip-address='169.254.0.4',port='32772',called-station-id='00-0F-61-7F-BB-F0:ML_ES').
Mar 5 16:10:37 debug iprulesmgr Sending RADIUS Packet (Length:'374',Code:'Access-Request',Id:'161') to RADIUS Server (Ip:'127.0.0.1',Port:'1645') for User (nas-port:'666',username:'pchelisant').
Mar 5 16:10:37 debug radiusd E:internal authorization attributes are missing.
Mar 5 16:10:37 debug radiusd Last message repeated 1 times
Mar 5 16:10:37 debug iprulesmgr Received RADIUS Packet (Length:'174',Code:'Access-Challenge',Id:'161') from RADIUS Server (Ip:'127.0.0.1',Port:'27910') for User (nas-port:'666',username:'pchelisant').
Mar 5 16:10:37 debug iprulesmgr Sending RADIUS Access Challenge (id='27') to RADIUS Client (ip-address='169.254.0.4',port='32772').
Mar 5 16:10:37 debug iprulesmgr Received RADIUS Access Request (id='98') for user (calling-station-id='00-13-CE-D7-CC-D7',virtual-ap-index='2') from IEEE802dot1x RADIUS Client (ip-address='169.254.0.4',port='32772',called-station-id='00-0F-61-7F-BB-F0:ML_ES').
Mar 5 16:10:37 debug iprulesmgr Sending RADIUS Packet (Length:'311',Code:'Access-Request',Id:'173') to RADIUS Server (Ip:'127.0.0.1',Port:'1645') for User (nas-port:'666',username:'pchelisant').
Mar 5 16:10:37 debug radiusd E:internal authorization attributes are missing.
Mar 5 16:10:37 debug radiusd Last message repeated 1 times
Mar 5 16:10:37 debug radiusd A:Login OK: [pchelisant] (from client localhost port 666 cli 00-13-CE-D7-CC-D7)
Mar 5 16:10:37 debug iprulesmgr Received RADIUS Packet (Length:'138',Code:'Access-Challenge',Id:'173') from RADIUS Server (Ip:'127.0.0.1',Port:'27910') for User (nas-port:'666',username:'pchelisant').
Mar 5 16:10:37 debug iprulesmgr Sending RADIUS Access Challenge (id='98') to RADIUS Client (ip-address='169.254.0.4',port='32772').
Mar 5 16:10:37 debug iprulesmgr Received RADIUS Access Request (id='82') for user (calling-station-id='00-13-CE-D7-CC-D7',virtual-ap-index='2') from IEEE802dot1x RADIUS Client (ip-address='169.254.0.4',port='32772',called-station-id='00-0F-61-7F-BB-F0:ML_ES').
Mar 5 16:10:37 debug iprulesmgr Sending RADIUS Packet (Length:'320',Code:'Access-Request',Id:'149') to RADIUS Server (Ip:'127.0.0.1',Port:'1645') for User (nas-port:'666',username:'pchelisant').
Mar 5 16:10:37 debug radiusd E:internal authorization attributes are missing.
Mar 5 16:10:37 debug radiusd A:Login OK: [pchelisant] (from client localhost port 666 cli 00-13-CE-D7-CC-D7)
Mar 5 16:10:37 debug iprulesmgr Received RADIUS Packet (Length:'214',Code:'Access-Accept',Id:'149') from RADIUS Server (Ip:'127.0.0.1',Port:'27910') for User (nas-port:'666',username:'pchelisant').
Mar 5 16:10:37 debug iprulesmgr Sending RADIUS Access Reject (id='82') to RADIUS Client (ip-address='169.254.0.4',port='32772').
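
The trace above ends with the internal RADIUS server (127.0.0.1) answering Access-Accept for Id 149 while the controller sends Access Reject for id 82 to the RADIUS client. The following Python is an added example, not part of the original thread or of the vendor's tooling; it correlates those two IDs per exchange and reports where an accept was turned into a reject. The line formats are inferred from the trace in this post, and the function name is hypothetical.

```python
import re

# Log lines copied from the last exchange of the trace in the post above.
SAMPLE = """\
Mar 5 16:10:37 debug iprulesmgr Received RADIUS Access Request (id='82') for user (calling-station-id='00-13-CE-D7-CC-D7',virtual-ap-index='2') from IEEE802dot1x RADIUS Client (ip-address='169.254.0.4',port='32772',called-station-id='00-0F-61-7F-BB-F0:ML_ES').
Mar 5 16:10:37 debug iprulesmgr Sending RADIUS Packet (Length:'320',Code:'Access-Request',Id:'149') to RADIUS Server (Ip:'127.0.0.1',Port:'1645') for User (nas-port:'666',username:'pchelisant').
Mar 5 16:10:37 debug radiusd E:internal authorization attributes are missing.
Mar 5 16:10:37 debug radiusd A:Login OK: [pchelisant] (from client localhost port 666 cli 00-13-CE-D7-CC-D7)
Mar 5 16:10:37 debug iprulesmgr Received RADIUS Packet (Length:'214',Code:'Access-Accept',Id:'149') from RADIUS Server (Ip:'127.0.0.1',Port:'27910') for User (nas-port:'666',username:'pchelisant').
Mar 5 16:10:37 debug iprulesmgr Sending RADIUS Access Reject (id='82') to RADIUS Client (ip-address='169.254.0.4',port='32772').
"""

# Patterns inferred from the trace; other firmware versions may log differently.
CLIENT_REQ = re.compile(r"Received RADIUS Access Request \(id='(\d+)'\).*calling-station-id='([^']+)'")
TO_SERVER = re.compile(r"Sending RADIUS Packet \(.*Code:'Access-Request',Id:'(\d+)'\).*username:'([^']+)'")
FROM_SERVER = re.compile(r"Received RADIUS Packet \(.*Code:'([\w-]+)',Id:'(\d+)'\)")
TO_CLIENT = re.compile(r"Sending RADIUS Access (\w+) \(id='(\d+)'\)")

def find_overridden_accepts(log_text):
    """Return exchanges where the server said Access-Accept but the client got Reject."""
    findings, cur = [], {}
    for line in log_text.splitlines():
        if m := CLIENT_REQ.search(line):          # new request from the AP side
            cur = {"client_id": m[1], "station": m[2], "radiusd_errors": []}
        elif m := TO_SERVER.search(line):         # proxied to the internal server
            cur.update(server_id=m[1], user=m[2])
        elif " radiusd E:" in line and cur:       # errors logged while it was pending
            cur["radiusd_errors"].append(line.split(" radiusd E:", 1)[1])
        elif m := FROM_SERVER.search(line):       # server's answer, matched on its Id
            if m[2] == cur.get("server_id"):
                cur["server_code"] = m[1]
        elif m := TO_CLIENT.search(line):         # what the client was actually told
            if m[2] == cur.get("client_id"):
                cur["client_verdict"] = m[1]
                if cur.get("server_code") == "Access-Accept" and m[1] == "Reject":
                    findings.append(cur)
                cur = {}
    return findings

if __name__ == "__main__":
    for f in find_overridden_accepts(SAMPLE):
        print(f"{f['user']} ({f['station']}): server Id {f['server_id']} -> "
              f"{f['server_code']}, client id {f['client_id']} -> {f['client_verdict']}; "
              f"radiusd errors: {f['radiusd_errors']}")
```
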
16 REPLIES 16
Pavel Chelisant
Advisor

Re: MSM765 + WINDOWS AD

Who will point me to the problem?
Thank you!
Trevor Commulynx
Regular Advisor

Re: MSM765 + WINDOWS AD

You have Radius Rejects, are you sure you have the VSC set to use AD for Auth?
Pavel Chelisant
Advisor

Re: MSM765 + WINDOWS AD

sure
Fred!
Trusted Contributor

Re: MSM765 + WINDOWS AD

Can you provide a screen capture of the AD page? Did you activate any Active Directory group attributes profiles?
Pavel Chelisant
Advisor

Re: MSM765 + WINDOWS AD

See attached.
Pavel Chelisant
Advisor

Re: MSM765 + WINDOWS AD

Regarding attributes, the only thing I did was create groups named after my OU domain containers. But it seems something is not correct, because I receive LOGIN OK only when the default NON AC group is activated....
Fred!
Trusted Contributor

Re: MSM765 + WINDOWS AD

So that I clearly understand: I can see that you have created a couple of groups that are not access controlled. Your active directory setup seems OK so far.

However, I need to understand if the user 'pchelisant' from the traces above is connecting on a VSC that has access control enabled or not? Can you confirm the settings in your VSC?
Pavel Chelisant
Advisor

Re: MSM765 + WINDOWS AD

The user PCHELISANT is a domain user. And only 1 default AD group is activated = NON AC Controlled. This is shown in the pic. So the user is not access controlled.
Fred!
Trusted Contributor

Re: MSM765 + WINDOWS AD

I can see that you only have configured non-access controlled as an AD group from your screen capture, but my question was is the VSC/SSID that you connect to really non-access controlled?

The reason why I'm asking is that I suspect it is access-controlled from the traces that you have in your first post.

Could you please do a screen capture of the VSC page (just the top of the page, not the entire page) so that we can verify?