HPE Community
IMC
1753514 Members
6241 Online
108795 Solutions
New Discussion

Re: iMC_UAM_7.1_E0302P06 changes/breaks computer authentication!!!??

 
NeilR
Esteemed Contributor

‎01-12-2015 10:07 AM

‎01-12-2015 10:07 AM

iMC_UAM_7.1_E0302P06 changes/breaks computer authentication!!!??

I tested iMC_UAM_7.1_E0302P06 update. My windows machine authentication using PEAP/mschapV2 and the computer account does not work, giving this error:

 

Account Name computer
Login Name host/WS500X.domain.com
Authentication Failure Cause E63121::receive no packet from mschapv2server.
Failed at 2015-01-11 11:45:46
User IP Address 
User MAC Address B8:AC:6F:32:B3:46
Device IP 10.10.100.133
Device NAT IP 10.10.100.133
Port 0
Device SN 
IMSI 
Service Name PEAP_Computer_acc_svc
VLAN ID/Inner VLAN ID 27
Outer VLAN ID 
User SSID 
Computer Name 
Windows Domain

 

Not sure where the Inner VLAN ID of 27 is coming from as I don't specify one.

 

The update changes how Domain Controller-Assisted PEAP Authentication is configured, moving it from a global configuration to a part of the LDAP server configuration.

 

In the read me under features added:

 

9. LDAP servers can use different domain controllers for MS-CHAPv2 authentication. This feature is configurable under User > User Access Policy > LDAP Service > LDAP Server .

 

And modified:

 

4.The LDAP parameters were moved from the system parameter settings page to the LDAP Service menu. This feature is configurable under User > User Access Policy > LDAP Service > LDAP Parameters.

 

Under Other problems:

 

PEAP-MSCHAPv2 is not supported by PCs using machine authentication.

 

So how is the computer authentication now supposed to work??

 

Is it temporarily broken and will be fixed, or is it eliminated?

 

This is a big change without much documentation except as above. My authentication strategy has been using this for the last few years in PCM and now IMC - now its not supported anymore??? Not happy about this.

 

I was not able to do extensive testing - I only have the production instance at this time - I snapshotted it fortunately before deploying and testing this update, so I rolled it back.

 

Any insight on this would be appreciated. If you use computer authentication beware of this update!

 

BTW the ability to use multiple DC's is handy but still....

 

 

0 Kudos
5 REPLIES 5
Karol Karkowski
Advisor

‎01-28-2015 04:27 PM

‎01-28-2015 04:27 PM

Re: iMC_UAM_7.1_E0302P06 changes/breaks computer authentication!!!??

HI

 

I have the same problem after installing patch 06

Beside this one i have also

 

E63120::Domain controller infomation error

 

Have you got simiilar ?

 

I have notice tonigh that P07 has beed released, I am trying to check it

 

Besides I am still expiriencing instability: from time to time my server is unreachable from the switch

 

can't reach radius server

 

I have got also intsalled UAM subserver but it behave the same way

 

best regards :)

 

I would appriaciate any suggestions

 

K

0 Kudos
NeilR
Esteemed Contributor

‎01-29-2015 04:43 PM - edited ‎01-29-2015 04:44 PM

‎01-29-2015 04:43 PM - edited ‎01-29-2015 04:44 PM

Re: iMC_UAM_7.1_E0302P06 changes/breaks computer authentication!!!??

I run IMC as VM, so I snapshot the VM before the upgrade. After I discovered/verfiied the issue I reverted to the original state, as my production system depends on machine authentication via PEAP- MSCHAP.  So I can't comment further on symptoms.

 

Without that, new users cannot log into a machine unless a Domain controller is visible on a restricted network. Additionally if a different VLAN is assigned, the the IP address changes, making remote desktop break becuase the ip changes after login and the remote session can't follow that.

 

UAM 7.1E0302P07 is posted. They put the wrong release notes on the web site, TAM instead of UAM, so you need to download the whole package. Fortunately the correct release notes are included. Lots of fixes and features, but still 

 

Other Problems:

 

  • PEAP-MSCHAPv2 is not supported by PCs using machine authentication

I've asked for clarification on this from HP but no answer yet: Broken forever or just for this release. Can't go further without it or else I have to redesign my whole authentication system

0 Kudos
Karol Karkowski
Advisor

‎01-30-2015 03:57 AM

‎01-30-2015 03:57 AM

Re: iMC_UAM_7.1_E0302P06 changes/breaks computer authentication!!!??

Hi

 

I have installed P07 but without impact on the issue with mschapv2, I have also sent question to OBP, must wait...

 

I have seen this notice on PC machine and PEAP-MSCHAPv2, it is a little bit strange that HP has released software version that has limitation in comparison to earlier version

 

Yestarday I have installed second test server HP IMC with UAM on Wondows Server (my first is on Linux RedHat) but withou patches and observing problem with radius availability from switch

 

It seems i canot use patches in this moment and I am considering changing to EAP-TLS, because client want to add additional domains

 

I have no snapshot of machine so I thinkd the only solution for me to return to IMC UAM prior patch 06 is reinstall HP IMC UAM but not shure if any changes in databases structure

 

best regards

 

Karol

 

 

0 Kudos
Georgeisaac
Advisor

‎07-15-2015 12:02 AM

‎07-15-2015 12:02 AM

Re: iMC_UAM_7.1_E0302P06 changes/breaks computer authentication!!!??

This issue is fixed with P14 release .

0 Kudos
NeilR
Esteemed Contributor

‎07-15-2015 11:13 AM

‎07-15-2015 11:13 AM

Re: iMC_UAM_7.1_E0302P06 changes/breaks computer authentication!!!??

 I did deploy that update and noted the result in a separate post. It has been working fine so far


  • Computer auth FIXED in UAM E0302P14

Should have updated this post as well. Thx for the reply

0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.