
Machine authentication fails when SSID profile is pushed via GPO

Problem:

Machine authentication fails when the wireless (SSID) profile is pushed to domain machines via GPO.



Diagnostics:

Below are the RADIUS request details (ClearPass Access Tracker) for the failing machine authentication:

Request Details Summary -
 Session Identifier: R0000fd1d-01-580fbf67
 Date and Time: Oct 25, 2016 16:24:07 IST
 Username: CPPMLAB\CPPMMC1$
 End-Host Identifier: 00:E0:D5:7D:BB:20
 Access Device IP/Port: 10.30.16.5:0
 Audit Posture Status: UNKNOWN (100)
 System Posture Status: UNKNOWN (100)
 Login Status: REJECT

Policies Used -
 Service: CPPM-Wireless
 Authentication Method: EAP-PEAP,EAP-MSCHAPv2
 Authentication Source: AD:cppmad01.blr.in
 Authorization Source: 
 Roles: [Other]
 Enforcement Profiles: [Deny Access Profile]
 Service Monitor Mode: Disabled

Input RADIUS Attributes -
 Radius:Aruba:Aruba-AP-Group = BLORE-APGrp
 Radius:Aruba:Aruba-Essid-Name = CPPM-ssid
 Radius:Aruba:Aruba-Location-Id = BLORE-LOCATION
 Radius:IETF:Called-Station-Id = 00:1C:2E:01:C1:E0
 Radius:IETF:Calling-Station-Id = 00:E0:D5:7D:BB:20
 Radius:IETF:Framed-MTU = 768
 Radius:IETF:NAS-Identifier = 10.30.16.5
 Radius:IETF:NAS-IP-Address = 10.30.16.5
 Radius:IETF:NAS-Port = 0
 Radius:IETF:NAS-Port-Type = 19
 Radius:IETF:Service-Type = 1
 Radius:IETF:User-Name = CPPMLAB\\CPPMMC1$
 Radius:Microsoft:MS-CHAP2-Response = 0x0a31e2d1612283f6ae3847cef67451663dc70000000000000000000000000000000000000000000000000000000000000000
 Radius:Microsoft:MS-CHAP-Challenge = 0x8671287166e73820bcf77e168e1d3292
 Radius:Microsoft:MS-CHAP-Error = \nE=691 R=1

Input Computed Attributes -
 Authentication:ErrorCode = 216
 Authentication:Full-Username = CPPMLAB\\CPPMMC1$
 Authentication:InnerMethod = EAP-MSCHAPv2
 Authentication:MacAuth = NotApplicable
 Authentication:NetBIOS-Name = CPPM-LAB
 Authentication:OuterMethod = EAP-PEAP
 Authentication:Posture = Unknown
 Authentication:Status = Failed
 Authentication:Username = CPPMMC1$
 Connection:AP-Name = BLR-NDO-RM16
 Connection:Client-Mac-Address = 00:E0:D5:7D:BB:20
 Connection:Client-Mac-Address-Colon = 00:e0:d5:7d:bb:20
 Connection:Client-Mac-Address-Dot = 00e0.d57d.bb20
 Connection:Client-Mac-Address-Hyphen = 00-e0-d5-7d-bb-20
 Connection:Client-Mac-Address-NoDelim = 00e0d57dbb20
 Connection:Client-Mac-Address-Upper-Hyphen = 00-E0-D5-7D-BB-20
 Connection:Dest-IP-Address = 10.30.16.4
 Connection:Dest-Port = 1812
 Connection:NAD-IP-Address = 10.30.16.5
 Connection:Protocol = RADIUS
 Connection:Src-IP-Address = 10.30.16.5
 Connection:Src-Port = 34102
 Connection:SSID = CPPM-ssid
 Date:Date-Time = 2016-10-25 16:24:07

Alerts -
 Error Code: 216
 Error Category: Authentication failure
 Error Message: User authentication failed
 Alerts for this Request -
   RADIUS: MSCHAP: AD status:Logon failure (0xc000006d) \nMSCHAP: Authentication failed\nEAP-MSCHAPv2: User authentication failure

 

From the request details above, the User-Name is CPPMLAB\CPPMMC1$, i.e. the computer account's sAMAccountName prefixed with the domain name. The alerts show why the request was rejected: the MS-CHAP-Error E=691 and the AD status 0xc000006d (STATUS_LOGON_FAILURE) mean the domain controller refused the MS-CHAPv2 credential presented for that identity. It is observed that when a domain machine sends its machine authentication request with the sAMAccountName in this form, machine authentication fails.

Because the wireless settings are pushed via GPO, the fix is applied on the domain machine: if the machine authentication request arrives at the ClearPass server with the sAMAccountName, modify the following registry value so that the machine sends its servicePrincipalName (host/<FQDN>) instead.

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\DataStore\Machine\0 : change the value szName to the servicePrincipalName of the machine (for the machine in this example, host/CPPMMC1.blr.in).
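The following PowerShell script is an added example and is not part of the original article or an Aruba-supplied tool. It applies the registry change described above on the affected domain-joined client (run from an elevated prompt) and also classifies a User-Name string the way you would read it in Access Tracker, so the same check can be run against the values shown in the two request dumps on this page. Assumptions: the -Apply switch, the backup file location under ProgramData, and deriving the expected SPN from Win32_ComputerSystem (Name and Domain) are choices made for this example; the registry path is the one the article gives, written in PowerShell's HKLM: form.

```powershell
# Added example (not from the original article): report and, with -Apply, correct the
# szName value that the article identifies as the source of the machine-auth identity.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Apply   # hypothetical switch: without it the script only reports
)

# Registry path from the article, in PowerShell provider form.
$KeyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\DataStore\Machine\0'

# Classify the User-Name as seen in ClearPass Access Tracker:
#   'host/fqdn'    -> servicePrincipalName form (accepted in the article's second dump)
#   'DOMAIN\HOST$' -> sAMAccountName form (rejected in the article's first dump)
function Get-MachineIdentityForm {
    param([Parameter(Mandatory)][string]$UserName)
    if ($UserName -match '^host/[^/\\]+$')          { return 'servicePrincipalName' }
    if ($UserName -match '^(?:[^\\]+\\)?[^\\]+\$$') { return 'sAMAccountName' }
    return 'unknown'
}

# Expected SPN built from this machine's own name and DNS domain (assumption: the
# computer object's host/ SPN uses the machine's FQDN, as in the article's example).
function Get-ExpectedMachineSpn {
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    if (-not $cs.PartOfDomain) { throw 'This computer is not domain-joined.' }
    return ('host/{0}.{1}' -f $cs.Name, $cs.Domain)
}

$expected = Get-ExpectedMachineSpn
$current  = (Get-ItemProperty -Path $KeyPath -Name szName -ErrorAction Stop).szName

Write-Host ("Current szName : {0}  [{1}]" -f $current, (Get-MachineIdentityForm $current))
Write-Host ("Expected SPN   : {0}  [{1}]" -f $expected, (Get-MachineIdentityForm $expected))

if ($current -eq $expected) {
    Write-Host 'szName already carries the servicePrincipalName; nothing to change.'
    return
}

if (-not $Apply) {
    Write-Host 'Re-run with -Apply (optionally -WhatIf) to write the value.'
    return
}

if ($PSCmdlet.ShouldProcess($KeyPath, "set szName to '$expected'")) {
    # Keep the original value so the change can be reverted.
    $backup = Join-Path $env:ProgramData ('szName-backup-{0:yyyyMMdd-HHmmss}.txt' -f (Get-Date))
    Set-Content -Path $backup -Value $current
    Set-ItemProperty -Path $KeyPath -Name szName -Value $expected -Type String
    Write-Host "Updated szName. Original value saved to $backup."
}
```

Before applying, confirm the computer object actually carries the host/<FQDN> SPN (for example with `setspn -L <computername>` on a domain-joined admin workstation); ClearPass will look that name up in AD and the second dump on this page shows the lookup succeeding. After the change, reconnect the client to the SSID and check the new request in Access Tracker: the User-Name should now appear as host/<FQDN>, while the computed Authentication:Username stays the bare sAMAccountName (CPPMMC1$ in the example). Re-check the registry value after the next policy refresh or reboot to make sure it has persisted.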

 

After modifying the registry value above, the machine authentication request carries the servicePrincipalName (host/CPPMMC1.blr.in) as its User-Name and the machine is authenticated on ClearPass successfully, as shown below:

Request Details Summary -
 Session Identifier: R00018c45-01-58112219
 Date and Time: Oct 26, 2016 17:37:30 IST
 Username: host/CPPMMC1.blr.in
 End-Host Identifier: 00:E0:D5:7D:BB:20
 Access Device IP/Port: 10.30.16.5:0
 Audit Posture Status: UNKNOWN (100)
 System Posture Status: UNKNOWN (100)
 Login Status: ACCEPT

Policies Used -
 Service: CPPM-Wireless
 Authentication Method: EAP-PEAP,EAP-MSCHAPv2
 Authentication Source: AD:cppmad01.blr.in
 Authorization Source: CPPM-AD
 Roles: [Machine Authenticated], [Other]
 Enforcement Profiles: Domain-Machine
 Service Monitor Mode: Disabled

Input RADIUS Attributes -
 Radius:Aruba:Aruba-AP-Group = BLORE-APGrp
 Radius:Aruba:Aruba-Essid-Name = CPPM-ssid
 Radius:Aruba:Aruba-Location-Id = BLORE-LOCATION
 Radius:IETF:Called-Station-Id = 00:1C:2E:01:C1:E0
 Radius:IETF:Calling-Station-Id = 00:E0:D5:7D:BB:20
 Radius:IETF:Framed-MTU = 768
 Radius:IETF:NAS-Identifier = 10.30.16.5
 Radius:IETF:NAS-IP-Address = 10.30.16.5
 Radius:IETF:NAS-Port = 0
 Radius:IETF:NAS-Port-Type = 19
 Radius:IETF:Service-Type = 1
 Radius:IETF:User-Name = host/CPPMMC1.blr.in

Input Computed Attributes -
 Authentication:ErrorCode = 0
 Authentication:Full-Username = host/CPPMMC1.blr.in
 Authentication:InnerMethod = EAP-MSCHAPv2
 Authentication:MacAuth = NotApplicable
 Authentication:NetBIOS-Name = CPPM-LAB
 Authentication:OuterMethod = EAP-PEAP
 Authentication:Posture = Unknown
 Authentication:Source = CPPM-AD
 Authentication:Status = Machine
 Authentication:Username = CPPMMC1$
 Authorization:Sources = CPPM-AD
 Connection:AP-Name = BLR-NDO-RM16
 Connection:Client-Mac-Address = 00:E0:D5:7D:BB:20
 Connection:Client-Mac-Address-Colon = 00:e0:d5:7d:bb:20
 Connection:Client-Mac-Address-Dot = 00e0.d57d.bb20
 Connection:Client-Mac-Address-Hyphen = 00-e0-d5-7d-bb-20
 Connection:Client-Mac-Address-NoDelim = 00e0d57dbb20
 Connection:Client-Mac-Address-Upper-Hyphen = 00-E0-D5-7D-BB-20
 Connection:Dest-IP-Address = 10.30.16.4
 Connection:Dest-Port = 1812
 Connection:NAD-IP-Address = 10.30.16.5
 Connection:Protocol = RADIUS
 Connection:Src-IP-Address = 10.30.16.5
 Connection:Src-Port = 34102
 Connection:SSID = CPPM-ssid
 Date:Date-Time = 2016-10-26 17:37:30
 Host:FQDN = CPPMMC1.blr.in
 Host:Name = CPPMMC1

Input Authorization Attributes -
 Authorization:NYACK-AD:HostName = CPPMMC1.blr.in
 Authorization:NYACK-AD:Name = CPPMMC1$
 Authorization:NYACK-AD:OperatingSystem = Windows 8.1 Enterprise
 Authorization:NYACK-AD:UserDN = CN=CPPMMC1,OU=Mobile Devices,OU=Computers,OU=CPPM-LAB ES,DC=CPPM

Output RADIUS Attributes -
 Radius:Aruba:Aruba-User-Role = Domain-Machine

Accounting Details -
 Account Session ID: host/CPP78617CEE1517-2394C
 Start Timestamp: Oct 26, 2016 17:37:30 IST
 End Timestamp: Still Active
 Status: Active
 Termination Cause: 
 Service Type: 
 Number of Authentication Sessions: 1

 Network Details -
  NAS IP Address: 10.30.16.5:0
  NAS Port Type: Wireless-802.11
  Calling Station ID: 00:E0:D5:7D:BB:20
  Called Station ID: 00:1C:2E:01:C1:E0
  Framed IP Address: 10.30.226.14
  Account Auth: RADIUS

 Utilization -
  Active Time: 0 secs
  Account Delay Time: 0
  Account Input Octets: 0
  Account Output Octets: 0
  Account Input Packets: 0
  Account Output Packets: 0

 Authentication Session Details -
   Session ID: R00018c45-01-58112219
   Type: Start
   Date/Time: Oct 26, 2016 17:37:30 IST



Solution

Ensure that the machine authentication request's User-Name is the computer's servicePrincipalName (host/<FQDN>) rather than its sAMAccountName (DOMAIN\COMPUTER$); on the affected domain machine, set szName under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\DataStore\Machine\0 to that SPN.

Version history
Revision #: 2 of 2
Last update: 03-18-2017 11:56 AM