Security, WIDS/WIPS and Aruba ECS

MVP
Posts: 702
Registered: ‎03-25-2009

802.1x auth - use windows logon issue

I've got a weird issue with one of my customers.
Have set up an 802.1x SSID terminated on the controller (using the customer's certificate) and pointing to a Windows IAS RADIUS server.

When we set up the wireless profile with the proper settings and "use the Windows logon" enabled, the authentication fails.
When we uncheck the "use Windows logon" checkbox, we get presented with the systray popup to enter user, password and domain. When we enter the Windows logon details there, authentication works.

An obvious difference between the granted and denied access in the RADIUS logs is the Fully-Qualified-User-Name. Not sure why, though. The user enters exactly the same info in the Windows logon box as in the 802.1x authentication box.
Anyone got an idea why this is happening?

And in case it matters: according to the customer, this issue started after we upgraded the controller to 6.0.1.2 and at the same time replaced the factory 802.1x certificate with a certificate provided by the company's CA.
Anyone got an idea what is causing this issue and how to resolve it?

################################################################################
ACCESS DENIED (use windows logon checked)
-------
Event Type: Warning
Event Source: IAS
Event Category: None
Event ID: 2
Date: 29/06/2011
Time: 14:43:19
User: N/A
Computer: IAS-radius
Description:
User DOMAIN\userx was denied access.
Fully-Qualified-User-Name = DOMAIN\userx
NAS-IP-Address = 1.2.3.4
NAS-Identifier = 1.2.3.4
Called-Station-Identifier = 000B86612940
Calling-Station-Identifier = 001DE027ED77
Client-Friendly-Name = WLAN controller ip 2
Client-IP-Address = 1.2.3.4
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 0
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server =
Policy-Name =
Authentication-Type = MS-CHAPv2
EAP-Type =
Reason-Code = 16
Reason = Authentication was not successful because an unknown user name or incorrect password was used.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 2e 05 07 80 ...?
################################################################################
ACCESS GRANTED (entered logon manually)
--------
Event Type: Information
Event Source: IAS
Event Category: None
Event ID: 1
Date: 29/06/2011
Time: 14:44:21
User: N/A
Computer: IAS-radius
Description:
User DOMAIN\userx was granted access.
Fully-Qualified-User-Name = DOMAIN.be/DOMAIN Users/ICT/IT-Helpdesk/First Lastname
NAS-IP-Address = 1.2.3.4
NAS-Identifier = 1.2.3.4
Client-Friendly-Name = WLAN controller ip 2
Client-IP-Address = 1.2.3.4
Calling-Station-Identifier = 001DE027ED77
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 0
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server =
Policy-Name = Wireless DOMAIN-Data
Authentication-Type = MS-CHAPv2
EAP-Type =

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 00 00 00 00 ....
################################################################################
Koen (ACMX #351 | ACDX #547 | ACCP)

-- Found something helpful, important, or cool? Click the Kudos Star in a post.
-- Problem Solved? Click "Accept as Solution" in a post.
Aruba Employee
Posts: 99
Registered: ‎09-08-2010

Re: 802.1x auth - use windows logon issue

Are these clients running Windows 7?

It could be possible that the client machine is attempting to machine authenticate first, as Windows 7 is known to try, and that is failing. I'm guessing, but maybe when you set to prompt for user credentials, Windows 7 avoids the machine authentication step and simply performs a user login.

To verify this theory, check the Windows 7 configuration and ensure that the client machine is only attempting to do user authentication. That should fix it for you.
MVP
Posts: 702
Registered: ‎03-25-2009

Re: 802.1x auth - use windows logon issue


Are these clients running Windows 7?

It could be possible that the client machine is attempting to machine authenticate first, as Windows 7 is known to try, and that is failing. I'm guessing, but maybe when you set to prompt for user credentials, Windows 7 avoids the machine authentication step and simply performs a user login.

To verify this theory, check the Windows 7 configuration and ensure that the client machine is only attempting to do user authentication. That should fix it for you.
Problem is also present on XP machines and as you can see from the radius events above they only offer user credentials, not machine credentials.
Koen (ACMX #351 | ACDX #547 | ACCP)

Guru Elite
Posts: 19,997
Registered: ‎03-29-2007

Re: 802.1x auth - use windows logon issue

You could be running into bug 53709, where the EAP Offload authentication username is truncated to 32 characters. Is the domain so long that it could push the username to more than 32 characters? Try to make it so that the IAS server is doing the certificate termination. If it works when you do that, you are running into that bug. Please open a case, and support will determine if you have that bug and keep you up to date as to when it can be fixed.
Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Validated Reference Design Guides : http://community.arubanetworks.com/t5/Validated-Reference-Design/tkb-p/Aruba-VRDs
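The attribute-by-attribute comparison Koen does by eye in the first post, and the identity-length question Colin raises above, as an added example in Python. This is not code from the thread, from Aruba or from Microsoft: DENIED and GRANTED are the two IAS event descriptions from the first post, embedded as constructed sample input, and the parser assumes only the `Name = value` layout those events show.

```python
"""Compare a denied and a granted Windows IAS event attribute by attribute.

Added example (not from the forum thread or from Aruba/Microsoft). DENIED and
GRANTED are the two event descriptions from the first post, embedded here as
constructed sample input; the 'Name = value' layout is the one IAS writes.
"""
import re
from typing import Dict, List, Tuple

DENIED = """\
User DOMAIN\\userx was denied access.
Fully-Qualified-User-Name = DOMAIN\\userx
NAS-IP-Address = 1.2.3.4
NAS-Identifier = 1.2.3.4
Called-Station-Identifier = 000B86612940
Calling-Station-Identifier = 001DE027ED77
Client-Friendly-Name = WLAN controller ip 2
Client-IP-Address = 1.2.3.4
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 0
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server =
Policy-Name =
Authentication-Type = MS-CHAPv2
EAP-Type =
Reason-Code = 16
Reason = Authentication was not successful because an unknown user name or incorrect password was used.
"""

GRANTED = """\
User DOMAIN\\userx was granted access.
Fully-Qualified-User-Name = DOMAIN.be/DOMAIN Users/ICT/IT-Helpdesk/First Lastname
NAS-IP-Address = 1.2.3.4
NAS-Identifier = 1.2.3.4
Client-Friendly-Name = WLAN controller ip 2
Client-IP-Address = 1.2.3.4
Calling-Station-Identifier = 001DE027ED77
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 0
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server =
Policy-Name = Wireless DOMAIN-Data
Authentication-Type = MS-CHAPv2
EAP-Type =
"""

# 'Attribute-Name = value' (value may be empty, as in 'Policy-Name =').
ATTR_RE = re.compile(r"^([A-Z][A-Za-z0-9-]*) = ?(.*)$")


def parse_ias_event(text: str) -> Dict[str, str]:
    """Return {attribute: value} for one event description.

    The free-text 'User ... was denied/granted access.' line is stored under the
    synthetic key 'Outcome' so the two events can be diffed uniformly.
    """
    attrs: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ATTR_RE.match(line)
        if m:
            attrs[m.group(1)] = m.group(2).strip()
        elif line.startswith("User ") and line.endswith(" access."):
            attrs["Outcome"] = "granted" if " was granted " in line else "denied"
    return attrs


def diff_events(a: Dict[str, str], b: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Attributes that differ or appear on only one side, as (name, a, b), sorted by name."""
    out: List[Tuple[str, str, str]] = []
    for key in sorted(set(a) | set(b)):
        va, vb = a.get(key, "<absent>"), b.get(key, "<absent>")
        if va != vb:
            out.append((key, va, vb))
    return out


def identity_length(attrs: Dict[str, str]) -> int:
    """Character count of the identity IAS logged (the 32-character question)."""
    return len(attrs.get("Fully-Qualified-User-Name", ""))


def summarize(denied_text: str, granted_text: str) -> List[str]:
    """Human-readable lines: every differing attribute, then both identity lengths."""
    d, g = parse_ias_event(denied_text), parse_ias_event(granted_text)
    lines = [f"{k}: denied={a!r} granted={b!r}" for k, a, b in diff_events(d, g)]
    lines.append(f"identity length: denied={identity_length(d)} granted={identity_length(g)}")
    return lines


if __name__ == "__main__":
    print("\n".join(summarize(DENIED, GRANTED)))
```

Fields that are identical on both sides (NAS, client MAC, Proxy-Policy-Name, Authentication-Type) drop out, leaving the outcome, Policy-Name, Reason-Code 16 and the two spellings of the identity. The length check is the one Colin suggests: the pre-Windows 2000 form here is well under 32 characters, so the thread's own data does not point at the truncation bug.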
MVP
Posts: 702
Registered: ‎03-25-2009

Re: 802.1x auth - use windows logon issue


The domain name is extremely short, so it shouldn't pose a problem.
Can't terminate EAP on the server itself as it only has a server certificate and I cannot seem to get a computer certificate from the CA. Might this be because it's a standalone CA instead of an enterprise one? Not entirely familiar with CAs myself, yet.

Koen (ACMX #351 | ACDX #547 | ACCP)

Guru Elite
Posts: 19,997
Registered: ‎03-29-2007

Re: 802.1x auth - use windows logon issue

When I read your first post, it says that the fully qualified username is wrong in the failed attempts. That means that the username is not found in Active Directory.

- Is the Radius Server part of the domain?
- If it is a standalone CA, do the Windows Machines Trust the certificate?
- In the wireless configuration, do the clients have the "Validate Server Certificate" Option checked?
Colin Joseph
Aruba Customer Engineering

MVP
Posts: 702
Registered: ‎03-25-2009

Re: 802.1x auth - use windows logon issue


When I read your first post, it says that the fully qualified username is wrong in the failed attempts. That means that the username is not found in Active Directory.

- Is the Radius Server part of the domain?
- If it is a standalone CA, do the Windows Machines Trust the certificate?
- In the wireless configuration, do the clients have the "Validate Server Certificate" Option checked?

Well, the failed attempt lists the Fully-Qualified-User-Name as DOMAIN\userx, which AD lists as the user logon name (pre-Windows 2000).
The successful attempt lists it as DOMAIN.be/DOMAIN Users/ICT/IT-Helpdesk/First Lastname. This is basically all the organizational folders with the user's first and last name.

When I tested this on our own domain, it's actually the DOMAIN\user that gets logged which is what fails here.

RADIUS server is registered in AD.
No, no trusted certificates yet. Currently editing the WLAN profile to not check the server certificate.
Koen (ACMX #351 | ACDX #547 | ACCP)
