Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

802.1x authentication problem blocked domain accounts for failed attempts - mobile devices [CPPM]

  • 1.  802.1x authentication problem blocked domain accounts for failed attempts - mobile devices [CPPM]

    Posted Dec 20, 2014 11:15 PM

    802.1x authentication problem - mobile devices
    The main problem is the locking of domain accounts after failed attempts.
    A case is described below:
    I have two 7210 Controllers and a ClearPass (CPPM) HW-5K, and the integrated 802.1x service configuration is working well.

    A) The problem is that the account policies are active, which means that after 6 failed attempts the account is locked. The policy also requires that accounts change their password every month.

    These account policies are generating problems because the account is locked every time users change their passwords. This problem has become critical because users use their mobile devices (iPhone, iPad, Android, BlackBerry, etc.) to connect to the 802.1x network, as the organization permits.

    Then, when users change their account passwords, these mobile devices automatically keep trying to connect with the wrong password, and that is where the accounts get locked.

    Solutions attempted:

    1. This configuration was applied to prevent failed password attempts from locking the account: (&(&(sAMAccountName=%{Authentication:Username})(objectClass=user))(!(badPwdCount>=4))) but the query does not work, because when it was checked against the servers from the CPPM, the "badPwdCount" attribute did not increase on each attempt.

    I detected that the client has 4 Active Directory servers and the ClearPass "Source" only queries the primary server; even with three backups configured, it does not query the others unless the primary is down. [attached image 1]


    B) Another problem happens with mobile devices (iPhone, iPad): when the user changes the account password, the device asks for the new password on the second attempt, but when the new password is entered it fails to complete the authentication, because the ClearPass log shows that it is not the correct password.

    Other mobile devices do not ask for the new password; they just try and try until the account locks.


    The only way found so far to solve this problem is to delete the already created 802.1x network on the mobile devices (iPhone, iPad, Android, etc.) and reconnect again, and then it works again.


    How could I solve this problem?
    Could you indicate whether this behavior of the iPhone and other mobile devices is normal, or whether I need some settings in ClearPass or on the Controller?


    #7210


  • 2.  RE: 802.1x authentication problem blocked domain accounts for failed attempts - mobile devices [CPPM]

    EMPLOYEE
    Posted Dec 20, 2014 11:33 PM

    The problem you have explained is exactly why certificates are the preferred authentication method for BYOD. Do you have onboard licenses?

    The other thing you can do is change your blacklist count on the controller to say, 3. After 3 bad authentications, the device will be wirelessly blacklisted (can't associate) for 15 minutes (by default).


    Thanks,
    Tim



  • 3.  RE: 802.1x authentication problem blocked domain accounts for failed attempts - mobile devices [CPPM]

    Posted Dec 20, 2014 11:40 PM

    Hi Cappalli:

     

    No, I have no Onboard licenses.

    The blacklist is not enabled on the controller, nor any ACL. The mobile devices do not fall into the blacklist.
    What happens is that the mobile devices try many times with the wrong password, and that is where the user's account gets locked and therefore cannot connect to the network.

     

    Regards.

    John



  • 4.  RE: 802.1x authentication problem blocked domain accounts for failed attempts - mobile devices [CPPM]

    Posted Dec 20, 2014 11:43 PM

    This solution does not work for me (&(&(sAMAccountName=%{Authentication:Username})(objectClass=user))(!(badPwdCount>=4))) because there are multiple domain controllers that users can connect to.



  • 5.  RE: 802.1x authentication problem blocked domain accounts for failed attempts - mobile devices [CPPM]

    Posted Dec 20, 2014 11:48 PM

    It is true this attribute is not replicated in AD, but if the source of the bad passwords are coming from ClearPass, then the domain controller that ClearPass is using for authentication should be incrementing this count; then subsequent attempts by ClearPass to this same domain controller should eventually result in user not found when the count exceeds your threshold.



  • 6.  RE: 802.1x authentication problem blocked domain accounts for failed attempts - mobile devices [CPPM]

    Posted Dec 20, 2014 11:40 PM

    You're on the right track.   Try editing your filter to the following:

     

    (&(&(sAMAccountName=%{Authentication:Username})(objectClass=user)(badPwdCount<=4)))

     

    The result will be "user not found" in Access Tracker; but at least it won't lock them out.

     

    To solve this problem with mobile devices and password changes, certificates are typically used, with EAP-TLS authentication. This can be done with ClearPass Onboarding or through other provisioning methods (manual, MDM, etc.).



  • 7.  RE: 802.1x authentication problem blocked domain accounts for failed attempts - mobile devices [CPPM]

    Posted Dec 20, 2014 11:48 PM

    Hi Clembo:

     

    This query is not working because the client has 4 servers, and when domain users log in they can do so at any of them, but their session is replicated to all of them. Therefore, when ClearPass queries your primary server (image 1) it sees the user there, and it does not query the other servers that are set as backup.

     

    Regards.



  • 8.  RE: 802.1x authentication problem blocked domain accounts for failed attempts - mobile devices [CPPM]
    Best Answer

    Posted Dec 20, 2014 11:53 PM

    Each environment may be different, but if the authentication source in ClearPass is set to use a particular server as Primary, it should always use that one and not the backup servers (assuming it is up and functional). Thus, the bad password count should increment on that server.

     

    If the filter won't work for you, I suggest you explore certificate/EAP-TLS based authentication.  If OnBoarding is not an option, then you can look at using Microsoft ADCS as an option.



  • 9.  RE: 802.1x authentication problem blocked domain accounts for failed attempts - mobile devices [CPPM]

    Posted Dec 21, 2014 12:10 AM

    Hi Clembo:


    Let me explain a bit what is happening:

    I have configured the sources in the CPPM the following way:
    Primary: srvad01
    Backup1: srvad02
    Backup2: srvad03
    Backup3: srvad04

    When ClearPass makes the query to validate the user data, it always sends the query to the primary (srvad01); I mention this because the log never shows the backup servers being queried. Then, when the user enters the password incorrectly the indicated number of times on the SSID, the account gets locked, and when it is reviewed on the servers, the account was locked on the server srvad03.

    I do not understand how ClearPass only queries the primary but the lock happens on the second backup server.

     

    This is the log that shows me:

     

    Policies Used -
    Service: wlanEnterprice
    Authentication Method: EAP-PEAP,EAP-MSCHAPv2
    Authentication Source: AD:srvad01.pe.igrupo
    Authorization Source: [Insight Repository], AuthSourceLdapAD
    Roles:
    Enforcement Profiles: [Allow Access Profile]
    Service Monitor Mode: Disabled


    Alerts -
    Error Code: 216
    Error Category: Authentication failure
    Error Message: User authentication failed
    Alerts for this Request -
    RADIUS: MSCHAP: AD status:Logon failure (0xc000006d)
    MSCHAP: AD status:Logon failure (0xc000006d)
    MSCHAP: Authentication failed
    EAP-MSCHAPv2: User authentication failure



  • 10.  RE: 802.1x authentication problem blocked domain accounts for failed attempts - mobile devices [CPPM]

    Posted Apr 09, 2015 01:40 AM
    We have the same problem. Our LDAPS query goes through a NetScaler. So we created a virtual server on the NetScaler that listens on port 637 and then bound our primary server to this virtual server. For redundancy we bound the secondary server to another virtual server. In the end we have two virtual servers: one of them is primary, the other one is secondary. The secondary one is not directly addressable. We bound the secondary virtual server to the primary virtual server; in other words, we defined the secondary one as a backup virtual server. In conclusion, your AD queries are sent to only one server at a time, so you can check badPwdCount correctly. But another problem occurred at that time: if a client enters its password wrong three times, the account is not locked in AD, but ClearPass doesn't create a query for this account at all after that.


  • 11.  RE: 802.1x authentication problem blocked domain accounts for failed attempts - mobile devices [CPPM]

    Posted May 28, 2015 01:57 PM

    Hi, we have set the below filter in the Authentication Source.

    "(&(& (sAMAccountName=%{Authentication:Username})(objectClass=user))(!(badPwdCount>=3)))"

     

    This works fine for all the smartphone users. However, our domain machines are getting a REJECT due to badPwdCount, which is not supposed to be rejected because it is not set for user authentication but just for computer authentication of machines that are part of the authorised domain.

     

    The enforcement policy for the  domain machines are set

    (Tips:Role  EQUALS  [Machine Authenticated]) only.

     

    My question is: why are the machines counted against badPwdCount?
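The filter behaviour discussed in posts 5, 6 and 8 and the machine-account question in post 11, as an added example that is not from this thread or from HPE Aruba: a small evaluator for the LDAP filter subset used here, run against constructed per-DC directory entries (the DC names srvad01 and srvad03 follow post 9; the accounts jdoe and WS01$ are made up). It shows that badPwdCount is only visible on the DC that recorded the failures, and that objectClass=user also matches computer objects, so a filter keyed on it applies to machine authentication too.

```python
import re

FILTER = "(&(&(sAMAccountName=%{Authentication:Username})(objectClass=user))(!(badPwdCount>=4)))"

def escape(value):
    """RFC 4515 escaping for a value substituted into a filter (blocks filter injection)."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group()), value)
def unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def parse(f, i=0):
    """Parse the (&...), (!...), =, >=, <= subset of LDAP filters; returns (tree, end)."""
    if f[i + 1] == "&":
        kids, i = [], i + 2
        while f[i] == "(":
            kid, i = parse(f, i)
            kids.append(kid)
        return ("and", kids), i + 1
    if f[i + 1] == "!":
        kid, i = parse(f, i + 2)
        return ("not", kid), i + 1
    m = re.match(r"\((\w+)(<=|>=|=)([^()]*)\)", f[i:])
    return ("cmp", m.group(1), m.group(2), unescape(m.group(3))), i + m.end()

def matches(node, entry):
    # Evaluate a parsed filter against one entry (dict of attribute -> value or list).
    if node[0] == "and":
        return all(matches(k, entry) for k in node[1])
    if node[0] == "not":
        return not matches(node[1], entry)
    _, attr, op, want = node
    vals = entry.get(attr, [])
    vals = [str(v) for v in (vals if isinstance(vals, list) else [vals])]
    if op == "=":
        return want in vals
    return any(int(v) >= int(want) if op == ">=" else int(v) <= int(want) for v in vals)

# Constructed data: the same user as seen by two DCs. badPwdCount is not replicated, so
# srvad03, which received the bad MSCHAPv2 attempts, shows 5 while srvad01 still shows 0.
# The computer object also carries objectClass=user (AD's computer class derives from user).
USER_CLASSES = ["top", "person", "organizationalPerson", "user"]
DCS = {
    "srvad01": [{"sAMAccountName": "jdoe", "objectClass": USER_CLASSES, "badPwdCount": 0},
                {"sAMAccountName": "WS01$", "objectClass": USER_CLASSES + ["computer"], "badPwdCount": 4}],
    "srvad03": [{"sAMAccountName": "jdoe", "objectClass": USER_CLASSES, "badPwdCount": 5}],
}

def lookup(dc, username, flt=FILTER):
    """Mimic the auth-source query: substitute the escaped username, then filter one DC."""
    tree, _ = parse(flt.replace("%{Authentication:Username}", escape(username)))
    return [e["sAMAccountName"] for e in DCS[dc] if matches(tree, e)]
```

Querying srvad01 still returns jdoe (so a bind is attempted and fails), while srvad03 returns nothing, which is the "user not found" outcome the thread describes; adding (!(objectClass=computer)) to the negated clause is one way to keep the threshold for users while exempting machine accounts.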