Occasional Contributor II
Posts: 16
Registered: ‎06-20-2014

Macs can Authenticate, windows cannot

Hey all,

First time posting on here and I haven't been able to find a solution to this issue. I'm new to our Aruba environment so I apologize for any errors.

I'm a network tech working in a district that has two wireless controllers (6000s). Previously they were set up redundantly as primary/secondary and handled all access points on all sites. Now we've set up what was the secondary controller as the primary on another site.

Before we moved the controller both Windows and Mac machines could authenticate using 802.1x/PEAP MSCHAP. Now Windows machines can ONLY authenticate on the controller that was NOT moved. Our 2nd site now has its own wireless controller and allows Mac machines to authenticate but not Windows machines. I've made sure that the Windows machines trust the certificate and that within the controller "enforce machine authentication" is unchecked. Both controllers were set up by a network engineer hired from outside our organization, so I'm not sure what he did differently when setting up the second controller as another primary. I've looked around the Airheads forums and haven't found a thread with the answer.

Any and all help is appreciated.

Aruba
Posts: 1,644
Registered: ‎04-13-2009

Re: Macs can Authenticate, windows cannot

What is the RADIUS source for this network?  What do the logs on the RADIUS server say for the Windows clients vs. the Macs?

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX

Occasional Contributor II
Posts: 16
Registered: ‎06-20-2014

Re: Macs can Authenticate, windows cannot

I just found out that my RADIUS server (IAS) wasn't set to log locally. So I suppose I'll have to wait to answer your question until I get some events logged now that I've set it up.... Sorry about that

Guru Elite
Posts: 21,491
Registered: ‎03-29-2007

Re: Macs can Authenticate, windows cannot

Bnewtonus,

You should not have to log locally.  It should all show up in the Event Viewer....



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor II
Posts: 16
Registered: ‎06-20-2014

Re: Macs can Authenticate, windows cannot

Okay, out of event viewer this is what I get when I try to login from site 2 on a windows machine:

User bnewton was denied access.
 Fully-Qualified-User-Name = usd260.local/ESC/ESC/CSD/BNewton
 NAS-IP-Address = 192.168.0.6
 NAS-Identifier = Dot1X-HS
 Called-Station-Identifier = 000B86143C80
 Calling-Station-Identifier = 00215C7DF81F
 Client-Friendly-Name = DHS-Wifi
 Client-IP-Address = 172.18.128.241
 NAS-Port-Type = Wireless - IEEE 802.11
 NAS-Port = 0

When I set up a log file here is what I get:

192.168.0.6,bnewton,06/20/2014,11:29:52,IAS,DC1,4128,DHS-Wifi,4,192.168.0.6,5,0,32,Dot1X-HS,61,19,31,00215C7DF81F,30,000B86143C80,6,1,12,1100,26,0x000039E70508555344323630,26,0x000039E706104448532D453130302D4150323236,26,0x000039E70A05444853,26,0x000039E70C02,4108,172.18.128.241,4116,0,4155,1,4154,Use Windows authentication for all users,4129,USD260\bnewton,4149,Dot1X-Internet-1-HS,25,311 1 172.18.0.19 06/19/2014 01:30:12 27275,4127,11,4130,usd260.local/ESC/ESC/CSD/BNewton,4136,1,4142,0
192.168.0.6,bnewton,06/20/2014,11:29:52,IAS,DC1,4128,DHS-Wifi,25,311 1 172.18.0.19 06/19/2014 01:30:12 27275,4127,11,4130,usd260.local/ESC/ESC/CSD/BNewton,4149,Dot1X-Internet-1-HS,4129,USD260\bnewton,4154,Use Windows authentication for all users,4155,1,4116,0,4108,172.18.128.241,4136,3,4142,16

Not sure if that is any help!
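
An added example (not part of the original post, and not Aruba or Microsoft code): a small Python parser for the two IAS-format records pasted above, with the wrapped lines rejoined. It assumes the IAS log layout of six header fields followed by attribute-ID/value pairs, where 4136 is Packet-Type, 4142 is Reason-Code and 4129 is SAM-Account-Name; the function names are illustrative.

```python
import csv

# IAS-format log: six fixed header fields, then attribute-ID,value pairs.
HEADER = ("nas_ip", "user", "date", "time", "service", "computer")
PACKET_TYPE = {"1": "Access-Request", "2": "Access-Accept",
               "3": "Access-Reject", "11": "Access-Challenge"}
# Subset of the IAS reason codes; 16 is the one logged in this thread.
REASON = {"0": "success",
          "16": "credentials mismatch: unknown user name or incorrect password"}

# The two records from the post above, wrapped lines rejoined with spaces.
REQUEST = (
    r"192.168.0.6,bnewton,06/20/2014,11:29:52,IAS,DC1,4128,DHS-Wifi,4,192.168.0.6,"
    r"5,0,32,Dot1X-HS,61,19,31,00215C7DF81F,30,000B86143C80,6,1,12,1100,"
    r"26,0x000039E70508555344323630,26,0x000039E706104448532D453130302D4150323236,"
    r"26,0x000039E70A05444853,26,0x000039E70C02,4108,172.18.128.241,4116,0,4155,1,"
    r"4154,Use Windows authentication for all users,4129,USD260\bnewton,"
    r"4149,Dot1X-Internet-1-HS,25,311 1 172.18.0.19 06/19/2014 01:30:12 27275,"
    r"4127,11,4130,usd260.local/ESC/ESC/CSD/BNewton,4136,1,4142,0")
REJECT = (
    r"192.168.0.6,bnewton,06/20/2014,11:29:52,IAS,DC1,4128,DHS-Wifi,"
    r"25,311 1 172.18.0.19 06/19/2014 01:30:12 27275,4127,11,"
    r"4130,usd260.local/ESC/ESC/CSD/BNewton,4149,Dot1X-Internet-1-HS,"
    r"4129,USD260\bnewton,4154,Use Windows authentication for all users,"
    r"4155,1,4116,0,4108,172.18.128.241,4136,3,4142,16")

def parse_record(line):
    """Split one record into header fields plus an ordered (id, value) list."""
    fields = next(csv.reader([line]))
    rest = fields[len(HEADER):]
    return dict(zip(HEADER, fields)), list(zip(rest[0::2], rest[1::2]))

def summarize(line):
    """Name the packet type (4136), reason code (4142) and account (4129)."""
    _, attrs = parse_record(line)
    a = dict(attrs)  # repeated IDs such as 26 collapse here; use attrs for those
    return (PACKET_TYPE.get(a["4136"], a["4136"]),
            REASON.get(a["4142"], "reason code " + a["4142"]), a["4129"])

def decode_vsas(line):
    """Decode attribute 26: 4-byte vendor ID, 1-byte type, 1-byte length, data."""
    out = []
    for attr_id, value in parse_record(line)[1]:
        if attr_id == "26":
            raw = bytes.fromhex(value[2:])  # strip the leading 0x
            out.append((int.from_bytes(raw[:4], "big"), raw[4],
                        raw[6:4 + raw[5]].decode("ascii", "replace")))
    return out

if __name__ == "__main__":
    print(summarize(REQUEST), summarize(REJECT), decode_vsas(REQUEST), sep="\n")
```

The second record decodes to an Access-Reject with reason code 16 for USD260\bnewton. The vendor-specific attributes in the request (vendor ID 14823, Aruba) carry the strings USD260, DHS-E100-AP226 and DHS.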

Guru Elite
Posts: 21,491
Registered: ‎03-29-2007

Re: Macs can Authenticate, windows cannot

You have to go all the way to the bottom to the event viewer message to see the reason why the user was denied.



Colin Joseph
Aruba Customer Engineering


Occasional Contributor II
Posts: 16
Registered: ‎06-20-2014

Re: Macs can Authenticate, windows cannot

Sorry about that. Reason: "Authentication was unsuccessful because an unknown username or incorrect password was used."

This doesn't make sense to me, since I'm logging into the same domain with the same SSID we use at the other sites. At the other sites that are on the first controller I can use Windows or Mac. Here I can only use Mac.

Guru Elite
Posts: 21,491
Registered: ‎03-29-2007

Re: Macs can Authenticate, windows cannot

Check to make sure that the FQDN username that the controller sees in the event viewer and the AD username are the same.  It is possible that your Windows computer is adding something to the username that makes it not work.  Check the whole Event Viewer message and look to see if all of the parameters make sense.  Also make sure that the username is in the OU in AD that it says it is.  If not, that means that the user does not exist for some reason.

These are all guesses.



Colin Joseph
Aruba Customer Engineering


Aruba
Posts: 1,644
Registered: ‎04-13-2009

Re: Macs can Authenticate, windows cannot

Have you tried this with more than one Windows machine?   If the wireless profile on Windows is set to "Automatically use my Windows logon name and password", is there a chance the user is logged in with an older password (cached locally)?   Can you uncheck this field and the "Remember my credentials for this connection time" and see if you get the same failure when manually typing in the username/password combination?

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX

Occasional Contributor II
Posts: 16
Registered: ‎06-20-2014

Re: Macs can Authenticate, windows cannot

I have tried it on several different Windows machines. I also have made sure that the "Automatically use my Windows logon name and password" is unchecked. I also was manually putting in credentials each time. I made sure it wasn't remembering past credentials.
