Machine authentication fails when ssid profile pushed via GPO

By esupport posted Mar 18, 2017 02:56 PM

  
Mark as Inappropriate
Problem:

Machine authentication fails when ssid profile pushed via GPO



Diagnostics:

Below is the Radius request summary details where the machine authentication fails:

Request Details Summary -
 Session Identifier: R0000fd1d-01-580fbf67
 Date and Time: Oct 25, 2016 16:24:07 IST
 Username: CPPMLAB\CPPMMC1$
 End-Host Identifier: 00:E0:D5:7D:BB:20
 Access Device IP/Port: 10.30.16.5:0
 Audit Posture Status: UNKNOWN (100)
 System Posture Status: UNKNOWN (100)
 Login Status: REJECT

Policies Used -
 Service: CPPM-Wireless
 Authentication Method: EAP-PEAP,EAP-MSCHAPv2
 Authentication Source: AD:cppmad01.blr.in
 Authorization Source: 
 Roles: [Other]
 Enforcement Profiles: [Deny Access Profile]
 Service Monitor Mode: Disabled

Input RADIUS Attributes -
 Radius:Aruba:Aruba-AP-Group = BLORE-APGrp
 Radius:Aruba:Aruba-Essid-Name = CPPM-ssid
 Radius:Aruba:Aruba-Location-Id = BLORE-LOCATION
 Radius:IETF:Called-Station-Id = 00:1C:2E:01:C1:E0
 Radius:IETF:Calling-Station-Id = 00:E0:D5:7D:BB:20
 Radius:IETF:Framed-MTU = 768
 Radius:IETF:NAS-Identifier = 10.30.16.5
 Radius:IETF:NAS-IP-Address = 10.30.16.5
 Radius:IETF:NAS-Port = 0
 Radius:IETF:NAS-Port-Type = 19
 Radius:IETF:Service-Type = 1
 Radius:IETF:User-Name = CPPMLAB\\CPPMMC1$
 Radius:Microsoft:MS-CHAP2-Response = 0x0a31e2d1612283f6ae3847cef67451663dc70000000000000000000000000000000000000000000000000000000000000000
 Radius:Microsoft:MS-CHAP-Challenge = 0x8671287166e73820bcf77e168e1d3292
 Radius:Microsoft:MS-CHAP-Error =
E=691 R=1

Input Computed Attributes -
 Authentication:ErrorCode = 216
 Authentication:Full-Username = CPPMLAB\\CPPMMC1$
 Authentication:InnerMethod = EAP-MSCHAPv2
 Authentication:MacAuth = NotApplicable
 Authentication:NetBIOS-Name = CPPM-LAB
 Authentication:OuterMethod = EAP-PEAP
 Authentication:Posture = Unknown
 Authentication:Status = Failed
 Authentication:Username = CPPMMC1$
 Connection:AP-Name = BLR-NDO-RM16
 Connection:Client-Mac-Address = 00:E0:D5:7D:BB:20
 Connection:Client-Mac-Address-Colon = 00:e0:d5:7d:bb:20
 Connection:Client-Mac-Address-Dot = 00e0.d57d.bb20
 Connection:Client-Mac-Address-Hyphen = 00-e0-d5-7d-bb-20
 Connection:Client-Mac-Address-NoDelim = 00e0d57dbb20
 Connection:Client-Mac-Address-Upper-Hyphen = 00-E0-D5-7D-BB-20
 Connection:Dest-IP-Address = 10.30.16.4
 Connection:Dest-Port = 1812
 Connection:NAD-IP-Address = 10.30.16.5
 Connection:Protocol = RADIUS
 Connection:Src-IP-Address = 10.30.16.5
 Connection:Src-Port = 34102
 Connection:SSID = CPPM-ssid
 Date:Date-Time = 2016-10-25 16:24:07

Alerts -
 Error Code: 216
 Error Category: Authentication failure
 Error Message: User authentication failed
 Alerts for this Request -
   RADIUS: MSCHAP: AD status:Logon failure (0xc000006d)
MSCHAP: Authentication failed
EAP-MSCHAPv2: User authentication failure

 

From the above scenario, we see that Username is CPPMLAB\CPPMMC1$ which is the sAMAccountName in AD. It is observed that when domain machine sends the machine auth request with sAMAccountName, the machine authentication fails.

As the settings are pushed via GPO and to ensure that the domain machine sends the machine auth request as servicePrincipalName, the below registry needs to be modified in domain machine if the machine auth request comes as sAMAccountName to the Clearpass server.

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\DataStore\Machine\0 and change the szName to servicePrincipalName of the machine. 

 

After modifying the above registry, the machine auth request username would be the servicePrincipalName and would be machine authenticated on Clearpass successfully as shown below:

Request Details Summary -
 Session Identifier: R00018c45-01-58112219
 Date and Time: Oct 26, 2016 17:37:30 IST
 Username: host/CPPMMC1.blr.in
 End-Host Identifier: 00:E0:D5:7D:BB:20
 Access Device IP/Port: 10.30.16.5:0
 Audit Posture Status: UNKNOWN (100)
 System Posture Status: UNKNOWN (100)
 Login Status: ACCEPT

Policies Used -
 Service: CPPM-Wireless
 Authentication Method: EAP-PEAP,EAP-MSCHAPv2
 Authentication Source: AD:cppmad01.blr.in
 Authorization Source: CPPM-AD
 Roles: [Machine Authenticated], [Other]
 Enforcement Profiles: Domain-Machine
 Service Monitor Mode: Disabled

Input RADIUS Attributes -
 Radius:Aruba:Aruba-AP-Group = BLORE-APGrp
 Radius:Aruba:Aruba-Essid-Name = CPPM-ssid
 Radius:Aruba:Aruba-Location-Id = BLORE-LOCATION
 Radius:IETF:Called-Station-Id = 00:1C:2E:01:C1:E0
 Radius:IETF:Calling-Station-Id = 00:E0:D5:7D:BB:20
 Radius:IETF:Framed-MTU = 768
 Radius:IETF:NAS-Identifier = 10.30.16.5
 Radius:IETF:NAS-IP-Address = 10.30.16.5
 Radius:IETF:NAS-Port = 0
 Radius:IETF:NAS-Port-Type = 19
 Radius:IETF:Service-Type = 1
 Radius:IETF:User-Name = host/CPPMMC1.blr.in

Input Computed Attributes -
 Authentication:ErrorCode = 0
 Authentication:Full-Username = host/CPPMMC1.blr.in
 Authentication:InnerMethod = EAP-MSCHAPv2
 Authentication:MacAuth = NotApplicable
 Authentication:NetBIOS-Name = CPPM-LAB
 Authentication:OuterMethod = EAP-PEAP
 Authentication:Posture = Unknown
 Authentication:Source = CPPM-AD
 Authentication:Status = Machine
 Authentication:Username = CPPMMC1$
 Authorization:Sources = CPPM-AD
 Connection:AP-Name = BLR-NDO-RM16
 Connection:Client-Mac-Address = 00:E0:D5:7D:BB:20
 Connection:Client-Mac-Address-Colon = 00:e0:d5:7d:bb:20
 Connection:Client-Mac-Address-Dot = 00e0.d57d.bb20
 Connection:Client-Mac-Address-Hyphen = 00-e0-d5-7d-bb-20
 Connection:Client-Mac-Address-NoDelim = 00e0d57dbb20
 Connection:Client-Mac-Address-Upper-Hyphen = 00-E0-D5-7D-BB-20
 Connection:Dest-IP-Address = 10.30.16.4
 Connection:Dest-Port = 1812
 Connection:NAD-IP-Address = 10.30.16.5
 Connection:Protocol = RADIUS
 Connection:Src-IP-Address = 10.30.16.5
 Connection:Src-Port = 34102
 Connection:SSID = CPPM-ssid
 Date:Date-Time = 2016-10-26 17:37:30
 Host:FQDN = CPPMMC1.blr.in
 Host:Name = CPPMMC1

Input Authorization Attributes -
 Authorization:NYACK-AD:HostName = CPPMMC1.blr.in
 Authorization:NYACK-AD:Name = CPPMMC1$
 Authorization:NYACK-AD:OperatingSystem = Windows 8.1 Enterprise
 Authorization:NYACK-AD:UserDN = CN=CPPMMC1,OU=Mobile Devices,OU=Computers,OU=CPPM-LAB ES,DC=CPPM

Output RADIUS Attributes -
 Radius:Aruba:Aruba-User-Role = Domain-Machine

Accounting Details -
 Account Session ID: host/CPP78617CEE1517-2394C
 Start Timestamp: Oct 26, 2016 17:37:30 IST
 End Timestamp: Still Active
 Status: Active
 Termination Cause: 
 Service Type: 
 Number of Authentication Sessions: 1

 Network Details -
  NAS IP Address: 10.30.16.5:0
  NAS Port Type: Wireless-802.11
  Calling Station ID: 00:E0:D5:7D:BB:20
  Called Station ID: 00:1C:2E:01:C1:E0
  Framed IP Address: 10.30.226.14
  Account Auth: RADIUS

 Utilization -
  Active Time: 0 secs
  Account Delay Time: 0
  Account Input Octets: 0
  Account Output Octets: 0
  Account Input Packets: 0
  Account Output Packets: 0

 Authentication Session Details -
   Session ID: R00018c45-01-58112219
   Type: Start
   Date/Time: Oct 26, 2016 17:37:30 IST



Solution

Ensure the machine auth request username would be the servicePrincipalName

0 comments
2 views