Problem: Machine authentication fails when the SSID profile is pushed via GPO
Diagnostics: Below are the RADIUS request details from ClearPass for the request in which machine authentication fails:
Request Details Summary -
Session Identifier: R0000fd1d-01-580fbf67
Date and Time: Oct 25, 2016 16:24:07 IST
Username: CPPMLAB\CPPMMC1$
End-Host Identifier: 00:E0:D5:7D:BB:20
Access Device IP/Port: 10.30.16.5:0
Audit Posture Status: UNKNOWN (100)
System Posture Status: UNKNOWN (100)
Login Status: REJECT
Policies Used -
Service: CPPM-Wireless
Authentication Method: EAP-PEAP,EAP-MSCHAPv2
Authentication Source: AD:cppmad01.blr.in
Authorization Source:
Roles: [Other]
Enforcement Profiles: [Deny Access Profile]
Service Monitor Mode: Disabled
Input RADIUS Attributes -
Radius:Aruba:Aruba-AP-Group = BLORE-APGrp
Radius:Aruba:Aruba-Essid-Name = CPPM-ssid
Radius:Aruba:Aruba-Location-Id = BLORE-LOCATION
Radius:IETF:Called-Station-Id = 00:1C:2E:01:C1:E0
Radius:IETF:Calling-Station-Id = 00:E0:D5:7D:BB:20
Radius:IETF:Framed-MTU = 768
Radius:IETF:NAS-Identifier = 10.30.16.5
Radius:IETF:NAS-IP-Address = 10.30.16.5
Radius:IETF:NAS-Port = 0
Radius:IETF:NAS-Port-Type = 19
Radius:IETF:Service-Type = 1
Radius:IETF:User-Name = CPPMLAB\\CPPMMC1$
Radius:Microsoft:MS-CHAP2-Response = 0x0a31e2d1612283f6ae3847cef67451663dc70000000000000000000000000000000000000000000000000000000000000000
Radius:Microsoft:MS-CHAP-Challenge = 0x8671287166e73820bcf77e168e1d3292
Radius:Microsoft:MS-CHAP-Error = E=691 R=1
Input Computed Attributes -
Authentication:ErrorCode = 216
Authentication:Full-Username = CPPMLAB\\CPPMMC1$
Authentication:InnerMethod = EAP-MSCHAPv2
Authentication:MacAuth = NotApplicable
Authentication:NetBIOS-Name = CPPM-LAB
Authentication:OuterMethod = EAP-PEAP
Authentication:Posture = Unknown
Authentication:Status = Failed
Authentication:Username = CPPMMC1$
Connection:AP-Name = BLR-NDO-RM16
Connection:Client-Mac-Address = 00:E0:D5:7D:BB:20
Connection:Client-Mac-Address-Colon = 00:e0:d5:7d:bb:20
Connection:Client-Mac-Address-Dot = 00e0.d57d.bb20
Connection:Client-Mac-Address-Hyphen = 00-e0-d5-7d-bb-20
Connection:Client-Mac-Address-NoDelim = 00e0d57dbb20
Connection:Client-Mac-Address-Upper-Hyphen = 00-E0-D5-7D-BB-20
Connection:Dest-IP-Address = 10.30.16.4
Connection:Dest-Port = 1812
Connection:NAD-IP-Address = 10.30.16.5
Connection:Protocol = RADIUS
Connection:Src-IP-Address = 10.30.16.5
Connection:Src-Port = 34102
Connection:SSID = CPPM-ssid
Date:Date-Time = 2016-10-25 16:24:07
Alerts -
Error Code: 216
Error Category: Authentication failure
Error Message: User authentication failed
Alerts for this Request -
RADIUS: MSCHAP: AD status:Logon failure (0xc000006d)
MSCHAP: Authentication failed
EAP-MSCHAPv2: User authentication failure
In the failing request above, the Username is CPPMLAB\CPPMMC1$, which is the computer account's sAMAccountName in AD. When a domain machine sends the machine authentication request with the sAMAccountName as the username, the machine authentication fails (AD returns Logon failure 0xc000006d, and ClearPass rejects the request with error code 216).
Because the wireless settings are pushed via GPO, if the machine authentication request arrives at the ClearPass server with the sAMAccountName as the username, the following registry value must be modified on the domain machine so that it sends the servicePrincipalName instead:
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\DataStore\Machine\0
Change the szName value under this key to the servicePrincipalName of the machine (host/<FQDN>, for example host/CPPMMC1.blr.in).
After the registry value is modified, the username in the machine authentication request is the servicePrincipalName and the machine is authenticated successfully on ClearPass, as shown below:
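The following PowerShell script is an added example, not part of the original article, for checking and correcting the szName value described above on the affected domain machine. It assumes the machine's FQDN is the computer name joined to the AD domain reported by Win32_ComputerSystem, and the -Apply switch is this script's own convention: without it the script only reports the current and expected values.

```powershell
# Added example (not from the original KB article): inspect and, with -Apply, correct the
# szName value under the Group Policy DataStore key so the supplicant sends the machine's
# servicePrincipalName (host/<FQDN>) instead of the sAMAccountName (DOMAIN\HOST$). Run elevated.
# Assumption: the FQDN is <ComputerName>.<AD domain> as reported by Win32_ComputerSystem.
param(
    [switch]$Apply   # without -Apply the script only reports what it would change
)

$keyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\DataStore\Machine\0'

# Build the expected SPN-style name, e.g. host/CPPMMC1.blr.in
$cs   = Get-CimInstance -ClassName Win32_ComputerSystem
$fqdn = '{0}.{1}' -f $cs.Name, $cs.Domain
$spn  = "host/$fqdn"

if (-not (Test-Path $keyPath)) {
    Write-Error "Group Policy DataStore key not found: $keyPath (is a machine GPO applied to this host?)"
    exit 1
}

$current = (Get-ItemProperty -Path $keyPath -Name szName -ErrorAction SilentlyContinue).szName
Write-Output "Current szName : $current"
Write-Output "Expected szName: $spn"

if ($current -eq $spn) {
    Write-Output 'szName is already in servicePrincipalName form; nothing to do.'
    exit 0
}

# A trailing '$' (DOMAIN\HOST$ or HOST$) is the sAMAccountName form that produced the
# 'Logon failure (0xc000006d)' reject in the failing request above.
if ($current -match '\$$') {
    Write-Output 'szName is in sAMAccountName form; this matches the failing request.'
}

if (-not $Apply) {
    Write-Output 'Re-run with -Apply to write the new value.'
    exit 0
}

# Keep a copy of the old value so the change can be reverted if needed.
$backup = Join-Path $env:ProgramData ('szName-backup-{0:yyyyMMdd-HHmmss}.txt' -f (Get-Date))
Set-Content -Path $backup -Value $current
Set-ItemProperty -Path $keyPath -Name szName -Value $spn

$after = (Get-ItemProperty -Path $keyPath -Name szName).szName
Write-Output "szName now     : $after  (old value saved to $backup)"
Write-Output 'Reconnect to the SSID and confirm the request shows Username = host/<FQDN> and Login Status = ACCEPT.'
```

Re-check the value after the next Group Policy refresh to confirm it has not been reverted before relying on the fix.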
Request Details Summary -
Session Identifier: R00018c45-01-58112219
Date and Time: Oct 26, 2016 17:37:30 IST
Username: host/CPPMMC1.blr.in
End-Host Identifier: 00:E0:D5:7D:BB:20
Access Device IP/Port: 10.30.16.5:0
Audit Posture Status: UNKNOWN (100)
System Posture Status: UNKNOWN (100)
Login Status: ACCEPT
Policies Used -
Service: CPPM-Wireless
Authentication Method: EAP-PEAP,EAP-MSCHAPv2
Authentication Source: AD:cppmad01.blr.in
Authorization Source: CPPM-AD
Roles: [Machine Authenticated], [Other]
Enforcement Profiles: Domain-Machine
Service Monitor Mode: Disabled
Input RADIUS Attributes -
Radius:Aruba:Aruba-AP-Group = BLORE-APGrp
Radius:Aruba:Aruba-Essid-Name = CPPM-ssid
Radius:Aruba:Aruba-Location-Id = BLORE-LOCATION
Radius:IETF:Called-Station-Id = 00:1C:2E:01:C1:E0
Radius:IETF:Calling-Station-Id = 00:E0:D5:7D:BB:20
Radius:IETF:Framed-MTU = 768
Radius:IETF:NAS-Identifier = 10.30.16.5
Radius:IETF:NAS-IP-Address = 10.30.16.5
Radius:IETF:NAS-Port = 0
Radius:IETF:NAS-Port-Type = 19
Radius:IETF:Service-Type = 1
Radius:IETF:User-Name = host/CPPMMC1.blr.in
Input Computed Attributes -
Authentication:ErrorCode = 0
Authentication:Full-Username = host/CPPMMC1.blr.in
Authentication:InnerMethod = EAP-MSCHAPv2
Authentication:MacAuth = NotApplicable
Authentication:NetBIOS-Name = CPPM-LAB
Authentication:OuterMethod = EAP-PEAP
Authentication:Posture = Unknown
Authentication:Source = CPPM-AD
Authentication:Status = Machine
Authentication:Username = CPPMMC1$
Authorization:Sources = CPPM-AD
Connection:AP-Name = BLR-NDO-RM16
Connection:Client-Mac-Address = 00:E0:D5:7D:BB:20
Connection:Client-Mac-Address-Colon = 00:e0:d5:7d:bb:20
Connection:Client-Mac-Address-Dot = 00e0.d57d.bb20
Connection:Client-Mac-Address-Hyphen = 00-e0-d5-7d-bb-20
Connection:Client-Mac-Address-NoDelim = 00e0d57dbb20
Connection:Client-Mac-Address-Upper-Hyphen = 00-E0-D5-7D-BB-20
Connection:Dest-IP-Address = 10.30.16.4
Connection:Dest-Port = 1812
Connection:NAD-IP-Address = 10.30.16.5
Connection:Protocol = RADIUS
Connection:Src-IP-Address = 10.30.16.5
Connection:Src-Port = 34102
Connection:SSID = CPPM-ssid
Date:Date-Time = 2016-10-26 17:37:30
Host:FQDN = CPPMMC1.blr.in
Host:Name = CPPMMC1
Input Authorization Attributes -
Authorization:NYACK-AD:HostName = CPPMMC1.blr.in
Authorization:NYACK-AD:Name = CPPMMC1$
Authorization:NYACK-AD:OperatingSystem = Windows 8.1 Enterprise
Authorization:NYACK-AD:UserDN = CN=CPPMMC1,OU=Mobile Devices,OU=Computers,OU=CPPM-LAB ES,DC=CPPM
Output RADIUS Attributes -
Radius:Aruba:Aruba-User-Role = Domain-Machine
Accounting Details -
Account Session ID: host/CPP78617CEE1517-2394C
Start Timestamp: Oct 26, 2016 17:37:30 IST
End Timestamp: Still Active
Status: Active
Termination Cause:
Service Type:
Number of Authentication Sessions: 1
Network Details -
NAS IP Address: 10.30.16.5:0
NAS Port Type: Wireless-802.11
Calling Station ID: 00:E0:D5:7D:BB:20
Called Station ID: 00:1C:2E:01:C1:E0
Framed IP Address: 10.30.226.14
Account Auth: RADIUS
Utilization -
Active Time: 0 secs
Account Delay Time: 0
Account Input Octets: 0
Account Output Octets: 0
Account Input Packets: 0
Account Output Packets: 0
Authentication Session Details -
Session ID: R00018c45-01-58112219
Type: Start
Date/Time: Oct 26, 2016 17:37:30 IST
Solution: Ensure the username in the machine authentication request is the servicePrincipalName (host/<FQDN>) rather than the sAMAccountName.