Windows 7 fails to authenticate against AD on CPPM

By AnandKumar Sukumar posted Jul 11, 2014 12:22 PM


Question :


We have implemented CPPM, and there is one machine (Windows 7) that was authenticating to the 802.1X network but now fails authentication.

When we disconnect/reconnect the LAN cable or reboot the PC, we do not see any logs in Access Tracker.

We have disabled the 802.1X settings on the switch port to which the PC is connected, and it can then connect and get an IP address.

We have also upgraded the network card driver (the NIC is an Intel(R) 82579LM Gigabit Network adapter), but none of the above helped in establishing a successful authentication.


Environment Information : This applies to all versions of CPPM


Cause :


This happens when the client authenticates with incorrect machine credentials. The credentials may either be wrong, or the account's password in AD has expired.


Resolution :


The Access Tracker logs contain the messages below for the failed authentication.

Alerts for this Request -
Policy server: No radius enforcement profiles applicable for this device. Allowing Access
RADIUS: MSCHAP: AD status:Logon failure (0xc000006d)
MSCHAP: AD status:Logon failure (0xc000006d)
MSCHAP: Authentication failed
EAP-MSCHAPv2: User authentication failure.

The above messages mean that AD did not accept the given credentials (0xc000006d is a logon failure); CPPM therefore issued an Access-Reject.

If machine authentication fails because the domain password has expired, this error message is expected.

The solution is to reset the account password and make sure that machine authentication is performed with the correct password.

Note: Even if the default access for the enforcement profile in use is "Allow all", CPPM will still reject the client.

Workaround: The machine is not authenticating because the badPwdCount attribute on the computer account is incremented after each failed authentication. If we remove this client from AD and join it again, badPwdCount resets to zero and authentication succeeds.
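The Access Tracker alert block above is the thing an operator has to read quickly. The following Python script is an added example (not part of the article or of ClearPass itself) that triages such a block: it extracts the NTSTATUS code from the "AD status:" line, maps it to its Windows name and the check to run, records which authentication stages reported failure, and flags the misleading "Allowing Access" line that precedes a reject. Only 0xc000006d appears in the article; the other NTSTATUS values in the table are standard Windows codes added for completeness. The sample alert texts are constructed (the first one copies the article's lines; the success variant is invented for contrast).

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Known NTSTATUS codes as they show up in CPPM's "AD status:" alert lines.
# 0xC000006D is the code quoted in the article; the others are standard Windows
# NTSTATUS values added so the triage covers neighbouring failure causes.
NTSTATUS = {
    0xC000006D: ("STATUS_LOGON_FAILURE",
                 "AD rejected the credentials: check badPwdCount and pwdLastSet on the "
                 "computer object, then reset the machine password or rejoin the domain"),
    0xC000006A: ("STATUS_WRONG_PASSWORD", "password wrong: verify the configured credentials"),
    0xC0000064: ("STATUS_NO_SUCH_USER", "account not found: check the realm/domain and account name"),
    0xC0000071: ("STATUS_PASSWORD_EXPIRED", "password expired: reset it in AD"),
    0xC0000072: ("STATUS_ACCOUNT_DISABLED", "account disabled: re-enable it in AD"),
    0xC0000234: ("STATUS_ACCOUNT_LOCKED_OUT", "account locked out: unlock after confirming the failures are benign"),
}

# Matches "AD status:Logon failure (0xc000006d)" and similar lines.
AD_STATUS_RE = re.compile(r"AD status:\s*(?P<text>.+?)\s*\((?P<code>0x[0-9A-Fa-f]{8})\)")


@dataclass
class Triage:
    ad_codes: List[int] = field(default_factory=list)        # distinct NTSTATUS codes seen
    stages_failed: List[str] = field(default_factory=list)   # e.g. "MSCHAP", "EAP-MSCHAPv2"
    misleading_allow: bool = False   # "Allowing Access" printed although the request was rejected
    verdict: str = "no AD authentication failure found"
    advice: Optional[str] = None


def triage_alerts(alert_text: str) -> Triage:
    """Summarise one Access Tracker 'Alerts for this Request' block."""
    result = Triage()
    saw_allow = False
    for raw in alert_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = AD_STATUS_RE.search(line)
        if m:
            code = int(m.group("code"), 16)
            if code not in result.ad_codes:
                result.ad_codes.append(code)
        # "MSCHAP: Authentication failed" / "EAP-MSCHAPv2: User authentication failure."
        if re.search(r"authentication fail", line, re.IGNORECASE):
            stage = line.split(":", 1)[0].strip()
            if stage not in result.stages_failed:
                result.stages_failed.append(stage)
        if "Allowing Access" in line:
            saw_allow = True

    failed = bool(result.ad_codes or result.stages_failed)
    # The policy-server line says "Allowing Access" but CPPM still rejects on an AD failure.
    result.misleading_allow = saw_allow and failed
    if result.ad_codes:
        code = result.ad_codes[0]
        name, advice = NTSTATUS.get(code, ("unknown NTSTATUS", "look the code up in the Windows NTSTATUS list"))
        result.verdict = f"Access-Reject: AD returned {name} (0x{code:08X})"
        result.advice = advice
    elif result.stages_failed:
        result.verdict = "Access-Reject: authentication failed without an AD status code"
        result.advice = "check the authentication source and the EAP method configured for the service"
    return result


# Constructed sample: the alert lines quoted in the article.
SAMPLE_ALERTS = """\
Policy server: No radius enforcement profiles applicable for this device. Allowing Access
RADIUS: MSCHAP: AD status:Logon failure (0xc000006d)
MSCHAP: AD status:Logon failure (0xc000006d)
MSCHAP: Authentication failed
EAP-MSCHAPv2: User authentication failure.
"""

# Constructed contrast sample (wording invented): no failure lines at all.
SAMPLE_OK = """\
Policy server: No radius enforcement profiles applicable for this device. Allowing Access
"""

if __name__ == "__main__":
    for text in (SAMPLE_ALERTS, SAMPLE_OK):
        t = triage_alerts(text)
        print(t.verdict, "| stages:", t.stages_failed, "| misleading allow:", t.misleading_allow)
        if t.advice:
            print("  next step:", t.advice)
```

Run over the article's own lines, the script reports STATUS_LOGON_FAILURE with the badPwdCount/pwdLastSet check as the next step, and marks the "Allowing Access" line as misleading, which is exactly the trap the note above warns about.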

1 comment


Oct 13, 2014 07:38 AM


We have CPPM with OnGuard, and we have faced the same issue with OnGuard:

when the domain user's password is expired the user can access his PC, but OnGuard will fail!!


In our scenario we have Cisco dot1x auth with CPPM; we do L2 authentication on the port before we let the user get an IP address.

My question: how could we let the domain user change his domain account password if it is expired?


Thank you