Security

 View Only
last person joined: 23 hours ago 

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
Back to discussions
Expand all | Collapse all

CPPM User authentication failed (216)

This thread has been viewed 37 times

  • 1.  CPPM User authentication failed (216)

    Posted Sep 18, 2020 03:00 AM

    Hello dear Aruba community,
    we're having pretty big problems with our ClearPass.
    Every now and then, computers fail to authenticate and generate error 216, but after a few minutes to hours it works again without changing anything.
    We authenticate according to the criteria whether a computer exists in the AD and it is in a special AD group. Basically, the authentication also works, ClearPass would know which enforcement profile has to be drawn.

    I have attached screenshots of the access tracker and the alert. If further data are required, I will be happy to provide them.

     

    Thanks in advance!

     

    Friendly greetings,
    Nicolai



  • 2.  RE: CPPM User authentication failed (216)

    MVP GURU
    Posted Sep 18, 2020 09:12 AM

    Is the client also trying to pass the user credentials as well instead of just machine authentication? What else does the failed access tracker entry have?

     

     



  • 3.  RE: CPPM User authentication failed (216)

    EMPLOYEE
    Posted Sep 18, 2020 01:48 PM

    Could you provide additional details/observation like when you see such failures and accept for Machine authentication?

    Was it an active client and suddenly ended up with such alert?

    Attache the Access Tracker export of one of the failures to check further details.

     

    Note: The machine/computer account also uses password for authentication. The windows computers generally maintains the current/new password and the previous password in the local registry. The computer would start with the new password for authentication and fall back to previous password is any failure occurs.

     

    The Alert you have attached could mean, that AD did not accept the user credentials for those failures. 

     

     



  • 4.  RE: CPPM User authentication failed (216)

    Posted Sep 23, 2020 02:54 AM

    Hello,

    thanks for your answers.

    I have attached the export of the AccessTracker.

     

    Yes, clients are connected and sometimes this error occurs after being asked to reauthenticate. Before and after, the clients work perfectly.

    The error occurs with all machines in the company, very rarely with around 2 machines per week.

     

    We have only specified the computer object as the authentication mode in the 802.1x authentication of the network card via group policy (see appendix "8021X").
    The local user on the PC is a standard user and not employee-specific.
    Strangely enough, it can read out the AD groups and assigns the correct vlan to the PC, so the AD should in principle recognize the PC as valid.

     

    Friendly greetings,
    Nicolai

    Attachment(s)

    zip
    AccessTracker_Export.zip   8 KB 1 version


  • 5.  RE: CPPM User authentication failed (216)

    MVP GURU
    Posted Sep 23, 2020 08:29 AM

    Yea from the logs it looks like an authentication failure to DE51977X.VW-GROUP.COM. Do you have a successful access tracker record for this machine to compare?

     

     



  • 6.  RE: CPPM User authentication failed (216)

    Posted Sep 23, 2020 09:39 AM
      |   view attached

    Yes, it is in the appendix.

    Attachment(s)

    zip
    AccessTracker_successfulAuth.zip   7 KB 1 version


  • 7.  RE: CPPM User authentication failed (216)

    MVP GURU
    Posted Sep 23, 2020 09:49 AM

    Yea I would guess something on the AD server side. Does this happen to the same computer accounts, or is it random? Also is this happening when the user plugs into the wired port, or during a re-auth?

     

     



  • 8.  RE: CPPM User authentication failed (216)

    MVP GURU
    Posted Sep 23, 2020 10:00 AM

    One thing you could try is to remove the CP server from the domain, and then re-add it. I've seen this be the case in some implementations. Maybe see if this is happening only on one CP server, and try it there?

     

     



  • 9.  RE: CPPM User authentication failed (216)

    Posted Sep 23, 2020 10:10 AM

    It's random and happens at re-auth.



  • 10.  RE: CPPM User authentication failed (216)

    EMPLOYEE
    Posted Sep 23, 2020 01:22 PM

    Yeah, the user/computer look up is fine, the error is of MSCHAPv2 authentication failure and returned by the Active Directory. You may need to debug this further from the Active Directory end.

     

    You could search for the event 4776 in the Windows Server/AD.

    Ref - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776

    0xC000006D

    Generic logon failure.

    Some of the potential causes for this:

    An invalid username and/or password was used

    You may also open a TAC case to debug this further.



  • 11.  RE: CPPM User authentication failed (216)

    Posted Nov 16, 2020 09:39 AM

    Dear Saravanan,

    I will now answer in name of Nicolai to this issue. We have now checked the AD logs on the DCs and can't find such a log with 0xC000006D error.
    What do you mean with a TAC case?

    Best regards
    Sebastian



    ------------------------------
    Sebastian Küstner
    ------------------------------

    Original Message


  • 12.  RE: CPPM User authentication failed (216)

    EMPLOYEE
    Posted Nov 16, 2020 12:30 PM
    Hi Sebastian,

    The user/computer logon failure is returned by AD/DC.  
    Please open a TAC case to debug further on this issue, check - https://www.arubanetworks.com/support-services/contact-support

    ------------------------------
    Saravanan Rajagopal
    ------------------------------

    Original Message