Security

last person joined: 13 hours ago 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

Authentication is OK when I try from the controller to IAS server

  • 1.  Authentication is OK when I try from the controller to IAS server

    Posted Dec 15, 2011 05:46 AM

    Authentication is OK when I try from the controller to IAS server, but client can not get authentication on their laptops

    can somebody help



  • 2.  RE: Authentication is OK when I try from the controller to IAS server

    Posted Dec 15, 2011 06:14 AM

    Are you doing Captive Portal or WPA2-AES?  Did you look in the IAS Eventviewer under "System" to see the failures?



  • 3.  RE: Authentication is OK when I try from the controller to IAS server

    Posted Dec 18, 2011 01:29 AM
      |   view attached

    Hi

    I'm doing WPA2-AES, i can not see any error on  IAS event viewer logs

    can you check the attached show auth-tracebuf output maybe you can get something

     

     

    Attachment(s)

    pdf
    ARUBA.pdf   11K 1 version


  • 4.  RE: Authentication is OK when I try from the controller to IAS server

    Posted Dec 18, 2011 01:51 AM

    sorry i'm using wpa-tkip

     



  • 5.  RE: Authentication is OK when I try from the controller to IAS server

    Posted Dec 18, 2011 08:35 AM

    Your using "Termination" and you should uncheck it by going to:

     

    configuration> security> authentication>l2 Authentication> 802.1x profiles.  Find the 802.1x profile that corresponds to your WLAN and make sure that "Termination" is unchecked.  

     



  • 6.  RE: Authentication is OK when I try from the controller to IAS server

    Posted Dec 18, 2011 09:23 AM

    it is ticked already and when i trying to connect i got small log in window keep asking me  for username and password then error massage for either username or password error

    in case if i un-ticked it, i'll not get this login small window and i could not connect, it keep showing me (trying to connecting)

    how i can know whether my  IAS server has a certificate or not.



  • 7.  RE: Authentication is OK when I try from the controller to IAS server

    Posted Dec 18, 2011 09:26 AM

    Your IAS server needs to have a certificate and that would be in the remote access policy under Edit Profile> Authentication> EAP Methods> Edit PEAP.

     

    If you don't have a certificate or cannot obtain one, leave Termination Checked, but on your client wireless definition, uncheck "Validate Server Certificate"



  • 8.  RE: Authentication is OK when I try from the controller to IAS server

    Posted Dec 18, 2011 09:36 AM

    i was doing 2nd scenario

    Termination is Checked and  in client wireless definition the "Validate Server Certificate" is unchecked by applying GPO

    but I lost authentication

     

     

     

     



  • 9.  RE: Authentication is OK when I try from the controller to IAS server

    Posted Dec 18, 2011 09:42 AM

    from the auth-tracebuf, it looks like you are doing "machine authentication", which does not work with termination enabled.  You would need to put a certificate on the radius server and uncheck termination for that to work.

     



  • 10.  RE: Authentication is OK when I try from the controller to IAS server

    Posted Dec 19, 2011 01:49 AM

    i'm kind of lost, i could not do the CA on the IAS server 2008,

    i lost guest captive porter window for the Guest SSID as well

    can you tell me how i can rollback and remove "machine authentication"

    i wonna do termination with domain credential only



  • 11.  RE: Authentication is OK when I try from the controller to IAS server

    Posted Dec 19, 2011 06:00 AM

    Okay.  If you cannot do the CA on Windows 2008, leave termination on.

     

    In your auth-tracebuf, I see your computer trying to authenticate with host/VDLSIT01046.veti.ac.ae which means it is using the computer credentials, NOT the user credentials to login.  Machine credentials or machine authentication does not work with termination.  If you are using group policy to configure that client, make sure in the group policy under the IEEE 802.1x tab, the authentication mode is "user authentication'", otherwise it will not work.



  • 12.  RE: Authentication is OK when I try from the controller to IAS server

    Posted Dec 20, 2011 01:15 AM

    it was authentecate as "user or computer authentecation " howaver when i changed it to user only i got no authentecation as well,

    after restarting the controller i got the below output, is that mean no authentecate requests ? or what?

     

    (VEDC-Wireless-Controller) #show auth-tracebuf

    Warning: user-debug is enabled on one or more specific MAC addresses;                                                                     

    only those MAC addresses appear in the trace buffer.

    Auth Trace Buffer -----------------

     

    (VEDC-Wireless-Controller) #

    (VEDC-Wireless-Controller) #

    (VEDC-Wireless-Controller) #



  • 13.  RE: Authentication is OK when I try from the controller to IAS server

    Posted Dec 20, 2011 06:26 AM

    What you need to do is add the mac address of that client to the user-debug.  The command only shows mac addresses that have been added.  Add that client like this:

     

    config t

    logging level debugging user-debug mac <mac address of client>

     

    It should then show up in the auth-tracebuf



  • 14.  RE: Authentication is OK when I try from the controller to IAS server

    Posted Dec 20, 2011 11:06 PM
      |   view attached

     

    I'm getting  the attached output, my username is v90000204

    so the authentication in username not computer

    any suggestion please

     

     

    Attachment(s)

    pdf
    ARUBA Cont.pdf   5K 1 version


  • 15.  RE: Authentication is OK when I try from the controller to IAS server

    Posted Dec 20, 2011 11:09 PM

    It looks like the radius server is responding with mschap failure.  What does the eventviewer on the radius server say?

     



  • 16.  RE: Authentication is OK when I try from the controller to IAS server

    Posted Dec 21, 2011 01:37 AM

    on the Network Policy  and access service on IAS server i got this information, note that i have no problem in my username and password

     

     

    Network Policy Server denied access to a user.

    Contact the Network Policy Server administrator for more information.

    User:

    Security ID: NULL SID

    Account Name: VETI\v90000204

    Account Domain: VETI

    Fully Qualified Account Name: VETI\v90000204

    Client Machine:

    Security ID: NULL SID

    Account Name: -

    Fully Qualified Account Name: -

    OS-Version: -

    Called Station Identifier: 000B8661973C

    Calling Station Identifier: 00225F399E65

    NAS:

    NAS IPv4 Address: 10.25.2.42

    NAS IPv6 Address: -

    NAS Identifier: 10.25.2.42

    NAS Port-Type: Wireless - IEEE 802.11

    NAS Port: 0

    RADIUS Client:

    Client Friendly Name: WLC1

    Client IP Address: 10.25.20.4

    Authentication Details:

    Connection Request Policy Name: Use Windows authentication for all users

    Network Policy Name: -

    Authentication Provider: Windows

    Authentication Server: VEDC-BC01.veti.ac.ae

    Authentication Type: MS-CHAPv2

    EAP Type: -

    Account Session Identifier: -

    Logging Results: Accounting information was written to the local log file.

    Reason Code: 16

    Reason: Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.

     

    on the windows log system i got this informations

     

    The Network Policy Server service entered the running state.

    The Network Policy Server service entered the stopped state.

    The Portable Device Enumerator Service service entered the stopped state.

    The WinHTTP Web Proxy Auto-Discovery Service service entered the running state.

    The Portable Device Enumerator Service service entered the running state.

    The Group Policy settings for the user were processed successfully. New settings from 2 Group Policy objects were detected and applied.

    User Logon Notification for Customer Experience Improvement Program

    The WinHTTP Web Proxy Auto-Discovery Service service entered the stopped state.

     

     

     

    on the windows log security i got

     

    Network Policy Server denied access to a user.

    Contact the Network Policy Server administrator for more information.

    User:

    Security ID: NULL SID

    Account Name: VETI\v90000204

    Account Domain: VETI

    Fully Qualified Account Name: VETI\v90000204

    Client Machine:

    Security ID: NULL SID

    Account Name: -

    Fully Qualified Account Name: -

    OS-Version: -

    Called Station Identifier: 000B8661973C

    Calling Station Identifier: 00225F399E65

    NAS:

    NAS IPv4 Address: 10.25.2.42

    NAS IPv6 Address: -

    NAS Identifier: 10.25.2.42

    NAS Port-Type: Wireless - IEEE 802.11

    NAS Port: 0

    RADIUS Client:

    Client Friendly Name: WLC1

    Client IP Address: 10.25.20.4

    Authentication Details:

    Connection Request Policy Name: Veti

    Network Policy Name: -

    Authentication Provider: Windows

    Authentication Server: VEDC-BC01.veti.ac.ae

    Authentication Type: MS-CHAPv2

    EAP Type: -

    Account Session Identifier: -

    Logging Results: Accounting information was written to the local log file.

    Reason Code: 16

    Reason: Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.

     



  • 17.  RE: Authentication is OK when I try from the controller to IAS server

    Posted Dec 21, 2011 01:56 AM

    Your eventviewer message is lacking critical information needed to figure this out.  If you cannot post the eventviewer message in its entirety, you probably should open a support case so that they can look at it.  If your fqdn is listed as just "VETI\v90000204" that means it did not find your user in active directory.

     

    Again, you probably changed a few things, but they are critical to figuring this issue out, so you might want to open a support case.