
802.1x Failing After User Login

  • 1.  802.1x Failing After User Login

    Posted 12 days ago

    Hi everyone. I am encountering an issue where a PC is failing 802.1x authentication once a test user signs into it. According to the access tracker, the PC passes the EAP TLS authentication, and the correct cert is being pushed down to the machine via Group Policy, but once a user has signed in, I immediately see a REJECT message.

    The enforcement policy of the Service is configured as follows:
    Why is the authentication failing after a user logs on?


  • 2.  RE: 802.1x Failing After User Login

    Posted 12 days ago

    Hello, I suspect the PC is not configured properly, especially the network adapter settings. Can you please show the adapter configuration? From the access tracker I see that after user login it does not present the username. Be sure the network adapter is configured as (machine or user) for this to work.




  • 3.  RE: 802.1x Failing After User Login

    Posted 11 days ago

    Hi OS66, the network adapter settings appear to be correct, and I am pushing these NIC settings down via a GPO:




  • 4.  RE: 802.1x Failing After User Login

    Posted 12 days ago

    Failed to classify request to service means that there was no matching Service in ClearPass for that request.

    The Input tab for the failing request may show the request attributes; from there you could check your service matches to find out why there is no match. It may be that your client doesn't have a client certificate for user authentication, or isn't configured correctly to find the client certificate for user authentication, and Windows drops back to unauthenticated access, which then attempts MAC authentication from the switch.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 5.  RE: 802.1x Failing After User Login

    Posted 11 days ago

    Herman, I took a look at the Input Tab for the failed request, and I show the following Computed attributes:

    I see that the username is being computed as a MAC address, which does not look right to me.  Could this be an issue with how CPPM is fetching attributes from within Active Directory?
    Under my Authentication Source for AD, I show the following query set:



  • 6.  RE: 802.1x Failing After User Login

    Posted 11 days ago

    Hello gmann101, what we see is that, for whatever reason, the machine does not propagate the username. That's why it does not trigger the dot1x service. Personally, I would check whether there is a user cert on the machine under the user's personal certificates. If it is there, as a next step I would change the adapter setting to user authentication only and check how it goes.




  • 7.  RE: 802.1x Failing After User Login

    Posted 9 days ago

    OS66 - I checked for local computer certificates, and there is one there.  I also disabled the GPO for this machine, and manually went into the NIC adapter setting and changed the setting for authentication mode to "Computer Authentication" only.  Following this, I re-started, and signed back into the PC, and was not disconnected thereafter.

    So machine authentication appears to work, but not user authentication.  What might the next step be to troubleshoot this further?




  • 8.  RE: 802.1x Failing After User Login

    Posted 9 days ago

    Hello gmann101, please check whether the user certificate is present there. After you clarify this, change the adapter setting to user authentication, see what happens, and provide a screenshot.




  • 9.  RE: 802.1x Failing After User Login

    Posted 6 days ago

    Thank you for the suggestion. Upon closer inspection, it turned out that there was no User Certificate being pushed down to the test client PC, due to the Active Directory OU in which the PC resided. After moving the PC into the correct OU, and doing a GPO update, the User Certificate was then applied, and 802.1x authentication is working for both Computer and User Authentication.




  • 10.  RE: 802.1x Failing After User Login

    Posted 11 days ago

    This request looks like a MAC authentication, not a 802.1X authentication. So it looks like the configuration that's being pushed is incorrect for this client.

    Maybe you can exempt this (or another client you can test with) from the GPO and first find out the correct configuration. Then find the differences between the working config and what is in the GPO.

    Also, the client-side troubleshooting steps in this document may help as well. As you don't even see that authentication in ClearPass, my guess is that there is something basic in your supplicant config that is set incorrectly. If there were a trust issue with the server certificate, I would at least expect the negotiation to start and either a REJECT or TIMEOUT in ClearPass.

    This type of issue can be challenging to find the root cause for, so it may be good to work with your Aruba partner or TAC Support for interactive troubleshooting and a broader configuration check.



    ------------------------------
    Herman Robers
    ------------------------------



  • 11.  RE: 802.1x Failing After User Login

    Posted 6 days ago

    Thanks Herman.  The issue has now been resolved.  This turned out to be an issue with the PC residing within the wrong Active Directory OU within my environment, and therefore it was not receiving a GPO which pushes down the User Cert.
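
The client-side check that settled this thread (is there a usable certificate in the signed-in user's personal store, as well as in the computer store?), written out as an added PowerShell example; it is not part of the original posts. The helper name `Get-EapTlsCandidate` is hypothetical, and "usable" is assumed here to mean: has a private key, is inside its validity period, and is allowed for Client Authentication.

```powershell
# Added example (not from the thread). Run as the signed-in test user on the client PC.
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU
$EkuType = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]

# Get-EapTlsCandidate is a hypothetical helper name: one row per certificate in <Store>\My.
function Get-EapTlsCandidate {
    param([Parameter(Mandatory)][ValidateSet('LocalMachine', 'CurrentUser')][string]$Store)
    $now = Get-Date
    Get-ChildItem -Path "Cert:\$Store\My" | ForEach-Object {
        $eku  = $_.Extensions | Where-Object { $_ -is $EkuType }
        $oids = if ($eku) { @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) } else { @() }
        [pscustomobject]@{
            Store      = $Store
            Subject    = $_.Subject
            Issuer     = $_.Issuer
            NotAfter   = $_.NotAfter
            HasKey     = $_.HasPrivateKey
            InValidity = ($_.NotBefore -le $now) -and ($_.NotAfter -gt $now)
            # No EKU extension at all means the certificate is not restricted by purpose.
            ClientAuth = (-not $eku) -or ($oids -contains $ClientAuthOid)
        }
    }
}

$all = foreach ($store in 'LocalMachine', 'CurrentUser') { Get-EapTlsCandidate -Store $store }
$all | Format-Table -AutoSize

# Summarise each store: machine authentication uses LocalMachine\My, user authentication CurrentUser\My.
foreach ($store in 'LocalMachine', 'CurrentUser') {
    $usable = @($all | Where-Object {
        $_.Store -eq $store -and $_.HasKey -and $_.InValidity -and $_.ClientAuth })
    if ($usable.Count -eq 0) {
        Write-Warning "$store\My: no usable client-authentication certificate"
    } else {
        Write-Output "$store\My: $($usable.Count) usable certificate(s)"
    }
}

# List the GPOs that actually applied; the thread's root cause was a GPO that never reached the PC.
# Run from an elevated prompt to include the computer settings section.
gpresult /r
```

A warning for `CurrentUser\My` next to a usable `LocalMachine\My` certificate matches the state described in the thread: computer authentication succeeds, and the session is rejected once a user signs in.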