Network Management

My setup is simple :).

Computer + User autenticated by UAM using 802.1X with EAP-TLS (Certificates from internal CA).

Switches are comware-based (5120/5130/5500). iMC 7.1 with latest patch (10) and UAM 7.1 E302 with p10.

What I want to achieve is:
Computer after boot will be able to login to limited network with access to domain controller and DHCP, antivirus update, WSUS and nothing else.

User after login will get full access to his resources.

User can login to network using certificate (EAP-TLS) to UAM, so user authentication part is fully functional included VLAN assignement. Can work with resources etc.

But I am not able to authorize the computer. Any idea will help.

UAM setup:

I imported CA certificate. I generated certificate for IMC (with correct common-name).

I setup LDAP connection and synchronization. Test is OK. Synchronization is working properly.

I setup user-policy and user-service with appropriate filter to AD - this part is functional

I setup computer-policy and computer-service.

I create Computer-type user with login Computer and assign appropriate policy created in last step.

So I can see in All access users this account.

Windows setup:

I created autoenroll group policy to create certificates for both, users and computers. Verified, certificates are created for computer and for user properly. (and I saw it on the desktop in correct containers).

I created Wired-Autoconfig setup. Authentication: Both computer and user, SmartCard or other Certificate, 802.1X according standard. SingleSignOn enabled, different login VLAN ticked.

Issue: Radius get back information, that no user found so access denied.

E63018: The user does not exist or has not subscribed for this service.. that is the message I get from RADIUS/UAM

I enabled debug in IMC and get this:

 EapProc.auth: Begin.  [CEapProcess::eapAttribute]begin eapAttribute().  [CEapProcess::eapAttribute]end eapAttribute().  EapProc.handlr: begin.  [CEapProcess::eapValidation]begin eapValidation().  [CEapProcess::eapValidation]end eapValidation().  [CEapProcess::eapIdentity]begin eapIdentity().  [CEapProcess::eapIdentity]end eapIdentity().  [CEapProcess::parseIdentity]begin parseIdentity().  [CEapProcess::parseIdentity]end parseIdentity().  chkTmpLdapUsr: User[WIFILABPC$] non sync-a-n.  EapProc.fndEapTypeFromDB: find computer account(WIFILABPC$) in ldap service.  chkAccScene: 0 row found for WIFILABPC$.  [checkIfBYODauthUser] The user name is not equal to MAC.  ifSecondAuthConfig the third party authentication has not been configured yet.  chkAccScene: User[WIFILABPC$] subscribe no service .  fndEapType calling chkAccScenario(WIFILABPC$,2C-41-38-11-5F-5C) returns 63018 [V-T-O:0_0_0,SSID:0,MAC:0,AREA:0,IP:0,AP:0].  EapProc.handlr: outer fndEapType failed for [host/WIFILABPC.domain.lan]  [CEapProcess::eapBuildds]begin eapBuildds().  [CEapProcess::eapBuildds]end eapBuildds().  [commonEap::getAttrFromPacket]no attribute of Framed-IP-Address.  [CEapProcess::parseIdentity]begin parseIdentity().  [CEapProcess::parseIdentity]end parseIdentity().  User(host/WIFILABPC.domain.lan2C:41:38:11:5F:5C) auth fail and plus in auth feil map.  [[CEapProcess::eapCompose] Reply_Message:E63018: The user does not exist or has not subscribed for this service..  chkAccScene: 0 row found for host/WIFILABPC.domain.lan.  [checkIfBYODauthUser] The user name is not equal to MAC.  ifSecondAuthConfig the third party authentication has not been configured yet.  chkAccScene: User[host/WIFILABPC.ave-labs.lan] subscribe no service .  Begin replyPrivateAttribute(), auth step is 2,AttrPolicyId is 0,DeviceTypeId is 1100  Call replyPrivateAttribute() successfully.  The length of State is 12226656  [CEapTask::svc]Send packet to:192.168.188.15

So the user cannot be found in database. Yes it doesn´t exist in UAM, but exist in AD. So where can be problem?

I have this setup on switches:

port-security enable

radius scheme rad-scheme1
 server-type extended
 primary authentication 10.10.100.23 key simple hp

 primary accounting 10.10.100.23 key simple hp

 timer realtime-accounting 3
 accounting-on enable

quit

domain domain.lan
 authentication lan-access radius-scheme rad-scheme1
 authorization lan-access radius-scheme rad-scheme1
 accounting lan-access radius-scheme rad-scheme1
 access-limit disable
 state active
 idle-cut disable
 self-service-url disable

quit

interface GigabitEthernet1/0/1
 port-security port-mode userlogin-secure-ext
 undo dot1x handshake
 dot1x mandatory-domain domain.lan
 undo dot1x multicast-trigger
 dot1x unicast-trigger

Quit

I have 802.1x running with user and computer authentication. I'm using UAM with LDAP for the users. For the workstations, you must use the computer account, which serves as the owner of the all the computer logins.

I have a few posts with examples discussing this. But basically install the root cert from your domain, and then tell your clients to trust the root ca for your domain. Set user or computer authentication

But - this feature got broken in UAM versions past 7.1 E0302 until the latest release 7.1 E0302P10  - readme says that its fixed - I have not had a chance to load and test it.

So if you are using versions in between those then computer authentication via PEAP ms-chap will not work.  Either roll back or roll forward.

Hope this helps

I am using E302P10. But you lead me to the root of problem (EAP-PEAP,TLS,PEAP-mschap). Thanks for reply, I will test it.

Everything was wrong. Patch 10 was the real cause. After upgrading to E302P13 and later (P16 now), all is working now.

When you say "For the workstations, you must use the computer account" you imported device from AD with LDAP ? 

When using UAM, IMC has two levels of user information: A base userID for information about the user, and an Access UserID which has information for accessing the network for each device a User might use.

So one User ID can have multiple User Access IDs, such as an 802.1x credential and a MAC authentication

Since UAM manages port level security, you are using it because you don't want untrusted devices gaining access. Once a host authtenicates at the port level, IMC can give access to specific VLANs with the right level of access. Then when the user logs into the workstation, the user access information is presented and IMC can give a different set of access to the user.

The reason for the computer to authenticate in addition to the user, is so that the machine can get access to the network and talk to a domain controller, and then authenticate the user. On windows systems, a user can only log into to a domain computer if they have previoulsy successfully authenticated, or the computer is connected to a network with a DC that can verify the user's credentials

IMC has been configured with a single User Account called "computer" which is the base user for any workstations authenticating with a host name, not a user name. So if I had two computers in my domain trying to authenticate, Domain\WS01 & Domain\WS02, they would both be stored as 2 separate access user accounts under the user "computer"

If IMC is using AD via LDAP as the user directory, since the host don't "present" credentials to IMC, only users, IMC uses a "virtual computer" object to proxy authentication in AD for other "real" hosts. You have to create a Virtual computer entry in AD as a host, then give IMC this information and set a password. IMC then uses this "proxy" host to authenticate on behalf of the workstations via LDAP.

This is configured in the LDAP Server section under MS-CHAP V2 authentication. 

On the workstation, when 802.1x is enabled, the authentication would be then set for "user or computer" to use both.

See the IMC User Access Manager Administrator Guide for more specifc information.

Hope I answered your question