Network Management

Hello

 

For several weeks i've been fighting with this problem.
I need to set up UAM authentication with Microsoft AD. Client PC is part of lab domain and thus uses domain certificate without iNode client (the way our customer would like it to be). That means EAP-PEAP with MSCHAPv2
In my lab i have one ProCurve 2824 switch and several virtual servers - one of which runs iMC with UAM, another has AD DC and third is certificate server. I have set up whole structure, imported certificates into iMC etc.

 

iMC and UAM version is the latest:

Intelligent Management Platform (JF378A) iMC PLAT 5.1 SP1 (E0202P05)
User Access Manager (JF388A) iMC UAM 5.1 SP1 (E0301H04)

Unfortunately client authentication fails, in switch traffic capture i see UAM asking switch for MD5 authentication which is immideately refected by windows who wants MSCHAPv2.
in the mschapv2server log file i see the following:

[Feb 19, 2013 11:43:16 AM][Debug]: MSChapAuthServer():addInistialRequestMessage(): dc name is uam.imc.lab
[Feb 19, 2013 11:43:16 AM][Trace]: MSChapAuthServer():addInistialRequestMessage(): tunnel active packet: 00000000h: 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 04 ;................
00000010h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ;................
00000020h: 01 06 74 65 73 74 02 0D 75 61 6D 2E 69 6D 63 2E ;..test..uam.imc.
00000030h: 6C 61 62 03 0A 68 E1 09 F0 F4 0C A7 2A 04 1A 9C ;lab..h......*...
00000040h: 58 28 CE 59 9D 67 80 3B D1 9E 9C 0D 1E 72 6F 26 ;X(.Y.g.;.....ro&
00000050h: 1D 0F 79 01 B1 E1 4D ;..y...M
[Feb 19, 2013 11:43:16 AM][Debug]: Trigger one authentication request as parameters refreshed.
[2013-02-19 11:43:16.494] [Debug] [HashMapForCache::cleanMap]Find expired object...
[2013-02-19 11:43:16.547] [Debug] [MSChapAuth::MSChapAuth]NETLOGON(LVLABIMC2.UAM.IMC.LAB/TESTACCOUNT)
[2013-02-19 11:43:16.564] [Debug] [MSChapAuth::connect]NETLOGON: Connecting DCERPC handle to ncacn_np:10.32.12.29[\PIPE\NETLOGON] with identity uam.imc.lab\testAccount$
[2013-02-19 11:43:16.967] [Info] [MSChapAuth::connect]NETLOGON: Bind successful.
[2013-02-19 11:43:16.990] [Debug] [MSChapAuth::connect]NETLOGON: Session authenticated
[2013-02-19 11:43:16.991] [Debug] [MSChapAuth::getDomainTrusts]getDomainTrusts: Retrieving list of domains
[2013-02-19 11:43:17.0] [Debug] [MSChapAuth::getDomainTrusts]getDomainTrusts: List of domains retrieved successfully: {UAM.IMC.LAB={objectSid=S-1-5-21-57685777-2865964563-3303338050, domain.dns.name=uam.imc.lab, domain.trust.attributes=0x00000000, objectGUID=9E996CE4-317B-41AB-915B-A6431188E686, domain.trust.type=2, domain.flags=0x0000001D, domain.netbios.name=UAM}, ~={objectSid=S-1-5-21-57685777-2865964563-3303338050, domain.dns.name=uam.imc.lab, domain.trust.attributes=0x00000000, objectGUID=9E996CE4-317B-41AB-915B-A6431188E686, domain.trust.type=2, domain.flags=0x0000001D, domain.netbios.name=UAM}, UAM={objectSid=S-1-5-21-57685777-2865964563-3303338050, domain.dns.name=uam.imc.lab, domain.trust.attributes=0x00000000, objectGUID=9E996CE4-317B-41AB-915B-A6431188E686, domain.trust.type=2, domain.flags=0x0000001D, domain.netbios.name=UAM}}
[2013-02-19 11:43:17.19] [Debug] [MSChapAuth::connect]NETLOGON: Secure Channel encryption installed
[Feb 19, 2013 11:43:17 AM][Trace]: The authentication error msg: The account is not found: uam.imc.lab\test, and error code: 4
[2013-02-19 11:43:17.388] [Error] [MSChapAuthProvider::authenticate]MSChap authentication unknown exception. <mscv2js.c.d: The account is not found: uam.imc.lab\test>
mscv2js.c.d: The account is not found: uam.imc.lab\test
at mscv2js.b.a.a(Unknown Source)
at mscv2js.b.b.b(Unknown Source)
at mscv2js.server.f.a(Unknown Source)
at mscv2js.server.h.run(Unknown Source)
at java.lang.Thread.run(Thread.java:662)
[Feb 19, 2013 11:43:17 AM][Trace]: The mschapv2 authentication user msg:The account is not existed on DC.
<java.net.BindException: Cannot assign requested address: Datagram send failed>
java.net.BindException: Cannot assign requested address: Datagram send failed
at java.net.PlainDatagramSocketImpl.send(Native Method)
at java.net.DatagramSocket.send(DatagramSocket.java:625)
at mscv2js.server.g.a(Unknown Source)
at mscv2js.server.f.a(Unknown Source)
at mscv2js.server.h.run(Unknown Source)
at java.lang.Thread.run(Thread.java:662)

 

I have done all installation and configuration according to manuals. EAP-PEAP assisted DC authentication is set up. In the log one can see that UAM asks DC for virtual computer (which i left default), which passes. Then, out from nowhere comes this "test" account which is no way present in iMC. I suspect this is the reason why authentication fails and UAM reverts to MD5.
I created "test" user on DC, but since i have no idea what password should be it still fails.
Can anyone please point me what i am doing wrong?

 

Thanks in advance!
Marcis

#Certificates
#MSCHAPv2
#uam
#ActiveDirectory
#imc
#EAP-PEAP

Hi,

 

Can you provide some more info on the client supplicant configuration ?

Which client os are you using, if windows, did you configure user or computer auth ?

Can you check the client pc computername, does it happen to be test ?

 

It could be possible that the computer accounts have not be synced between uam and AD (ldap), so when the client pc authenticates with the pc account, it will fail, so uam possibly proposes an alternate auth method (md5), since the peap failed.

 

So make sure the sync the computers container/ou as well as the users container/ou in the ldap sync policies,

 

Best regards,Peter

This doesn't directly fix your problem, but HP released IMC 5.2 today. BYOD is a focus for them right now, so you might like to try out the latest code, see if your problem is still there.

 

My guess is that support is just going to tell you to upgrade anyway.

Thanks!

I tried 5.2 but it did not solve the issue. I suspect i am doing something wrong but i ran out of ideas what exactly.

Resurrecting an old thread here.  Probably going to open a support ticket, but I'm dealing with the same issue in 7.0 E0202.  Device authentication works fine through AD, but I can't get 802.1x to work from MSM APs (MSM controller).  I did find that the EAP type is dictated by the 'default access policy' configured on the access service assigned to the authenticating user.  If certificate authentication isn't defined in the default policy, IMC seems to default to EAP-MD5 as a challenge type (doesn't seem to make too much sense, but it isn't the issue at hand).  At this point, it would have been so much easier to do this in NPS (wtb NAS Id condition), but the customer wants UAM.

 

The authentication failure cause is listed as: E63121::receive no packet from mschapv2server.

 

The request isn't even showing up in the mschapv2 log.  Netstat shows that mschapv2server is running on the port assigned in domain assisted PEAP authentication.

 

I do see the same recurring message in the log about a failure to authenticate with a "domani\test" account--I'm not testing from this.  As the other posters pointed out, no idea what the "test" account is used for or what credentials it is trying to use.  I've tried making a "test" account in AD (reflected below).  Also not sure why IMC would want to change the password for the test account (LDAP error -1073741718).  Not sure where to go from here... hopefully I'm just mising something

 

Details from the mschapv2 log:

[Jun 12, 2014 10:19:14 PM][Debug]: MSChapAuthServer():addInistialRequestMessage(): dc name is domain.local
[2014-06-12 22:19:14.758] [Debug] [MSChapAuth::MSChapAuth]NETLOGON(NPSDC1.domain.local/IMC-VCOMP)
[2014-06-12 22:19:14.761] [Debug] [MSChapAuth::connect]NETLOGON: Connecting DCERPC handle to ncacn_np:10.3.1.10[\PIPE\NETLOGON] with identity domain.local\imc-vcomp$
[2014-06-12 22:19:14.809] [Info] [MSChapAuth::connect]NETLOGON: Bind successful.
[2014-06-12 22:19:14.812] [Debug] [MSChapAuth::connect]NETLOGON: Session authenticated
[2014-06-12 22:19:14.813] [Debug] [MSChapAuth::getDomainTrusts]getDomainTrusts: Retrieving list of domains
[2014-06-12 22:19:14.818] [Debug] [MSChapAuth::getDomainTrusts]getDomainTrusts: List of domains retrieved successfully: {NPS={objectSid=S-1-5-21-2978016226-252322552-2703489708, domain.dns.name=domain.local, domain.trust.attributes=0x00000000, objectGUID=EAB86203-0A5C-408E-BE8B-032C0610D269, domain.trust.type=2, domain.flags=0x0000001D, domain.netbios.name=NPS}, domain.local={objectSid=S-1-5-21-2978016226-252322552-2703489708, domain.dns.name=domain.local, domain.trust.attributes=0x00000000, objectGUID=EAB86203-0A5C-408E-BE8B-032C0610D269, domain.trust.type=2, domain.flags=0x0000001D, domain.netbios.name=NPS}, ~={objectSid=S-1-5-21-2978016226-252322552-2703489708, domain.dns.name=domain.local, domain.trust.attributes=0x00000000, objectGUID=EAB86203-0A5C-408E-BE8B-032C0610D269, domain.trust.type=2, domain.flags=0x0000001D, domain.netbios.name=NPS}}
[2014-06-12 22:19:14.821] [Debug] [MSChapAuth::connect]NETLOGON: Secure Channel encryption installed
[2014-06-12 22:19:14.830] [Debug] [MSChapAuth::mschapv2Validate]ldap fetch error code is -1073741718
[2014-06-12 22:19:14.830] [Error] [MSChapAuthProvider::authenticate]MSChap authentication unknown exception. <mscv2js.c.d: The supplied credentials are invalid: domain.local\test>
mscv2js.c.d: The supplied credentials are invalid: domain.local\test
    at mscv2js.b.a.a(Unknown Source)
    at mscv2js.b.b.b(Unknown Source)
    at mscv2js.server.f.a(Unknown Source)
    at mscv2js.server.i.run(Unknown Source)
    at java.lang.Thread.run(Thread.java:724)

 <java.net.BindException: Cannot assign requested address: Datagram send failed>
java.net.BindException: Cannot assign requested address: Datagram send failed
    at java.net.DualStackPlainDatagramSocketImpl.socketSend(Native Method)
    at java.net.DualStackPlainDatagramSocketImpl.send(DualStackPlainDatagramSocketImpl.java:133)
    at java.net.DatagramSocket.send(DatagramSocket.java:676)
    at mscv2js.server.h.a(Unknown Source)
    at mscv2js.server.f.a(Unknown Source)
    at mscv2js.server.i.run(Unknown Source)
    at java.lang.Thread.run(Thread.java:724)

 

Hi,

 

What type of EAP auth are you trying to configure ?

AFAIK, EAP PEAP MSCHAPv2 is not possible for computer authentication, only EAP-TLS (client cert based) is possible.

Since you mention the mschapv2server process, I have the impression you are trying to setup EAP PEAP MSCHAPv2, which does not work (yet, I heard this might be included in the future).

 

Peter, thanks for the response.

 

Yes, I'm trying to do PEAP MS-CHAPv2, but only for user authentication.  Is this not supported by IMC?  If not, what options are available for 802.1x user authentication?

 

Thanks

Hi,

 

* eap peap mschapv2 is supported for user auth.

* did you set the Domain controller OS version to "2003 or earlier" ? I know this does not sound intuitive, but the parameter does not link directly to the OS version or domain/forest level, but to some kerberos/mschap auth level type. Most people do not have this enabled on the domain, so the original auth type should be used (described as 2003 or earlier in this parameter).

 

hth,Peter

I do have it set at 2003 to match the domain functional level.  I opened a case, so we'll see where this goes.  I'll provide an update once progress is made

 

Thanks

Hi,

 

I'm seeing the same issue at the moment on IMC v7.0 . Did you get it resolved?

 

I'm getting client authentication failures with code "E63053::Invalid authentication type" via the IMC interface.

 

Regards,

denclan

I made some progress, but the issue certainly isn't completely resolved.  UAM is defiantely one of the more difficult/complicated NAC systems I've deployed.  I'll break this into two parts:

 

First, at one point, with RADIUS, I did get the error you are describing.  I belive I hadn't imported a RADIUS certificate for UAM yet and that was causing it.  Once I generated a cert (had to add a Windows CA for this :( ), I think that was resolved.

 

Using PEAP/MS-Chapv2 against UAM as a RADIUS server: In one deployment, I found that I was sending the Called-Station-ID context in the wrong format.  I was using the SSID group as an access condition to assign access scenarios in the access service assigned to domain users.  Well, the SSID wasn't read correctly, and this triggered the "E63121::receive no packet from mschapv2server" error (certainly not very imitative of the issue...).  Peter Debruyne's blog (http://abouthpnetworking.com/2014/01/10/msm-with-uam-mac-authentication/) put me on the right track here.  I do get the same issue regarless of how the access devices are configured--HP(ProCurve) or HP(MSM).  So once I changed the Called-Station-ID format in the VSC, it works, but it never works the first time.  When no users have authenticated in about ~an hour, I always get the "E63121::receive no packet from mschapv2server" error on the first authentication attempt (the error log shows a blank next to the SSID field).  After that one error, the next manual attempt will always work.  Still working with HP support on this, but it's unusable for users.  I've set up a NPS server using NAS-ID as a condition for RADIUS in the meantime.  I suspect IMC work work fine if I removed the SSID as a condition, but it's pretty much required for the deployment.

 

On the guest/byod mac auth SSID: I have the same issue right now on two deployments.  It was kinda working on 7.0 E203, but due to the guest self-registration bug mentioned in the patch notes (if they didn’t use self-service, users were getting something like a 'network problem' error on registration request), I since upgraded up to E203P04 then to E203H06 (had to request the newest versions from HP support--only E203P03 is posted to the web), and now I'm getting "E63053::Invalid authentication type" when a user is forwarded to the BYOD portal.  When a user connects, I see the byodanonymous login with the correct mac address as the login name and the correct OS fingerprint, but that user gets the wrong portal page (they get the default HP-branded portal), with "The user is not online" under "User Information".  No idea why the system isn't correctly associating the login.  My setups are all fairly simple, with no L3 hops between the users, the authentication devices (MSM 460s) and the portal forwarding device (H3C switch or a VSR).

 

I'm relatively frustrated at this point, but let me know if this describes what you are facing.  I'll continue to post updates, but I'm working on a few dozen projects at once, so they may be infrequent.  Eventually, I'd like to get EAP-TLS functioning in IMC without iNode... but not for a while.

 

Gary

Hello Peter

 

Thanks for the response! :)

 

I attached my ProCurve 2824 switch config.

 

Port 1 is for uplink, ports 2 and 3 are where client authentication goes on.

10.32.12.26 is an address of iMC server

10.32.12.27 is switch's IP

 

i also verified that when i reconfigure RADIUS on switch to talk directly to MS AD DC, it works like charm. Of course i have configured NAP on MS DC.

 

I use Windows 7 PC with windows native buil-in 801.x authenticator. I would prefer to avoid using iNode because this is what our customer wants. On windows i left it at default which is both user and computer authentication.

Client PC computername is "SMNdemo". Only thing close to "test" is testlab domain user "imctest" which i use for logging in.

 

I tried to sync computers OU but it does not work, sync fails because computer accounts are represented by their name with "$" added. And since iMC does not accepts $ sign sync fails totally.

 

Having the same problem. I'm coming from the Procurve Manager IDM solution which I have working fine - using NPS and AD groups. 802.1x for users & workstations, smart devices (wired and wireless), MAC for voip. 

 

Trying to do the same thing with UAM - docs certainly imply that this should work. But I get the same thing. Wireshark shows IMC radius responding with MD5, not PEAP/MSchap.

 

Got the workstation certificate mode to work. But spolied by PCM - I can see by username where they are logged in with what mac and IP. Response to state change is near instantaneous.

 

Also I use user and workstation authentication, as workstations are in domain...but the IMC LDAP sync brings ws samaccoutname over with a trailing $ - not sure how to remove that.

 

IMC is way harder and much more expensive. Not so happy at the moment.

 

I also have a ticket in w HP - but still trying to sync up for the troubleshooting

 

Neil

 

 

UPDATE: Peter_Dubryn has the answer - even though we at 2008, when I changed the domain level setting for UAM back to 2003 I was able to log in my 802.1x user. Some succes finally. Thx!

 

However - when the user logs in, the autehtnication does not take place - only after I up/down the port. I think this occurs because I'm also trying to authenticate the machine and this currently fails as I haven't syncd the host, so IMC downs the port

Hi,

 

i have a similar problem concerning MSCHAPv2.  I have synchronized AD accounts (LDAP user in IMC) and have one local test user in IMC. I have configured root and server certificate and can authenticate my test user. 

 

If i try an LDAP user i got the error message E63121::receive no packet from mschapv2server

 

My AD is implemented on an 2012 Microsoft Server, i would like to use PEAP with MSCHAPv2 for authentification.

 

IMC Version is 7

 

Thanks in advance

 

Robert

I'm running 2008 so not sure if there is 2012 issue. BUt did you set the domain controller OS version to 2003? Wont' work otherwise. Also 7.1 is latest - are you at that version - some fixes in UAM over 7.0

 

User > User Access Policy > Service Parameters > System Settings > Domain Controller-Assisted PEAP Authentication

Thanks a lot Neil,

 

i used the "v7.0 HP Intelligent Management Center User Access Manager Administrator Guide" for implementing my cases, and there is nothing about "Domain Controller-Assisted PEAP Authentication".

 

Now everything is running, you solved my problem !

---

@NeilR wrote:

I'm running 2008 so not sure if there is 2012 issue. BUt did you set the domain controller OS version to 2003? Wont' work otherwise. Also 7.1 is latest - are you at that version - some fixes in UAM over 7.0

 

User > User Access Policy > Service Parameters > System Settings > Domain Controller-Assisted PEAP Authentication

---

 

 

Merry Christmas in advance

 

Robär

Great! Glad to have helped. Yes running the latest versions. Seems stable and some good improvments .

 

BTW found that info on another post here, I think Mr Debruyne. I think he als posted recdently that a fully patched 2012 AD with latest imc versions was functional now.

Hi NeilR;

 

I did not have any certificate on my IMC server while using PEAP-MSCHAv2, but after adding a Root Certificate Authority and a server certificate, it seems that I managed to get rid of tha "Invalid Authentication Type" error message. after searching the net, I found one of your post again abot configuring Server Parameter (this post) and configured the iMC in that way. but after this point, when I try to connect any client to the switch port, I don't get any log at the "User Access Log > Authentication Failure Log" !! but after taking some captures with Wireshark, I saw that the switch sends many RADIUS Request messages to IMC and after some time, it gets "Reply Message: No This User" from the IMC and rejects the user. but I integrated the IMC with existing AD and can see the AD users list on the IMC while clicking on the "LDAP USERS". it is interesting that, I have one local user on IMC and even loging in with that user, results the same error!! so I'm thinking about the default port that IMC and AD are talking to each other through it (the port while configuring Server Parameters to make iMC to work with PEAP authentication server). the default port is listed as 9812 and I uses Windows 2012 R2 on both of iMC server and AD DC. I defined a filter on Wireshark to find that port, but it seems this port is not used by these devices to talk. do you have any idea abot this?

Since you posted same to both threads, I'll add same reply here for completeness - 

 

If you have a windows Active Directory base for your users, doing it via LDAP makes more sense then trying to add users and passwords. All the PDFS from my posts should give a pretty complete picture on how to do this.

 

Don't think the server certificate should have been required for just UID/Password , but may be something about windows. All my testing had a cert installed, either LDAP user or not.

 

So something easy to overlook may be the user account format setup on the LDAP server. Make sure to include the remove prefix and delimiter \ as that's how the accounts are sent by the clients. see attached screen shot.

 

You should be able to see the account name that the client is sending in Wireshark btw.

 

I'm using all the default ports for everything. However might want to make sure windows firewall is not active on imc, at least until you get everything working.

i had the same issue once i create virtual computer on AD and applyied on 

User>User Access Policy>Service Parameters>System Settings>Domain Controller-Assisted PEAP Authentication

AD authentication works !!!! thanks lot