Windows 7 fails to authenticate against AD on CPPM
We have implemented CPPM, and there is one machine(Windows 7) that was authenticating to 802.1X network but now fails authentication.
When we disconnected/reconnected the lan cable or reboot the PC, we could not see any logs from the access tracker.
We have disabled the 802.1X settings in the switch port that the pc is connected and it can connect and get ip address.
We have also upgraded the network card driver and the NIC card is Intel (R) 82579LM Gigabit Network, but none of the above helped in establishing a successful authentication.
Environment Information : This applies to all versions of CPPM
This happens when the client authenticates with incorrect machine credentials. The credentials may either be wrong or the user's account's password in the AD would be Expired.
The Access tracker logs would have the below message for the failed authentication.
Alerts for this Request -
Policy server: No radius enforcement profiles applicable for this device. Allowing Access
RADIUS: MSCHAP: AD status:Logon failure (0xc000006d) \nMSCHAP: AD status:Logon failure (0xc000006d) \nMSCHAP: Authentication failed\nEAP-MSCHAPv2: User authentication failure.
The above logs means that AD did not reply when we tried to authenticate with the given credentials. CPPM therefore issued a Reject access.
If the machine authentication fails due to expiration of the domain password we may expect this error message.
The solution is to reset the account password and make sure that machine authentication is happening with correct password.
Note: Even if the default access for the enforcement profile being used is "Allow all", CPPM will still reject the client.
Workaround: The machine is not authenticating because the the pwdbadcount password is incrementing after each failed authentication. If we drop this client from AD and join it again, the pwdbadcount will reset to "ZERO" and authentication would be successful.