Guru Elite

Re: Authentication is OK when I try from the controller to IAS server

Okay.  If you cannot do the CA on Windows 2008, leave termination on.

 

In your auth-tracebuf, I see your computer trying to authenticate with host/VDLSIT01046.veti.ac.ae, which means it is using the computer credentials, NOT the user credentials, to log in.  Machine credentials or machine authentication does not work with termination.  If you are using group policy to configure that client, make sure in the group policy under the IEEE 802.1x tab, the authentication mode is "user authentication", otherwise it will not work.


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.4 User Guide
InstantOS 8.3 User Guide
Airheads Knowledgebase
Airheads Learning Videos
Aruba Central Documentation
Sign up for Security Alerts
Aruba Technical Webinars
Contributor I

Re: Authentication is OK when I try from the controller to IAS server

It was authenticating as "user or computer authentication"; however, when I changed it to user only, I got no authentication as well.

After restarting the controller I got the below output. Does that mean no authentication requests? Or what?

 

(VEDC-Wireless-Controller) #show auth-tracebuf

Warning: user-debug is enabled on one or more specific MAC addresses;                                                                     

only those MAC addresses appear in the trace buffer.

Auth Trace Buffer -----------------

 

(VEDC-Wireless-Controller) #

(VEDC-Wireless-Controller) #

(VEDC-Wireless-Controller) #

Regards,
M. Alajeely
Guru Elite

Re: Authentication is OK when I try from the controller to IAS server

What you need to do is add the MAC address of that client to the user-debug.  The command only shows MAC addresses that have been added.  Add that client like this:

 

config t

logging level debugging user-debug mac <mac address of client>

 

It should then show up in the auth-tracebuf


Contributor I

Re: Authentication is OK when I try from the controller to IAS server

 

I'm getting the attached output; my username is v90000204,

so the authentication is by username, not computer.

Any suggestions, please?

 

 

Regards,
M. Alajeely
Guru Elite

Re: Authentication is OK when I try from the controller to IAS server

It looks like the RADIUS server is responding with mschap failure.  What does the Event Viewer on the RADIUS server say?

 


Contributor I

Re: Authentication is OK when I try from the controller to IAS server

On the Network Policy and Access Services on the IAS server I got this information. Note that I have no problem with my username and password.

 

 

Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:

Security ID: NULL SID

Account Name: VETI\v90000204

Account Domain: VETI

Fully Qualified Account Name: VETI\v90000204

Client Machine:

Security ID: NULL SID

Account Name: -

Fully Qualified Account Name: -

OS-Version: -

Called Station Identifier: 000B8661973C

Calling Station Identifier: 00225F399E65

NAS:

NAS IPv4 Address: 10.25.2.42

NAS IPv6 Address: -

NAS Identifier: 10.25.2.42

NAS Port-Type: Wireless - IEEE 802.11

NAS Port: 0

RADIUS Client:

Client Friendly Name: WLC1

Client IP Address: 10.25.20.4

Authentication Details:

Connection Request Policy Name: Use Windows authentication for all users

Network Policy Name: -

Authentication Provider: Windows

Authentication Server: VEDC-BC01.veti.ac.ae

Authentication Type: MS-CHAPv2

EAP Type: -

Account Session Identifier: -

Logging Results: Accounting information was written to the local log file.

Reason Code: 16

Reason: Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.

 

In the Windows System log I got this information:

 

The Network Policy Server service entered the running state.

The Network Policy Server service entered the stopped state.

The Portable Device Enumerator Service service entered the stopped state.

The WinHTTP Web Proxy Auto-Discovery Service service entered the running state.

The Portable Device Enumerator Service service entered the running state.

The Group Policy settings for the user were processed successfully. New settings from 2 Group Policy objects were detected and applied.

User Logon Notification for Customer Experience Improvement Program

The WinHTTP Web Proxy Auto-Discovery Service service entered the stopped state.

 

 

 

In the Windows Security log I got:

 

Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:

Security ID: NULL SID

Account Name: VETI\v90000204

Account Domain: VETI

Fully Qualified Account Name: VETI\v90000204

Client Machine:

Security ID: NULL SID

Account Name: -

Fully Qualified Account Name: -

OS-Version: -

Called Station Identifier: 000B8661973C

Calling Station Identifier: 00225F399E65

NAS:

NAS IPv4 Address: 10.25.2.42

NAS IPv6 Address: -

NAS Identifier: 10.25.2.42

NAS Port-Type: Wireless - IEEE 802.11

NAS Port: 0

RADIUS Client:

Client Friendly Name: WLC1

Client IP Address: 10.25.20.4

Authentication Details:

Connection Request Policy Name: Veti

Network Policy Name: -

Authentication Provider: Windows

Authentication Server: VEDC-BC01.veti.ac.ae

Authentication Type: MS-CHAPv2

EAP Type: -

Account Session Identifier: -

Logging Results: Accounting information was written to the local log file.

Reason Code: 16

Reason: Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.

 

Regards,
M. Alajeely
Guru Elite

Re: Authentication is OK when I try from the controller to IAS server

Your Event Viewer message is lacking critical information needed to figure this out.  If you cannot post the Event Viewer message in its entirety, you probably should open a support case so that they can look at it.  If your FQDN is listed as just "VETI\v90000204", that means it did not find your user in Active Directory.

 

Again, you probably changed a few things, but they are critical to figuring this issue out, so you might want to open a support case.



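Added example, not part of any post in this thread and not Aruba or Microsoft code: a small triage script that applies the two reading rules given in the replies above (a `host/` identity means machine credentials; a Fully Qualified Account Name that is only `DOMAIN\user` is read as "user not found in Active Directory") to an NPS denial event. The function names and the abridged sample event are constructed for illustration.

```python
import re

# Constructed sample: fields abridged from the NPS denial event posted in this thread.
SAMPLE_EVENT = r"""Network Policy Server denied access to a user.
User:
Security ID: NULL SID
Account Name: VETI\v90000204
Fully Qualified Account Name: VETI\v90000204
Client Machine:
Security ID: NULL SID
Account Name: -
Authentication Details:
Connection Request Policy Name: Veti
Authentication Type: MS-CHAPv2
Reason Code: 16
"""

SECTION = re.compile(r"^([A-Za-z ]+):$")     # e.g. "User:", "RADIUS Client:"
FIELD = re.compile(r"^([^:]+):\s*(.+)$")     # e.g. "Reason Code: 16"

def parse_nps_event(text):
    """Return {section: {field: value}}; field names repeat across sections."""
    event, section = {}, "Header"
    for raw in text.splitlines():
        line = raw.strip()
        if SECTION.match(line):
            section = line[:-1]
        elif (m := FIELD.match(line)):
            event.setdefault(section, {})[m.group(1).strip()] = m.group(2).strip()
    return event

def classify_identity(name):
    """A 'host/' prefix marks computer credentials, as in the auth-tracebuf reply."""
    return "machine" if name.lower().startswith("host/") else "user"

def triage(event):
    user = event.get("User", {})
    auth = event.get("Authentication Details", {})
    fqan = user.get("Fully Qualified Account Name", "-")
    # Rule taken from the last reply: a bare DOMAIN\user value is read as "not found in AD".
    bare = re.fullmatch(r"[^\\/]+\\[^\\/]+", fqan) is not None
    return {
        "identity": classify_identity(user.get("Account Name", "-")),
        "auth_type": auth.get("Authentication Type", "-"),
        "reason_code": int(auth.get("Reason Code", "0")),
        "account_resolved": fqan != "-" and not bare,
    }

if __name__ == "__main__":
    print(triage(parse_nps_event(SAMPLE_EVENT)))
```

Sections are tracked because `Security ID` and `Account Name` appear under both `User` and `Client Machine`; a flat key/value parse would let the second overwrite the first.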