Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Machine Authentication Difficulty

  • 1.  Machine Authentication Difficulty

    Posted Aug 02, 2012 11:26 AM

    Alrighty guys, I'm apparently stuck on stupid here.  This is my situation.  I have two locations.  Our main location is a master 3600 with two local 3600's running Aruba OS 5.0.4.7 supporting 300+ AP 105 units running only the base license.  This is configured with two networks, one a WPA2 Enterprise network (PEAP/MSCHAPv2) and one an open network secured by captive portal.  The WPA2 network authenticates against a Windows 2008 R2 server running NPS for our RADIUS server and allowing both user/password and certificate authentication.  Our own employer assigned machines are configured to use machine authentication only, we do not care who the user is as long as it's one of our own machines.  All is well at the main location.
    Our new location is a different story.  Here again we're using a 3600, but here we have Aruba OS 6.1.3.3 as we're supporting AP 135 units which require 6.x.  In addition, this location has the PEF-NG license due to some future plans we have for this location.  I've configured the networks identically to the main location.  Personal machines and mobile devices work perfectly using WPA2 Enterprise and supplying usernames and passwords.  But our own machines fail to log on.  Watching from the monitor, I never even see the client on the controller.  Normally while anyone is attempting to authenticate, I'll at least see them in the monitor in the logon role.  On the NPS side of things, we see the proper policies being applied to the request, but obviously no authentication is occurring.
    Things that we knew would trip us up and have already looked at:
    * This remote location is connected back to the main location via a site to site VPN tunnel, and shares the same IP numbering scheme as the main campus.  The NPS is configured to allow a certain pair of /16 networks that provide our wireless access.  The new network falls into this scheme.
    * The controller has been added as a valid client for the NPS.
    Once upon a while back, the AD admin and I found a utility that showed us authentication successes and failures, and I seem to recall this utility NOT being the normal system logs.  This helped IMMENSELY in troubleshooting that issue at that time.  Anyone happen to know what that is?  Primarily though, anyone have any idea what I've missed here?  Seems to me that I've missed something stupidly here and I'm going to kick myself.
    Thanks for your help!




  • 2.  RE: Machine Authentication Difficulty

    Posted Aug 02, 2012 12:14 PM

    Can you post a copy of one of the NPS events in question?



  • 3.  RE: Machine Authentication Difficulty

    Posted Aug 03, 2012 10:09 AM

    We enabled tracing, and here's what we're seeing:
    [960] 08-03 09:47:08:441: NT-SAM Names handler received request with user identity host/DQ1GGT1.ad.xxx.xxx.
    [960] 08-03 09:47:08:441: Successfully cracked username.
    [960] 08-03 09:47:08:441: SAM-Account-Name is "AD\DQ1GGT1$".
    [960] 08-03 09:47:08:441: Successfully created new RAP Based EAP session for user AD\DQ1GGT1$.
    [960] 08-03 09:47:08:441: No AUTHENTICATION extensions, continuing
    [960] 08-03 09:47:08:441: NT-SAM Authentication handler received request for AD\DQ1GGT1$.
    [960] 08-03 09:47:08:441: Validating windows user account AD\DQ1GGT1$
    [960] 08-03 09:47:08:441: Sending LDAP search to dc2.ad.xxx.xxx.
    [960] 08-03 09:47:08:441: Successfully validated windows account AD\DQ1GGT1$.
    [960] 08-03 09:47:08:441: Allowed EAP type: 25
    [960] 08-03 09:47:08:441: Succesfully created EAP Host session with session id 3122984
    [960] 08-03 09:47:08:441: Processing output from EAP: action:1
    [960] 08-03 09:47:08:441: Inserting outbound EAP-Message of length 6.
    [960] 08-03 09:47:08:441: Issuing Access-Challenge.
    [960] 08-03 09:47:08:441: No AUTHORIZATION extensions, continuing
    [2804] 08-03 09:47:08:472: Successfully retrieved session (3122984) for user AD\DQ1GGT1$.
    [2804] 08-03 09:47:08:472: No AUTHENTICATION extensions, continuing
    [2804] 08-03 09:47:08:472: Processing output from EAP: action:1
    [2804] 08-03 09:47:08:472: Inserting outbound EAP-Message of length 155.
    [2804] 08-03 09:47:08:472: Issuing Access-Challenge.
    [2804] 08-03 09:47:08:472: No AUTHORIZATION extensions, continuing
    [960] 08-03 09:47:08:504: Successfully retrieved session (3122984) for user AD\DQ1GGT1$.
    [960] 08-03 09:47:08:504: No AUTHENTICATION extensions, continuing
    [960] 08-03 09:47:08:504: Processing output from EAP: action:1
    [960] 08-03 09:47:08:504: Inserting outbound EAP-Message of length 43.
    [960] 08-03 09:47:08:504: Issuing Access-Challenge.
    [960] 08-03 09:47:08:504: No AUTHORIZATION extensions, continuing
    [2804] 08-03 09:47:08:535: Successfully retrieved session (3122984) for user AD\DQ1GGT1$.
    [2804] 08-03 09:47:08:535: No AUTHENTICATION extensions, continuing
    [2804] 08-03 09:47:08:535: Processing output from EAP: action:1
    [2804] 08-03 09:47:08:535: Inserting outbound EAP-Message of length 59.
    [2804] 08-03 09:47:08:535: Issuing Access-Challenge.
    [2804] 08-03 09:47:08:535: No AUTHORIZATION extensions, continuing
    [960] 08-03 09:47:08:550: Successfully retrieved session (3122984) for user AD\DQ1GGT1$.
    [960] 08-03 09:47:08:550: No AUTHENTICATION extensions, continuing
    [960] 08-03 09:47:08:566: Processing output from EAP: action:1
    [960] 08-03 09:47:08:566: Inserting outbound EAP-Message of length 43.
    [960] 08-03 09:47:08:566: Issuing Access-Challenge.
    [960] 08-03 09:47:08:566: No AUTHORIZATION extensions, continuing
    [2804] 08-03 09:47:08:597: Successfully retrieved session (3122984) for user AD\DQ1GGT1$.
    [2804] 08-03 09:47:08:597: No AUTHENTICATION extensions, continuing
    [2804] 08-03 09:47:08:597: Processing output from EAP: action:1
    [2804] 08-03 09:47:08:597: Inserting outbound EAP-Message of length 1096.
    [2804] 08-03 09:47:08:597: Issuing Access-Challenge.
    [2804] 08-03 09:47:08:597: No AUTHORIZATION extensions, continuing
    [960] 08-03 09:47:08:628: Successfully retrieved session (3122984) for user AD\DQ1GGT1$.
    [960] 08-03 09:47:08:628: No AUTHENTICATION extensions, continuing
    [960] 08-03 09:47:08:628: Processing output from EAP: action:1
    [960] 08-03 09:47:08:628: Inserting outbound EAP-Message of length 1096.
    [960] 08-03 09:47:08:628: Issuing Access-Challenge.
    [960] 08-03 09:47:08:628: No AUTHORIZATION extensions, continuing
    [2804] 08-03 09:47:08:660: Successfully retrieved session (3122984) for user AD\DQ1GGT1$.
    [2804] 08-03 09:47:08:660: No AUTHENTICATION extensions, continuing
    [2804] 08-03 09:47:08:660: Processing output from EAP: action:1
    [2804] 08-03 09:47:08:660: Inserting outbound EAP-Message of length 1096.
    [2804] 08-03 09:47:08:660: Issuing Access-Challenge.
    [2804] 08-03 09:47:08:660: No AUTHORIZATION extensions, continuing
    [960] 08-03 09:47:08:691: Successfully retrieved session (3122984) for user AD\DQ1GGT1$.
    [960] 08-03 09:47:08:691: No AUTHENTICATION extensions, continuing
    [960] 08-03 09:47:08:691: Processing output from EAP: action:1
    [960] 08-03 09:47:08:691: Inserting outbound EAP-Message of length 233.
    [960] 08-03 09:47:08:691: Issuing Access-Challenge.
    [960] 08-03 09:47:08:691: No AUTHORIZATION extensions, continuing



  • 4.  RE: Machine Authentication Difficulty

    Posted Aug 03, 2012 10:15 AM

    Thanks for the log.  I see an entry in there that it is doing an LDAP search of dc2.  Can you confirm whether you are doing EAP termination on the controller in question?  Under 802.1x Authentication Profile for that AAA Profile.   If you are terminating EAP on the controller, machine authentication will not work.



  • 5.  RE: Machine Authentication Difficulty

    Posted Aug 03, 2012 10:28 AM

    No, we're terminating at the NPS server.

    [Attachment: Screen Shot 2012-08-03 at 10.26.40 AM.png]



  • 6.  RE: Machine Authentication Difficulty

    Posted Aug 03, 2012 10:44 AM

    Just wanted to make sure.  How about on the NPS side?  What do the corresponding Event Log entries look like?



  • 7.  RE: Machine Authentication Difficulty

    Posted Aug 03, 2012 01:01 PM

    We've found the culprit.  It's Deep Security, our firewall running on the NPS.  We keep receiving a "First Fragment Too Small" error coming from the remote campus Aruba Controller.  When we disabled the firewall filter on the NIC, machines authenticated with no issue.  Now I have to figure out why the error is being thrown.  The only thing I can figure is the VPN link is playing games with the method used by certificate authentication.

    At this point I have two options:

    1 - Try playing with the VPN link to resolve this issue

    2 - Get a RADIUS server installed locally much quicker than I'd wanted to

    Since I have to have this working by 8/13, I'm doing both at once :-)

    If anyone has any suggestions on tweaking Juniper SRX-100 configurations to avoid this problem, I'll gladly hear them :-)
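The trace in post 3 and the "First Fragment Too Small" error in post 7 meet at packet size: the certificate exchange inside PEAP produces Access-Challenge packets carrying EAP-Messages of 1096 bytes, and the host firewall on the NPS inspects the IP fragments those packets turn into once VPN encapsulation pushes them past the tunnel MTU. The script below is an added example, not code from anyone in this thread or from HPE Aruba or Microsoft: it sizes each outbound EAP-Message in an NPS trace excerpt and reports the challenges that would be fragmented for a given path MTU. The RADIUS attribute overheads, the 18-byte State attribute, the tunnel overhead value and the sample trace lines are all assumptions constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample in the format of the NPS trace quoted earlier in the thread
# (only the "Inserting outbound EAP-Message" lines matter for sizing).
SAMPLE_TRACE = """\
[960] 08-03 09:47:08:441: Inserting outbound EAP-Message of length 6.
[2804] 08-03 09:47:08:472: Inserting outbound EAP-Message of length 155.
[2804] 08-03 09:47:08:597: Inserting outbound EAP-Message of length 1096.
[960] 08-03 09:47:08:691: Inserting outbound EAP-Message of length 233.
"""

LINE_RE = re.compile(
    r"^\[(\d+)\] (\d\d-\d\d \d\d:\d\d:\d\d:\d{3}): "
    r"Inserting outbound EAP-Message of length (\d+)\.$"
)

# Byte-size assumptions for one Access-Challenge: RADIUS header (RFC 2865),
# the EAP payload split into EAP-Message attributes of at most 253 bytes each,
# each with a 2-byte type/length prefix (RFC 3579), a Message-Authenticator
# attribute (18 bytes), and an assumed 18-byte State attribute. IP + UDP add 28.
RADIUS_HDR = 20
EAP_ATTR_MAX = 253
MSG_AUTH = 18
STATE_ATTR = 18   # assumption; NPS chooses its own State length
IP_UDP_HDR = 28

@dataclass
class Challenge:
    thread: str      # NPS worker thread id in square brackets
    timestamp: str
    eap_len: int     # total EAP message bytes reported by the trace

    def radius_bytes(self) -> int:
        n_attrs = -(-self.eap_len // EAP_ATTR_MAX)   # ceil division
        return RADIUS_HDR + self.eap_len + 2 * n_attrs + MSG_AUTH + STATE_ATTR

    def datagram_bytes(self) -> int:
        return self.radius_bytes() + IP_UDP_HDR

def parse_trace(text: str) -> list:
    """Pull every outbound EAP-Message size out of an NPS trace excerpt."""
    return [Challenge(m[1], m[2], int(m[3]))
            for m in map(LINE_RE.match, text.splitlines()) if m]

def over_mtu(challenges, path_mtu: int, tunnel_overhead: int = 0) -> list:
    """Challenges whose datagram plus VPN encapsulation exceeds the path MTU,
    i.e. the ones that will arrive at the controller as IP fragments."""
    return [c for c in challenges
            if c.datagram_bytes() + tunnel_overhead > path_mtu]
```

Run it against a full trace with the tunnel's real MTU and encapsulation overhead; every challenge it lists is one the firewall on the NPS side will see as fragments rather than a single RADIUS datagram.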



  • 8.  RE: Machine Authentication Difficulty

    Posted Aug 14, 2012 11:35 AM

    The final solution was implementing the local RADIUS server.  Once that was up, everything worked flawlessly.  Everyone file that one in the back of your heads if you use Deep Security :-)