Wired Intelligent Edge (Campus Switching and Routing)

Issue with user authentication (802.1x/DOT1x) when user name has domain name in it

Problem:

End devices that support 802.1X send their username in the EAP-Response/Identity that answers the authenticator's EAP-Request/Identity; the switch then forwards it to the RADIUS server as the User-Name attribute. ClearPass uses that value to look the user up in Active Directory or in its local user repository. If the end user belongs to a domain, the supplicant may send the username with the domain included (for example DOMAIN\user or user@domain), which does not match the form in which the account is stored in the repository.



Diagnostics:

If ClearPass is the authentication server, its Access Tracker shows an error for the request because the username that was sent does not match any entry in the repository (the screenshot of the error is not reproduced here).

The username sent includes the domain name, while the local repository only holds the username without the domain.

The switch debug log contains entries like the following:

debug|LOG_INFO|MSTR|1|PORTACCESS|PORTACCESS_DOT1X_RADIUS|Validation succeeded for the packet recevied from 192.168.1.133:1812 (13) for RADIUS request context 0xffff8840eaa0 client request id 31 radius id 30 .
2020-03-22T10:17:49.566+00:00 port-accessd[2836]: debug|LOG_INFO|MSTR|1|PORTACCESS|PORTACCESS_DOT1X_RADIUS|Received Access-Reject response for the request context 0xffff8840eaa0 client request id 31 radius id 30 sent by 802.1x

ClearPass sends an Access-Reject for the request because it cannot find the user's credentials in the repository.
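As an added example (not part of the original article), the following Python script parses port-accessd debug lines of the kind shown above and joins each Access-Reject to the RADIUS server that answered, using the request context that both lines carry. The log text is constructed from the quoted lines; the timestamp on the first line and the second, accepted exchange are assumptions, and the function names are mine.

```python
import re

# Constructed sample of AOS-CX port-accessd debug output, modelled on the lines
# quoted in the article. The timestamp on the first line and the whole second
# exchange (request id 32, Access-Accept) are assumptions added for illustration.
SAMPLE_LOG = """\
2020-03-22T10:17:49.560+00:00 port-accessd[2836]: debug|LOG_INFO|MSTR|1|PORTACCESS|PORTACCESS_DOT1X_RADIUS|Validation succeeded for the packet recevied from 192.168.1.133:1812 (13) for RADIUS request context 0xffff8840eaa0 client request id 31 radius id 30 .
2020-03-22T10:17:49.566+00:00 port-accessd[2836]: debug|LOG_INFO|MSTR|1|PORTACCESS|PORTACCESS_DOT1X_RADIUS|Received Access-Reject response for the request context 0xffff8840eaa0 client request id 31 radius id 30 sent by 802.1x
2020-03-22T10:18:02.101+00:00 port-accessd[2836]: debug|LOG_INFO|MSTR|1|PORTACCESS|PORTACCESS_DOT1X_RADIUS|Validation succeeded for the packet recevied from 192.168.1.133:1812 (13) for RADIUS request context 0xffff8840f1c0 client request id 32 radius id 31 .
2020-03-22T10:18:02.108+00:00 port-accessd[2836]: debug|LOG_INFO|MSTR|1|PORTACCESS|PORTACCESS_DOT1X_RADIUS|Received Access-Accept response for the request context 0xffff8840f1c0 client request id 32 radius id 31 sent by 802.1x
"""

# "Validation succeeded" lines carry the RADIUS server address; response lines
# carry the result code. Both carry the request context, which joins them.
# ("recevied" is spelled the way the switch logs it.)
VALIDATED_RE = re.compile(
    r"packet recevied from (?P<server>[\d.]+:\d+) .*?"
    r"request context (?P<ctx>0x[0-9a-f]+) client request id (?P<req>\d+)"
)
RESPONSE_RE = re.compile(
    r"Received (?P<code>Access-[A-Za-z]+) response for the request context "
    r"(?P<ctx>0x[0-9a-f]+) client request id (?P<req>\d+) radius id (?P<rid>\d+)"
)


def radius_responses(log_text):
    """Parse port-accessd debug lines into one record per RADIUS response.

    Each record is joined to the server that answered, via the request context
    seen on the preceding 'Validation succeeded' line for the same request.
    """
    server_by_ctx = {}
    records = []
    for line in log_text.splitlines():
        m = VALIDATED_RE.search(line)
        if m:
            server_by_ctx[m["ctx"]] = m["server"]
            continue
        m = RESPONSE_RE.search(line)
        if m:
            records.append({
                "time": line.split(" ", 1)[0],
                "code": m["code"],
                "context": m["ctx"],
                "client_request_id": int(m["req"]),
                "radius_id": int(m["rid"]),
                "server": server_by_ctx.get(m["ctx"], "unknown"),
            })
    return records


def rejected_requests(log_text):
    """Only the Access-Reject responses: the ones to look up in ClearPass Access Tracker."""
    return [r for r in radius_responses(log_text) if r["code"] == "Access-Reject"]


if __name__ == "__main__":
    for r in rejected_requests(SAMPLE_LOG):
        print(f"{r['time']} Access-Reject from {r['server']} "
              f"client request id {r['client_request_id']} radius id {r['radius_id']}")
```

The client request id and radius id in each record are what you match against the Access Tracker entry on ClearPass to confirm that the reject is the username mismatch described above and not, for example, a shared-secret or certificate problem.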

Solution

Stop the client from appending the domain name to the username. On the Windows supplicant, in the 802.1X settings of the wired network profile:

1. Uncheck "Remember my credentials for this connection each time I'm logged on".

2. In the EAP MSCHAPv2 properties, uncheck "Automatically use my Windows logon name and password (and domain if any)".

3. The username is now sent without the domain name and the client authenticates successfully. The user will be prompted for credentials instead of the supplicant reusing the Windows logon.

If changing every client is impractical, the same mismatch can be handled on the server side: a ClearPass service can strip the domain from the username before the lookup (Strip Username Rules on the service's Authentication tab), or the repository entries can be stored in the form the clients actually send. When stripping server-side, restrict it to the domains you expect, so that an unrelated domain prefix is not silently mapped onto a local account of the same name.
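The mismatch and the two ways of resolving it, in code. This is an added example, not ClearPass code or the article's own: the LOCAL_USERS repository is constructed, and split_identity and lookup are assumed helper names. lookup with strip_domain=False reproduces the failure in the article (the repository is keyed by bare username, the supplicant sends DOMAIN\user); with strip_domain=True it models stripping the domain before the lookup, restricted to an allow-list of known domains so that a foreign domain prefix cannot be collapsed onto a local account. The allow-list check goes beyond the article's client-side fix.

```python
# Constructed local user repository, standing in for the ClearPass local user
# database (or any repository keyed by bare username). Values are placeholders;
# a real repository would hold password hashes or defer to AD/LDAP.
LOCAL_USERS = {
    "jdoe": "hash-placeholder",
    "asmith": "hash-placeholder",
}


def split_identity(identity):
    """Split an EAP/RADIUS User-Name into (user, domain, kind).

    Handles the forms a Windows supplicant can send:
      DOMAIN\\user              NetBIOS-style prefix
      user@corp.example.com     UPN / realm suffix
      host/pc01.corp.example.com  machine authentication
    domain is None when the identity carries no domain at all.
    """
    if identity.startswith("host/"):
        fqdn = identity[len("host/"):]
        name, _, domain = fqdn.partition(".")
        return name, domain or None, "machine"
    if "\\" in identity:
        domain, _, user = identity.partition("\\")
        return user, domain or None, "user"
    if "@" in identity:
        user, _, domain = identity.rpartition("@")
        return user, domain or None, "user"
    return identity, None, "user"


def lookup(identity, repo=LOCAL_USERS, strip_domain=False, allowed_domains=frozenset()):
    """Look a User-Name up in a bare-username repository.

    Returns (found, key_used). With strip_domain=False the identity is used
    verbatim, which is the failing behaviour from the article. With
    strip_domain=True the domain is removed first, but only if it is one of
    allowed_domains (compared case-insensitively); an unknown domain is
    rejected rather than mapped onto a local account of the same name.
    """
    user, domain, _ = split_identity(identity)
    if strip_domain and domain is not None and domain.lower() not in allowed_domains:
        return False, identity
    key = user if strip_domain else identity
    return key in repo, key


if __name__ == "__main__":
    known = {"corp", "corp.example.com"}
    for ident in ["jdoe", "CORP\\jdoe", "jdoe@corp.example.com", "EVIL\\jdoe"]:
        print(f"{ident:26} verbatim: {lookup(ident)!s:18} "
              f"stripped: {lookup(ident, strip_domain=True, allowed_domains=known)}")
```

Running the script shows the article's symptom on the second row: "jdoe" is found verbatim, "CORP\jdoe" is not, and only the stripped lookup restricted to a known domain finds it, while "EVIL\jdoe" stays rejected either way.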

Version history
Revision #: 1 of 1
Last update: 05-11-2020 07:20 AM