Is your Service configured for EAP-PEAP only as of now?
Not prompting you for a password may be a different issue.
I may suggest trying a Clean Auth (out of the box) AD Auth Source configuration first, before adding any additional filters or the badpwdcount function.
Is your priority Machine Auth or User Auth?
------------------------------
If my post was useful, please Accept Solution and Give Kudos.
------------------------------
Zak Chalupka
Principal Engineer - HPE Aruba
ACDX | ACMP | ACSP | ACCP
wifizak@hpe.com
------------------------------
Ideas expressed here are solely my own and not necessarily that of HPE Aruba.
------------------------------
Original Message:
Sent: Mar 14, 2024 09:01 AM
From: pmonardo
Subject: AD lookup Error message in access tracker Reason=[, (error=4) Size limit exceeded].
If I remove the badpwdcount, I only do machine auth and it works. Meaning, I forget the SSID and double-click it to connect... it doesn't prompt me for user/pass.
Before removing the badpwdcount, it prompted me for user/pass, rejected.
Query now looks like this (not sure if it's correct) but it returns a result when doing a search in the filter.
(|(&(objectCategory=person)(&(objectClass=user)(sAMAccountName=%{Authentication:Username})))((&(objectCategory=person)&(objectClass=user)(userPrincipalName=%{Authentication:Username}))))
Trying authentication now and it fails...
Scratching my head...
FYI - Their AD is a mess....
------------------------------
Aruba Partner Ambassador ACMP, ACDP, ACCP, ACEP
Original Message:
Sent: Mar 13, 2024 05:09 PM
From: Zak Chalupka
Subject: AD lookup Error message in access tracker Reason=[, (error=4) Size limit exceeded].
Do you see the "error=4" message if you remove the badpwdcount filter check/restriction?
If so you may add (objectCategory=person) to the filter as well to narrow down further.
Original Message:
Sent: Mar 13, 2024 04:33 PM
From: pmonardo
Subject: AD lookup Error message in access tracker Reason=[, (error=4) Size limit exceeded].
Yup, for sure. The filter is as follows, which is a slight modification of the standard filter.
(&(&(sAMAccountName=%{Authentication:Username})(objectClass=user))(!(badPwdCount>=4)))
We also tried
(|(&(objectClass=user)(sAMAccountName=%{Authentication:Username}))(&(objectClass=user)(userPrincipalName=%{Authentication:Username}))(!(badPwdCount>=4)))
Attributes are standard.
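As an added illustration (not code from the thread, ClearPass or AD), a tiny LDAP filter evaluator run over constructed AD-like objects: it shows that the second filter above, with (!(badPwdCount>=4)) as a third OR branch, matches every object whose badPwdCount is below 4 or absent (computers, groups), which is the kind of runaway query that hits the server's size limit (error=4), while the first filter and a re-nested version match only the intended user. The sample objects, usernames and the re-nested filter are my assumptions; the evaluator treats each attribute as single-valued, which is a simplification of real AD.

```python
# Tiny RFC 4515-style LDAP filter evaluator: constructed for this thread, not
# ClearPass or AD code. One string value per attribute, case-insensitive match.
def parse(s, i=0):
    """Parse the filter at s[i]; return (node, index after it) or raise ValueError."""
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i] in "&|!":                       # compound: (&...), (|...), (!...)
        op, i, kids = s[i], i + 1, []
        while s[i] == "(":
            node, i = parse(s, i)
            kids.append(node)
        if s[i] != ")":
            raise ValueError(f"malformed compound filter at offset {i}")
        return (op, kids), i + 1
    end = s.index(")", i)                   # simple item: attr=value or attr>=value
    attr, val = s[i:end].split("=", 1)
    op = ">=" if attr.endswith(">") else "="
    return (op, attr.rstrip(">").lower(), val), end + 1

def matches(node, entry):
    op = node[0]
    if op == "&": return all(matches(k, entry) for k in node[1])
    if op == "|": return any(matches(k, entry) for k in node[1])
    if op == "!": return not matches(node[1][0], entry)
    have = entry.get(node[1])
    if have is None: return False           # absent attribute: item is False, so (!item) is True
    return int(have) >= int(node[2]) if op == ">=" else str(have).lower() == node[2].lower()

DIRECTORY = [  # constructed sample objects (assumed), lowercase attribute names
    {"objectclass": "user", "samaccountname": "jdoe", "userprincipalname": "jdoe@example.com", "badpwdcount": 0},
    {"objectclass": "user", "samaccountname": "asmith", "userprincipalname": "asmith@example.com", "badpwdcount": 5},
    {"objectclass": "computer", "samaccountname": "PC01$", "badpwdcount": 0},
    {"objectclass": "group", "samaccountname": "WiFi-Users"},  # no badPwdCount attribute at all
]

def search(filter_text, username):
    """Return sAMAccountNames matched after substituting the ClearPass username macro."""
    text = filter_text.replace("%{Authentication:Username}", username)
    node, end = parse(text)
    if end != len(text):
        raise ValueError("trailing characters after filter")
    return [e["samaccountname"] for e in DIRECTORY if matches(node, e)]

# Filters from the thread: the second puts (!(badPwdCount>=4)) as a third OR branch.
FILTER_AND = "(&(&(sAMAccountName=%{Authentication:Username})(objectClass=user))(!(badPwdCount>=4)))"
FILTER_OR_MISPLACED = "(|(&(objectClass=user)(sAMAccountName=%{Authentication:Username}))(&(objectClass=user)(userPrincipalName=%{Authentication:Username}))(!(badPwdCount>=4)))"
# Same intent with the badPwdCount check AND-ed over the whole OR (my suggested nesting, not from the thread).
FILTER_OR_FIXED = "(&(|(&(objectClass=user)(sAMAccountName=%{Authentication:Username}))(&(objectClass=user)(userPrincipalName=%{Authentication:Username})))(!(badPwdCount>=4)))"
```

Running `search(FILTER_OR_MISPLACED, "jdoe")` returns the computer and the group alongside jdoe, which on a large domain is the whole directory minus locked-out users; `search(FILTER_OR_FIXED, "jdoe")` returns only jdoe.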
Original Message:
Sent: Mar 13, 2024 03:40 PM
From: Zak Chalupka
Subject: AD lookup Error message in access tracker Reason=[, (error=4) Size limit exceeded].
Is the Output of the Enforcement, in this case, as expected?
You would likely want to review [in your AD Auth Source] the configured attributes and thus the LDAP filter. This may show you why this query is running away. The LDAP server has a max as to what it will return.
Original Message:
Sent: Mar 13, 2024 01:39 PM
From: pmonardo
Subject: AD lookup Error message in access tracker Reason=[, (error=4) Size limit exceeded].
Anyone seen this before?
Trying to migrate a customer to EAP-TEAP, but starting slow and validating that EAP-PEAP works first to make sure role derivation and VLANs are properly assigned; running into the issue below.
Interesting thing is, if I forget the SSID and double-click it, it will do machine auth only and connect, with the role assigned and in the proper VLAN.