NAC 5.1.0.140 PEAP Authentication fails if username does not match the exact sAMAccountName

  • 1.  NAC 5.1.0.140 PEAP Authentication fails if username does not match the exact sAMAccountName

    Posted 03-03-2014 08:15
    I upgraded NAC from 5.0.0.232 to 5.1.0.140. After the upgrade the PEAP Authentication of users failed with the error message: "The authentication request was rejected due to NTLM authentication error: Logon failure (0xc000006d)"

    I figured out that this is because the username with which the user logs into Windows does not exactly match the sAMAccountName in Active Directory. E.g.:
    - AD: UserName
    - Winlogin: username

    When the user logs in with the exact typo - the authentication is passed.

    I get this out of tag.log:

    If auth passes:

    2014-02-26 13:47:13,424 DEBUG [NacAAAServerRequestProcessor] ESDMAC:9B-F8-38 Stripping domain from username: ACME\UserName to be: UserName for LDAP request...
    2014-02-26 13:47:13,424 DEBUG [NacAAAServerRequestProcessor] ESDMAC:9B-F8-38 Authenticate user: UserName with LDAP configuration: ACME-AD, ldapAuthType: NTLM_AUTH, ldapDomainName: acme.com, ldapPasswordAttr: null
    2014-02-26 13:47:13,424 DEBUG [NacAAAServerRequestProcessor] ESDMAC:9B-F8-38 getNacResponse for MAC: 70-5A-B6-9B-F8-38 => NAC AAA Response [ID:2412, Command: Proxy User To LDAP Server(0x25), Version: NAC Version 5.1.0(7)]
    Proxy To: acme.com
    Stripped UserName: UserName
    Handle MsCHAP User-Name: Do Nothing(0x0)

    If auth fails:

    2014-02-26 13:39:28,650 DEBUG [NacAAAServerRequestProcessor] ESDMAC:9B-F8-38 Stripping domain from username: ACME\username to be: username for LDAP request...
    2014-02-26 13:39:28,650 DEBUG [NacAAAServerRequestProcessor] ESDMAC:9B-F8-38 Authenticate user: username with LDAP configuration: ACME-AD, ldapAuthType: NTLM_AUTH, ldapDomainName: acme.com, ldapPasswordAttr: null
    2014-02-26 13:39:28,650 DEBUG [NacAAAServerRequestProcessor] ESDMAC:9B-F8-38 getNacResponse for MAC: 70-5A-B6-9B-F8-38 => NAC AAA Response [ID:1877, Command: Proxy User To LDAP Server(0x25), Version: NAC Version 5.1.0(7)]
    Proxy To: acme.com
    Stripped UserName: username
    Handle MsCHAP User-Name: Replace MsCHAP User-Name with User-Name(0x1)

    Best Regards,
    Michael
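
An added example, not part of the original post and not vendor code: a small parser that pulls each `getNacResponse` block out of tag.log and reports, per account, which username spelling was handled with which `Handle MsCHAP User-Name` action, the one field that differs between the passing and failing excerpts above. It assumes tag.log keeps the multi-line layout shown in the post; the function names are hypothetical and the sample lines are copied from the post's excerpts.

```python
import re

# Sample input copied from the two tag.log excerpts in the post (pass, then fail).
SAMPLE_LOG = """\
2014-02-26 13:47:13,424 DEBUG [NacAAAServerRequestProcessor] ESDMAC:9B-F8-38 getNacResponse for MAC: 70-5A-B6-9B-F8-38 => NAC AAA Response [ID:2412, Command: Proxy User To LDAP Server(0x25), Version: NAC Version 5.1.0(7)]
Proxy To: acme.com
Stripped UserName: UserName
Handle MsCHAP User-Name: Do Nothing(0x0)
2014-02-26 13:39:28,650 DEBUG [NacAAAServerRequestProcessor] ESDMAC:9B-F8-38 Authenticate user: username with LDAP configuration: ACME-AD, ldapAuthType: NTLM_AUTH, ldapDomainName: acme.com, ldapPasswordAttr: null
2014-02-26 13:39:28,650 DEBUG [NacAAAServerRequestProcessor] ESDMAC:9B-F8-38 getNacResponse for MAC: 70-5A-B6-9B-F8-38 => NAC AAA Response [ID:1877, Command: Proxy User To LDAP Server(0x25), Version: NAC Version 5.1.0(7)]
Proxy To: acme.com
Stripped UserName: username
Handle MsCHAP User-Name: Replace MsCHAP User-Name with User-Name(0x1)
"""

RESPONSE = re.compile(r"^(?P<ts>\S+ \S+) .*getNacResponse for MAC: "
                      r"(?P<mac>[0-9A-Fa-f-]{17}) => NAC AAA Response \[ID:(?P<id>\d+),")
FIELD = re.compile(r"^(Stripped UserName|Handle MsCHAP User-Name): (.*)$")
ACTION = re.compile(r"^.*\((0x[0-9a-fA-F]+)\)$")

def parse_responses(text):
    """Return one dict per getNacResponse entry, including its continuation lines."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = RESPONSE.match(line)
        if m:
            current = {"time": m["ts"], "mac": m["mac"], "id": int(m["id"])}
            records.append(current)
        elif re.match(r"^\d{4}-\d\d-\d\d ", line):
            current = None  # any other timestamped entry ends the response block
        elif current is not None and (f := FIELD.match(line)):
            key, value = f.groups()
            if key == "Stripped UserName":
                current["user"] = value
            else:
                a = ACTION.match(value)
                current["mschap_action"] = int(a[1], 16) if a else None
    return records

def rewritten_usernames(records):
    """Responses where the MsCHAP User-Name was replaced (action 0x1)."""
    return [r for r in records if r.get("mschap_action") == 0x1]

def casing_report(records):
    """Map each account (case-folded) to {spelling seen: MsCHAP action code}."""
    report = {}
    for r in records:
        if "user" in r:
            report.setdefault(r["user"].lower(), {})[r["user"]] = r.get("mschap_action")
    return report
```

Running `casing_report(parse_responses(open("tag.log").read()))` on a real log lists every account that was seen with more than one spelling and the action applied to each.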


  • 2.  RE: NAC 5.1.0.140 PEAP Authentication fails if username does not match the exact sAMAccountName

    Posted 03-20-2014 17:25
    Hello,

    Can you try to apply the following appliance property to the NAC appliance and see if it resolves the issue:

    Right click the NAC appliance and click "add appliance property"

    Click the small green "add property" button.

    For the property name use: RADIUS_XP_LOCAL_AUTH_FIX_USERNAME
    For the property value use: false

    Make sure there are no extra spaces and it is caps sensitive. If you have multiple appliances add the property accordingly.

    Does this appliance property resolve the issue?

    Thanks
    -Ryan