NAC 5.1.0.140 PEAP Authentication fails if username does not match the exact sAMAccountName

  • Problem
  • Updated 5 years ago
  • Solved
I upgraded NAC from 5.0.0.232 to 5.1.0.140. After the upgrade the PEAP Authentication of users failed with the error message: "The authentication request was rejected due to NTLM authentication error:  Logon failure (0xc000006d)"

I figured out that this is because the username with which the user logs into Windows does not match exactly the sAMAccountName in Active Directory. E.g.:
- AD: UserName
- Winlogin: username

When the user logs in with the exact spelling, the authentication passes.

I get this out of tag.log:

If auth passes:

2014-02-26 13:47:13,424 DEBUG [NacAAAServerRequestProcessor] ESDMAC:9B-F8-38 Stripping domain from username: ACME\UserName to be: UserName for LDAP request... 
2014-02-26 13:47:13,424 DEBUG [NacAAAServerRequestProcessor] ESDMAC:9B-F8-38 Authenticate user: UserName with LDAP configuration: ACME-AD, ldapAuthType: NTLM_AUTH, ldapDomainName: acme.com, ldapPasswordAttr: null 
2014-02-26 13:47:13,424 DEBUG [NacAAAServerRequestProcessor] ESDMAC:9B-F8-38 getNacResponse for MAC: 70-5A-B6-9B-F8-38 => NAC AAA Response [ID:2412, Command: Proxy User To LDAP Server(0x25), Version: NAC Version 5.1.0(7)] 
Proxy To: acme.com
Stripped UserName: UserName
Handle MsCHAP User-Name: Do Nothing(0x0) 


If auth fails:

2014-02-26 13:39:28,650 DEBUG [NacAAAServerRequestProcessor] ESDMAC:9B-F8-38 Stripping domain from username: ACME\username to be: username for LDAP request... 
2014-02-26 13:39:28,650 DEBUG [NacAAAServerRequestProcessor] ESDMAC:9B-F8-38 Authenticate user: username with LDAP configuration: ACME-AD, ldapAuthType: NTLM_AUTH, ldapDomainName: acme.com, ldapPasswordAttr: null 
2014-02-26 13:39:28,650 DEBUG [NacAAAServerRequestProcessor] ESDMAC:9B-F8-38 getNacResponse for MAC: 70-5A-B6-9B-F8-38 => NAC AAA Response [ID:1877, Command: Proxy User To LDAP Server(0x25), Version: NAC Version 5.1.0(7)] 
Proxy To: acme.com
Stripped UserName: username
Handle MsCHAP User-Name: Replace MsCHAP User-Name with User-Name(0x1) 
 
Best Regards,
Michael

Michael Kirchner


Posted 5 years ago
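Why a pure case difference can end in "Logon failure (0xc000006d)" (STATUS_LOGON_FAILURE) is easiest to see from the MS-CHAPv2 math that runs inside the PEAP tunnel. RFC 2759 derives the 8-byte challenge the NT-Response is computed over as SHA1(PeerChallenge || AuthenticatorChallenge || UserName)[:8], with the username bytes taken as-is after domain stripping and no case folding. The supplicant computes it with the name the user typed; if the authenticator rewrites that name before it derives the same challenge, the domain controller verifies the client's 24-byte response against a different challenge and rejects the logon. The script below is an added example, not code from Extreme's NAC or from the poster; it parses a constructed, abridged tag.log excerpt modelled on the two cases above, flags the request where the "Handle MsCHAP User-Name" decision was Replace (0x1), and shows that the RFC 2759 challenge for "username" and "UserName" differs. That the 0x1 rewrite is what feeds the mismatched challenge into the NTLM pass-through is an inference from the log, not a documented NAC internal; the 16-byte challenge values are made up.

```python
"""Added example: MS-CHAPv2 challenge binding vs. username rewriting.

Parses NAC tag.log lines (constructed sample below) and shows why a username
rewritten with different case cannot pass MS-CHAPv2 verification.
"""
import hashlib
import re

# Constructed, abridged tag.log excerpt modelled on the two cases in the post
# (timestamps and MAC are those quoted there; lines between them are omitted).
TAG_LOG = r"""
2014-02-26 13:47:13,424 DEBUG [NacAAAServerRequestProcessor] ESDMAC:9B-F8-38 Stripping domain from username: ACME\UserName to be: UserName for LDAP request...
Handle MsCHAP User-Name: Do Nothing(0x0)
2014-02-26 13:39:28,650 DEBUG [NacAAAServerRequestProcessor] ESDMAC:9B-F8-38 Stripping domain from username: ACME\username to be: username for LDAP request...
Handle MsCHAP User-Name: Replace MsCHAP User-Name with User-Name(0x1)
"""

STRIP_RE = re.compile(r"Stripping domain from username: (\S+) to be: (\S+) for LDAP request")
HANDLE_RE = re.compile(r"Handle MsCHAP User-Name: (.+?)\((0x[0-9a-fA-F]+)\)")

REPLACE_ACTION = 0x1  # code logged on the failing request in the post

# Made-up 16-byte PeerChallenge / AuthenticatorChallenge for the demonstration.
PEER_CHALLENGE = bytes(range(16))
AUTHENTICATOR_CHALLENGE = bytes(range(16, 32))


def parse_tag_log(text):
    """Pair each 'Stripping domain' line with the 'Handle MsCHAP' decision after it."""
    records, pending = [], None
    for line in text.splitlines():
        m = STRIP_RE.search(line)
        if m:
            pending = {"raw": m.group(1), "stripped": m.group(2)}
            continue
        m = HANDLE_RE.search(line)
        if m and pending is not None:
            pending["action"] = m.group(1).strip()
            pending["code"] = int(m.group(2), 16)
            records.append(pending)
            pending = None
    return records


def rewritten_usernames(text):
    """Stripped usernames whose MS-CHAP User-Name the NAC decided to replace (0x1)."""
    return [r["stripped"] for r in parse_tag_log(text) if r["code"] == REPLACE_ACTION]


def challenge_hash(peer_challenge, authenticator_challenge, username):
    """RFC 2759 section 8.2 ChallengeHash.

    SHA1(PeerChallenge || AuthenticatorChallenge || UserName), first 8 octets.
    UserName is the domain-stripped name exactly as the supplicant sent it;
    the RFC applies no case folding, so 'username' and 'UserName' differ.
    """
    data = peer_challenge + authenticator_challenge + username.encode("utf-8")
    return hashlib.sha1(data).digest()[:8]


def challenge_preserved(client_username, authenticator_username,
                        peer_challenge=PEER_CHALLENGE,
                        authenticator_challenge=AUTHENTICATOR_CHALLENGE):
    """True only if the authenticator derives the same 8-byte challenge the
    client used; otherwise the DC's check of the 24-byte NT-Response fails."""
    return (challenge_hash(peer_challenge, authenticator_challenge, client_username)
            == challenge_hash(peer_challenge, authenticator_challenge, authenticator_username))


if __name__ == "__main__":
    for rec in parse_tag_log(TAG_LOG):
        print(f"{rec['raw']:<16} -> {rec['stripped']:<10} action={rec['action']} (0x{rec['code']:x})")
    for name in rewritten_usernames(TAG_LOG):
        same = challenge_preserved(name, name.capitalize() if name.islower() else name)
        print(f"rewrite of {name!r} keeps MS-CHAPv2 challenge: {same}")
```

Run it against a real tag.log with the 0x1 entries to list the accounts that will keep failing until the rewrite is disabled; the challenge comparison is the reason a case-only difference is enough.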


Yacobucci, Ryan, Multi-Tier Technical Support Engineer

Hello,

Can you try to apply the following appliance property to the NAC appliance and see if it resolves the issue:

Right click the NAC appliance and click "add appliance property"

Click the small green "add property" button.

For the property name use: RADIUS_XP_LOCAL_AUTH_FIX_USERNAME
For the property value use: false

Make sure there are no extra spaces; the property name is case-sensitive. If you have multiple appliances, add the property to each accordingly.

Does this appliance property resolve the issue?

Thanks
-Ryan