Rejected NTLM authentication - EAC LDAP integration not working with windows

Akkertje
New Contributor
We have a LAB running with a basic dot1x setup for NAC and also a very basic AD setup.
I created a few users and integrated the LDAP connection with NAC successfully. This all works just fine on Mac-based solutions. I can also successfully connect on the wireless network using Mac, iPhone and Windows clients.

The problem I am facing is when I connect through a switchport (cable). This works just fine for my Mac, although DHCP takes 20-30 seconds when connecting for the first time with dot1x (anyone got any tip on why for this one?)

However, when connecting a Windows machine to a port I do get the login prompt for dot1x (after some fiddling with the adapter settings) but it fails to connect to the network. The response on my NAC is:

Reason:
Rejected NTLM authentication

State Description:
eap_peap: We sent a success, but the client did not agree eap: Failed continuing EAP PEAP (25) session. EAP sub-module failed

I cannot find any information on this, thus I am asking for anyone's help first before creating a GTAC ticket. Anyone here who has seen the same issues?

8 REPLIES

Akkertje
New Contributor
Guys,

Thanks for assisting. After upgrading the drivers all was fine.

Ryan_Yacobucci
Extreme Employee
Hello,

I suggest opening a ticket with GTAC. This will require additional investigation.

From what I can tell the client is rejecting the EAP-Success provided by the NAC.

Debug of the reject:

Wed Jan 24 15:21:23 2018 : Debug: (194) eap_peap: Client rejected our response. The password is probably incorrect
Wed Jan 24 15:21:23 2018 : ERROR: (194) eap_peap: We sent a success, but the client did not agree
Wed Jan 24 15:21:23 2018 : ERROR: (194) eap: Failed continuing EAP PEAP (25) session. EAP sub-module failed
Wed Jan 24 15:21:23 2018 : Debug: (194) eap: Sending EAP Failure (code 4) ID 153 length 4
Wed Jan 24 15:21:23 2018 : Debug: (194) eap: Failed in EAP select
Wed Jan 24 15:21:23 2018 : Debug: (194) modsingle[authenticate]: returned from eap (rlm_eap) for request 194
Wed Jan 24 15:21:23 2018 : Debug: (194) [eap] = invalid
Wed Jan 24 15:21:23 2018 : Debug: (194) } # authenticate = invalid
Wed Jan 24 15:21:23 2018 : Debug: (194) Failed to authenticate the user
Wed Jan 24 15:21:23 2018 : Debug: (194) Using Post-Auth-Type Reject

Trace indicates successful transmission and acceptance of the RADIUS server certificate.

Debug indicates successful NTLM authentication and NT-HASH returned from Active Directory.

Wed Jan 24 15:21:23 2018 : Debug: (192) mschap: EXPAND --nt-response=%{mschap:NT-Response:-00}
Wed Jan 24 15:21:23 2018 : Debug: (192) mschap: --> --nt-response=a1341a1585a1a260b28880e33dd1b4513253f1fb40150b66
Wed Jan 24 15:21:23 2018 : Debug: (192) mschap: Program returned code (0) and output 'NT_KEY: F7D858C45869D7002C9E2F00968C25C3'
Wed Jan 24 15:21:23 2018 : Debug: (192) mschap: Adding MS-CHAPv2 MPPE keys
Wed Jan 24 15:21:23 2018 : Debug: (192) modsingle[authenticate]: returned from mschap (rlm_mschap) for request 192
Wed Jan 24 15:21:23 2018 : Debug: (192) [mschap] = ok
Wed Jan 24 15:21:23 2018 : Debug: (192) if (reject) {
Wed Jan 24 15:21:23 2018 : Debug: (192) if (reject) -> FALSE
Wed Jan 24 15:21:23 2018 : Debug: (192) } # Auth-Type MS-CHAP = ok
Wed Jan 24 15:21:23 2018 : Debug: (192) MSCHAP Success

It appears that NAC sent the final "EAP-Success" and the client returned a failure instead of the final EAP success message that would result in a RADIUS accept.

Potentially a trace on the client side would shed more light, but I would highly suggest going through GTAC at this point.

I found a few freeRADIUS threads, but the referenced "files" keyword I haven't found in the NAC's freeRADIUS files.

1. http://lists.freeradius.org/pipermail/freeradius-users/2016-August/084441.html

This is referencing a "users" file that may have been misconfigured, have you modified any of the freeRADIUS configurations in your deployment directly?

2. https://superuser.com/questions/940829/radius-wifi-not-working-on-windows-8-1-and-windows-10-with-do...

This article suspects possible driver issues causing the problem. Have you updated drivers?

3. http://lists.freeradius.org/pipermail/freeradius-users/2010-August/048137.html

A Samba bug was identified. 8.0 NAC is using Samba 4.3.11, so if you're on 8.0 it's not applicable.

Thanks
-Ryan
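The two debug excerpts above show the pattern Ryan describes: the inner MSCHAPv2 exchange against AD returns ok in request 192, and two requests later the supplicant answers the EAP-Success with a failure, which rlm_eap_peap reports as "the password is probably incorrect" even though the credentials were already accepted. The script below is an added example, not code from the thread or from Extreme Networks, that parses FreeRADIUS debug lines in this format, groups them by request id, and tells a genuine credential failure apart from a supplicant that rejected an EAP-Success after a successful inner auth. The sample log is constructed (the NT_KEY value is replaced by a placeholder and request 301 is invented to show a contrasting bad-password case); the request-id window of 4 is an assumption about how close the inner and outer requests of one PEAP session sit in the log.

```python
import re
from collections import defaultdict

# Line format as seen in the FreeRADIUS debug output quoted in the thread:
#   "<timestamp> : <Level>: (<request-id>) <message>"
LINE_RE = re.compile(
    r"^(?P<ts>.+?) : (?P<level>Debug|ERROR|WARNING|Info): \((?P<req>\d+)\) (?P<msg>.*)$"
)

INNER_OK = "MSCHAP Success"                                          # inner MSCHAPv2 accepted by AD
OUTER_REJECTED = "We sent a success, but the client did not agree"  # supplicant refused EAP-Success
AUTH_FAILED = "Failed to authenticate the user"

# Constructed sample: requests 192/194 mirror the thread (NT_KEY redacted),
# request 301 is an invented plain bad-password reject for contrast.
SAMPLE_LOG = """\
Wed Jan 24 15:21:23 2018 : Debug: (192) mschap: Program returned code (0) and output 'NT_KEY: <redacted>'
Wed Jan 24 15:21:23 2018 : Debug: (192) mschap: Adding MS-CHAPv2 MPPE keys
Wed Jan 24 15:21:23 2018 : Debug: (192) [mschap] = ok
Wed Jan 24 15:21:23 2018 : Debug: (192) MSCHAP Success
Wed Jan 24 15:21:23 2018 : Debug: (194) eap_peap: Client rejected our response. The password is probably incorrect
Wed Jan 24 15:21:23 2018 : ERROR: (194) eap_peap: We sent a success, but the client did not agree
Wed Jan 24 15:21:23 2018 : ERROR: (194) eap: Failed continuing EAP PEAP (25) session. EAP sub-module failed
Wed Jan 24 15:21:23 2018 : Debug: (194) eap: Sending EAP Failure (code 4) ID 153 length 4
Wed Jan 24 15:21:23 2018 : Debug: (194) Failed to authenticate the user
Wed Jan 24 15:22:05 2018 : Debug: (301) [mschap] = reject
Wed Jan 24 15:22:05 2018 : Debug: (301) Failed to authenticate the user
"""


def parse_log(text):
    """Group messages by FreeRADIUS request id, preserving order; ignore unparseable lines."""
    by_req = defaultdict(list)
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            by_req[int(m["req"])].append(m["msg"])
    return dict(by_req)


def classify_failures(text, window=4):
    """For every request that ends in an authentication failure, decide whether it
    looks like a credential/policy failure or like the thread's pattern: the inner
    MSCHAPv2 exchange succeeded in a recent request (assumed to be the same PEAP
    tunnel when the id is within `window`) yet the supplicant rejected EAP-Success.
    Returns {failed_request_id: (verdict, inner_success_request_id_or_None)}."""
    by_req = parse_log(text)
    inner_ok = sorted(r for r, msgs in by_req.items() if any(INNER_OK in m for m in msgs))
    verdicts = {}
    for req, msgs in sorted(by_req.items()):
        if not any(AUTH_FAILED in m for m in msgs):
            continue
        client_refused = any(OUTER_REJECTED in m for m in msgs)
        prior = [r for r in inner_ok if req - window <= r < req]
        if client_refused:
            # Inner auth already passed: the "password is probably incorrect" hint is
            # misleading; look at the supplicant (driver, PEAP settings) instead.
            verdicts[req] = ("supplicant-rejected-eap-success", prior[-1] if prior else None)
        else:
            verdicts[req] = ("credential-or-policy-failure", None)
    return verdicts


if __name__ == "__main__":
    for req, (verdict, inner) in classify_failures(SAMPLE_LOG).items():
        extra = f" (inner MSCHAPv2 ok in request {inner})" if inner else ""
        print(f"request {req}: {verdict}{extra}")
```

Running it on the sample prints request 194 as a supplicant-side rejection tied to the successful inner request 192, and request 301 as an ordinary credential failure; on a real radius debug capture it gives a quick way to confirm the thread's diagnosis before opening a GTAC case.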

Akkertje
New Contributor
Ryan,

I just uploaded the files with the note being this topic. The files have your name in front as well.
What part of the supplicant would you like to see?

This is a wireless client btw (Windows 10 of course)

Keene__Scott
Extreme Employee
If you can open a GTAC case we will take a look at the debug. We will need the exported events, tag.log, radius.log, and the MAC address of the End System. Thanks.