Rejected NTLM authentication - EAC LDAP integration not working with windows

  • Problem
  • Updated 7 months ago
  • Solved
We have a lab running with a basic dot1x setup for NAC and also a very basic AD setup.
I created a few users and integrated the LDAP connection with NAC successfully. This all works just fine on Mac-based clients. I can also successfully connect on the wireless network using Mac, iPhone and Windows clients.

The problem I am facing is when I connect through a switchport (cable). This works just fine for my Mac, although DHCP takes 20-30 seconds when connecting for the first time with dot1x (anyone got any tip on why for this one?).

However, when connecting a Windows machine to a port I do get the login prompt for dot1x (after some fiddling with the adapter settings), but it fails to connect to the network. The response on my NAC is:

Reason:
Rejected NTLM authentication

State Description:
eap_peap: We sent a success, but the client did not agree eap: Failed continuing EAP PEAP (25) session.  EAP sub-module failed

I cannot find any information on this, thus I am asking for anyone's help first before creating a GTAC ticket. Anyone here who has seen the same issues?

Akkertje

Posted 7 months ago

Yacobucci, Ryan, Multi-Tier Technical Support Engineer
Hello,

Would you be able to provide the RADIUS.log with diagnostics enabled?

It looks like you may be having a problem with EAP negotiation. Is the client configured for EAP-PEAP?

Thanks
-Ryan
Keene, Scott, Employee NMS/GTAC
Hello,

You will likely need to get some debug gathered and configs sent into GTAC.  Does 802.1x work with any Windows End Systems or just certain ones?  Is there an NTLM error code in the error you see?  These error codes come from AD...like if someone used the wrong password, for example.

Is NAC joined to the AD?   This is required if you are terminating 802.1x at the NAC via "LDAP/NTLM" Authentication.  Specific permissions in AD are required for this and pertain to the user that is configured in your LDAP Config.  You can look in the tag.log to see if NAC was able to join the AD.  SSH to the NAC and type:  nacctl restart
Open /var/log/tag.log and look for a message that NAC was able to join the AD at or about the time you ran the nacctl command.  If it did not join, then this is likely the main issue.

DHCP issues are typically a result of a failed authentication and are not relevant to 802.1x as this is at Layer 2.

If NAC "is" AD joined, then this KCS article is to troubleshoot why the authentication failed.  You can also submit the debug in a GTAC case:

https://gtacknowledge.extremenetworks.com/articles/How_To/NAC-Troubleshooting-Tips-Debug-methodology...
Regards,

Scott Keene
NMS/NAC Support
Extreme GTAC
Akkertje
Hi,

Ryan, I can include the logs, but it is a lot of information. Is there some way I can get it just to you?
The client is configured for EAP-PEAP indeed. I just tried wireless as well on the windows client and it fails as well.

So Mac (and iPhone) work fine with dot1x and as expected. Only Windows seems to be the problem.

@Scott:
Is NAC joined to the AD?
Yes it is. As stated, Mac (as in MacBook OS X) is working just fine with dot1x, wired and wireless.

Does 802.1x work with any Windows End Systems or just certain ones?
I have just the windows 10 to test.

DHCP issues are typically a result of a failed authentication and are not relevant to 802.1x as this is at Layer 2.
I tend to disagree. Sure, it's Layer 2, but when connecting to a port with authentication disabled I get an IP in a second. And when authentication has completed (succeeded) I get an IP really fast after disconnecting and reconnecting the port. And as stated, authentication does not fail.
Yacobucci, Ryan, Multi-Tier Technical Support Engineer
Hello,

If you have an Extreme portal account you can send the files to our secure FTP site and I can review them:

https://secure-file.extremenetworks.com

If you have a wireshark trace of the RADIUS communication as well as screenshots of the supplicant I can take a look.

Thanks
-Ryan
Keene, Scott, Employee NMS/GTAC
If you can open a GTAC case we will take a look at the debug.  We will need the exported events, tag.log, radius.log, and the MAC address of the End System.  Thanks.
Akkertje
Ryan,

I just uploaded the files with the note being this topic. The files have your name in front as well.
What part of the supplicant would you like to see?

This is a wireless client, by the way (Windows 10, of course).
Yacobucci, Ryan, Multi-Tier Technical Support Engineer
Hello,

I suggest opening a ticket with GTAC. This will require additional investigation.

From what I can tell the client is rejecting the EAP-Success provided by the NAC.

Debug of the reject:

Wed Jan 24 15:21:23 2018 : Debug: (194) eap_peap: Client rejected our response.  The password is probably incorrect
Wed Jan 24 15:21:23 2018 : ERROR: (194) eap_peap: We sent a success, but the client did not agree
Wed Jan 24 15:21:23 2018 : ERROR: (194) eap: Failed continuing EAP PEAP (25) session.  EAP sub-module failed
Wed Jan 24 15:21:23 2018 : Debug: (194) eap: Sending EAP Failure (code 4) ID 153 length 4
Wed Jan 24 15:21:23 2018 : Debug: (194) eap: Failed in EAP select
Wed Jan 24 15:21:23 2018 : Debug: (194)     modsingle[authenticate]: returned from eap (rlm_eap) for request 194
Wed Jan 24 15:21:23 2018 : Debug: (194)     [eap] = invalid
Wed Jan 24 15:21:23 2018 : Debug: (194)   } # authenticate = invalid
Wed Jan 24 15:21:23 2018 : Debug: (194) Failed to authenticate the user
Wed Jan 24 15:21:23 2018 : Debug: (194) Using Post-Auth-Type Reject

Trace indicates successful transmission and acceptance of the RADIUS server certificate.

Debug indicates successful NTLM authentication and NT-HASH returned from Active Directory.

Wed Jan 24 15:21:23 2018 : Debug: (192) mschap: EXPAND --nt-response=%{mschap:NT-Response:-00}
Wed Jan 24 15:21:23 2018 : Debug: (192) mschap:    --> --nt-response=a1341a1585a1a260b28880e33dd1b4513253f1fb40150b66
Wed Jan 24 15:21:23 2018 : Debug: (192) mschap: Program returned code (0) and output 'NT_KEY: F7D858C45869D7002C9E2F00968C25C3'
Wed Jan 24 15:21:23 2018 : Debug: (192) mschap: Adding MS-CHAPv2 MPPE keys
Wed Jan 24 15:21:23 2018 : Debug: (192)     modsingle[authenticate]: returned from mschap (rlm_mschap) for request 192
Wed Jan 24 15:21:23 2018 : Debug: (192)     [mschap] = ok
Wed Jan 24 15:21:23 2018 : Debug: (192)     if (reject) {
Wed Jan 24 15:21:23 2018 : Debug: (192)     if (reject)  -> FALSE
Wed Jan 24 15:21:23 2018 : Debug: (192)   } # Auth-Type MS-CHAP = ok
Wed Jan 24 15:21:23 2018 : Debug: (192) MSCHAP Success

It appears that NAC sent the final "EAP-Success" and the client returned a failure instead of the final EAP success message that would result in a RADIUS accept.

Potentially a trace on the client side would shed more light, but I would highly suggest going through GTAC at this point.

I found a few freeRADIUS threads, but the referenced "files" keyword I haven't found in the NAC's freeRADIUS files.

1. http://lists.freeradius.org/pipermail/freeradius-users/2016-August/084441.html

This is referencing a "users" file that may have been misconfigured, have you modified any of the freeRADIUS configurations in your deployment directly?

2. https://superuser.com/questions/940829/radius-wifi-not-working-on-windows-8-1-and-windows-10-with-do...

This article suspects possible driver issues causing the problem. Have you updated drivers?

3. http://lists.freeradius.org/pipermail/freeradius-users/2010-August/048137.html

A Samba bug was identified. 8.0 NAC is using Samba 4.3.11, so if you're on 8.0 it's not applicable.

Thanks
-Ryan
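The triage Ryan walks through above (inner MS-CHAPv2 succeeded against AD, yet the outer PEAP session ended with the supplicant rejecting the EAP-Success) can be automated over a radius.log with diagnostics enabled. The following is an added example, not code from the thread or from Extreme NAC; it assumes the FreeRADIUS line format quoted above, where the inner request (192) and the outer PEAP request (194) carry different request ids, and the sample log is constructed from those lines plus a constructed AD wrong-password case for contrast.

```python
import re
from collections import defaultdict

# Matches "Wed Jan 24 15:21:23 2018 : Debug: (194) eap_peap: ..." as quoted in the thread.
LINE_RE = re.compile(r"^(?P<ts>.+?) : (?P<level>\w+): \((?P<req>\d+)\)\s*(?P<msg>.*)$")

# Constructed sample, modelled on the radius.log excerpt above. Request 201 is a
# constructed AD logon failure; its output string is modelled on ntlm_auth, not copied from the thread.
SAMPLE_LOG = """\
Wed Jan 24 15:21:23 2018 : Debug: (192) mschap: Adding MS-CHAPv2 MPPE keys
Wed Jan 24 15:21:23 2018 : Debug: (192)     [mschap] = ok
Wed Jan 24 15:21:23 2018 : Debug: (192) MSCHAP Success
Wed Jan 24 15:21:23 2018 : Debug: (194) eap_peap: Client rejected our response.  The password is probably incorrect
Wed Jan 24 15:21:23 2018 : ERROR: (194) eap_peap: We sent a success, but the client did not agree
Wed Jan 24 15:21:23 2018 : ERROR: (194) eap: Failed continuing EAP PEAP (25) session.  EAP sub-module failed
Wed Jan 24 15:21:23 2018 : Debug: (194) Using Post-Auth-Type Reject
Wed Jan 24 15:21:24 2018 : Debug: (201) mschap: Program returned code (1) and output 'Logon failure (0xc000006d)'
Wed Jan 24 15:21:24 2018 : Debug: (201)     [mschap] = reject
Wed Jan 24 15:21:24 2018 : Debug: (201) Using Post-Auth-Type Reject
"""


def classify(log_text):
    """Return {request_id: verdict} so the two failure classes from the thread can be told apart:
    an AD-side credential rejection versus a supplicant that refuses a genuine EAP-Success."""
    events = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a per-request log line (header, blank, continuation)
        req, msg = m["req"], m["msg"].strip()
        if msg.startswith("[mschap] = ok") or msg == "MSCHAP Success":
            events[req].add("mschap_ok")            # ntlm_auth returned an NT_KEY: AD accepted the user
        elif msg.startswith("[mschap] = reject") or "Program returned code (1)" in msg:
            events[req].add("mschap_reject")        # AD (via Samba/winbind) rejected the credentials
        if "We sent a success, but the client did not agree" in msg:
            events[req].add("client_rejected_success")  # the pattern from this thread
        if msg == "Using Post-Auth-Type Reject":
            events[req].add("rejected")

    verdicts = {}
    for req, ev in events.items():
        if "client_rejected_success" in ev:
            verdicts[req] = "supplicant_rejected_eap_success"  # check client/driver, not AD
        elif "mschap_reject" in ev:
            verdicts[req] = "ad_rejected_credentials"          # wrong password or AD join problem
        elif "mschap_ok" in ev and "rejected" not in ev:
            verdicts[req] = "inner_auth_ok"
        else:
            verdicts[req] = "unknown"
    return verdicts
```

Run it over a full radius.log and any request tagged supplicant_rejected_eap_success points at the client side (as the driver update in this thread confirmed), while ad_rejected_credentials points back at the LDAP/NTLM configuration or the AD join that Scott describes.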
Akkertje
Guys,

Thanks for assisting. After upgrading the drivers all was fine.