NAC 5.1.0.140 PEAP Authentication fails if username does not match the exact sAMAccountName

Michael_Kirchne — Mon, 03 Mar 2014 16:15:00 GMT

I upgraded NAC from 5.0.0.232 to 5.1.0.140. After the upgrade the PEAP Authentication of users failed with the error message: "The authentication request was rejected due to NTLM authentication error: Logon failure (0xc000006d)"

I figured out that this is because the username with which the user logs into windows does not match excactly the sAMAccountName of the Active Directory. E.g.:
- AD: UserName
- Winlogin: username

When the user loggs in withe the exact typo - the authentication is passed.

I get this out of tag.log:

If auth passes:

2014-02-26 13:47:13,424 DEBUG [NacAAAServerRequestProcessor] ESDMAC:9B-F8-38 Stripping domain from username: ACME\UserName to be: UserName for LDAP request...
2014-02-26 13:47:13,424 DEBUG [NacAAAServerRequestProcessor] ESDMAC:9B-F8-38 Authenticate user: UserName with LDAP configuration: ACME-AD, ldapAuthType: NTLM_AUTH, ldapDomainName: acme.com, ldapPasswordAttr: null
2014-02-26 13:47:13,424 DEBUG [NacAAAServerRequestProcessor] ESDMAC:9B-F8-38 getNacResponse for MAC: 70-5A-B6-9B-F8-38 => NAC AAA Response [ID:2412, Command: Proxy User To LDAP Server(0x25), Version: NAC Version 5.1.0(7)]
Proxy To: acme.com
Stripped UserName: UserName
Handle MsCHAP User-Name: Do Nothing(0x0)

If auth fails:

2014-02-26 13:39:28,650 DEBUG [NacAAAServerRequestProcessor] ESDMAC:9B-F8-38 Stripping domain from username: ACME\username to be: username for LDAP request...
2014-02-26 13:39:28,650 DEBUG [NacAAAServerRequestProcessor] ESDMAC:9B-F8-38 Authenticate user: username with LDAP configuration: ACME-AD, ldapAuthType: NTLM_AUTH, ldapDomainName: acme.com, ldapPasswordAttr: null
2014-02-26 13:39:28,650 DEBUG [NacAAAServerRequestProcessor] ESDMAC:9B-F8-38 getNacResponse for MAC: 70-5A-B6-9B-F8-38 => NAC AAA Response [ID:1877, Command: Proxy User To LDAP Server(0x25), Version: NAC Version 5.1.0(7)]
Proxy To: acme.com
Stripped UserName: username
Handle MsCHAP User-Name: Replace MsCHAP User-Name with User-Name(0x1)

Best Regards,
Michael

RE: NAC 5.1.0.140 PEAP Authentication fails if username does not match the exact sAMAccountName

Ryan_Yacobucci — Fri, 21 Mar 2014 00:25:00 GMT

Hello,

Can you try to apply the following appliance property to the NAC appliance and see if it resolves the issue:

Right click the NAC appliance and click "add appliance property"

Click the small green "add property" button.

For the property name use: RADIUS_XP_LOCAL_AUTH_FIX_USERNAME
For the property value use: false

Make sure there are no extra spaces and it is caps sensitive. If you have multiple appliances add the property accordingly.

Does this appliance property resolve the issue?

Thanks
-Ryan

topic RE: NAC 5.1.0.140 PEAP Authentication fails if username does not match the exact sAMAccountName in Analytics & Visibility

NAC 5.1.0.140 PEAP Authentication fails if username does not match the exact sAMAccountName

RE: NAC 5.1.0.140 PEAP Authentication fails if username does not match the exact sAMAccountName