topic Re: Extreme Control Machine + User authentication fails in ExtremeControl

Extreme Control Machine + User authentication fails

SDR — Fri, 05 Feb 2021 21:21:09 GMT

Hi,

This Topic is a a follow up to

Although, I hopefully configured everything as advised and discussed in above thread,

Machine + User authentication fails. (Machine auth ONLY works fine, now!)

Below is a screenshot of the EvaluationTool result:

I don´t see the mistake….

Re: Extreme Control Machine + User authentication fails

StephanH — Fri, 05 Feb 2021 21:27:42 GMT

Hello SDR,

take the user data you see in Eval Tool. Got to the corresponding LDAP Rule and select test.

Fill in the user data and check if you receive the result that you expect.

Re: Extreme Control Machine + User authentication fails

Miguel-Angel_RO — Fri, 05 Feb 2021 21:31:10 GMT

SDR,

Your rules seems to be wrong.

The non domain machine rule is matching an AD user on a AD computer.

Could you share a screen of the rules?

Mig

Re: Extreme Control Machine + User authentication fails

SDR — Fri, 05 Feb 2021 21:36:55 GMT

We already did and to my understanding, the tests were sucessfull.

Re: Extreme Control Machine + User authentication fails

SDR — Fri, 05 Feb 2021 21:40:20 GMT

See below - as we are still testing, we did not focus on the “actions” (profiles)

Re: Extreme Control Machine + User authentication fails

StephanH — Sat, 06 Feb 2021 01:47:35 GMT

Hello SDR,

your maschine is matching IS NOT in End-System Groups AD machine

and is not matching IS in End-System Groups AD machine

=> Are you 100% sure that the maschine is in the expacted AD group?

That’s why I ask if you can see if the client is in the group (with the LDAP test tool)

Re: Extreme Control Machine + User authentication fails

Miguel-Angel_RO — Sat, 06 Feb 2021 02:36:32 GMT

Hi SDR,

Looking at those screens I see:

From the rules: “Machine and User Auth” is expecting “End-Systems Groups AD machines”
From the evaluation tool: “Th Host ...doesn’t have LDAP attributes..in this inclusive LDAP Host Group End-Systems Groups AD machines”

Looking at the the description of the workflows and scripts from Zdenek we see:

"Add MAC to Domain Computers" is executed when the computer authenticates. The MAC address is added to End-System and the timestamp is created (updated). Consequent User authentication can be combined with the condition of the End-System group. "Clear old End-Systems in the group" checks if the timestamp is older than X hours and old End-Systems are deleted from the group.

From the script description, it means that the HOST (read “End-System”) is to be looked into a group of MAC adresses while you defined and LDAP group in the rule for the statement “End-System is in”.

To make it shorter, you’ll store (for a defined period of time) all the MAC addresses from the AD computers (having been authenticated) in a group and check if the authenticating user is with a computer having his MAC in this group.

I know that the way this script works is not very intuitive (looking for a MAC to see if a computer belongs to an AD domain) but there are some technical constrains on the authentication steps that implies this solution.

Mig

Re: Extreme Control Machine + User authentication fails

StephanH — Sat, 06 Feb 2021 02:58:18 GMT

Hello SDR, hello Mig,

I'm a little confused. What are you trying to implement SDR? Based on your ruleset, I assumed you were using the procedure described here:

https://extremeportal.force.com/ExtrArticleDetail?an=000080814&q=nuc%20802.1x%20ldap%20user%20&_ga=2.117373440.783434873.1612345045-1757759156.15976588

Re: Extreme Control Machine + User authentication fails

Miguel-Angel_RO — Sat, 06 Feb 2021 03:06:36 GMT

That wasn’t my understanding…

SDR, It would be nice to clarify the exact use case and method you are trying to achieve.

Mig

Re: Extreme Control Machine + User authentication fails

SDR — Tue, 09 Feb 2021 22:05:58 GMT

Hello Stephan, Mig,

sorry for delay due to private reasons.

@Miguel-Angel RODRIGUEZ-GARCIA : I thought, you understood my use case, as you gave me several hints, how to get mor close to the solution. Sorry for not beeing detailed enough.

@StephanH : You are right. I followed the linked procedure to realize customers wish:

Authenticate Windows CLIENT based on machine being in the AD.
Authenticate Windows USER on Windows CLIENT based on machine AND User being in the AD.
Reject Non-domain machine.

According to the documents and you assistance here we managed, that

TOP 1) “Authenticate Windows CLIENT based on machine being in the AD.” works.

TOP 2) does not yet work - as documented by my screenshots.

With regards to @StephanH “Are you 100% sure that the maschine is in the expacted AD group?”my anwer is: “I am nearly 100% sure”,….

As we have no remote access to the environment at the moment, I cannot test/verify again.

However, pls clearify what/how to test.

I have to verify once again

if the Host (written exactly like thrown out in the EVAL tool) is found in LDAP-Test (which section? User search? Host search?
if the User (written exactly like thrown out in the EVAL tool) is found in LDAP-Test (which section? User search? Host search?

As soon as I have the result, i´ll post a screenshot.

Thanks + sorry for confusion, again

Stefan

Re: Extreme Control Machine + User authentication fails

StephanH — Tue, 09 Feb 2021 23:49:06 GMT

Hello Stefan,

as I wrote above. If you have two rules with two different checks (is not and is), this is the point you have to investigate first.

In the LDAP test tool use the user search for rules matching an user and the host search for rules matching the host.

You can check which LDAP rule is used via the Eval tool (second tab = 2. Authentication evaluation).

As result you will receive the groups you user/device is in.

If you play arround with these settings you will have a good understanding what happen during the ldap checks in NAC.

Re: Extreme Control Machine + User authentication fails

Miguel-Angel_RO — Wed, 10 Feb 2021 00:00:42 GMT

Stefan,

Are you meeting all the requirements for the LDAP groups?

See documentation:

Mig

Re: Extreme Control Machine + User authentication fails

SDR — Fri, 12 Feb 2021 15:44:40 GMT

Good morning all,

I´m quite desperate. I now have remote access and verified everything + also checked with the Eval-Tool + LDAP-Test-Feature.

Without success.

As shown in an earlier Screenshot, the Eval tool claims, that the Host “MV-xxx.de” does not have LDAP-attributes defined in the LDAP Host Group “End System Groups AD machines”.

Verifying this with LDAP-Test : see below:

So, there IS such an entry.

What I am confused about: This entry is found as “dNSHostName”.

According to ealier mentioned guide, “objectcategory” is defined as attribute for the group.

However, changing this to dnsNostName does not work either.

I checke configuration vs. guide several times…..don´t find the mistake.

Hope you can point out the issue….

Re: Extreme Control Machine + User authentication fails

Tomasz — Sat, 13 Feb 2021 00:40:01 GMT

Hi,

Just a quick question, sorry if I misunderstood anything above. Your End-System Group checks if the device’s objectCategory is cn=computer(...). Is that what you need to check? What is the MV-NB-IT-13 objectCategory?

Quite often group membership in LDAP is checked with attribute like memberOf. dNSHostName is something you define in LDAP configurations for host lookup so when NAC receives auth request with a unique hostname, it can search in LDAP for a relevant device’s details (to match authenticating hostname and its LDAP reference).

Hope that helps,

Tomasz

Re: Extreme Control Machine + User authentication fails

Miguel-Angel_RO — Sat, 13 Feb 2021 18:46:13 GMT

SDR,

As far as I remeber there were some issue for this config on double authentication (user+computer) using an LDAP validation for the computer. A specific agent could be necessary (Cisco does that) with windows.

This is the reason why an alternative with the workflow and script mentioned in my previous posts was done.

As a reminder this way of working is using MAC check instead of LDAP check to validate the computer during a user auth:

Maybe @Zdenek Pala could briefly comment this use case.

Mig

Re: Extreme Control Machine + User authentication fails

SDR — Thu, 18 Feb 2021 20:11:10 GMT

Dear all,

I don´t know why, however I missed the last updates from Tomasz + Miguel.

Sorry, that was not intended.

Luckily it seems, that I could solve the issue by myself in the meantime.

At least, the Eval-Tool now shows a match to the according rule.

As i´m pretty unsure in this topic, I would like to wait for customer to test and confirm the solution.

Afterwards, I´ll update this topic.

Thanks @ALL for your help so far.

Stefan

Re: Extreme Control Machine + User authentication fails

SDR — Fri, 26 Feb 2021 18:35:11 GMT

Dear all,

today customer tested the solution/correction and it worked.

Below my solution/explanation:

In an earlier mentioned documentation (https://extremeportal.force.com/ExtrArticleDetail?an=000080814) I primarily followed it was advised to use “cn” as Host Search Attibute (within the LDAP-configuration of “Domain users”

At least in my environment, this did not work (as shown in above screenshots). The solution was to use “dNSHostName” as Host Search Attibute (which is the default).

Changing this, the configuration worked. Machine AND User-Authentication are passed successfull.

Unfortunately, this solution is already described in https://extremeportal.force.com/ExtrArticleDetail?an=000082479 which I found during my troubleshooting.

In addition to this modification of the solution, I changed the advised order of the Rules.

Instead of

Authenticate and authorise a machine
Authenticate and authorise a machine as a valid domain computer with a valid domain user logged in
Deny a valid user who is on a non-domain (BYOD) computer

In my environment, Rule “2” never will be verified, after a Machine was successfully authenticated.

So, no user-authentication will ever happen.

For that reason, I switched the order of rule 1 and 2 and afterwards, all variations could be verified and authenticated.

Thanks all for your assistance.