We are running 802.1x on our wired network to authenticate domain computers and domain users to the network. This runs fine in most cases, but some users are reporting issues where Windows will accept the login, but 802.1x (the network login part of the login process) fails with invalid credentials.
If they cancel the network login prompt, authentication will eventually succeed in the background; I don't quite understand how or why.
The following is an excerpt from the debug logging:
2020-02-24 07:36:41,641 DEBUG [com.enterasys.tesNb.server.aaaapi.NacAAARequest] (EacAAARequestHandler (Client: 127.0.0.1:42185):) Not allowing username to be a MAC because the Calling-Station-Id: "A1-B1-C1-D1-E1-F1" does not match the username: "user.name@domain.com"
2020-02-24 07:36:41,642 DEBUG [com.enterasys.tesNb.server.aaaapi.NacAAAServerRequestProcessor] (EacAAARequestHandler (Client: 127.0.0.1:42185):) ESDMAC:9D-53-E1 processRequest NacAAARequest [isFallthroughOnAuthFail=false, prevAAARuleIndex=0, fromInnerTunnel=true, lastResponseCode=255, lastProxyAction=0, proxiedToIp=null, attributes=Client Request RADIUS Attrs:
Service-Type=2
Module-Failure-Message=mschap: Program returned code (1) and output 'The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)'
Module-Failure-Message=mschap: External script says: The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)
Module-Failure-Message=mschap: MS-CHAP2-Response is incorrect
There might be an issue with the way we mix UPN and sAMAccountName for authentication. Our LDAP configuration is set to use ‘sAMAccountName’ for ‘User Search Attribute’.
Users in our domain log in using a mix of these. As NAC strips the domain this isn't really a problem (and Windows never cares anyway), but the actual problem might be that the UPN does not match the sAMAccountName in all cases, for example:
DOMAIN\Usr1
The obvious solution is to change every user account to use a uniform login, but that's simply not an option right now. I do agree this should be a goal though.
Can anyone explain how this works? In the logfile above you can see credentials are denied for a login with their UPN, but eventually the user is authenticated in NAC with their sAMAccountName. Their UPN and sAMAccountName in this case do not match.
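The following is an added illustration, not part of the original post and not NAC's or FreeRADIUS's own code. It models the two steps the post describes: the NAC domain-stripping step and an LDAP lookup keyed on the configured "User Search Attribute", against a constructed directory in which the UPN prefix (`user.name`) and the sAMAccountName (`Usr1`) deliberately differ. It then runs a small log check over the post's own debug lines to show that the username NAC extracted (`user.name@domain.com`) only resolves when the search attribute is `userPrincipalName`, while the later `DOMAIN\Usr1` form resolves under `sAMAccountName`. The directory entries, the `strip_realm` and `lookup` helpers, and the log regexes are assumptions made for this example; the real NAC and LDAP behaviour may differ in detail.

```python
import re

# Constructed sample directory (placeholder values, not a real domain).
# The first entry is the mismatch case from the post: UPN prefix != sAMAccountName.
DIRECTORY = [
    {"sAMAccountName": "Usr1", "userPrincipalName": "user.name@domain.com"},
    {"sAMAccountName": "jdoe", "userPrincipalName": "jdoe@domain.com"},
]

# Constructed excerpt modelled on the post's debug log (MAC is a placeholder).
SAMPLE_LOG = [
    '2020-02-24 07:36:41,641 DEBUG [NacAAARequest] Not allowing username to be a MAC '
    'because the Calling-Station-Id: "A1-B1-C1-D1-E1-F1" does not match the username: '
    '"user.name@domain.com"',
    "Module-Failure-Message=mschap: External script says: The attempted logon is invalid. "
    "This is either due to a bad username or authentication information. (0xc000006d)",
    "Module-Failure-Message=mschap: MS-CHAP2-Response is incorrect",
]

USERNAME_RE = re.compile(r'does not match the username: "([^"]+)"')
MSCHAP_FAIL_RE = re.compile(r"Module-Failure-Message=mschap: .*0xc000006d")


def strip_realm(login: str) -> str:
    """Assumed model of the 'NAC strips the domain' step:
    DOMAIN\\user -> user, user@realm -> user, bare user unchanged."""
    if "\\" in login:
        return login.split("\\", 1)[1]
    if "@" in login:
        return login.split("@", 1)[0]
    return login


def lookup(login: str, search_attr: str = "sAMAccountName"):
    """Assumed model of an LDAP user search keyed on the configured attribute.
    With sAMAccountName the stripped name is compared; with userPrincipalName
    the full login is compared. Returns the directory entry or None."""
    if search_attr == "sAMAccountName":
        key = strip_realm(login).lower()
        for entry in DIRECTORY:
            if entry["sAMAccountName"].lower() == key:
                return entry
    elif search_attr == "userPrincipalName":
        for entry in DIRECTORY:
            if entry["userPrincipalName"].lower() == login.lower():
                return entry
    return None


def diagnose(log_lines):
    """For each username NAC reports in the log, say how it resolves, and
    whether an MS-CHAPv2 0xc000006d failure appears in the same excerpt.
    Returns a list of (username, verdict, mschap_failed) tuples."""
    mschap_failed = any(MSCHAP_FAIL_RE.search(line) for line in log_lines)
    results = []
    for line in log_lines:
        m = USERNAME_RE.search(line)
        if not m:
            continue
        user = m.group(1)
        if lookup(user, "sAMAccountName"):
            verdict = "resolves via sAMAccountName"
        elif "@" in user and lookup(user, "userPrincipalName"):
            verdict = "UPN prefix differs from sAMAccountName; resolves only via userPrincipalName"
        else:
            verdict = "unknown user"
        results.append((user, verdict, mschap_failed))
    return results


if __name__ == "__main__":
    for user, verdict, failed in diagnose(SAMPLE_LOG):
        print(f"{user}: {verdict} (mschap failure seen: {failed})")
    # The later sAMAccountName-style login from the post resolves under the default search.
    print("DOMAIN\\Usr1 ->", lookup("DOMAIN\\Usr1"))
```

The point of the check is narrow: when the search attribute is `sAMAccountName` and the supplicant presents a UPN whose prefix is not the sAMAccountName, the stripped name finds nothing, which is consistent with an "invalid credentials" response even though the password is right. Running `diagnose` over a larger debug capture, with `DIRECTORY` replaced by an export of the real accounts, is one way to confirm whether the reported failures all fall on such mismatched accounts before deciding between changing the search attribute and harmonising logins.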