I upgraded NAC from 5.0.0.232 to 5.1.0.140. After the upgrade the PEAP Authentication of users failed with the error message: "The authentication request was rejected due to NTLM authentication error: Logon failure (0xc000006d)"
I figured out that this is because the username with which the user logs into Windows does not match exactly the sAMAccountName of the Active Directory. E.g.:
- AD: UserName
- Winlogin: username
When the user logs in with the exact typo - the authentication is passed.
I get this out of tag.log:
If auth passes:
2014-02-26 13:47:13,424 DEBUG [NacAAAServerRequestProcessor] ESDMAC:9B-F8-38 Stripping domain from username: ACME\UserName to be: UserName for LDAP request...
2014-02-26 13:47:13,424 DEBUG [NacAAAServerRequestProcessor] ESDMAC:9B-F8-38 Authenticate user: UserName with LDAP configuration: ACME-AD, ldapAuthType: NTLM_AUTH, ldapDomainName: acme.com, ldapPasswordAttr: null
2014-02-26 13:47:13,424 DEBUG [NacAAAServerRequestProcessor] ESDMAC:9B-F8-38 getNacResponse for MAC: 70-5A-B6-9B-F8-38 => NAC AAA Response [ID:2412, Command: Proxy User To LDAP Server(0x25), Version: NAC Version 5.1.0(7)]
Proxy To: acme.com
Stripped UserName: UserName
Handle MsCHAP User-Name: Do Nothing(0x0)
If auth fails:
2014-02-26 13:39:28,650 DEBUG [NacAAAServerRequestProcessor] ESDMAC:9B-F8-38 Stripping domain from username: ACME\username to be: username for LDAP request...
2014-02-26 13:39:28,650 DEBUG [NacAAAServerRequestProcessor] ESDMAC:9B-F8-38 Authenticate user: username with LDAP configuration: ACME-AD, ldapAuthType: NTLM_AUTH, ldapDomainName: acme.com, ldapPasswordAttr: null
2014-02-26 13:39:28,650 DEBUG [NacAAAServerRequestProcessor] ESDMAC:9B-F8-38 getNacResponse for MAC: 70-5A-B6-9B-F8-38 => NAC AAA Response [ID:1877, Command: Proxy User To LDAP Server(0x25), Version: NAC Version 5.1.0(7)]
Proxy To: acme.com
Stripped UserName: username
Handle MsCHAP User-Name: Replace MsCHAP User-Name with User-Name(0x1)
Best Regards,
Michael