This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forĀ
- Extreme Networks
- Community List
- Network Management & Authentication
- ExtremeCloud IQ- Site Engine Management Center
- RE: Rejected NTLM authentication - EAC LDAP integr...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Rejected NTLM authentication - EAC LDAP integration not working with windows
Rejected NTLM authentication - EAC LDAP integration not working with windows
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
ā01-24-2018 12:29 PM
We have a LAB running with a basic dot1x setup for NAC and also a very basic AD setup.
I created a few users and integrated the LDAP connection with nac successfully. This all works just fine on MAC based solutions. I can also successfully connect on the wireless network using MAC, Iphone and windows clients.
The problem i am facing is when i connect through a switchport (cable) This works just fine for my mac, altough DHCP takes 20-30 seconds when connection for the first time with dot1x (anyone got any tip on why for this one?)
However, when connecting a Windows machine to a port i do get the login prompt for dot1x (after some fiddling with the adapter settings) but it fails to connect to the network. The response on my NAC is:
Reason:
Rejected NTLM authentication
State Description:
eap_peap: We sent a success, but the client did not agree eap: Failed continuing EAP PEAP (25) session. EAP sub-module failed
I can not find any information on this, thus i am asking anyone's help first before creating a GTAC ticket. Anyone here whom has seen the same issues?
I created a few users and integrated the LDAP connection with nac successfully. This all works just fine on MAC based solutions. I can also successfully connect on the wireless network using MAC, Iphone and windows clients.
The problem i am facing is when i connect through a switchport (cable) This works just fine for my mac, altough DHCP takes 20-30 seconds when connection for the first time with dot1x (anyone got any tip on why for this one?)
However, when connecting a Windows machine to a port i do get the login prompt for dot1x (after some fiddling with the adapter settings) but it fails to connect to the network. The response on my NAC is:
Reason:
Rejected NTLM authentication
State Description:
eap_peap: We sent a success, but the client did not agree eap: Failed continuing EAP PEAP (25) session. EAP sub-module failed
I can not find any information on this, thus i am asking anyone's help first before creating a GTAC ticket. Anyone here whom has seen the same issues?
8 REPLIES 8
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
ā01-24-2018 01:16 PM
Hello,
If you have an extreme portal account you can send the files to our secure FTP site and I can review them:
https://secure-file.extremenetworks.com
If you have a wireshark trace of the RADIUS communication as well as screenshots of the supplicant I can take a look.
Thanks
-Ryan
If you have an extreme portal account you can send the files to our secure FTP site and I can review them:
https://secure-file.extremenetworks.com
If you have a wireshark trace of the RADIUS communication as well as screenshots of the supplicant I can take a look.
Thanks
-Ryan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
ā01-24-2018 01:11 PM
Hi,
Ryan, i can include the logs, but it is alot of information, is there some way i can get it just to u?
The client is configured for EAP-PEAP indeed. I just tried wireless as well on the windows client and it fails as well.
So MAC (and iphone) work fine with dot1x and as expected. only windows seems to be the problem.
@Scott:
Is NAC joined to the AD?
Yes is it. As stated MAC (as in macbook OSX) is working just fine with dot1x, wired and wireless
Does 802.1x work with any Windows End Systems or just certain ones?
I have just the windows 10 to test.
DHCP issues are typically a result of a failed authentication and are not relevant to 8021.x as this is at Layer 2.
I tend to disagree, sure it's layer 2 but when connecting to a port with authentication disabled i get an ip in a second. And when authentication has completed (succeeded) i get an ip really fast after disconnecting and reconnecting the port. And as stated, authentication does not fail.1.0.0.15
Ryan, i can include the logs, but it is alot of information, is there some way i can get it just to u?
The client is configured for EAP-PEAP indeed. I just tried wireless as well on the windows client and it fails as well.
So MAC (and iphone) work fine with dot1x and as expected. only windows seems to be the problem.
@Scott:
Is NAC joined to the AD?
Yes is it. As stated MAC (as in macbook OSX) is working just fine with dot1x, wired and wireless
Does 802.1x work with any Windows End Systems or just certain ones?
I have just the windows 10 to test.
DHCP issues are typically a result of a failed authentication and are not relevant to 8021.x as this is at Layer 2.
I tend to disagree, sure it's layer 2 but when connecting to a port with authentication disabled i get an ip in a second. And when authentication has completed (succeeded) i get an ip really fast after disconnecting and reconnecting the port. And as stated, authentication does not fail.1.0.0.15
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
ā01-24-2018 12:41 PM
Hello,
You will likely need to get some debug gathered and configs sent into GTAC. Does 802.1x work with any Windows End Systems or just certain ones? Is there an NTLM error code in the error you see? These error code come from AD...like if someone used the wring password for example.
Is NAC joined to the AD? This is required if you are terminating 802.1x at the NAC via "LDAP/NTLM" Authentication. Specific permissions in AD are required for this and pertain to the user that is configured in your LDAP Config. You can look in the tag.log for to see if NAC was able to join the AD. SSH to the NAC and type: nacctl restart
Open the /var/log/tag.log and look for a message that NAC was able to join the AD at or about the time you ran the nacctl command. If it did not join, then this is likely the main issue.
DHCP issues are typically a result of a failed authentication and are not relevant to 8021.x as this is at Layer 2.
If NAC "is" AD joined, then this is KCS article to troubleshoot why the authentication failed. You can also submit the debug in a GTAC case:
https://gtacknowledge.extremenetworks.com/articles/How_To/NAC-Troubleshooting-Tips-Debug-methodology...
Regards,
Scott Keene
NMS/NAC Support
Extreme GTAC
You will likely need to get some debug gathered and configs sent into GTAC. Does 802.1x work with any Windows End Systems or just certain ones? Is there an NTLM error code in the error you see? These error code come from AD...like if someone used the wring password for example.
Is NAC joined to the AD? This is required if you are terminating 802.1x at the NAC via "LDAP/NTLM" Authentication. Specific permissions in AD are required for this and pertain to the user that is configured in your LDAP Config. You can look in the tag.log for to see if NAC was able to join the AD. SSH to the NAC and type: nacctl restart
Open the /var/log/tag.log and look for a message that NAC was able to join the AD at or about the time you ran the nacctl command. If it did not join, then this is likely the main issue.
DHCP issues are typically a result of a failed authentication and are not relevant to 8021.x as this is at Layer 2.
If NAC "is" AD joined, then this is KCS article to troubleshoot why the authentication failed. You can also submit the debug in a GTAC case:
https://gtacknowledge.extremenetworks.com/articles/How_To/NAC-Troubleshooting-Tips-Debug-methodology...
Regards,
Scott Keene
NMS/NAC Support
Extreme GTAC
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
ā01-24-2018 12:33 PM
Hello,
Would you be able to provide the RADIUS.log with diagnostics enabled?
It looks like you may be having a problem with EAP negotiation. Is the client configured for EAP-PEAP?
Thanks
-Ryan
Would you be able to provide the RADIUS.log with diagnostics enabled?
It looks like you may be having a problem with EAP negotiation. Is the client configured for EAP-PEAP?
Thanks
-Ryan
