Rejected NTLM authentication - EAC LDAP integration not working with windows


Akkertje
New Contributor
We have a lab running with a basic dot1x setup for NAC and also a very basic AD setup.
I created a few users and integrated the LDAP connection with NAC successfully. This all works just fine on Mac-based solutions. I can also successfully connect to the wireless network using Mac, iPhone and Windows clients.

The problem I am facing is when I connect through a switchport (cable). This works just fine for my Mac, although DHCP takes 20-30 seconds when connecting for the first time with dot1x (anyone got a tip on why for this one?).

However, when connecting a Windows machine to a port I do get the login prompt for dot1x (after some fiddling with the adapter settings), but it fails to connect to the network. The response on my NAC is:

Reason:
Rejected NTLM authentication

State Description:
eap_peap: We sent a success, but the client did not agree eap: Failed continuing EAP PEAP (25) session. EAP sub-module failed

I cannot find any information on this, thus I am asking for anyone's help first before creating a GTAC ticket. Has anyone here seen the same issue?

8 Replies

Ryan_Yacobucci
Extreme Employee
Hello,

If you have an extreme portal account you can send the files to our secure FTP site and I can review them:

https://secure-file.extremenetworks.com

If you have a wireshark trace of the RADIUS communication as well as screenshots of the supplicant I can take a look.

Thanks
-Ryan

Akkertje
New Contributor
Hi,

Ryan, I can include the logs, but it is a lot of information. Is there some way I can get it just to you?
The client is configured for EAP-PEAP indeed. I just tried wireless as well on the Windows client and it fails as well.

So Mac (and iPhone) work fine with dot1x and as expected. Only Windows seems to be the problem.

@Scott:
Is NAC joined to the AD?
Yes it is. As stated, Mac (as in MacBook OS X) is working just fine with dot1x, wired and wireless.

Does 802.1x work with any Windows End Systems or just certain ones?
I only have Windows 10 to test with.

DHCP issues are typically a result of a failed authentication and are not relevant to 802.1x as this is at Layer 2.
I tend to disagree. Sure, it's Layer 2, but when connecting to a port with authentication disabled I get an IP in a second. And when authentication has completed (succeeded) I get an IP really fast after disconnecting and reconnecting the port. And as stated, authentication does not fail.

Keene__Scott
Extreme Employee
Hello,

You will likely need to get some debug gathered and configs sent in to GTAC. Does 802.1x work with any Windows end systems or just certain ones? Is there an NTLM error code in the error you see? These error codes come from AD, for example if someone used the wrong password.

Is NAC joined to the AD? This is required if you are terminating 802.1x at the NAC via "LDAP/NTLM" authentication. Specific permissions in AD are required for this and pertain to the user that is configured in your LDAP config. You can look in tag.log to see if NAC was able to join the AD. SSH to the NAC and type: nacctl restart
Open /var/log/tag.log and look for a message that NAC was able to join the AD at or about the time you ran the nacctl command. If it did not join, then this is likely the main issue.

DHCP issues are typically a result of a failed authentication and are not relevant to 802.1x as this is at Layer 2.

If NAC "is" AD joined, then this is the KCS article to troubleshoot why the authentication failed. You can also submit the debug in a GTAC case:

https://gtacknowledge.extremenetworks.com/articles/How_To/NAC-Troubleshooting-Tips-Debug-methodology...

Regards,

Scott Keene
NMS/NAC Support
Extreme GTAC
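The AD-join check Scott describes (note the time, run nacctl restart, then look in /var/log/tag.log for a join message at or after that time) can be scripted so the timestamp comparison is not done by eye. The following is an added example for this thread, not Extreme's own tooling. It assumes tag.log lines begin with a "YYYY-MM-DD HH:MM:SS" stamp and that the join message contains the word "join"; neither the exact log format nor the exact wording is given in the thread, so both are assumptions, and the sample log embedded for offline use is constructed.

```shell
#!/bin/sh
# Added example: find an AD join message in tag.log logged at or after the
# time "nacctl restart" was issued. Not part of the original thread.
#
# Assumptions (not stated on the page):
#   - each tag.log line starts with "YYYY-MM-DD HH:MM:SS"
#   - a successful join line contains "join" and not "fail"

TAG_LOG="${TAG_LOG:-/var/log/tag.log}"

# Print the lines of log file $1 whose leading timestamp is >= $2.
# ISO-style stamps sort lexically, so a plain string compare is enough.
lines_since() {
    awk -v since="$2" '{ ts = $1 " " $2; if (ts >= since) print }' "$1"
}

# Exit 0 if a join message (without "fail") appears in $1 at or after $2.
ad_join_logged() {
    lines_since "$1" "$2" | grep -i 'join' | grep -iv 'fail' | grep -q .
}

# Real-world usage on the NAC: record the time, restart, then check.
# The log message may take a few seconds to appear, hence the sleep.
check_nac_ad_join() {
    stamp=$(date '+%Y-%m-%d %H:%M:%S')
    nacctl restart
    sleep 10
    if ad_join_logged "$TAG_LOG" "$stamp"; then
        echo "AD join logged after $stamp"
    else
        echo "No AD join logged after $stamp; check LDAP user permissions"
        return 1
    fi
}

# Constructed sample log (format assumed) so the functions can be tried
# without access to a NAC.
make_sample() {
    cat > "$1" <<'EOF'
2023-01-01 10:00:00 INFO  tag starting
2023-01-01 10:00:02 WARN  failed to join domain LAB.LOCAL: retrying
2023-01-01 10:00:05 INFO  joined domain LAB.LOCAL
EOF
}
```

With a restart stamp of 10:00:03 the sample reports a join; with a stamp of 10:00:06 it does not, which is the "did not join" case Scott says to treat as the main issue.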

Ryan_Yacobucci
Extreme Employee
Hello,

Would you be able to provide the RADIUS.log with diagnostics enabled?

It looks like you may be having a problem with EAP negotiation. Is the client configured for EAP-PEAP?

Thanks
-Ryan