This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Extreme Control Machine + User authentication fails

Extreme Control Machine + User authentication fails

Go to solution
SDR
New Contributor III

‎02-05-2021 01:21 PM


Hi,

This Topic is a a follow up to


 

Although, I hopefully configured everything as advised and discussed in above thread,   

Machine + User authentication fails. (Machine auth ONLY works fine, now!)

Below is a screenshot of  the EvaluationTool result:

 

9b635a8e5ebc40f6a8c66126253d4e30_70302b0d-5609-4778-b310-606ec3098b0f.jpg

 

I don´t see the mistake….

0 Kudos
1 ACCEPTED SOLUTION

Go to solution
SDR
New Contributor III

‎02-26-2021 10:35 AM

Dear all,

today customer tested the solution/correction and it worked.

Below my solution/explanation:

In an earlier mentioned documentation (https://extremeportal.force.com/ExtrArticleDetail?an=000080814)  I primarily followed it was advised to use “cn” as Host Search Attibute (within the LDAP-configuration of “Domain users”

At least in my environment, this did not work (as shown in above screenshots). The solution was to use “dNSHostName” as Host Search Attibute (which is the default).

Changing this, the configuration worked. Machine AND User-Authentication are passed successfull.

Unfortunately, this solution is already described in https://extremeportal.force.com/ExtrArticleDetail?an=000082479 which I found during my troubleshooting.

 

In addition to this modification of the solution, I changed the advised order of the Rules.

Instead of 

  1. Authenticate and authorise a machine
  2. Authenticate and authorise a machine as a valid domain computer with a valid domain user logged in
  3. Deny a valid user who is on a non-domain (BYOD) computer

In my environment, Rule “2” never will be verified, after a Machine was successfully authenticated.

So, no user-authentication will ever happen.

For that reason, I switched the order of rule 1 and 2 and afterwards, all variations could be verified and authenticated.

 

Thanks all for your assistance.

View solution in original post

0 Kudos
16 REPLIES 16

Go to solution
SDR
New Contributor III

‎02-26-2021 10:35 AM

Dear all,

today customer tested the solution/correction and it worked.

Below my solution/explanation:

In an earlier mentioned documentation (https://extremeportal.force.com/ExtrArticleDetail?an=000080814)  I primarily followed it was advised to use “cn” as Host Search Attibute (within the LDAP-configuration of “Domain users”

At least in my environment, this did not work (as shown in above screenshots). The solution was to use “dNSHostName” as Host Search Attibute (which is the default).

Changing this, the configuration worked. Machine AND User-Authentication are passed successfull.

Unfortunately, this solution is already described in https://extremeportal.force.com/ExtrArticleDetail?an=000082479 which I found during my troubleshooting.

 

In addition to this modification of the solution, I changed the advised order of the Rules.

Instead of 

  1. Authenticate and authorise a machine
  2. Authenticate and authorise a machine as a valid domain computer with a valid domain user logged in
  3. Deny a valid user who is on a non-domain (BYOD) computer

In my environment, Rule “2” never will be verified, after a Machine was successfully authenticated.

So, no user-authentication will ever happen.

For that reason, I switched the order of rule 1 and 2 and afterwards, all variations could be verified and authenticated.

 

Thanks all for your assistance.

0 Kudos

Go to solution
SDR
New Contributor III

‎02-18-2021 12:11 PM

Dear all,

I don´t know why, however I missed the last updates from Tomasz + Miguel.

Sorry, that was not intended.

 

Luckily it seems, that I could solve the issue by myself in the meantime.

At least, the Eval-Tool now shows a match to the according rule.

As i´m pretty unsure in this topic, I would like to wait for customer to test and confirm the solution.

Afterwards, I´ll update this topic.

Thanks @ALL for your help so far.

Stefan

0 Kudos

Go to solution
Miguel-Angel_RO
Valued Contributor II

‎02-13-2021 10:46 AM

SDR,

As far as I remeber there were some issue for this config on double authentication (user+computer) using an LDAP validation for the computer. A specific agent could be necessary (Cisco does that) with windows.

This is the reason why an alternative with the workflow and script mentioned in my previous posts was done.

As a reminder this way of working is using MAC check instead of LDAP check to validate the computer during a user auth:

"Add MAC to Domain Computers" is executed when the computer authenticates. The MAC address is added to End-System and the timestamp is created (updated). Consequent User authentication can be combined with the condition of the End-System group. "Clear old End-Systems in the group" checks if the timestamp is older than X hours and old End-Systems are deleted from the group.

 

Maybe @Zdenek Pala could briefly comment this use case.

Mig

 

0 Kudos

Go to solution
Tomasz
Valued Contributor II

‎02-12-2021 04:40 PM

Hi,

 

Just a quick question, sorry if I misunderstood anything above. Your End-System Group checks if the device’s objectCategory is cn=computer(...). Is that what you need to check? What is the MV-NB-IT-13 objectCategory?

Quite often group membership in LDAP is checked with attribute like memberOf. dNSHostName is something you define in LDAP configurations for host lookup so when NAC receives auth request with a unique hostname, it can search in LDAP for a relevant device’s details (to match authenticating hostname and its LDAP reference).

 

Hope that helps,

Tomasz

0 Kudos
GTM-P2G8KFN