This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Extreme Control Machine + User authentication fails

Extreme Control Machine + User authentication fails

Go to solution
SDR
New Contributor III

‎02-05-2021 01:21 PM


Hi,

This Topic is a a follow up to


 

Although, I hopefully configured everything as advised and discussed in above thread,   

Machine + User authentication fails. (Machine auth ONLY works fine, now!)

Below is a screenshot of  the EvaluationTool result:

 

9b635a8e5ebc40f6a8c66126253d4e30_70302b0d-5609-4778-b310-606ec3098b0f.jpg

 

I don´t see the mistake….

0 Kudos
1 ACCEPTED SOLUTION

Go to solution
SDR
New Contributor III

‎02-26-2021 10:35 AM

Dear all,

today customer tested the solution/correction and it worked.

Below my solution/explanation:

In an earlier mentioned documentation (https://extremeportal.force.com/ExtrArticleDetail?an=000080814)  I primarily followed it was advised to use “cn” as Host Search Attibute (within the LDAP-configuration of “Domain users”

At least in my environment, this did not work (as shown in above screenshots). The solution was to use “dNSHostName” as Host Search Attibute (which is the default).

Changing this, the configuration worked. Machine AND User-Authentication are passed successfull.

Unfortunately, this solution is already described in https://extremeportal.force.com/ExtrArticleDetail?an=000082479 which I found during my troubleshooting.

 

In addition to this modification of the solution, I changed the advised order of the Rules.

Instead of 

  1. Authenticate and authorise a machine
  2. Authenticate and authorise a machine as a valid domain computer with a valid domain user logged in
  3. Deny a valid user who is on a non-domain (BYOD) computer

In my environment, Rule “2” never will be verified, after a Machine was successfully authenticated.

So, no user-authentication will ever happen.

For that reason, I switched the order of rule 1 and 2 and afterwards, all variations could be verified and authenticated.

 

Thanks all for your assistance.

View solution in original post

0 Kudos
16 REPLIES 16

Go to solution
SDR
New Contributor III

‎02-12-2021 07:44 AM

Good morning all,

 

I´m quite desperate. I now have remote access and verified everything + also checked with the Eval-Tool + LDAP-Test-Feature.

Without success.

As shown in an earlier Screenshot, the Eval tool claims, that the Host “MV-xxx.de” does not have LDAP-attributes defined in the LDAP Host Group “End System Groups AD machines”.

Verifying this with LDAP-Test : see below:

d29a9d0681c940f98c639011845c2cc1_a8479f22-f8d3-4316-a2c5-07f271ff3550.png

So, there IS such an entry.

What I am confused about: This entry is found as “dNSHostName”.

According to ealier mentioned guide, “objectcategory” is defined as attribute for the group.

d29a9d0681c940f98c639011845c2cc1_f0c3a4c1-a8db-493f-b26f-4d074420a960.png

 However, changing this to dnsNostName does not work either.

 

I checke configuration vs. guide several times…..don´t find the mistake.

Hope you can point out the issue….

0 Kudos

Go to solution
Miguel-Angel_RO
Valued Contributor II

‎02-09-2021 04:00 PM

Stefan,

Are you meeting all the requirements for the LDAP groups?

See documentation:

85f082ce93bb4b37b3fb3fb04d7bdd23_06557724-caf9-4538-8e10-48ef023cad1c.png

Mig

0 Kudos

Go to solution
StephanH
Valued Contributor III

‎02-09-2021 03:49 PM

Hello Stefan,

as I wrote above. If you have two rules with two different checks (is not and is), this is the point you have to investigate first. 

In the LDAP test tool use the user search for rules matching an user and the host search for rules matching the host.

You can check which LDAP rule is used via the Eval tool (second tab = 2. Authentication evaluation).

As result you will receive the groups you user/device is in.

If you play arround with these settings you will have a good understanding what happen during the ldap checks in NAC.

 

 

 

 

Regards Stephan
0 Kudos

Go to solution
SDR
New Contributor III

‎02-09-2021 02:05 PM

Hello Stephan, Mig,

 

sorry for delay due to private reasons.

@Miguel-Angel RODRIGUEZ-GARCIA : I thought, you understood my use case, as you gave me several hints, how to get mor close to the solution. Sorry for not beeing detailed enough.

@StephanH : You are right. I followed the linked procedure to realize customers wish:

 

  1. Authenticate Windows CLIENT based on machine being in the AD.
  2. Authenticate Windows USER on Windows CLIENT based on machine AND User being in the AD. 
  3. Reject Non-domain machine.

According to the documents and you assistance here we managed, that

TOP 1) “Authenticate Windows CLIENT based on machine being in the AD.” works.

TOP 2) does not yet work - as documented by my screenshots.

With regards to   @StephanH  “Are you 100% sure that the maschine is in the expacted AD group?”my anwer is: “I am nearly 100% sure”,….

 

As we have no remote access to the environment at the moment, I cannot test/verify again.

However, pls clearify what/how to test. 

I have to verify once again

  • if the Host (written exactly like thrown out in the EVAL tool) is found in LDAP-Test (which section? User search? Host search?
  • if the User (written exactly like thrown out in the EVAL tool) is found in LDAP-Test (which section? User search? Host search?

As soon as I have the result, i´ll post a screenshot.

 

Thanks + sorry for confusion, again

Stefan

0 Kudos

Go to solution
Miguel-Angel_RO
Valued Contributor II

‎02-05-2021 07:06 PM

That wasn’t my understanding…

SDR, It would be nice to clarify the exact use case and method you are trying to achieve.

Mig

0 Kudos
GTM-P2G8KFN