iMC UAM MS AD authentication issue (2522 Views)
Occasional Advisor
MarcisB
Posts: 14
Registered: ‎01-20-2013
Message 1 of 13 (2,522 Views)

iMC UAM MS AD authentication issue

Hello

For several weeks I've been fighting with this problem.
I need to set up UAM authentication with Microsoft AD. The client PC is part of the lab domain and thus uses a domain certificate without the iNode client (the way our customer would like it to be). That means EAP-PEAP with MSCHAPv2.
In my lab I have one ProCurve 2824 switch and several virtual servers, one of which runs iMC with UAM, another has the AD DC and the third is the certificate server. I have set up the whole structure, imported certificates into iMC etc.

iMC and UAM versions are the latest:

Intelligent Management Platform (JF378A) iMC PLAT 5.1 SP1 (E0202P05)
User Access Manager (JF388A) iMC UAM 5.1 SP1 (E0301H04)

Unfortunately client authentication fails. In the switch traffic capture I see UAM asking the switch for MD5 authentication, which is immediately rejected by Windows, which wants MSCHAPv2.
In the mschapv2server log file I see the following:

[Feb 19, 2013 11:43:16 AM][Debug]: MSChapAuthServer():addInistialRequestMessage(): dc name is uam.imc.lab
[Feb 19, 2013 11:43:16 AM][Trace]: MSChapAuthServer():addInistialRequestMessage(): tunnel active packet: 00000000h: 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 04 ;................
00000010h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ;................
00000020h: 01 06 74 65 73 74 02 0D 75 61 6D 2E 69 6D 63 2E ;..test..uam.imc.
00000030h: 6C 61 62 03 0A 68 E1 09 F0 F4 0C A7 2A 04 1A 9C ;lab..h......*...
00000040h: 58 28 CE 59 9D 67 80 3B D1 9E 9C 0D 1E 72 6F 26 ;X(.Y.g.;.....ro&
00000050h: 1D 0F 79 01 B1 E1 4D ;..y...M
[Feb 19, 2013 11:43:16 AM][Debug]: Trigger one authentication request as parameters refreshed.
[2013-02-19 11:43:16.494] [Debug] [HashMapForCache::cleanMap]Find expired object...
[2013-02-19 11:43:16.547] [Debug] [MSChapAuth::MSChapAuth]NETLOGON(LVLABIMC2.UAM.IMC.LAB/TESTACCOUNT)
[2013-02-19 11:43:16.564] [Debug] [MSChapAuth::connect]NETLOGON: Connecting DCERPC handle to ncacn_np:10.32.12.29[\PIPE\NETLOGON] with identity uam.imc.lab\testAccount$
[2013-02-19 11:43:16.967] [Info] [MSChapAuth::connect]NETLOGON: Bind successful.
[2013-02-19 11:43:16.990] [Debug] [MSChapAuth::connect]NETLOGON: Session authenticated
[2013-02-19 11:43:16.991] [Debug] [MSChapAuth::getDomainTrusts]getDomainTrusts: Retrieving list of domains
[2013-02-19 11:43:17.0] [Debug] [MSChapAuth::getDomainTrusts]getDomainTrusts: List of domains retrieved successfully: {UAM.IMC.LAB={objectSid=S-1-5-21-57685777-2865964563-3303338050, domain.dns.name=uam.imc.lab, domain.trust.attributes=0x00000000, objectGUID=9E996CE4-317B-41AB-915B-A6431188E686, domain.trust.type=2, domain.flags=0x0000001D, domain.netbios.name=UAM}, ~={objectSid=S-1-5-21-57685777-2865964563-3303338050, domain.dns.name=uam.imc.lab, domain.trust.attributes=0x00000000, objectGUID=9E996CE4-317B-41AB-915B-A6431188E686, domain.trust.type=2, domain.flags=0x0000001D, domain.netbios.name=UAM}, UAM={objectSid=S-1-5-21-57685777-2865964563-3303338050, domain.dns.name=uam.imc.lab, domain.trust.attributes=0x00000000, objectGUID=9E996CE4-317B-41AB-915B-A6431188E686, domain.trust.type=2, domain.flags=0x0000001D, domain.netbios.name=UAM}}
[2013-02-19 11:43:17.19] [Debug] [MSChapAuth::connect]NETLOGON: Secure Channel encryption installed
[Feb 19, 2013 11:43:17 AM][Trace]: The authentication error msg: The account is not found: uam.imc.lab\test, and error code: 4
[2013-02-19 11:43:17.388] [Error] [MSChapAuthProvider::authenticate]MSChap authentication unknown exception. <mscv2js.c.d: The account is not found: uam.imc.lab\test>
mscv2js.c.d: The account is not found: uam.imc.lab\test
at mscv2js.b.a.a(Unknown Source)
at mscv2js.b.b.b(Unknown Source)
at mscv2js.server.f.a(Unknown Source)
at mscv2js.server.h.run(Unknown Source)
at java.lang.Thread.run(Thread.java:662)
[Feb 19, 2013 11:43:17 AM][Trace]: The mschapv2 authentication user msg:The account is not existed on DC.
<java.net.BindException: Cannot assign requested address: Datagram send failed>
java.net.BindException: Cannot assign requested address: Datagram send failed
at java.net.PlainDatagramSocketImpl.send(Native Method)
at java.net.DatagramSocket.send(DatagramSocket.java:625)
at mscv2js.server.g.a(Unknown Source)
at mscv2js.server.f.a(Unknown Source)
at mscv2js.server.h.run(Unknown Source)
at java.lang.Thread.run(Thread.java:662)

 

I have done all installation and configuration according to the manuals. EAP-PEAP assisted DC authentication is set up. In the log one can see that UAM asks the DC for the virtual computer (which I left at default), which passes. Then, out of nowhere, comes this "test" account, which is in no way present in iMC. I suspect this is the reason why authentication fails and UAM reverts to MD5.
I created a "test" user on the DC, but since I have no idea what the password should be, it still fails.
Can anyone please point out what I am doing wrong?

Thanks in advance!
Marcis

Honored Contributor
Peter_Debruyne
Posts: 315
Registered: ‎03-21-2011
Message 2 of 13 (2,507 Views)

Re: iMC UAM MS AD authentication issue

Hi,

Can you provide some more info on the client supplicant configuration?

Which client OS are you using? If Windows, did you configure user or computer auth?

Can you check the client PC computer name, does it happen to be "test"?

It could be possible that the computer accounts have not been synced between UAM and AD (LDAP), so when the client PC authenticates with the PC account, it will fail, so UAM possibly proposes an alternate auth method (MD5), since the PEAP failed.

So make sure to sync the computers container/OU as well as the users container/OU in the LDAP sync policies.

Best regards, Peter

Honored Contributor
LindsayHill
Posts: 713
Registered: ‎11-16-2011
Message 3 of 13 (2,504 Views)

Re: iMC UAM MS AD authentication issue

This doesn't directly fix your problem, but HP released IMC 5.2 today. BYOD is a focus for them right now, so you might like to try out the latest code, see if your problem is still there.

My guess is that support is just going to tell you to upgrade anyway.

CCIE 36708 | @northlandboy | lkhill.com
Occasional Advisor
MarcisB
Posts: 14
Registered: ‎01-20-2013
Message 4 of 13 (2,491 Views)

Re: iMC UAM MS AD authentication issue

Hello Peter

Thanks for the response! :)

I attached my ProCurve 2824 switch config.

Port 1 is for the uplink, ports 2 and 3 are where client authentication goes on.

10.32.12.26 is the address of the iMC server

10.32.12.27 is the switch's IP

I also verified that when I reconfigure RADIUS on the switch to talk directly to the MS AD DC, it works like a charm. Of course I have configured NAP on the MS DC.

I use a Windows 7 PC with the Windows native built-in 802.1x authenticator. I would prefer to avoid using iNode because this is what our customer wants. On Windows I left it at the default, which is both user and computer authentication.

Client PC computer name is "SMNdemo". The only thing close to "test" is the testlab domain user "imctest" which I use for logging in.

I tried to sync the computers OU but it does not work; the sync fails because computer accounts are represented by their name with "$" added. And since iMC does not accept the $ sign, the sync fails totally.

Occasional Advisor
MarcisB
Posts: 14
Registered: ‎01-20-2013
Message 5 of 13 (2,490 Views)

Re: iMC UAM MS AD authentication issue

Thanks!

I tried 5.2 but it did not solve the issue. I suspect I am doing something wrong but I ran out of ideas as to what exactly.
Visitor
nappy513
Posts: 4
Registered: ‎06-12-2014
Message 6 of 13 (511 Views)

Re: iMC UAM MS AD authentication issue

Resurrecting an old thread here. Probably going to open a support ticket, but I'm dealing with the same issue in 7.0 E0202. Device authentication works fine through AD, but I can't get 802.1x to work from MSM APs (MSM controller). I did find that the EAP type is dictated by the 'default access policy' configured on the access service assigned to the authenticating user. If certificate authentication isn't defined in the default policy, IMC seems to default to EAP-MD5 as a challenge type (doesn't seem to make too much sense, but it isn't the issue at hand). At this point, it would have been so much easier to do this in NPS (wtb NAS Id condition), but the customer wants UAM.

The authentication failure cause is listed as: E63121::receive no packet from mschapv2server.

The request isn't even showing up in the mschapv2 log. Netstat shows that mschapv2server is running on the port assigned in domain assisted PEAP authentication.

I do see the same recurring message in the log about a failure to authenticate with a "domain\test" account--I'm not testing from this. As the other posters pointed out, no idea what the "test" account is used for or what credentials it is trying to use. I've tried making a "test" account in AD (reflected below). Also not sure why IMC would want to change the password for the test account (LDAP error -1073741718). Not sure where to go from here... hopefully I'm just missing something.

Details from the mschapv2 log:

[Jun 12, 2014 10:19:14 PM][Debug]: MSChapAuthServer():addInistialRequestMessage(): dc name is domain.local
[2014-06-12 22:19:14.758] [Debug] [MSChapAuth::MSChapAuth]NETLOGON(NPSDC1.domain.local/IMC-VCOMP)
[2014-06-12 22:19:14.761] [Debug] [MSChapAuth::connect]NETLOGON: Connecting DCERPC handle to ncacn_np:10.3.1.10[\PIPE\NETLOGON] with identity domain.local\imc-vcomp$
[2014-06-12 22:19:14.809] [Info] [MSChapAuth::connect]NETLOGON: Bind successful.
[2014-06-12 22:19:14.812] [Debug] [MSChapAuth::connect]NETLOGON: Session authenticated
[2014-06-12 22:19:14.813] [Debug] [MSChapAuth::getDomainTrusts]getDomainTrusts: Retrieving list of domains
[2014-06-12 22:19:14.818] [Debug] [MSChapAuth::getDomainTrusts]getDomainTrusts: List of domains retrieved successfully: {NPS={objectSid=S-1-5-21-2978016226-252322552-2703489708, domain.dns.name=domain.local, domain.trust.attributes=0x00000000, objectGUID=EAB86203-0A5C-408E-BE8B-032C0610D269, domain.trust.type=2, domain.flags=0x0000001D, domain.netbios.name=NPS}, domain.local={objectSid=S-1-5-21-2978016226-252322552-2703489708, domain.dns.name=domain.local, domain.trust.attributes=0x00000000, objectGUID=EAB86203-0A5C-408E-BE8B-032C0610D269, domain.trust.type=2, domain.flags=0x0000001D, domain.netbios.name=NPS}, ~={objectSid=S-1-5-21-2978016226-252322552-2703489708, domain.dns.name=domain.local, domain.trust.attributes=0x00000000, objectGUID=EAB86203-0A5C-408E-BE8B-032C0610D269, domain.trust.type=2, domain.flags=0x0000001D, domain.netbios.name=NPS}}
[2014-06-12 22:19:14.821] [Debug] [MSChapAuth::connect]NETLOGON: Secure Channel encryption installed
[2014-06-12 22:19:14.830] [Debug] [MSChapAuth::mschapv2Validate]ldap fetch error code is -1073741718
[2014-06-12 22:19:14.830] [Error] [MSChapAuthProvider::authenticate]MSChap authentication unknown exception. <mscv2js.c.d: The supplied credentials are invalid: domain.local\test>
mscv2js.c.d: The supplied credentials are invalid: domain.local\test
    at mscv2js.b.a.a(Unknown Source)
    at mscv2js.b.b.b(Unknown Source)
    at mscv2js.server.f.a(Unknown Source)
    at mscv2js.server.i.run(Unknown Source)
    at java.lang.Thread.run(Thread.java:724)

 <java.net.BindException: Cannot assign requested address: Datagram send failed>
java.net.BindException: Cannot assign requested address: Datagram send failed
    at java.net.DualStackPlainDatagramSocketImpl.socketSend(Native Method)
    at java.net.DualStackPlainDatagramSocketImpl.send(DualStackPlainDatagramSocketImpl.java:133)
    at java.net.DatagramSocket.send(DatagramSocket.java:676)
    at mscv2js.server.h.a(Unknown Source)
    at mscv2js.server.f.a(Unknown Source)
    at mscv2js.server.i.run(Unknown Source)
    at java.lang.Thread.run(Thread.java:724)

 

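Both mschapv2server log excerpts in this thread (Message 1 and Message 6) have the same shape: the NETLOGON secure channel for the virtual computer account comes up, the DC then rejects a user identity ("test"), and a UDP reply fails with a java.net.BindException. The triage script below is an added example, not HP or iMC code, that pulls those milestones out of an excerpt; SAMPLE_LOG is constructed in the thread's log format and the troubleshooting pointers in findings() are this example's own reading of the log, not HP guidance.

```python
import re

# Milestones mschapv2server logs for one request, in the order it reaches them.
# Patterns follow the log format pasted in Message 1 and Message 6 of this thread.
STAGES = (
    ("dc_resolved",       re.compile(r"dc name is (?P<dc>[\w.-]+)")),
    ("netlogon_identity", re.compile(r"with identity (?P<ident>[^\s\]]+)")),
    ("netlogon_bind",     re.compile(r"NETLOGON: Bind successful")),
    ("secure_channel",    re.compile(r"Secure Channel encryption installed")),
    ("account_missing",   re.compile(r"The account is not found: (?P<acct>[^\s,>]+)")),
    ("bad_credentials",   re.compile(r"The supplied credentials are invalid: (?P<acct>[^\s,>]+)")),
    ("reply_send_failed", re.compile(r"java\.net\.BindException: Cannot assign requested address")),
)

def triage(log_text):
    """Classify an mschapv2server.log excerpt: which stage succeeded, which failed."""
    found = {}
    for line in log_text.splitlines():
        for name, rx in STAGES:
            m = rx.search(line)
            if m and name not in found:  # keep the first hit per milestone
                found[name] = m.groupdict()
    acct = found.get("account_missing") or found.get("bad_credentials") or {}
    r = {
        "dc": found.get("dc_resolved", {}).get("dc"),
        "secure_channel_identity": found.get("netlogon_identity", {}).get("ident"),
        "secure_channel_ok": "netlogon_bind" in found and "secure_channel" in found,
        "failing_account": acct.get("acct"),
        "reply_send_failed": "reply_send_failed" in found,
        "stages": [n for n, _ in STAGES if n in found],
    }
    r["findings"] = findings(r)
    return r

def findings(r):
    """Turn the parsed milestones into troubleshooting pointers (this example's reading)."""
    out = []
    if not r["secure_channel_ok"]:
        out.append("NETLOGON secure channel not established: check the virtual computer "
                   "account and DC reachability")
    elif r["failing_account"]:
        out.append(f"secure channel as {r['secure_channel_identity']} is fine; the DC rejected "
                   f"the user identity {r['failing_account']}, so look at the identity UAM "
                   "passes (domain\\user) rather than at the DC connection")
    if r["reply_send_failed"]:
        out.append("reply datagram back to UAM could not be sent (BindException): check the "
                   "listener address/port configured for domain-assisted PEAP")
    return out

# Constructed sample in the format of the Message 1 log (not a real capture).
SAMPLE_LOG = r"""
[Feb 19, 2013 11:43:16 AM][Debug]: MSChapAuthServer():addInistialRequestMessage(): dc name is uam.imc.lab
[2013-02-19 11:43:16.564] [Debug] [MSChapAuth::connect]NETLOGON: Connecting DCERPC handle to ncacn_np:10.32.12.29[\PIPE\NETLOGON] with identity uam.imc.lab\testAccount$
[2013-02-19 11:43:16.967] [Info] [MSChapAuth::connect]NETLOGON: Bind successful.
[2013-02-19 11:43:17.19] [Debug] [MSChapAuth::connect]NETLOGON: Secure Channel encryption installed
[Feb 19, 2013 11:43:17 AM][Trace]: The authentication error msg: The account is not found: uam.imc.lab\test, and error code: 4
<java.net.BindException: Cannot assign requested address: Datagram send failed>
"""
```

Calling triage(SAMPLE_LOG) reports the DC, the secure-channel identity (the virtual computer account), the rejected user identity and both pointers; paste a real excerpt in place of SAMPLE_LOG to triage your own log.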
Honored Contributor
Peter_Debruyne
Posts: 315
Registered: ‎03-21-2011
Message 7 of 13 (496 Views)

Re: iMC UAM MS AD authentication issue

Hi,

What type of EAP auth are you trying to configure?

AFAIK, EAP PEAP MSCHAPv2 is not possible for computer authentication, only EAP-TLS (client cert based) is possible.

Since you mention the mschapv2server process, I have the impression you are trying to set up EAP PEAP MSCHAPv2, which does not work (yet; I heard this might be included in the future).

Visitor
nappy513
Posts: 4
Registered: ‎06-12-2014
Message 8 of 13 (490 Views)

Re: iMC UAM MS AD authentication issue

Peter, thanks for the response.

Yes, I'm trying to do PEAP MS-CHAPv2, but only for user authentication. Is this not supported by IMC? If not, what options are available for 802.1x user authentication?

Thanks

Honored Contributor
Peter_Debruyne
Posts: 315
Registered: ‎03-21-2011
Message 9 of 13 (479 Views)

Re: iMC UAM MS AD authentication issue

Hi,

* EAP PEAP MSCHAPv2 is supported for user auth.

* Did you set the Domain controller OS version to "2003 or earlier"? I know this does not sound intuitive, but the parameter does not link directly to the OS version or domain/forest level, but to some Kerberos/MSCHAP auth level type. Most people do not have this enabled on the domain, so the original auth type should be used (described as 2003 or earlier in this parameter).

hth, Peter

Visitor
nappy513
Posts: 4
Registered: ‎06-12-2014
Message 10 of 13 (468 Views)

Re: iMC UAM MS AD authentication issue

I do have it set at 2003 to match the domain functional level. I opened a case, so we'll see where this goes. I'll provide an update once progress is made.

Thanks

Occasional Visitor
denclan
Posts: 1
Registered: ‎07-10-2014
Message 11 of 13 (340 Views)

Re: iMC UAM MS AD authentication issue

Hi,

I'm seeing the same issue at the moment on IMC v7.0. Did you get it resolved?

I'm getting client authentication failures with code "E63053::Invalid authentication type" via the IMC interface.

Regards,

denclan

Visitor
nappy513
Posts: 4
Registered: ‎06-12-2014
Message 12 of 13 (297 Views)

Re: iMC UAM MS AD authentication issue

I made some progress, but the issue certainly isn't completely resolved. UAM is definitely one of the more difficult/complicated NAC systems I've deployed. I'll break this into two parts:

First, at one point, with RADIUS, I did get the error you are describing. I believe I hadn't imported a RADIUS certificate for UAM yet and that was causing it. Once I generated a cert (had to add a Windows CA for this :( ), I think that was resolved.

Using PEAP/MS-CHAPv2 against UAM as a RADIUS server: In one deployment, I found that I was sending the Called-Station-ID context in the wrong format. I was using the SSID group as an access condition to assign access scenarios in the access service assigned to domain users. Well, the SSID wasn't read correctly, and this triggered the "E63121::receive no packet from mschapv2server" error (certainly not very indicative of the issue...). Peter Debruyne's blog (http://abouthpnetworking.com/2014/01/10/msm-with-uam-mac-authentication/) put me on the right track here. I do get the same issue regardless of how the access devices are configured--HP(ProCurve) or HP(MSM). So once I changed the Called-Station-ID format in the VSC, it works, but it never works the first time. When no users have authenticated in about an hour, I always get the "E63121::receive no packet from mschapv2server" error on the first authentication attempt (the error log shows a blank next to the SSID field). After that one error, the next manual attempt will always work. Still working with HP support on this, but it's unusable for users. I've set up an NPS server using NAS-ID as a condition for RADIUS in the meantime. I suspect IMC would work fine if I removed the SSID as a condition, but it's pretty much required for the deployment.

On the guest/BYOD MAC auth SSID: I have the same issue right now on two deployments. It was kinda working on 7.0 E203, but due to the guest self-registration bug mentioned in the patch notes (if they didn't use self-service, users were getting something like a 'network problem' error on the registration request), I have since upgraded to E203P04 and then to E203H06 (had to request the newest versions from HP support--only E203P03 is posted to the web), and now I'm getting "E63053::Invalid authentication type" when a user is forwarded to the BYOD portal. When a user connects, I see the byodanonymous login with the correct MAC address as the login name and the correct OS fingerprint, but that user gets the wrong portal page (they get the default HP-branded portal), with "The user is not online" under "User Information". No idea why the system isn't correctly associating the login. My setups are all fairly simple, with no L3 hops between the users, the authentication devices (MSM 460s) and the portal forwarding device (H3C switch or a VSR).

I'm relatively frustrated at this point, but let me know if this describes what you are facing. I'll continue to post updates, but I'm working on a few dozen projects at once, so they may be infrequent. Eventually, I'd like to get EAP-TLS functioning in IMC without iNode... but not for a while.

Gary

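Gary's note that the error log showed a blank SSID when the Called-Station-ID was sent in the wrong format is worth checking mechanically. The parser below is an added example, not HP, iMC or MSM code; it assumes the RFC 3580 wireless convention of "<AP-MAC>:<SSID>" with a hyphenated upper-case MAC, treats colon-separated and bare MACs as illustrative extra inputs, and ssid_condition_matches is a hypothetical stand-in for an access condition keyed on an SSID group.

```python
import re

# RFC 3580 section 3.20: for 802.11 the NAS sends "<AP-MAC>:<SSID>", the MAC as
# upper-case hex octets separated by hyphens, e.g. "00-10-A4-23-19-C0:AP1".
# Accepting colon-separated and bare MACs below is an assumption for illustration.
_HYPHEN_MAC = re.compile(r"^(?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2}")
_COLON_MAC = re.compile(r"^(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}")
_BARE_MAC = re.compile(r"^[0-9A-Fa-f]{12}$")

def parse_called_station_id(value):
    """Return (ap_mac, ssid); ssid is "" when the attribute carries no SSID at all."""
    for rx in (_HYPHEN_MAC, _COLON_MAC):
        m = rx.match(value)
        if m:
            mac = m.group(0).upper().replace(":", "-")
            rest = value[m.end():]
            # Only a ':' directly after the MAC introduces an SSID; anything else is noise.
            ssid = rest[1:] if rest.startswith(":") else ""
            return mac, ssid
    if _BARE_MAC.match(value):
        mac = "-".join(value[i:i + 2] for i in range(0, 12, 2)).upper()
        return mac, ""          # a bare MAC can never satisfy an SSID condition
    return None, ""

def ssid_condition_matches(called_station_id, ssid_group):
    """Hypothetical access condition: true only if the SSID was parsed and is in the group."""
    _, ssid = parse_called_station_id(called_station_id)
    return ssid != "" and ssid in ssid_group

# Constructed values, not from any real deployment.
CORP_SSIDS = {"Corp-WiFi"}

if __name__ == "__main__":
    for v in ("00-10-A4-23-19-C0:Corp-WiFi", "00-10-A4-23-19-C0", "0010a42319c0",
              "00:10:a4:23:19:c0:Corp-WiFi"):
        print(f"{v:30} -> {parse_called_station_id(v)} "
              f"match={ssid_condition_matches(v, CORP_SSIDS)}")
```

Only the first and last forms carry an SSID; a NAS sending just the AP MAC leaves the SSID blank, and a condition keyed on the SSID group then never matches.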
Occasional Contributor
NeilR
Posts: 6
Registered: ‎11-24-2010
Message 13 of 13 (250 Views)

Re: iMC UAM MS AD authentication issue

Having the same problem. I'm coming from the ProCurve Manager IDM solution which I have working fine - using NPS and AD groups. 802.1x for users & workstations, smart devices (wired and wireless), MAC for VoIP.

Trying to do the same thing with UAM - docs certainly imply that this should work. But I get the same thing. Wireshark shows IMC RADIUS responding with MD5, not PEAP/MSCHAP.

Got the workstation certificate mode to work. But spoiled by PCM - I can see by username where they are logged in with what MAC and IP. Response to state change is near instantaneous.

Also I use user and workstation authentication, as workstations are in the domain... but the IMC LDAP sync brings the workstation sAMAccountName over with a trailing $ - not sure how to remove that.

IMC is way harder and much more expensive. Not so happy at the moment.

I also have a ticket in with HP - but still trying to sync up for the troubleshooting.

Neil

UPDATE: Peter_Debruyne has the answer - even though we are at 2008, when I changed the domain level setting for UAM back to 2003 I was able to log in my 802.1x user. Some success finally. Thx!

However - when the user logs in, the authentication does not take place - only after I up/down the port. I think this occurs because I'm also trying to authenticate the machine and this currently fails as I haven't synced the host, so IMC downs the port.
