I'm having a particularly annoying issue with some Aruba switches and NPS/RADIUS, and need help getting my head out of the weeds. I'm using NPS to authenticate management logins for SSH and the web UI (peap-mschapv2). Everything works just fine when using good credentials, but I need a sanity check on what's supposed to happen with bad credentials.
When bad credentials are supplied, I would expect the NPS server to DENY the request and log a 'reason 8' NPS error code (bad username or password). However, NPS is discarding the request when a bad password is supplied. As a result, the switch hangs like a lame duck until the auth attempt times out. When a bad username is supplied, then the NPS server denies the requests and the switch immediately prompts you for creds to be reentered.
The NPS event logs state to check the system event logs, but nothing of any use is there. Is this just the expected behavior, or is there something not right here? Has anybody seen this before and have a suggestion on where to look next?
Here's an abbreviated NPS error message when a request is discarded:
Network Policy Server discarded the request for a user.
Authentication Details:
    Connection Request Policy Name: Network Connections
    Network Policy Name: Network Authentication
    Authentication Provider: Windows
    Authentication Server: <server>.<domain>.com
    Authentication Type: EAP
    EAP Type: -
    Account Session Identifier: -
    Reason Code: 1
    Reason: An internal error occurred. Check the system event log for additional information.
Here's an abbreviated NPS log for a denied request (bad username):
Network Policy Server denied access to a user.
Authentication Details:
    Connection Request Policy Name: Network Connections
    Network Policy Name: -
    Authentication Provider: Windows
    Authentication Server: <server>.<domain>.com
    Authentication Type: EAP
    EAP Type: -
    Account Session Identifier: -
    Logging Results: Accounting information was written to the local log file.
    Reason Code: 8
    Reason: The specified user account does not exist.
Here's an abbreviated NPS log for a successful request:
Network Policy Server granted access to a user.
Authentication Details:
    Connection Request Policy Name: Network Connections
    Network Policy Name: Network Authentication
    Authentication Provider: Windows
    Authentication Server: <server>.<domain>.com
    Authentication Type: PEAP
    EAP Type: Microsoft: Secured password (EAP-MSCHAP v2)
    Account Session Identifier: -
    Logging Results: Accounting information was written to the local log file.
And, here is the switch config:
radius-server key <secret>
radius-server host <ip>
aaa authentication login privilege-mode
# note that the appropriate RADIUS attribute is set up for this feature and works as expected.
aaa authentication web login peap-mschapv2 local
aaa authentication web enable peap-mschapv2 local
aaa authentication ssh login peap-mschapv2 local
aaa authentication ssh enable peap-mschapv2 local
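The three NPS messages quoted above differ in one detail that matters operationally: a "denied" event means NPS sent the switch an Access-Reject, while a "discarded" event means no reply was sent at all, so the NAS sits on its RADIUS timeout. The following is an added example (not code from the post or from Microsoft) that parses the flattened NPS event text into its fields, classifies each event as granted, denied or discarded, and tallies the discards so that a log review can separate "user typed a bad password" from "NPS never answered". The sample events are constructed from the abbreviated messages in the post; the server name nps01.example.com is a placeholder.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Field labels that NPS writes into the "Authentication Details" block of
# event 6272/6273/6274 text. Longer labels are listed before any label that
# is a prefix of them ("Reason Code" before "Reason") so the alternation
# matches the full label.
FIELDS = [
    "Connection Request Policy Name", "Network Policy Name",
    "Authentication Provider", "Authentication Server", "Authentication Type",
    "EAP Type", "Account Session Identifier", "Logging Results",
    "Reason Code", "Reason",
]
_LABELS = "|".join(re.escape(f) for f in FIELDS)
# A value runs until the next known label (or end of text); non-greedy so a
# value containing a colon, e.g. "Microsoft: Secured password (...)", survives.
FIELD_RE = re.compile(rf"({_LABELS}): (.*?)(?=\s(?:{_LABELS}): |$)")
OUTCOME_RE = re.compile(
    r"^Network Policy Server (granted access to|denied access to|"
    r"discarded the request for) a user\."
)
_OUTCOMES = {
    "granted access to": "granted",
    "denied access to": "denied",
    "discarded the request for": "discarded",
}


@dataclass
class NpsEvent:
    outcome: str                 # "granted", "denied" or "discarded"
    reason_code: Optional[int]   # NPS reason code, None for granted events
    fields: Dict[str, str] = field(default_factory=dict)


def parse_nps_event(text: str) -> NpsEvent:
    """Parse one NPS event message (as flattened single-line text)."""
    m = OUTCOME_RE.match(text.strip())
    if not m:
        raise ValueError("not an NPS authentication event: %r" % text[:60])
    fields = {label: value.strip() for label, value in FIELD_RE.findall(text)}
    rc = fields.get("Reason Code")
    return NpsEvent(_OUTCOMES[m.group(1)], int(rc) if rc and rc.isdigit() else None, fields)


def triage(events: List[NpsEvent]) -> Dict[str, object]:
    """Count outcomes and list the reason codes of discarded requests.

    A discard means the NAS got no Access-Reject, so the client hangs until
    the RADIUS timeout; those are the events worth chasing in the system log.
    """
    summary: Dict[str, object] = {"granted": 0, "denied": 0, "discarded": 0,
                                  "discard_reason_codes": []}
    for ev in events:
        summary[ev.outcome] += 1  # type: ignore[operator]
        if ev.outcome == "discarded":
            summary["discard_reason_codes"].append(ev.reason_code)  # type: ignore[union-attr]
    return summary


# Constructed sample events, taken from the abbreviated messages in the post.
SAMPLE_EVENTS = [
    "Network Policy Server discarded the request for a user. Authentication Details: "
    "Connection Request Policy Name: Network Connections Network Policy Name: Network Authentication "
    "Authentication Provider: Windows Authentication Server: nps01.example.com Authentication Type: EAP "
    "EAP Type: - Account Session Identifier: - Reason Code: 1 Reason: An internal error occurred. "
    "Check the system event log for additional information.",
    "Network Policy Server denied access to a user. Authentication Details: "
    "Connection Request Policy Name: Network Connections Network Policy Name: - "
    "Authentication Provider: Windows Authentication Server: nps01.example.com Authentication Type: EAP "
    "EAP Type: - Account Session Identifier: - Logging Results: Accounting information was written "
    "to the local log file. Reason Code: 8 Reason: The specified user account does not exist.",
    "Network Policy Server granted access to a user. Authentication Details: "
    "Connection Request Policy Name: Network Connections Network Policy Name: Network Authentication "
    "Authentication Provider: Windows Authentication Server: nps01.example.com Authentication Type: PEAP "
    "EAP Type: Microsoft: Secured password (EAP-MSCHAP v2) Account Session Identifier: - "
    "Logging Results: Accounting information was written to the local log file.",
]


def triage_samples() -> Dict[str, object]:
    return triage([parse_nps_event(t) for t in SAMPLE_EVENTS])


if __name__ == "__main__":
    for ev in (parse_nps_event(t) for t in SAMPLE_EVENTS):
        print(ev.outcome, ev.reason_code, ev.fields.get("EAP Type"))
    print(triage_samples())
```

Feeding the exported event text from the NPS log into `parse_nps_event` and grouping by outcome makes the asymmetry in the post visible at a glance: a healthy bad-password path should show up as denied events, never as discards.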