New Member

Random users unable to auth to domain

In our environment, certain random users are unable to authenticate to the domain via wireless; however, the users can login just fine when wired in. Current WLAN setup is:

Cisco ACS 4402

WPA2-Enterprise/LEAP

24 Cisco Aironet APs

2 Cisco WCS appliances

Pre-Auth enabled

Fast Roam enabled

Security Audit events on the ACS give the following Failure Audit:

Event Type: Failure Audit

Event Source: Security

Event Category: Account Logon

Event ID: 680

Date: 4/27/2010

Time: 10:45:34 AM

User: NT AUTHORITY\SYSTEM

Computer: MGRMC-WCS

Description:

Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0

Logon account:axxxx.bxxxxxr

Source Workstation: CISCO

Error Code: 0xC0000064

During the login sequence (after entering in username), Pre-Auth seems to kick in, assigning an IP to the laptop. After it does that, however, it comes back and says that the Domain is not available for these certain users. Logging in with another account (domain admin or other standard user) connects just fine and authenticates properly.

When looking at events on the WCS, I found the following:

Client '00:21:6a:28:56:4c (axxxx.bxxxxxr@mtgraham.org, 10.172.1.14)' which was associated with interface '802.11b/g' of AP 'AP102' is excluded. The reason code is '4(802.1X Authentication failed 3 times.)'.

I don't believe we have 802.1X enabled, but how do I verify for sure? I've inherited this system, so not all knowledge of it has been given to me. Thanks in advance!

10 REPLIES
Gold

Re: Random users unable to auth to domain

The client exclusion on the controller is because the Radius server failed the client's authentication three times. If you turn off client exclusion on the WLAN you won't see this anymore.

The main issue is that your radius server is failing the authentications. If you look up the error code (0xC0000064) it says that the specified user doesn't exist. The error says the user that is trying to logon is axxxx.bxxxxxr. Does this account exist in AD?

New Member

Re: Random users unable to auth to domain

The user does exist in AD (I put 'X's in there for privacy's sake) and the user can login to any computer on the domain - so long as it is hooked up via Ethernet. The radius server doesn't like these users for some reason.

Gold

Re: Random users unable to auth to domain

You might want to check your group mappings in ACS to make sure it is searching the correct groups in AD for these users.

New Member

Re: Random users unable to auth to domain

Could you point me to the right location to check this? Is it on the radius server or on each controller? Thanks for the help!

Gold

Re: Random users unable to auth to domain

The issue isn't on the controller, it's between ACS and AD. The controller is proxying the EAP packets between the client and ACS.

To check the group mappings you would go under External User Database - Database Group Mappings - Windows Database

New Member

Re: Random users unable to auth to domain

OK, I can't find anywhere for external database settings on the server. When trying to go to AAA settings, I get this:

As a broad view, I notice that the controllers' Audit Status says "Mismatch":

Under Local EAP, there are no profiles set. Here are some other screenshots of the setup. Like I said, I inherited it. A vendor installed it. I am pretty certain it wasn't done correctly.

New Member

Re: Random users unable to auth to domain

Just because you've thought it and I'm an idiot... I was on the WCS... NOT the ACS. Finish telling jokes about me, letting others know that I'm a dork, and then we'll move on. I now have the login for the ACS and will be following your previous instructions.

New Member

Re: Random users unable to auth to domain

Okay, looking under Windows Database, all that is listed is \DEFAULT. I would assume that I need to make a new configuration that points to our domain, so I'm going through that process. If I want to allow all domain users access, I should just choose "Users", correct? I don't see "Authenticated Users", so "Users" is my next logical choice. Under that, for ACS Group choice, do I choose Default, or do I choose a group? And with the groups, do I have to maintain those or are they akin to permission levels on a switch or router?

New Member

Re: Random users unable to auth to domain

OK, so now I have the ACS actually POINTING to our domain (I still don't know how it's worked up to this point, but whatever), the next question along the same line is:

We do have the occasional person's laptop that just up and disconnects, somewhat randomly. Case in point, a co-worker here in the office will be working along just fine, but suddenly his laptop starts to reconnect to the network and never will authenticate back without having to reboot (and sometimes that doesn't even work). Looking at the "Passed Authentications" report on the ACS, it looks like users that are logged in are doing a re-auth at fairly regular intervals. I'm thinking that, since the ACS wasn't looking in the right place (or ANY place, actually) for users, perhaps users' accounts that are trying to re-auth suddenly can't be found and therefore get dropped and/or temporarily banned. Does that sound logical?
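Two things in this thread are worth automating when you are handed an inherited ACS/WLC setup: decoding the `Error Code` in Security event 680 (the Gold reply's point that 0xC0000064 means "no such user", which for a RADIUS-to-AD lookup usually means ACS searched the wrong database or domain), and spotting the three-failures-in-a-row pattern that trips the controller's client exclusion during periodic re-auth. The script below is an added Python example and is not part of the thread or any Cisco tool; the log records it parses are constructed to mirror the event quoted in the question, the NTSTATUS names are the standard Windows ones, and the 5-minute window and threshold of 3 are assumptions standing in for whatever the controller's exclusion policy is actually set to.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Standard NTSTATUS values seen in the "Error Code" field of Security event 680.
# The text after the dash is an interpretation for the RADIUS-against-AD case.
NTSTATUS_LOGON = {
    0xC0000064: "STATUS_NO_SUCH_USER - account not found in the database ACS searched",
    0xC000006A: "STATUS_WRONG_PASSWORD - account found, bad password",
    0xC000006D: "STATUS_LOGON_FAILURE - bad user name or password",
    0xC000006E: "STATUS_ACCOUNT_RESTRICTION - an account restriction blocked the logon",
    0xC000006F: "STATUS_INVALID_LOGON_HOURS - outside permitted logon hours",
    0xC0000070: "STATUS_INVALID_WORKSTATION - not allowed to log on from this workstation",
    0xC0000071: "STATUS_PASSWORD_EXPIRED - password expired",
    0xC0000072: "STATUS_ACCOUNT_DISABLED - account disabled",
    0xC0000193: "STATUS_ACCOUNT_EXPIRED - account expired",
    0xC0000224: "STATUS_PASSWORD_MUST_CHANGE - password must be changed at next logon",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT - account locked out",
}

# Text-export layout of a 680 event, as it appears in the question.
_EVENT_TEMPLATE = """Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 680
Date: {date}
Time: {time}
User: NT AUTHORITY\\SYSTEM
Computer: MGRMC-WCS
Description:
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account:{account}
Source Workstation: CISCO
Error Code: {code}"""

# Constructed sample (not real log data): three back-to-back failures for the
# affected user, the pattern behind "802.1X Authentication failed 3 times",
# plus one unrelated wrong-password failure that should not be flagged.
SAMPLE_EVENTS = "\n\n".join(
    _EVENT_TEMPLATE.format(date=d, time=t, account=a, code=c)
    for d, t, a, c in [
        ("4/27/2010", "10:45:34 AM", "axxxx.bxxxxxr", "0xC0000064"),
        ("4/27/2010", "10:45:41 AM", "axxxx.bxxxxxr", "0xC0000064"),
        ("4/27/2010", "10:45:48 AM", "axxxx.bxxxxxr", "0xC0000064"),
        ("4/27/2010", "10:52:03 AM", "jdoe", "0xC000006A"),
    ]
)

# Note "Logon account:" is sometimes exported with no space after the colon.
FIELD_RE = re.compile(
    r"^(Date|Time|Logon account|Source Workstation|Error Code):\s*(.*?)\s*$", re.M
)


def parse_events(text):
    """Parse a text export of Security 680 events into dicts (time, account, workstation, code)."""
    events = []
    for chunk in re.split(r"(?m)^Event Type:", text)[1:]:
        fields = dict(FIELD_RE.findall(chunk))
        try:
            when = datetime.strptime(fields["Date"] + " " + fields["Time"], "%m/%d/%Y %I:%M:%S %p")
            code = int(fields["Error Code"], 16)
        except (KeyError, ValueError):
            continue  # incomplete or malformed record: skip it rather than guess
        events.append({
            "time": when,
            "account": fields.get("Logon account", ""),
            "workstation": fields.get("Source Workstation", ""),
            "code": code,
        })
    return events


def describe(code):
    """Human-readable meaning of a 680 Error Code."""
    return NTSTATUS_LOGON.get(code, "unrecognised NTSTATUS 0x%08X" % code)


def find_exclusion_candidates(events, threshold=3, window=timedelta(minutes=5)):
    """Accounts with `threshold` failures inside `window`: the client-exclusion pattern.

    Threshold and window are assumed values; match them to the WLAN's exclusion policy.
    """
    by_account = defaultdict(list)
    for e in events:
        by_account[e["account"]].append(e)
    flagged = {}
    for account, evs in by_account.items():
        evs.sort(key=lambda e: e["time"])
        for i in range(len(evs) - threshold + 1):
            if evs[i + threshold - 1]["time"] - evs[i]["time"] <= window:
                flagged[account] = {
                    "failures": len(evs),
                    "first": evs[0]["time"],
                    "last": evs[-1]["time"],
                    "reasons": sorted({describe(e["code"]) for e in evs}),
                }
                break
    return flagged


if __name__ == "__main__":
    for account, info in find_exclusion_candidates(parse_events(SAMPLE_EVENTS)).items():
        print(f"{account}: {info['failures']} failures, {info['first']:%H:%M:%S} to {info['last']:%H:%M:%S}")
        for reason in info["reasons"]:
            print("   ", reason)
```

Run against a real export of the ACS host's Security log (the 680 events land on the machine ACS runs on, not on the WCS). An account that exists in AD but keeps producing STATUS_NO_SUCH_USER points at the External User Database configuration; an account producing STATUS_WRONG_PASSWORD or STATUS_ACCOUNT_LOCKED_OUT is a credential or lockout problem that the group-mapping fix will not touch.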

New Member

Random users unable to auth to domain

I'm trying to solve a similar issue and came across this other post from Microsoft:

http://support.microsoft.com/kb/947861
