In our environment, certain random users are unable to authenticate to the domain via wireless; however, the users can log in just fine when wired in. Current WLAN setup is:
Cisco ACS 4402
24 Cisco Aironet APs
2 Cisco WCS appliances
Fast Roam enabled
Security Audit events on the ACS give the following Failure Audit:
Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 680
Time: 10:45:34 AM
User: NT AUTHORITY\SYSTEM
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Source Workstation: CISCO
Error Code: 0xC0000064
During the login sequence (after entering the username), Pre-Auth seems to kick in, assigning an IP to the laptop. After it does that, however, it comes back and says that the Domain is not available for these certain users. Logging in with another account (domain admin or other standard user) connects just fine and authenticates properly.
When looking at events on the WCS, I found the following:
Client '00:21:6a:28:56:4c (email@example.com, 10.172.1.14)' which was associated with interface '802.11b/g' of AP 'AP102' is excluded. The reason code is '4(802.1X Authentication failed 3 times.)'.
I don't believe we have 802.1X enabled, but how do I verify for sure? I've inherited this system, so not all knowledge of it has been given to me. Thanks in advance!
The client exclusion on the controller is because the Radius server failed the client's authentication three times. If you turn off client exclusion on the WLAN you won't see this anymore.
The main issue is that your radius server is failing the authentications. If you look up the error code (0xC0000064) it says that the specified user doesn't exist. The error says the user that is trying to log on is axxxx.bxxxxxr. Does this account exist in AD?
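As an added illustration (not code from this thread or from Cisco), the following Python script parses failure-audit events of the kind quoted above, decodes the NTSTATUS error code, and correlates per-account failure counts with the controller's three-strike client exclusion. The sample events and WCS line are constructed; the "Logon account" field and the assumption that the ACS account name matches the identity shown in the WCS exclusion message are mine.

```python
import re
from collections import defaultdict

# NTSTATUS values seen as "Error Code" in event ID 680 failure audits.
# 0xC0000064 is the code from the thread; the others are standard codes added for context.
NTSTATUS = {
    0xC0000064: "STATUS_NO_SUCH_USER (account name not found)",
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC0000072: "STATUS_ACCOUNT_DISABLED",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}
EXCLUSION_THRESHOLD = 3  # WLC excludes a client after 3 failed 802.1X attempts (reason code 4)

WCS_RE = re.compile(r"Client '(?P<mac>[0-9a-f:]{17}) \((?P<user>[^,]+), (?P<ip>[^)]+)\)'"
                    r".*reason code is '(?P<reason>\d+)")

def parse_event(block):
    """Turn one 'Key: value' failure-audit event into a dict (first colon splits key/value)."""
    fields = {}
    for line in block.strip().splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def decode_error(code_text):
    code = int(code_text, 16)
    return NTSTATUS.get(code, f"unknown NTSTATUS 0x{code:08X}")

def triage(events, wcs_lines):
    """Group ACS failure audits per account and attach any matching WCS exclusion."""
    failures = defaultdict(list)
    for ev in map(parse_event, events):
        if ev.get("Event ID") == "680":
            failures[ev.get("Logon account", "?")].append(decode_error(ev["Error Code"]))
    report = {u: {"failures": len(r), "reasons": sorted(set(r)),
                  "exclusion_expected": len(r) >= EXCLUSION_THRESHOLD} for u, r in failures.items()}
    for m in filter(None, map(WCS_RE.search, wcs_lines)):
        if m["user"] in report:  # assumption: WCS identity equals the ACS account name
            report[m["user"]]["excluded_mac"] = m["mac"]
    return report

def make_event(account, code, time):  # constructed sample modelled on the event in the thread
    return (f"Event Type: Failure Audit\nEvent ID: 680\nTime: {time}\n"
            f"Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0\n"
            f"Logon account: {account}\nSource Workstation: CISCO\nError Code: {code}")

SAMPLE_EVENTS = [make_event("alice.b", "0xC0000064", t)
                 for t in ("10:45:34 AM", "10:45:41 AM", "10:45:48 AM")]
SAMPLE_EVENTS.append(make_event("bob.c", "0xC000006A", "10:50:02 AM"))
SAMPLE_WCS = ["Client '00:21:6a:28:56:4c (alice.b, 10.172.1.14)' which was associated with "
              "interface '802.11b/g' of AP 'AP102' is excluded. The reason code is "
              "'4(802.1X Authentication failed 3 times.)'."]

if __name__ == "__main__":
    for user, info in triage(SAMPLE_EVENTS, SAMPLE_WCS).items():
        print(user, info)
```

Three STATUS_NO_SUCH_USER failures for one account followed by a reason-code-4 exclusion is exactly the pattern described in this thread, and points at the ACS-to-AD lookup rather than at the controller.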
The user does exist in AD (I put 'X's in there for privacy's sake) and the user can log in to any computer on the domain - so long as it is hooked up via Ethernet. The radius server doesn't like these users for some reason.
Could you point me to the right location to check this? Is it on the radius server or on each controller? Thanks for the help!
The issue isn't on the controller, it's between ACS and AD. The controller is proxying the EAP packets between the client and ACS.
To check the group mappings you would go under the External User Database - Database Group Mappings - Windows Database
OK, I can't find anywhere for external database settings on the server. When trying to go to AAA settings, I get this:
As a broad view, I notice that the controllers' Audit Status says "Mismatch":
Under Local EAP, there are no profiles set. Here are some other screenshots of the setup. Like I said, I inherited it. A vendor installed it. I am pretty certain it wasn't done correctly.
Just because you've thought it and I'm an idiot... I was on the WCS... NOT the ACS. Finish telling jokes about me, letting others know that I'm a dork, and then we'll move on. I now have the login for the ACS and will be following your previous instructions.
Okay, looking under Windows Database, all that is listed is \DEFAULT. I would assume that I need to make a new configuration that points to our domain, so I'm going through that process. If I want to allow all domain users access, I should just choose "Users", correct? I don't see "Authenticated Users", so "Users" is my next logical choice. Under that, for ACS Group choice, do I choose Default, or do I choose a group? And with the groups, do I have to maintain those or are they akin to permission levels on a switch or router?
OK, so now I have the ACS actually POINTING to our domain (I still don't know how it's worked up to this point, but whatever), the next question along the same line is:
We do have the occasional person's laptop that just up and disconnects, somewhat randomly. Case in point, a co-worker here in the office will be working along just fine, but suddenly his laptop starts to reconnect to the network and never will authenticate back without having to reboot (and sometimes that doesn't even work). Looking at the "Passed Authentications" report on the ACS, it looks like users that are logged in are doing a re-auth at fairly regular intervals. I'm thinking that, since the ACS wasn't looking in the right place (or ANY place, actually) for users, perhaps users' accounts that are trying to re-auth suddenly can't be found and therefore get dropped and/or temporarily banned. Does that sound logical?