NXC5500 Active Directory Authentication not working with FW 6.10

All Replies

  • dca
    Hi Joslyn,

    The login on the HTTPS interface via AD is denied because of insufficient rights. But it should work, and I can see that there is a connection to the Domain Controller.
    The PC login via RADIUS works.

    With version 6.00 it worked. Right after the update it stopped working (nothing else was changed). So I tried some things and changed the ports from 389 to 636 and SSL and back, and added a test SSID.

    I have a config backup from right before the update. I can send you this. (I didn't try to use it.)

    regards
  • Zyxel_Joslyn
    Hi Sascha,

    I compared the AD server configuration between 6.00 and 6.10 and found that the binddn is different. According to your description, nothing was changed. Would you like to change it back and have a try?
    I also searched the previous configurations with different firmware versions. It seems only v6.10 is different from the other versions.
    Since I can only see the failed logs, could you help capture packets when using the same account to log in via phone and PC? After finishing the test, please collect the diagnostic and provide it to me. I want to understand what the difference is, since I cannot reproduce it in my lab.
    Thanks.

    Joslyn
  • dca
    Hi Joslyn,

    I just found something: the AAA server is configured as in this article https://kb.zyxel.com/KB/searchArticle!gwsViewDetail.action?articleOid=014326&lang=EN

    When I disable the Domain Authentication for MSCHAP I can finally see requests from the NXC on the firewall and on the NXC itself. So the packets reach the DC and come back, but the login is still denied because of reason 23.

    When I re-enable the MSCHAP option the requests disappear again. I tried different users (all Domain Admins) but the result is always the same.

    I hope this can help.

    regards
  • Zyxel_Joslyn
    Hi Sascha,

    I reviewed the logs and found that the NXC fails to join the AD domain. Please refer to the logs below.

    Could you confirm whether the NXC joins the AD domain successfully?

    Joslyn
  • dca
    Hi Joslyn,

    Yes, there is a computer account for the NXC. But I can delete it and let it rejoin. Is a reboot necessary for that?

    Sascha
  • dca
    Hi Joslyn,

    I deleted the entry and rebooted the NXC, but it doesn't register itself. All settings are 100% correct.
    I did a packet trace via SSH on the NXC and saw that nothing happens on port 88 (for Kerberos/MSCHAP authentication), same on 464. (I did a trace for DNS just to be sure it works and saw something.)

    So it seems the NXC doesn't try to register. I also pinged the FQDN of the domain name and got an answer from the DC.

    And I tried to set up an AD AAA server with the console, but the result is the same.

    Is it possible to force this?

    Sascha
  • Zyxel_Joslyn
    Hi Sascha,

    Rebooting the NXC will not trigger the registration process. There must be a client that tries to pass authentication. You can use the CLI command below and observe whether the NXC joins the domain successfully or not. Please use the administrator account.
    Router> _debug domain-auth test profile-name <AD server profile name> username <domain-auth username> password <domain-auth password>
    If it still fails, please collect the diagnostic again and provide it to me.

    Joslyn
  • dca
    edited September 2020
    Hi Joslyn,

    The error message is still: Failed to join domain: failed to find DC for domain DCABERLIN - {Operation Failed} The requested operation was unsuccessful.

    I tried some DNS settings to see if that is the problem, but nothing changed. And running a packet trace while running this command still shows that the NXC doesn't try to connect to anything on port 88 for the domain join. But DNS is OK. I can ping the FQDN of the domain normally.

    Sascha

  • Zyxel_Joslyn
    Hi Sascha,

    I still found the logs below.

    Could you use nslookup on the NXC to resolve the realm that you configured on the NXC and check whether it is the same as you configured in the DNS forward zone?
    Thanks.

    Joslyn
  • dca
    Hi Joslyn,

    The nslookup returns the correct IPs of both our DCs.

    Sascha
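A check a practitioner would want at this point, added here as an example and not part of the thread or of Zyxel's own tooling: "failed to find DC for domain" comes from the DC locator, and the DC locator does not use the domain's A record (which is what ping and a plain nslookup of the FQDN exercise). It queries the SRV records `_ldap._tcp.dc._msdcs.<realm>`, `_kerberos._tcp.<realm>` and friends, which the DCs register by dynamic update. If the NXC's resolver (or a forward zone on an intermediate DNS server) answers the A record but not the SRV records, the join fails before any Kerberos traffic on port 88 is ever sent, which matches the empty packet trace above. The script below builds and parses SRV queries with the standard library only and runs them from any host that uses the same resolver as the NXC. The realm suffix `dcaberlin.example` and the resolver address `192.0.2.10` are assumptions (the thread only names the domain DCABERLIN), and `constructed_srv_response` builds constructed test data, not a capture.

```python
import socket
import struct

SRV = 33  # DNS RR type SRV (RFC 2782)

# Assumptions for the usage call at the bottom, not values from the thread:
# the thread names the domain "DCABERLIN" only and never shows its DNS suffix
# or the NXC's resolver address.
REALM = "dcaberlin.example"
RESOLVER = "192.0.2.10"


def dc_locator_names(realm):
    """SRV names an AD client looks up to find a DC for a realm.

    Resolving the A record of the domain FQDN (what ping and a plain nslookup
    check) is not what the DC locator uses; it needs these SRV records.
    """
    r = realm.lower().rstrip(".")
    return [
        f"_ldap._tcp.dc._msdcs.{r}",      # "any DC" for LDAP (389/636)
        f"_kerberos._tcp.dc._msdcs.{r}",  # "any DC" for Kerberos (88)
        f"_ldap._tcp.{r}",
        f"_kerberos._tcp.{r}",
        f"_kpasswd._tcp.{r}",             # password set during join (464)
    ]


def _encode_name(name):
    """Wire-format a dotted name: length-prefixed labels plus the root label."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"


def build_srv_query(name, txid=0x1234):
    """Minimal DNS query packet: RD set, one SRV/IN question."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + _encode_name(name) + struct.pack(">HH", SRV, 1)


def _read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:  # compression pointer: follow it, keep our end
            ptr = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            end = end if end is not None else off + 2
            off = ptr
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode())
        off += ln
    return ".".join(labels), (end if end is not None else off)


def parse_srv_response(msg):
    """Return (rcode, [(priority, weight, port, target), ...]) from a reply."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    rcode, off = flags & 0xF, 12
    for _ in range(qd):  # skip the echoed question section
        _, off = _read_name(msg, off)
        off += 4
    records = []
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == SRV:
            prio, weight, port = struct.unpack(">HHH", msg[off:off + 6])
            target, _ = _read_name(msg, off + 6)
            records.append((prio, weight, port, target))
        off += rdlen
    return rcode, records


def query_srv(name, resolver, timeout=2.0):
    """Send one UDP SRV query to `resolver` and parse the reply (network I/O)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_srv_query(name), (resolver, 53))
        data, _ = s.recvfrom(4096)
    return parse_srv_response(data)


def check_dc_locator(realm, resolver, lookup=query_srv):
    """Map each DC-locator SRV name to ('ok' | 'missing' | 'error', detail)."""
    results = {}
    for name in dc_locator_names(realm):
        try:
            rcode, recs = lookup(name, resolver)
        except OSError as exc:
            results[name] = ("error", str(exc))
            continue
        results[name] = ("ok" if rcode == 0 and recs else "missing", recs)
    return results


def constructed_srv_response(name, answers, rcode=0, txid=0x1234):
    """Constructed DNS reply for offline testing (not a capture); answer owner
    names are compression pointers (0xC00C) to the question name at offset 12."""
    header = struct.pack(">HHHHHH", txid, 0x8180 | rcode, 1, len(answers), 0, 0)
    msg = header + _encode_name(name) + struct.pack(">HH", SRV, 1)
    for prio, weight, port, target in answers:
        rdata = struct.pack(">HHH", prio, weight, port) + _encode_name(target)
        msg += b"\xc0\x0c" + struct.pack(">HHIH", SRV, 1, 600, len(rdata)) + rdata
    return msg


if __name__ == "__main__":
    for name, (status, detail) in check_dc_locator(REALM, RESOLVER).items():
        print(f"{status:8} {name} {detail}")
```

Run it against the resolver the NXC is configured with, then against the DC itself: if the DC answers all five names with port 88/389/464 targets but the NXC's resolver returns NXDOMAIN or an empty answer for the `_msdcs` names, the forward zone is missing the `_msdcs` subdomain (a separate delegated zone on many AD installs) rather than the domain's A records, and no amount of pinging the FQDN will show that.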