NXC5500 Active Directory Authentication not working with FW 6.10
Hello,
I just updated our NXC5500 to firmware 6.10 this morning, and with that the AD authentication of our smartphone users just stopped working.
There is information in the log like this:
authentication server RADIUS: rejecting the user 'username' and
STA: mac-address has blocked by auth failed (AAA Profile: ad) reason 23 interface:wlan-1-3
Nothing else has changed and the RADIUS authentication of the PCs is still working.
I also get an OK from the connection in the AAA Server -> AD option, so there is a working connection to the server.
Also, there are no failed logon attempts on the Domain Controller.
Any ideas what could be the problem?
Regards
Accepted Solution
Hi Joslyn,
I downgraded to version 6.00 yesterday and (except for reactivating MSChap) changed nothing in the config. Everything's working normally again. The NXC registered its computer account in the AD and is authenticating like before.
Just to test it, I did the update to version 6.10 again (maybe there was an unnoticed error), but the described error came back.
So we will go on using version 6.00.
Thanks for your support.
Sascha
All Replies
Hi @dca
Could you help to confirm if the date and time on the AD server is the same as NXC5500?
Since there is a restriction for the 6.10, the date and time must be the same to ensure the authentication will be successful.
We need your help to collect some information to analyze. Here are the steps.
1. Enable the packet capture for the AP management interface.
2. Connect the station to the wifi service and try to pass the authentication.
3. Once it fails, please stop the packet capture and download the packets from the Files.
4. Collect the diagnostic. Once it is done, please download the file from the Files tab.
By the way, could you share which version you used before?
Joslyn

Hello Joslyn,
Thank you for your reply. There is a 2 second gap between the NXC and the DC.
I attached the file for you.
We used version 6.00 before we updated.
Regards
Sascha

Hi Sascha,
Thanks for the packets. I saw the communication between the NXC and AP; however, I need the negotiation between the NXC and AD server. Could you help to capture the packets again, this time on the NXC interface which can reach the AD server? Apologies for any inconvenience.
Moreover, could you provide me the diagnostic? Please also let me know the AD server OS.
Thanks.
Joslyn

Hi Joslyn,
I sent you the file from the interface that is used for all traffic on the NXC. But I honestly think that there is no traffic to the DC.
When I log in from the web interface of the NXC, the traffic to the DC is shown. But in this file I only tried to log on via the SSID, and there is no traffic to the DC that I could see.
Sascha

Hi @dca
Yes, you are correct. There is no related traffic between the NXC and DC. Could you provide me the diagnostic and let me know the AD server OS? You can send it to me via private message.
Joslyn

Hi Joslyn,
Which diagnostic do you mean? The one where the login works?
The AD server runs on Server 2012.
Regards
Sascha

Hi Sascha,
It is the NXC5500 diagnostic.
This will include many logs, so we can analyze what the reason is.
By the way, I want to confirm the symptom with you. The PC can log in without any issue, but phones failed. Please correct me if I am wrong.
Joslyn

Hi Sascha,
I got the diagnostic from the private message already. However, I want to confirm the symptom with you again. The PC stations can pass the radius authentication, but phones failed. Is it correct?
Joslyn

Hi Joslyn,
Yes, that's correct. Could you see anything in the file? The bosses here are getting upset, so we may have to think about a workaround with a PSK.
Sascha

Hi Sascha,
According to your description, you mentioned only phones cannot pass the authentication; however, from the logs, I cannot see any successful logs. I might need more time to analyze the logs. By the way, I see the configuration between 6.00 and 6.10 is different. Did the authentication fail before the configuration changed or after?
Joslyn