Identity Engines: EAP+; EAPOL+; MSCHAPv2 or 802.1x Client Authentications Fail While All Other Authentication Services Operate Normally

Symptoms

Identity Engines Ignition Server running any software version

Authentication requests from EAP (Extensible Authentication Protocol), EAPOL (Extensible Authentication Protocol over LAN) and MSCHAP (Microsoft Challenge Handshake Authentication Protocol) may unexpectedly stop working on one or more Identity Engines Ignition Servers. All other authentication methods, including certificate-based authentication, PAP (Password Authentication Protocol), EAP-TLS (EAP Transport Layer Security), PEAP (Protected EAP), etc., continue to be served by the same Ignition Server.

If Ignition Server is configured for HA (High Availability) mode with a RADIUS VIP service configured, authentication issues may be present while one HA member is the VIP owner and absent while the alternate HA member is the VIP owner.

Such a problem may affect EAP, EAPOL or general 802.1x client authorization and connectivity. Affected clients may fail authentication, time out during authentication attempts and, as a result, be unable to access network resources.

Environment
  • Identity Engines
  • All Software Releases
  • 802.1x
Cause

Symptoms of this nature may have different triggers. A summary of the areas to investigate is provided below.

Ignition Server Machine Accounts (MA) Not Registered in Active Directory

Each Ignition Server node registers itself against the primary Active Directory Domain server configured under Ignition Server Dashboard Directory Services. Each of these machine account (MA) registrations then replicates to all other Active Directory Domain controllers to keep the Active Directory Domain Forest members synchronized.

Using Ignition Server Dashboard Directory Services Debugger and performing a TestJoin request to the Active Directory Service will fail with the following example response:

Attempting authentication with 192.168.1.254:389
Attempting to join domain
Adding account cn=00805A7C119B,CN=Computers,DC=identityengines,DC=com failed: LDAP Constraint Violation
Authentication failed: Joining the domain failed: LDAP Constraint Violation

Ignition Server Machine Account (MA) Duplicate CNF (Conflict) Records in Active Directory

Under rare circumstances it is possible that Ignition Server creates a machine account (MA) on two Active Directory domain servers before a replication cycle occurs. This can occur, for example, if Ignition Server fails over between HA members, or if the primary Ignition Server determines that connectivity to the primary Active Directory is no longer available.

As a result of such duplication, Active Directory multi-master replication will create a CNF (Conflict) machine account and replicate this conflict account amongst domain members. The outcome is two or more records for the same Ignition Server, as in the example shown below. CNF accounts are of the format MAC*CNF:GUID.

00805A7C119B (this is primary MA)
00805A7C119BCNF:990c79cb-f40b-47a1-9545-0d013870568f

During a reboot of either Ignition Server, or during the daily machine account re-registration performed by Ignition Server, the primary MA will be deleted but cannot be re-joined.

Using Ignition Server Dashboard Directory Services Debugger and performing a TestJoin request to the Active Directory Service will fail with the following example response:

Attempting authentication with 192.168.1.254:389
Attempting to join domain
Adding account cn=00805A7C119B,CN=Computers,DC=identityengines,DC=com failed: LDAP Already exists
Authentication failed: Joining the domain failed: LDAP Already exists

Ignition Server Machine Account (MA) Duplicate DEL (DELeted) Records in Active Directory

Microsoft Windows PCs registered to an Active Directory / Windows Server environment renew the credentials of the computer's machine account every 30 days.

During renewal there is a possibility that an ADEL record will be created. This is a function of the Active Directory Recycle Bin / recovery feature, and the ADEL record is a duplicate record of the machine account.

An ADEL record that has been created generates a constraint violation that behaves the same way as a CNF record.

Neither CNF nor ADEL records are created by Ignition Server.
The ADEL record 'stays' in AD, so that the creation of the new MA by Ignition Server results in the "LDAP Constraint Violation" error.

ADEL record sample: "AABBCCDDEEFF0ADEL:4e7bdcd7-4a46-4e34-b594-f9eb0424b44a"

Resolution

Recommended workarounds or solutions for the above causes are noted below:

Ignition Server Machine Accounts (MA) Not Registered in Active Directory

- Ensure that the LDAP service account specified in Directory Services has sufficient privileges to Create *AND* Delete computers (child objects / machine accounts) in the domain. This is easily achieved by associating the LDAP service account in Active Directory with the default "Domain Admins" privilege level.
- Security-conscious administrators may not wish to create accounts associated with the default "Domain Admins" privilege level. In such cases the account permissions MUST be modified to Allow "Create all child objects" and "Remove all child objects".

Ignition Server Machine Account (MA) "LDAP Constraint Violation" Due To Duplicate CNF (Conflict) Records in Active Directory

- Periodic monitoring of Active Directory machine account registrations for IDE and removal of the primary MAC and CNF records is advised.
- Diagnose and resolve any replication issues that may be present within the Active Directory domain forest.

Ignition Server Machine Account (MA) "LDAP Constraint Violation" In Multi Domain Environments

- Two or more child subdomains are configured under two separate Active Directory services, and Ignition Server cannot register the MA in both subdomains due to SPN uniqueness restrictions.
- Configure AD to allow duplicate SPNs to be registered in each child subdomain. Please refer to "SPN uniqueness" on technet.microsoft.com or KB3070083.

The above issue is resolved in software 9.3.0, which is available for download. For more information please refer to JUPITER-2323 in the 9.3.0 release notes.

Ignition Server Machine Account (MA) "LDAP Constraint Violation" Due To Duplicate DEL (DELeted) Records in Active Directory

- Deleting the DEL record will resolve this issue; also check the other members of Active Directory for copies of the record.

Starting with Identity Engines software release 9.2 (and above) the default Machine Account de-registration / re-registration interval has been changed from once every 24 hours to once every 30 days. It is expected that the frequency of duplicate CNF Machine Accounts will be eliminated.
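The monitoring and removal steps above (periodic checks for CNF records, deletion of ADEL records) can be scripted against an export of computer-object CN values. The following is an added example, not code from the article or from Identity Engines; it assumes CN values have been exported (for instance from ldapsearch or Get-ADObject -IncludeDeletedObjects) and relies on the Active Directory naming convention in which a conflict object becomes "<name>\0ACNF:<GUID>" and a Recycle Bin object "<name>\0ADEL:<GUID>" (the "\0A" being the LDAP escape of the line-feed separator, which is why the article's samples render as "...CNF:" and "...0ADEL:").

```python
import re
from collections import defaultdict

# AD renames a replication-conflict object to "<name>\0ACNF:<objectGUID>" and a deleted
# (Recycle Bin) object to "<name>\0ADEL:<objectGUID>"; "\0A" is the escaped line feed.
# Ignition Server machine accounts are named after the node's MAC address (12 hex digits).
_MA_RE = re.compile(
    r"^(?P<mac>[0-9A-Fa-f]{12})"
    r"(?:(?:\\?0A|\n)?(?P<kind>CNF|DEL):(?P<guid>[0-9A-Fa-f-]{36}))?$"
)

def classify_cn(cn):
    """Map one exported CN to (mac, kind, guid); kind is PRIMARY, CNF or ADEL, else None."""
    m = _MA_RE.match(cn.strip())
    if not m:
        return None
    kind = {None: "PRIMARY", "CNF": "CNF", "DEL": "ADEL"}[m.group("kind")]
    return m.group("mac").upper(), kind, m.group("guid")

def find_problem_accounts(cns):
    """Group CN values by MAC; return only MACs that carry a CNF or ADEL record."""
    by_mac = defaultdict(lambda: {"PRIMARY": [], "CNF": [], "ADEL": []})
    for cn in cns:
        parsed = classify_cn(cn)
        if parsed is None:
            continue                      # ordinary computer object, ignore
        mac, kind, _guid = parsed
        by_mac[mac][kind].append(cn.strip())
    return {mac: recs for mac, recs in by_mac.items() if recs["CNF"] or recs["ADEL"]}

def remediation_plan(problems):
    """CNs to delete per the article: primary MA plus CNF copies for a conflict; the ADEL record for a Recycle Bin duplicate."""
    plan = {}
    for mac, recs in problems.items():
        to_delete = list(recs["ADEL"])
        if recs["CNF"]:
            to_delete += recs["PRIMARY"] + recs["CNF"]
        plan[mac] = to_delete             # Ignition Server re-registers the MA afterwards
    return plan

# Constructed sample export (MACs and GUIDs taken from the article's examples).
SAMPLE_EXPORT = [
    "00805A7C119B",
    "00805A7C119B\\0ACNF:990c79cb-f40b-47a1-9545-0d013870568f",
    "AABBCCDDEEFF0ADEL:4e7bdcd7-4a46-4e34-b594-f9eb0424b44a",
    "001122334455",
    "DESKTOP-PC01",
]
```

After deleting the listed objects on every domain controller, confirm the re-join with a Directory Services Debugger TestJoin as described above.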
