Colubris TechNote: Testing and Troubleshooting Active Directory. Revision 1.3, Mar. 2008. Author: Dave Leger




Colubris Networks, 200 West St. Suite 300, Waltham, MA 02451, www.colubris.com

Contents
  Objective
  Procedure
  Assumptions
  Setting up your MSC
    Step-1 Configure your MSC to reach the Internet
    Step-2 Pointing to the correct DNS server
    Step-3 Configure a PPTP dynamic route to the Active Directory subnet
    Step-4 Configure the VPN connection to the Colubris Test NOC
    Step-5 Do a ping test to the Active Directory/DNS server
    Step-6 Joining your MSC to the Active Directory domain
  Testing an access-controlled user login (HTML)
    Step-1 Activate Default AC Active Directory group attributes
    Step-2 Activate Active Directory authentication on the VSC
    Step-3 Testing a HTML user login with AD
  Testing a non-access-controlled user login (WPA)
    Step-1 Activate Default non-AC Active Directory group attributes
    Step-2 Activate Active Directory authentication on the VSC
    Step-3 Testing a WPA user login with AD
  Troubleshooting Active Directory login failures
    How does the MSC join the Active Directory domain?
    How does the MSC make authentication requests?
      For HTML-based authentications
      For WPA/802.1x-based authentications
    Error messages
      Error messages while joining the domain
      Error messages while logging users into the domain
  Configuring Microsoft Event Viewer
    Configuring Event Viewer
    Using Event Viewer

Objective
This document describes how you can test your MSC against a known working Active Directory server. In this case, the AD server is hosted by Colubris Networks, behind a VPN server.

Procedure
You will configure your MSC to establish a PPTP VPN tunnel to the Colubris Technical Support VPN server, then configure your MSC to join the Support Active Directory server, and finally test authentication with a test account.

Assumptions
- The MSC5000-series controller is reset to factory defaults.
- The LAN subnet of the MSC must be 192.168.1.0.
- The MSC has access to the Internet.
- The MSC has software version 5.2.2 or higher installed.

Setting up your MSC

Step-1 Configure your MSC to reach the Internet
1. Connect your MSC to the Internet. It does not need a public IP address assignment, but the Internet router MUST permit an outbound PPTP connection to be established to the Colubris VPN server.
2. Test by pinging the Colubris Support VPN server IP at 216.191.122.205.
3. Under Service Controller > Network > Address Allocation, enable the DHCP server (used later for testing AD authentication).

Step-2 Pointing to the correct DNS server
In this exercise it is very important that you point to the DNS server that can resolve the lookup for the _ldap._tcp.support.colubris.com hostname. The MSC performs this lookup automatically in order to find the IP address of the Active Directory server. In this exercise the name should resolve to 10.10.10.4, the Active Directory server (which also happens to be the DNS server). So, for the MSC to join the Active Directory domain, you MUST override the default DNS settings on the MSC and point to 10.10.10.4 instead: the DNS server of the support.colubris.com domain is the only DNS server that can resolve the _ldap._tcp.support.colubris.com hostname.

NOTE: For more information on how this works, refer to the troubleshooting section at the end of the document.

Step-3 Configure a PPTP dynamic route to the Active Directory subnet
This is necessary to have a route back to the Active Directory server residing on the 10.10.10.0 network.
1. Under Service Controller > Network > IP Routes, add the following route for the PPTP Client:
   Destination: 10.10.10.0
   Mask: 255.255.255.0
NOTE: A reciprocal PPTP Server route to 192.168.1.0 was added to the Colubris Support VPN router, so that it can reach the private subnet (192.168.1.0) of the MSC as well. This is useful to know if you decide to set up your own Active Directory server behind a VPN router.

Step-4 Configure the VPN connection to the Colubris Test NOC
1. Under Service Controller > Security > PPTP Client, configure the following PPTP account information:
   PPTP Server address: 216.191.122.205
   Domain Name: test.com (must be a different domain from the Active Directory domain)
   Username: AD-user
   Password: colubris123
2. Enable the PPTP Client Configuration checkbox in the grey bar and click Save. (It should eventually show a green status light.)

Step-5 Do a ping test to the Active Directory/DNS server
This verifies that the Active Directory server is reachable for DNS requests and for joining: you should be able to successfully ping the Active Directory/DNS server at 10.10.10.4. If you cannot, go back over the previous steps and verify that:
a) You added the 10.10.10.4 DNS server to override the default.
b) You added the PPTP dynamic route.
c) The PPTP Client is successfully connected to the PPTP server.

Step-6 Joining your MSC to the Active Directory domain
1. Under Service Controller > Security > Active Directory, configure this page with the following values and CLICK SAVE:
   Device Name: MSC5000-XXXX (where XXXX must give an unused, unique device name, not already existing on the Active Directory server)
   Windows Domain: support.colubris.com (this is what's appended to the _ldap._tcp hostname used for the DNS lookup)
   Username: AD-test (this account must have administrative rights in order to add the MSC as a valid device to the Active Directory schema)
   Password: Colubris123
2. Then click Join Realm now and refresh the page until joined.
You have now successfully joined your MSC to Active Directory.

Testing an access-controlled user login (HTML)

Step-1 Activate Default AC Active Directory group attributes
1. Under Service Controller > Security > Active Directory, in the Active Directory groups attributes section, select the first choice, Default AC Active Directory group.

2. Check the Active checkbox and click Save. (This activates an authentication policy for Active Directory authentication requests.)

Step-2 Activate Active Directory authentication on the VSC
1. Under VSC > Colubris Networks VSC > HTML-based user logins > Authentication, select Remote, select the Active Directory radio button and click Save.

Step-3 Testing a HTML user login with Active Directory
1. Re-configure your laptop client for DHCP, so that you'll get an IP, DNS and gateway address from the MSC.
2. With either a wired or wireless connection to the MSC, open your browser; you should be presented with a HTML login page.
3. Log in with the following credentials:
   Username: AD-test
   Password: Colubris123
NOTE: At the end of your successful login testing, please disconnect your PPTP tunnel from the Colubris Support VPN router, so that others may also do their tests.

Testing a non-access-controlled user login (WPA)

Step-1 Activate Default non-AC Active Directory group attributes
1. Under Service Controller > Security > Active Directory, in the Active Directory groups attributes section, select the second choice, Default non-AC Active Directory group.

2. Check the Active checkbox and click Save. (This activates an authentication policy for Active Directory authentication requests.) Make sure that the access-controlled group is NOT selected.

Step-2 Activate Active Directory authentication on the VSC
1. Create a new VSC called Colubris-WPA and bind it under Default Group > VSC Bindings.
2. Under VSC > Colubris-WPA > Wireless Protection > Authentication, select Wireless Protection and Remote, select the Active Directory radio button and click Save.
3. Next, go to Service Controller > Security > 802.1x, increase the Supplicant time-out value to 30 seconds and click Save. This gives you time to enter your username and password when prompted by the Windows WPA supplicant.

Step-3 Testing a WPA user login with Active Directory
Warning: Non-access-controlled VSCs require a DHCP server on the network that the MAPs are connected to; otherwise users may accidentally get an IP address from the MSC instead of from the Internet gateway, or no IP address at all. This results in the user being authenticated but not getting access to the Internet.
1. Re-configure your laptop wireless client for DHCP, so that you'll get an IP, DNS and gateway address from the MSC.
2. Configure your Windows WPA supplicant with a new wireless profile:
   WPA-Enterprise
   Disable "Validate server certificate" (a lab shortcut: without it the supplicant cannot distinguish the real authentication server from another one)
   Disable "Use Windows logon account"
3. Make a wireless connection to Colubris-WPA.
4. Provide the login credentials:
   Username: AD-test
   Password: Colubris123
NOTE: At the end of your successful login testing, please disconnect your PPTP tunnel from the Colubris Support VPN router, so that others may also do their tests.

Troubleshooting Active Directory login failures
Troubleshooting Active Directory issues assumes that you generally only have access to the MSC itself and not to the AD server; therefore you will only be able to collect syslogs and traces to determine the cause of the failure. The troubleshooting below therefore focuses on the Colubris syslogs and traces.

How does the MSC join the Active Directory domain?
The MSC first does a DNS lookup to find the Active Directory server. It does this by combining the fixed name _ldap._tcp with the domain suffix support.colubris.com that you supplied. The DNS request for _ldap._tcp.support.colubris.com then gets a DNS response (from the Active Directory DNS server) with the IP address of the Active Directory server itself (in this case 10.10.10.4), and a Join Request is issued to 10.10.10.4, the Active Directory server.
NOTE: The AD server and the DNS server may be the same box, so both may resolve to the same IP address, which is fine.
Once the join request has completed successfully, the MSC appears in the Active Directory schema under Computers and is allowed to send Bind, Search and Authentication requests to the AD server.

How does the MSC make authentication requests?

For HTML-based authentications:
HTML-based login requests are proxied by the internal radiusd process, which makes LDAP Search and Bind requests, then uses Kerberos for the authentication request.
1. First, a DNS SRV request for _ldap._tcp.support.colubris.com is done to find the IP of the AD server. The DNS SRV response replies with 10.10.10.4.
2. A TCP connection is established with 10.10.10.4.
3. An LDAP SearchRequest is made to test the existence of the user account AD-test. The positive response is results=1.
4. An LDAP BindRequest (SASL) is made in order to make an authentication request using Kerberos. A saslBindInProgress response is received.
5. A DNS SRV request for the _kerberos._udp.support.colubris.com service is done. The DNS SRV response says to refer to the host demo.support.colubris.com in this case, and the IP address 10.10.10.4 is returned for this Kerberos SRV request.
6. The MSC now uses LDAP/Kerberos to perform authentication (AS-REQ) for the username AD-test. The result is a successful BindResponse message showing the accept-completed value.
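The SRV lookup described in Step-2 and in the two sections above, as an added example that is not part of the Colubris TechNote: a standard-library Python script that builds the DNS SRV query the MSC sends for _ldap._tcp.support.colubris.com (the same code serves the _kerberos._udp lookup), parses the answer including DNS compression pointers, and can be pointed at the 10.10.10.4 DNS server once the PPTP tunnel is up. The response bytes in build_sample_response() are constructed here, not a capture; the function names are this example's own.

```python
"""Added example, not from the Colubris TechNote: build the DNS SRV query the
MSC sends for _ldap._tcp.<domain> (and _kerberos._udp.<domain>) and parse the
answer. Standard library only. The sample response is constructed here; the
names and the 10.10.10.4 address are the ones used in the TechNote."""
import socket
import struct

QTYPE_A, QTYPE_SRV, QCLASS_IN = 1, 33, 1


def encode_name(name):
    """Encode a dotted name as length-prefixed DNS labels."""
    out = b"".join(struct.pack("!B", len(l)) + l.encode("ascii")
                   for l in name.rstrip(".").split("."))
    return out + b"\x00"


def build_srv_query(service, domain, txid=0x1234):
    """Recursive SRV query, e.g. service='_ldap._tcp', domain='support.colubris.com'."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    return header + encode_name(f"{service}.{domain}") + struct.pack("!HH", QTYPE_SRV, QCLASS_IN)


def decode_name(msg, offset):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end, jumped = [], offset, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                # compression pointer to an earlier name
            if not jumped:
                end = offset + 2
            jumped = True
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        if length == 0:
            if not jumped:
                end = offset + 1
            return ".".join(labels), end
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length


def parse_srv_response(msg):
    """Return rcode, SRV records and any glue A records from a DNS response."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a DNS response")
    offset = 12
    for _ in range(qd):                          # skip the echoed question
        _, offset = decode_name(msg, offset)
        offset += 4
    result = {"rcode": flags & 0x000F, "srv": [], "a": {}}
    for _ in range(an + ns + ar):
        name, offset = decode_name(msg, offset)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == QTYPE_SRV:
            prio, weight, port = struct.unpack("!HHH", msg[offset:offset + 6])
            target, _ = decode_name(msg, offset + 6)
            result["srv"].append({"name": name, "priority": prio, "weight": weight,
                                  "port": port, "target": target})
        elif rtype == QTYPE_A:
            result["a"][name] = socket.inet_ntoa(msg[offset:offset + 4])
        offset += rdlen
    return result


def query_srv(service, domain, dns_server, timeout=3.0):
    """Send the query over UDP/53 to dns_server (10.10.10.4 in the TechNote's setup)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_srv_query(service, domain), (dns_server, 53))
        data, _ = sock.recvfrom(4096)
    return parse_srv_response(data)


def build_sample_response():
    """Constructed answer (not a capture): one SRV record pointing at
    demo.support.colubris.com:389 plus a glue A record for 10.10.10.4.
    The 0xC0.. pointers exercise the decoder the way a real DC's answer does."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 1)
    question = encode_name("_ldap._tcp.support.colubris.com") + struct.pack("!HH", QTYPE_SRV, QCLASS_IN)
    domain_ptr = b"\xC0\x17"                     # -> "support.colubris.com" inside the question
    target = b"\x04demo" + domain_ptr
    srv_rdata = struct.pack("!HHH", 0, 100, 389) + target
    answer = b"\xC0\x0C" + struct.pack("!HHIH", QTYPE_SRV, QCLASS_IN, 600, len(srv_rdata)) + srv_rdata
    glue = target + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 600, 4) + socket.inet_aton("10.10.10.4")
    return header + question + answer + glue


if __name__ == "__main__":
    print(parse_srv_response(build_sample_response()))
    # Live check against the DC's DNS (only works with the PPTP tunnel and route in place):
    # print(query_srv("_ldap._tcp", "support.colubris.com", "10.10.10.4"))
```

Run from a host on the MSC's LAN with the DNS override in place, query_srv() reproduces what the controller does at join time: a timeout or an rcode of 3 (NXDOMAIN) from the resolver the MSC is using is the condition behind the "Unknown domain" join error described later in this document.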

For WPA/802.1x-based authentications:
WPA/802.1x login requests use LDAP for Search requests to gather and verify user account and group information, but no Bind or Kerberos authentication is employed. Instead, only a series of LDAP searches is done to find the user and his context; then the 802.1x client is permitted to use MS-CHAPv2 to send an authentication request directly to the NTLM NetLogon service on the AD server.
On startup the MSC performs a DNS lookup to find the Active Directory server. On subsequent requests this lookup is absent, because the value appears to be cached.
Many searches and responses take place in order to look up the username in various AD contexts. Finally, when the username and group searches are completely satisfied, the client supplicant is able to make an MS-CHAPv2 authentication request directly to the NTLM NetLogon service of the Active Directory server.
When the client receives a successful logon response, it is reported by radiusd and IPrules only in the syslog. No answer is seen in the clear on any trace.
Note: DCERPC messages are an indication that the client supplicant is making logon requests.

Error messages:
Here is a list of the most common messages you will encounter.

Error messages while joining the domain:
These messages appear in the syslog and in the red bar on the Active Directory page.

ERROR: Unknown domain
  err webs Join with domain failed: Unknown domain.
  - Check that the MSC is configured with the DNS IP of the domain controller. If not, it will never be able to resolve the _ldap._tcp. hostname correctly.
  - Make sure you've entered the domain suffix correctly. If the suffix is incorrect, the DNS request will fail.

ERROR: Unknown domain administrator
  err webs Join with domain failed: Unknown domain administrator.
  - Check the account name on Active Directory.
  - Check that the account has administrator privileges.

ERROR: Bad password
  err webs Join with domain failed: Bad password.
  - Check that the password is entered correctly.

Error messages while logging users into the domain:
These radiusd error messages only appear in the syslog at the debug or warning level. This is done so that all messages can be displayed while their importance is still distinguished by a prefix:
  A: means authentication
  I: means information
  E: means error

Wrong username:
  debug radiusd A:Invalid user (Local, Active Directory) or no Active Directory Group match
  - Check whether the account exists and is spelt correctly.
  - Check that the Active Directory group is enabled for access-controlled VSCs.
  Note: The Search results = 0, since the user account cannot be found.

Wrong password:
  warning radiusd Could not bind to AD; DNS unreachable? (Preauthentication failed)
  - This message is not obvious, but a pre-authentication failure means that Kerberos found the password to be incorrect for the username.
  debug radiusd E:rlm_ldap: AD-test bind to 10.10.10.4:636 failed Unknown error
  - This message is the consequence of the one above: the LDAP bind could not be completed and is reported as a failure.
  debug radiusd A:Login incorrect: [AD-test] (from client localhost port 1 cli 00-13-02-7E-20-C6)
  - This message is the result of the pre-authentication and Bind failures above; radiusd reports that the login account is valid but the password is wrong.
  Note: The Search results = 1, but the login subsequently failed because of the bad password.

WPA authentication messages:

Successful login:
  debug radiusd A:Login OK: [AD-test]
  - Indicates a successful authentication with WPA/802.1x.
  debug radiusd I:rlm_eap_mschapv2: Issuing Challenge
  - radiusd is sending an MS-CHAPv2 challenge to the 802.1x client, as part of the WPA/802.1x authentication process.

Wrong username and/or password:
  debug radiusd A:Login incorrect (rlm_mschap: Logon failure
  - This indicates that the client's credentials were not valid and the authentication failed.
  Note: Multiple MS-CHAPv2 requests may indicate the client's failure to authenticate.

Active Directory connection lost:
  debug radiusd E:rlm_ldap: ldap_search() failed: LDAP connection lost.
  - This means that Active Directory did not respond in time and the MSC will retry. This is not a serious error unless subsequent retries also fail continuously, which might indicate that a networking problem has occurred.
  debug radiusd I:rlm_ldap: Attempting reconnect
  - Indicates that radiusd will re-attempt a connection to the Active Directory server.
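As an added example (not from the TechNote) of turning the message list above into a check you can run over a saved syslog: the script classifies each radiusd/webs line against the messages documented in this section and summarises the two patterns the text says matter, repeated "LDAP connection lost" and repeated bad-password failures for one account. The sample syslog lines are constructed here from the message texts in this section, not a real capture; the cause codes, thresholds and function names are this example's own.

```python
"""Added example, not part of the Colubris TechNote: classify the radiusd and
webs syslog messages the TechNote documents and flag the patterns it says
matter. The sample syslog below is constructed for this example."""
import re
from collections import Counter

# (regex, cause code, meaning as documented in the TechNote). First match wins,
# so "Unknown domain administrator" must precede the bare "Unknown domain" rule.
RULES = [
    (r"Join with domain failed: Unknown domain administrator", "JOIN_ADMIN_ACCOUNT",
     "account name wrong on AD, or account lacks administrator privileges"),
    (r"Join with domain failed: Unknown domain", "JOIN_DNS_OR_SUFFIX",
     "MSC not using the DC's DNS, or wrong domain suffix: _ldap._tcp lookup fails"),
    (r"Join with domain failed: Bad password", "JOIN_BAD_PASSWORD",
     "join account password entered incorrectly"),
    (r"A:Invalid user \(Local, Active Directory\) or no Active Directory Group match",
     "USER_UNKNOWN_OR_NO_GROUP",
     "account missing/misspelt, or AD group not enabled for the VSC (search results = 0)"),
    (r"Could not bind to AD; DNS unreachable\? \(Preauthentication failed\)",
     "KERBEROS_PREAUTH_FAILED", "Kerberos rejected the password for this username"),
    (r"E:rlm_ldap: (?P<user>\S+) bind to \S+ failed", "LDAP_BIND_FAILED",
     "follow-on of the pre-authentication failure: LDAP bind not completed"),
    (r"A:Login incorrect: \[(?P<user>[^\]]+)\]", "WRONG_PASSWORD_HTML",
     "account valid but password wrong (search results = 1)"),
    (r"A:Login OK: \[(?P<user>[^\]]+)\]", "LOGIN_OK", "successful WPA/802.1x authentication"),
    (r"I:rlm_eap_mschapv2: Issuing Challenge", "MSCHAPV2_CHALLENGE",
     "MS-CHAPv2 challenge sent to the 802.1x client"),
    (r"A:Login incorrect \(rlm_mschap: Logon failure", "WRONG_CREDENTIALS_WPA",
     "802.1x client credentials rejected by NetLogon"),
    (r"E:rlm_ldap: ldap_search\(\) failed: LDAP connection lost", "LDAP_CONNECTION_LOST",
     "AD did not answer in time; MSC retries (serious only if it keeps repeating)"),
    (r"I:rlm_ldap: Attempting reconnect", "LDAP_RECONNECT",
     "radiusd re-attempting the AD connection"),
]


def classify(line):
    """Map one syslog line to a cause code; UNCLASSIFIED when no documented message matches."""
    for pattern, cause, meaning in RULES:
        m = re.search(pattern, line)
        if m:
            return {"cause": cause, "meaning": meaning, "user": m.groupdict().get("user")}
    return {"cause": "UNCLASSIFIED", "meaning": "not a message described in the TechNote",
            "user": None}


def summarize(lines, lost_threshold=3, fail_threshold=3):
    """Count causes across a syslog extract and raise the alerts a defender would want."""
    counts, failures_per_user, alerts = Counter(), Counter(), []
    for line in lines:
        if not line.strip():
            continue
        c = classify(line)
        counts[c["cause"]] += 1
        if c["cause"] in ("WRONG_PASSWORD_HTML", "WRONG_CREDENTIALS_WPA") and c["user"]:
            failures_per_user[c["user"]] += 1
    if counts["LDAP_CONNECTION_LOST"] >= lost_threshold:
        alerts.append(f"LDAP connection lost {counts['LDAP_CONNECTION_LOST']}x: "
                      "check the PPTP tunnel, the 10.10.10.0/24 route and the DC")
    for user, n in failures_per_user.items():
        if n >= fail_threshold:
            alerts.append(f"{n} bad-password failures for {user}: lockout risk, review the source client")
    return {"counts": counts, "alerts": alerts}


# Constructed sample (message texts as listed in the TechNote; not a real capture)
SAMPLE_SYSLOG = """\
err webs Join with domain failed: Unknown domain.
debug radiusd A:Invalid user (Local, Active Directory) or no Active Directory Group match
warning radiusd Could not bind to AD; DNS unreachable? (Preauthentication failed)
debug radiusd E:rlm_ldap: AD-test bind to 10.10.10.4:636 failed Unknown error
debug radiusd A:Login incorrect: [AD-test] (from client localhost port 1 cli 00-13-02-7E-20-C6)
debug radiusd I:rlm_eap_mschapv2: Issuing Challenge
debug radiusd A:Login OK: [AD-test]
debug radiusd E:rlm_ldap: ldap_search() failed: LDAP connection lost.
debug radiusd I:rlm_ldap: Attempting reconnect
debug radiusd E:rlm_ldap: ldap_search() failed: LDAP connection lost.
debug radiusd E:rlm_ldap: ldap_search() failed: LDAP connection lost.
"""

if __name__ == "__main__":
    report = summarize(SAMPLE_SYSLOG.splitlines())
    for cause, n in sorted(report["counts"].items()):
        print(f"{n:3d}  {cause}")
    for alert in report["alerts"]:
        print("ALERT:", alert)
```

Feed it the syslog exported from the MSC (one message per line) and read the counts alongside the explanations in this section; the order of the rules matters, because the join message "Unknown domain administrator" also contains the text of the plain "Unknown domain" message.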

Configuring Microsoft Event Viewer:
If you have access to the Active Directory server, you can also configure MS Event Viewer to display logon failures as well as successes. This may provide additional insight into failed logon attempts.

Configuring Event Viewer:
1) Go to Start --> All Programs --> Administrative Tools --> Domain Controller Security Policy.
2) Go to Local Policies --> Audit Policy and double-click "Audit account logon events".
3) Select Success and Failure for logon attempts.

4) Go to Local Policies --> Audit Policy and double-click "Audit logon events".
5) Select Success and Failure for logon attempts.

Using Event Viewer:
6) You can view the login attempts (successful and failed) in Event Viewer, under Security.
Example login attempt:
A) You can see a record of the SUCCESSFUL login attempt.