Computer on wireless cannot log onto domain but if i change name it works.

rsander
Level 1

I have an XP machine that cannot log onto a 2003 domain with a certain name. I have narrowed it down to the name and to wireless. If I put this on the wire it works fine, and if I change the name it works fine on wireless. Due to our naming convention this machine needs to be named this and I cannot change it. I have included the debug log, but I cannot make heads or tails of it. Has anyone else had similar problems, and what did you do to resolve it?

5 Replies

Stephen Rodriguez
Cisco Employee

From the debug:

Jan 12 11:08:46.501: 00:26:82:a4:65:15 Processing Access-Reject for mobile 00:26:82:a4:65:15

The AAA server rejected the client for some reason. Please check the logs of the AAA server and see why it failed the client.

Why it works when you change the name of the machine, that is a good question. The two may be related.

Cheers,

Steve

Please remember to rate helpful posts

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered

rsander
Level 1

Thank you for the response!

I am by no means an avid ACS user, but when I look in ACS at the failed authentication it shows "External DB user invalid or bad password". Is this the log you are referring to? When trying to look up any information on this error, all I get is to check the config of the supplicant. I know this machine works if I change the name or plug it into the wire, so I know the config is good.

Stephen Rodriguez
Cisco Employee

Take a look at the wireless config on that client. Do you have machine authentication configured? I'd try toggling that setting.

When you see the External DB error, there are a couple of things it could be:

1.) truly a bad password

2.) ACS hasn't been told what directory to check on non-internal accounts

3.) Windows using the cached credentials, with a non-domain login to the profile

Cheers,

Steve

rsander
Level 1

That is the part that gets sticky with me.

1.) truly a bad password

     If this were the case, then changing the name would still render the computer useless, wouldn't it? In this scenario, if I change the computer name the wireless works fine, so I would assume the certificate is installed correctly.

2.) ACS hasn't been told what directory to check on non-internal accounts

     This is an internal computer, and again changing the name works fine: changing it from xx-xx-ms20 to xx-xx-ms33 allows it to work fine. I chose 33 because the last computer in that lab is 32.

3.) Windows using the cached credentials, with a non-domain login to the profile

     I cannot even log in, as it says "domain not available".

There is nowhere that ACS or WCS stores a computer name as disabled or something like that, is there? I see a disabled list in ACS but nothing is in there, but I was curious whether there is a super secret hiding place Cisco put in that I can't seem to find.

Also, thank you for all your help.

Stephen Rodriguez
Cisco Employee

No, there is nowhere the WLC/WCS holds the username, at least not to proxy the authentication with. In ACS, there would be the dynamic user mapping, but the error message is showing that there should be an AD check happening.

The truly odd thing to me is that when you change the machine name it works. IMO, that would point at something in the machine account in AD.

Cheers,

Steve
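Steve's three-item checklist (bad password, ACS not pointed at the directory, cached credentials) and his closing conclusion that the failure points at the machine account in AD both come down to comparing the computer objects for the failing and the working name. The script below is an added example, not code from this thread or from Cisco: it maps the PEAP machine identity (host/fqdn) to the sAMAccountName ACS looks up, decodes the userAccountControl bits that matter, checks dNSHostName/SPN consistency, and looks for the same HOST/ SPN registered on a second object. The domain corp.example, the account names and the stale LAB-OLD-07$ object are constructed for illustration; nothing in the thread says this is what happened on the poster's domain.

```python
"""Compare AD computer accounts behind an 802.1X machine-auth failure (added example).

Every attribute value below is constructed for illustration, not real directory data.
"""
from dataclasses import dataclass, field
from typing import Dict, List

DOMAIN = "corp.example"  # assumed domain name, not from the thread

# Standard userAccountControl flag bits.
ACCOUNTDISABLE = 0x0002
PASSWD_NOTREQD = 0x0020
WORKSTATION_TRUST_ACCOUNT = 0x1000


@dataclass
class ComputerAccount:
    """The handful of attributes that matter for machine authentication."""
    sam_account_name: str                  # e.g. "XX-XX-MS20$"
    dns_host_name: str                     # dNSHostName
    user_account_control: int              # userAccountControl
    service_principal_names: List[str] = field(default_factory=list)


def machine_identity_to_sam(identity: str) -> str:
    """Map the EAP identity Windows sends for machine auth (host/fqdn) to the sAMAccountName."""
    if not identity.lower().startswith("host/"):
        raise ValueError("not a machine identity: " + identity)
    short = identity[len("host/"):].split(".", 1)[0]
    return short.upper() + "$"


def check_account(acct: ComputerAccount, domain: str,
                  directory: List[ComputerAccount]) -> List[str]:
    """Return human-readable findings; an empty list means nothing looks wrong."""
    findings: List[str] = []
    short = acct.sam_account_name.rstrip("$")
    fqdn = f"{short}.{domain}".lower()
    uac = acct.user_account_control

    if uac & ACCOUNTDISABLE:
        findings.append("account is disabled (userAccountControl bit 0x2)")
    if not uac & WORKSTATION_TRUST_ACCOUNT:
        findings.append("missing WORKSTATION_TRUST_ACCOUNT (0x1000): not a machine account")
    if uac & PASSWD_NOTREQD:
        findings.append("PASSWD_NOTREQD set: machine password policy is off")
    if acct.dns_host_name.lower() != fqdn:
        findings.append(f"dNSHostName {acct.dns_host_name!r} does not match expected {fqdn!r}")

    own_spns = {s.lower() for s in acct.service_principal_names}
    if f"host/{fqdn}" not in own_spns:
        findings.append(f"missing SPN HOST/{fqdn}")

    # A second object carrying the same HOST/ SPN (typically a stale account left
    # behind by a rename or re-image) makes Kerberos for this name ambiguous.
    for other in directory:
        if other is acct:
            continue
        dup = own_spns & {s.lower() for s in other.service_principal_names}
        if dup:
            findings.append(f"SPN(s) {sorted(dup)} also registered on {other.sam_account_name}")
    return findings


# Constructed directory: the failing name, the working name, and a stale
# object that still carries the failing name's HOST/ SPN.
DIRECTORY = [
    ComputerAccount("XX-XX-MS20$", "xx-xx-ms20.corp.example", WORKSTATION_TRUST_ACCOUNT,
                    ["HOST/xx-xx-ms20.corp.example", "HOST/XX-XX-MS20"]),
    ComputerAccount("XX-XX-MS33$", "xx-xx-ms33.corp.example", WORKSTATION_TRUST_ACCOUNT,
                    ["HOST/xx-xx-ms33.corp.example", "HOST/XX-XX-MS33"]),
    ComputerAccount("LAB-OLD-07$", "lab-old-07.corp.example",
                    WORKSTATION_TRUST_ACCOUNT | ACCOUNTDISABLE,
                    ["HOST/lab-old-07.corp.example", "HOST/xx-xx-ms20.corp.example"]),
]


def run_checks(directory: List[ComputerAccount] = DIRECTORY,
               domain: str = DOMAIN) -> Dict[str, List[str]]:
    """Run check_account over every object and key the findings by sAMAccountName."""
    return {a.sam_account_name: check_account(a, domain, directory) for a in directory}


if __name__ == "__main__":
    failing = machine_identity_to_sam("host/xx-xx-ms20.corp.example")
    for name, findings in run_checks().items():
        marker = "OK" if not findings else ("<-- failing client" if name == failing else "")
        print(name, marker)
        for f in findings:
            print("   -", f)
```

In a real directory the attributes would come from something like `ldapsearch -x -b "dc=corp,dc=example" "(sAMAccountName=XX-XX-MS20$)" userAccountControl dNSHostName servicePrincipalName` (or dsquery/adsiedit on a 2003 DC), and ACS's own Failed Attempts report stays the first place to look, since it names which external database check failed.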