01-12-2011 12:07 PM - edited 07-03-2021 07:39 PM
I have an XP machine that cannot log onto a 2003 domain with a certain name. I have narrowed it down to the name and to wireless. If I put this on the wire it works fine, and if I change the name it works fine on wireless. Due to our naming convention this machine needs to be named this and I cannot change it. I have included the debug log but I cannot make heads or tails of it. Has anyone else had similar problems, and what did you do to resolve it?
01-12-2011 12:29 PM
From the debug:
Jan 12 11:08:46.501: 00:26:82:a4:65:15 Processing Access-Reject for mobile 00:26:82:a4:65:15
The AAA server rejected the client for some reason. Please check the logs of the AAA and see why it failed the client.
Why it works when you change the name of the machine, that is a good question. The two may be related.
Cheers,
Steve
Please remember to rate helpful posts
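As an added illustration (not part of the original thread), the following Python script parses WLC debug output in the same shape as the line Steve quoted above and tallies Access-Accept and Access-Reject results per client MAC, so the client that keeps being rejected stands out before going to the AAA server logs. The debug lines inside the script are constructed for the example, and the exact message wording is assumed to follow the quoted line.

```python
import re
from collections import defaultdict

# Constructed sample WLC debug output (timestamp, client MAC, message), made up for
# this example in the same format as the line quoted in the thread.
SAMPLE_DEBUG = """\
Jan 12 11:08:46.123: 00:26:82:a4:65:15 Sending EAP Request from AAA to mobile 00:26:82:a4:65:15 (EAP Id 3)
Jan 12 11:08:46.501: 00:26:82:a4:65:15 Processing Access-Reject for mobile 00:26:82:a4:65:15
Jan 12 11:08:47.002: 00:1c:bf:12:34:56 Processing Access-Accept for mobile 00:1c:bf:12:34:56
Jan 12 11:08:52.774: 00:26:82:a4:65:15 Processing Access-Reject for mobile 00:26:82:a4:65:15
Jan 12 11:09:01.010: 00:26:82:a4:65:15 Processing Access-Reject for mobile 00:26:82:a4:65:15
"""

# Assumed line layout: "<Mon> <day> <HH:MM:SS.mmm>: <mac> <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2} \d{2}:\d{2}:\d{2}\.\d{3}): "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) "
    r"(?P<msg>.*)$"
)


def parse_debug(text):
    """Yield (timestamp, mac, message) for every line that matches the debug format."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.group("ts"), m.group("mac"), m.group("msg")


def aaa_results(text):
    """Count Access-Accept and Access-Reject messages per client MAC."""
    counts = defaultdict(lambda: {"accept": 0, "reject": 0})
    for _, mac, msg in parse_debug(text):
        if "Processing Access-Reject" in msg:
            counts[mac]["reject"] += 1
        elif "Processing Access-Accept" in msg:
            counts[mac]["accept"] += 1
    return dict(counts)


def rejected_clients(text, min_rejects=1):
    """MACs with at least min_rejects rejects and no accept: the ones to look up on the AAA server."""
    return sorted(
        mac for mac, c in aaa_results(text).items()
        if c["reject"] >= min_rejects and c["accept"] == 0
    )


if __name__ == "__main__":
    for mac, c in aaa_results(SAMPLE_DEBUG).items():
        print(f"{mac}: accept={c['accept']} reject={c['reject']}")
    print("clients to check on the AAA server:", rejected_clients(SAMPLE_DEBUG, 2))
```

Feed it the saved output of the client debug instead of the constructed text; the MAC list it returns is what to search for in the AAA server's failed-attempts log to get the actual rejection reason.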
01-12-2011 12:44 PM
Thank you for the response!
I am by no means an avid ACS user, but when I look in the ACS at the failed authentication it shows "External DB user invalid or bad password". Is this the log you are referring to? When trying to look up any information on this error, all I get is to check the config of the supplicant. I know this machine works if I change the name or plug it into the wire, so I know the config is good.
01-12-2011 01:01 PM
Take a look at the wireless config on that client. Do you have the Machine authentication configured? I'd try toggling that setting.
When you see the External DB error, there are a couple of things it could be:
1.) truly a bad password
2.) ACS hasn't been told what directory to check on non-internal accounts
3.) Windows using the cached credentials, with a non-domain login to the profile
Cheers,
Steve
Please remember to rate helpful posts
01-13-2011 05:02 AM
That is the part that gets sticky with me.
1.) truly a bad password
If this was the case then changing the name would still render the computer useless, wouldn't it? In this scenario if I change the computer name the wireless works fine, so I would assume the certificate is installed correctly.
2.) ACS hasn't been told what directory to check on non-internal accounts
This is an internal computer, and again changing the name works fine: changing it from xx-xx-ms20 to xx-xx-ms33 allows it to work fine. I chose 33 because the last computer in that lab is 32.
3.) Windows using the cached credentials, with a non-domain login to the profile
I cannot even log in, as it says "domain not available".
There is nowhere that ACS or WCS stores a computer name as disabled or something like that, is there? I see a disabled list in ACS but nothing is in there, but I was curious if there was a super secret hiding place Cisco put in that I can't seem to find.
Also, thank you for all your help.
01-13-2011 07:09 AM
No, there is nowhere the WLC/WCS holds the username, at least not to proxy the authentication with. In ACS, there would be the dynamic user mapping, but the error message is showing that there should be an AD check happening.
The truly odd thing to me, is that when you change the machine name it works. IMO, that would point at something in the machine account in AD.
Cheers,
Steve
Please remember to rate helpful posts