Jun 8, 2016 2:19pm
I have a Pulse MAGX600 System Version 5.2R4 (build 32167) with RADIUS license that I'm trying to configure for our network of Alcatel routers and switches. One of the complexities we're working with is that we want to have different levels of access (for NOC staff versus engineers). While testing configurations in our lab I was able to get it to work with just 1 level of access but I may have broken something while trying to configure it to respond with different levels of access.
I've configured profiles on the routers and configured the Pulse to return the RADIUS Attributes required to assign the accounts to the correct profiles, but when I try to log in with either our NOC or Engineer accounts the Pulse logs show they fail with WRONG PASSWORD. But the Pulse box is able to join our domain and authenticate users. When I go to "Auth Servers -> Domain -> Troubleshooting" both Basic Verification and Test User Verification work just fine. When I enter a username/password I do get information showing the user authenticated, and I am given a list of what groups that user is a part of. So it's able to authenticate using the username and password.
I know the issue is NOT that the Alcatel is encrypting the password before sending it to the Pulse box because (a) it's not possible to configure the Alcatel to do that, and (b) we haven't changed the config on the Alcatel and it was working before. The only thing I can think of is that the Pulse's error message of 'STATUS_WRONG_PASSWORD' is some kind of catch-all response that covers multiple error cases.
Here's an example of what I see in the Pulse logs:
Info EAM24806 2016-06-08 10:03:09 - ic - [127.0.0.1] DOMAINnocuser(LAB_REALM) - RADIUS authentication rejected for nocuser (realm 'LAB_REALM') from location-group 'LAB' and attributes are: NAS-IP-Address = 10.1.1.1.210,NAS-Port-Type = 5
Info AUT23457 2016-06-08 10:03:09 - ic - [127.0.0.1] DOMAINnocuser(LAB_REALM) - Login failed using auth server Team (Active Directory). Reason: Failed
Info AUT24327 2016-06-08 10:03:09 - ic - [127.0.0.1] DOMAINnocuser(LAB_REALM) - Primary authentication failed for DOMAINnocuser/Domain from endpoint using 802.1X authentication
Info AUT30923 2016-06-08 10:03:09 - ic - [0.0.0.0] nocuser(LAB_REALM) - Active Directory authentication server 'Domain' : Received NTSTATUS code 'STATUS_WRONG_PASSWORD' .
I'll be asking one of my coworkers to see if they can pull any information on what the domain controller is seeing. In the mean time if anyone can shed some light on this please do. Thanks!