RADIUS authentication responding with 'STATUS_WRONG_PASSWORD' despite Troubleshooting confirming password is correct


emailsbecker
Contributor (0)
Jun 8, 2016 2:19pm
Hi all,

I have a Pulse MAGX600 System Version 5.2R4 (build 32167) with RADIUS license that I'm trying to configure for our network of Alcatel routers and switches. One of the complexities we're working with is that we want to have different levels of access (for NOC staff versus engineers). While testing configurations in our lab I was able to get it to work with just 1 level of access but I may have broken something while trying to configure it to respond with different levels of access.

I've configured profiles on the routers and configured the Pulse to return the RADIUS Attributes required to assign the accounts to the correct profiles, but when I try to log in with either our NOC or Engineer accounts the Pulse logs show they fail with WRONG PASSWORD. But the Pulse box is able to join our domain and authenticate users. When I go to "Auth Servers -> Domain -> Troubleshooting" both Basic Verification and Test User Verification work just fine. When I enter a username/password I do get information showing the user authenticated, and I am given a list of what groups that user is a part of. So it's able to authenticate using the username and password.

I know the issue is NOT that the Alcatel is encrypting the password before sending it to the Pulse box because (a) it's not possible to configure the Alcatel to do that, and (b) we haven't changed the config on the Alcatel and it was working before. The only thing I can think of is that the Pulse's error message of 'STATUS_WRONG_PASSWORD' is some kind of catch-all response that covers multiple error cases.

Here's an example of what I see in the Pulse logs:

Info EAM24806 2016-06-08 10:03:09 - ic - [127.0.0.1] DOMAINnocuser(LAB_REALM)[] - RADIUS authentication rejected for nocuser (realm 'LAB_REALM') from location-group 'LAB' and attributes are: NAS-IP-Address = 10.1.1.1.210,NAS-Port-Type = 5

Info AUT23457 2016-06-08 10:03:09 - ic - [127.0.0.1] DOMAINnocuser(LAB_REALM)[] - Login failed using auth server Team (Active Directory). Reason: Failed

Info AUT24327 2016-06-08 10:03:09 - ic - [127.0.0.1] DOMAINnocuser(LAB_REALM)[] - Primary authentication failed for DOMAINnocuser/Domain from endpoint using 802.1X authentication

Info AUT30923 2016-06-08 10:03:09 - ic - [0.0.0.0] nocuser(LAB_REALM)[] - Active Directory authentication server 'Domain' : Received NTSTATUS code 'STATUS_WRONG_PASSWORD' .

I'll be asking one of my coworkers to see if they can pull any information on what the domain controller is seeing. In the meantime, if anyone can shed some light on this please do. Thanks!



emailsbecker
Contributor (0)
Jun 8, 2016 2:44pm
Well ... disregard this whole post. It turns out that (a) I misunderstood a line of config in the Alcatels and that it is possible to modify the encryption of the password as it sends it to the Pulse box, and (b) the passwords didn't match on the Alcatel and the Pulse box.

We actually purchased three of the Pulse boxes so we could have redundancy and a spare, and after getting RADIUS working with one level of authentication I decided to leave that as it was and attempt the multiple-level config on a different Pulse box. It turns out that Pulse box had a typo in its password. Once that was corrected authentication started working correctly.