none
802.1x EAP-TLS on Alcatel-Lucent VoIP-Phones with NPS 2016

    Pregunta

  • Hello,

    we are currently trying to bring up AAA via dot1x with our Alcatel-Lucent VoIP-Phones and Microsofts NPS 2016. EAP-TLS with Certificates is supported and certificates with the correct chain were imported on the phones.

    But if we take a look into the Event Manager of NPS we can see that there is a request for an ad-user account named like the phone. So we created this user account in AD, as well. But Event Manager throws Event 6272 with Code 16 "Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect."

    So we're considering, that the user account is searched and selected correctly but the Password might be wrong. Alcatel tells a lot about "using the mac address as the password" (but in fact only for MAC Bypass mode) or using the userneme or just the a string "password".

    Taking a closer look in wireshark Shows that there might not be a Password in the RADIUS-Requst? Here is a short snipped.

    AVP: l=8 t=User-Name(1): ALCIPT
    AVP: l=6 t=Service-Type(6): Framed(2)
    AVP: l=27 t=Vendor-Specific(26) v=ciscoSystems(9)

    Normally, for example on other Windows machines, there will be a encrypted Password AVP right behind the user Name. Is this the correct behaviour? Any ideas? Can we ignore the Password in NPS? Is this a Topic for Alcatel?

    Thanks and regards,

    Jochen


    Viele Grüße<br/> <br/> Jochen Reinecke (MCSA Windows Server 2012)

    martes, 24 de abril de 2018 19:06

Respuestas

  • Hi,
    we were able to finally get a solution. Like Michael told, the Password isn't necessary at all. The machine certificate must be linked to the user account in active directory.
    Thanks for your assistance!
    Regards,
    Jochen
    jueves, 26 de abril de 2018 7:52

Todas las respuestas

  • Hi,

    Had the same issue.
    It is the behavior which is expected, if you have an ALCIPT User in your AD and it is unlocked it should work, never the less the password will not be checked.

    We have some issues regarding the EAP on NPS here, so it be nice if you can keep us updated here as you make some progress.

    regards Michael

    miércoles, 25 de abril de 2018 5:54
  • Hi,
    we were able to finally get a solution. Like Michael told, the Password isn't necessary at all. The machine certificate must be linked to the user account in active directory.
    Thanks for your assistance!
    Regards,
    Jochen
    jueves, 26 de abril de 2018 7:52