802.1x EAP-TLS on Alcatel-Lucent VoIP-Phones with NPS 2016

  • Question

  • Hello,

    we are currently trying to bring up AAA via dot1x with our Alcatel-Lucent VoIP-Phones and Microsoft's NPS 2016. EAP-TLS with certificates is supported and certificates with the correct chain were imported on the phones.

    But if we take a look into the Event Manager of NPS we can see that there is a request for an AD user account named like the phone. So we created this user account in AD as well. But Event Manager throws Event 6272 with Code 16 "Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect."

    So we're considering that the user account is searched and selected correctly, but the password might be wrong. Alcatel tells a lot about "using the MAC address as the password" (but in fact only for MAC Bypass mode) or using the username or just the string "password".

    Taking a closer look in Wireshark shows that there might not be a password in the RADIUS request? Here is a short snippet.

    AVP: l=8 t=User-Name(1): ALCIPT
    AVP: l=6 t=Service-Type(6): Framed(2)
    AVP: l=27 t=Vendor-Specific(26) v=ciscoSystems(9)

    Normally, for example on other Windows machines, there will be an encrypted password AVP right behind the user name. Is this the correct behaviour? Any ideas? Can we ignore the password in NPS? Is this a topic for Alcatel?

    Thanks and regards,

    Jochen


    Best regards, Jochen Reinecke (MCSA Windows Server 2012)

    Tuesday, April 24, 2018 7:06 PM

Answers

  • Hi,
    we were finally able to get a solution. As Michael said, the password isn't necessary at all. The machine certificate must be linked to the user account in Active Directory.
    Thanks for your assistance!
    Regards,
    Jochen
    Thursday, April 26, 2018 7:52 AM
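
Why the capture in the question shows no password attribute, as an added example that is not part of the original thread: with EAP, the Access-Request carries EAP-Message (79) and Message-Authenticator (80) attributes instead of User-Password (2). The function names and both sample packets are constructed for illustration, and the authenticator fields are zero-filled dummies.

```python
import struct

# RADIUS attribute types (RFC 2865, RFC 3579) and a few EAP method types
USER_NAME, USER_PASSWORD, CHAP_PASSWORD = 1, 2, 3
EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 79, 80
EAP_TYPES = {1: "Identity", 13: "EAP-TLS", 25: "PEAP"}

def parse_avps(packet: bytes) -> list:
    """Return the (type, value) pairs of a RADIUS packet, checking every length."""
    length = struct.unpack("!H", packet[2:4])[0] if len(packet) >= 20 else 0
    if not 20 <= length <= len(packet):
        raise ValueError("truncated packet or bad header length field")
    avps, pos = [], 20
    while pos < length:
        alen = packet[pos + 1] if pos + 2 <= length else 0
        if alen < 2 or pos + alen > length:
            raise ValueError(f"malformed attribute at offset {pos}")
        avps.append((packet[pos], packet[pos + 2:pos + alen]))
        pos += alen
    return avps

def classify(packet: bytes) -> dict:
    """Report which authentication method an Access-Request carries."""
    avps = parse_avps(packet)
    types = {t for t, _ in avps}
    # One EAP packet may be split over several EAP-Message AVPs: join them in order.
    eap = b"".join(v for t, v in avps if t == EAP_MESSAGE)
    user = next((v.decode("utf-8", "replace") for t, v in avps if t == USER_NAME), None)
    method = ("EAP" if eap else "PAP" if USER_PASSWORD in types
              else "CHAP" if CHAP_PASSWORD in types else "none")
    # EAP header: code, id, 2-byte length; Request(1)/Response(2) then carry a type byte.
    has_type = len(eap) >= 5 and eap[0] in (1, 2)
    return {"user": user, "method": method,
            "eap_type": EAP_TYPES.get(eap[4], f"type {eap[4]}") if has_type else None,
            "has_password_avp": USER_PASSWORD in types,
            "has_message_authenticator": MESSAGE_AUTHENTICATOR in types}

def avp(atype: int, value: bytes) -> bytes:
    return bytes([atype, len(value) + 2]) + value

def access_request(*avps: bytes) -> bytes:
    body = b"".join(avps)
    return struct.pack("!BBH", 1, 1, 20 + len(body)) + bytes(16) + body

# Constructed samples; authenticator and Message-Authenticator are zero-filled dummies.
EAP_IDENTITY = struct.pack("!BBHB", 2, 1, 11, 1) + b"ALCIPT"
PHONE_REQUEST = access_request(avp(USER_NAME, b"ALCIPT"), avp(6, struct.pack("!I", 2)),
    avp(EAP_MESSAGE, EAP_IDENTITY), avp(MESSAGE_AUTHENTICATOR, bytes(16)))
PAP_REQUEST = access_request(avp(USER_NAME, b"alice"), avp(USER_PASSWORD, bytes(16)))
print(classify(PHONE_REQUEST), classify(PAP_REQUEST), sep="\n")
```

The first request of an EAP-TLS exchange reports `Identity`; the following rounds carry EAP type 13.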

All replies

  • Hi,

    Had the same issue.
    This is the expected behavior. If you have an ALCIPT user in your AD and it is unlocked, it should work; nevertheless, the password will not be checked.

    We have some issues regarding EAP on NPS here, so it would be nice if you could keep us updated here as you make some progress.

    regards Michael

    Wednesday, April 25, 2018 5:54 AM
  • Hi.

    Facing the same situation.

    Where did you get the matching certificate from? Guess I need to somehow trust the certificate in the Alcatel-Lucent VoIP-Phones in the NPS, right?

    Thanks

    Regards,

    Rob

    Friday, June 5, 2020 10:30 AM