Hello,
we are currently trying to bring up AAA via dot1x with our Alcatel-Lucent VoIP-Phones and Microsofts NPS 2016. EAP-TLS with Certificates is supported and certificates with the correct chain were imported on the phones.
But if we take a look into the Event Manager of NPS we can see that there is a request for an ad-user account named like the phone. So we created this user account in AD, as well. But Event Manager throws Event 6272 with Code 16 "Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect."
So we're considering, that the user account is searched and selected correctly but the Password might be wrong. Alcatel tells a lot about "using the mac address as the password" (but in fact only for MAC Bypass mode) or using the userneme or just the a string "password".
Taking a closer look in wireshark Shows that there might not be a Password in the RADIUS-Requst? Here is a short snipped.
AVP: l=8 t=User-Name(1): ALCIPT
AVP: l=6 t=Service-Type(6): Framed(2)
AVP: l=27 t=Vendor-Specific(26) v=ciscoSystems(9)
Normally, for example on other Windows machines, there will be a encrypted Password AVP right behind the user Name. Is this the correct behaviour? Any ideas? Can we ignore the Password in NPS? Is this a Topic for Alcatel?
Thanks and regards,
Jochen