LDAP retries authentication periodically - AD and MX68

JackCheung
New here

Hi all. First post, sorry if it's been asked. (I did a search but found nothing.)

We have MX95 firewalls and Active Directory integration for authenticating our AnyConnect users. We are seeing the occasional login failure from the service account used for LDAP integration. The event on the DC shows:

===================================

An account failed to log on.
 
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
 
Logon Type: 3
 
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: ldap.accountname
Account Domain: WORKGROUP
 
Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xC000006D
Sub Status: 0xC0000064
===================================
 
This event shows every time the DC gets rebooted, and occasionally appears randomly too. The event shows once but only once in a blue moon. In other words the password is OK and never changes, it just gets rejected occasionally.
 
Does anyone else get these? Or does anyone know what could be the cause?
 
Thanks.

4 Replies
alemabrahao
Kind of a big deal

Did you check if after the server was restarted all services went up properly?

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

Hi. Yes, they start fine. Is it a timing thing - is the authentication attempt happening too quickly, before the server gets fully up to speed?

PhilipDAth
Kind of a big deal

Is this definitely the account being used by the MX, rather than users typing in the wrong password when they authenticate?

Going sideways - do you have Office 365? Have you considered authenticating against that directly instead?
https://documentation.meraki.com/MX/Client_VPN/AnyConnect_on_the_MX_Appliance/AnyConnect_Azure_AD_SA... 

Hi. I don't think it is a user attempting to log in with that username. It happens each time I reboot a DC. Also the source workstation in the event message shows as the Meraki MAC address (preceded with an M). And the logon attempt shows as "WORKGROUP" as opposed to our domain name, leading me to think it is coming from the firewall.

(BTW it's an MX95, not MX68 as originally posted. Corrected now. Got confused with another MX we've got.)

Never considered the Azure/Entra authentication option. Looks like you need to get it enabled via a support ticket. Will do some reading into it though, thanks. However I get the nagging feeling it ought to "just work" as it is.
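The thread turns on two questions a defender has to answer from the DC's Security log before chasing a cause: are the 4625 failures really the MX's LDAP service account (the original post's event shows Account Domain WORKGROUP, Sub Status 0xC0000064, and the reply above adds the Meraki-MAC workstation name as a tell), and do they line up with DC reboots or show up on their own? The Python below is an added example written for this thread, not code from the original posts or from Meraki. It parses the event text in the same layout the first post pasted, maps the NTSTATUS sub-status codes to their standard meanings, and splits the failures into "service account within N minutes of a DC boot", "service account, unexplained" and "other account". The event bodies, boot timestamps and the workstation name `M00-18-0A-11-22-33` are constructed sample data, and `ldap.accountname` is the placeholder name used in the original post.

```python
import re
from datetime import datetime, timedelta

# Standard 4625 sub-status meanings (NTSTATUS values, not page-specific).
SUB_STATUS = {
    "0xC0000064": "user name does not exist",
    "0xC000006A": "wrong password",
    "0xC0000234": "account locked out",
    "0xC0000072": "account disabled",
    "0xC000006F": "outside permitted logon hours",
    "0xC0000070": "workstation restriction",
    "0xC0000193": "account expired",
    "0xC0000071": "password expired",
}

# Fields worth pulling out of the 4625 body; "Sub Status" must precede "Status"
# in the alternation so the anchored match does not stop at the shorter name.
FIELD_RE = re.compile(
    r"^\s*(Account Name|Account Domain|Sub Status|Status|Logon Type|Workstation Name):\s*(.*)$",
    re.M,
)


def parse_4625(body):
    """Return the fields of one 4625 event body as a dict.

    The 'Subject' section lists Account Name/Domain first (usually '-'), and the
    'Account For Which Logon Failed' section repeats them with the real values,
    so the last occurrence of each field wins.
    """
    fields = {}
    for key, val in FIELD_RE.findall(body):
        fields[key] = val.strip()
    return fields


def classify(event_time, body, service_account, expected_workstation,
             boot_times, window_minutes=10):
    """Label one failure: whose account, why, and whether it follows a DC boot."""
    f = parse_4625(body)
    in_window = any(
        bt <= event_time <= bt + timedelta(minutes=window_minutes) for bt in boot_times
    )
    return {
        "time": event_time,
        "account": f.get("Account Name", ""),
        "domain": f.get("Account Domain", ""),
        "reason": SUB_STATUS.get(f.get("Sub Status", ""), "unknown sub status"),
        "is_service_account": f.get("Account Name", "").lower() == service_account.lower(),
        "from_expected_source": f.get("Workstation Name", "") == expected_workstation,
        "within_boot_window": in_window,
    }


def analyse(events, boot_times, service_account, expected_workstation):
    """Bucket a list of (timestamp, body) events; the counts are what a reviewer wants first."""
    rows = [classify(t, b, service_account, expected_workstation, boot_times) for t, b in events]
    svc = [r for r in rows if r["is_service_account"]]
    return {
        "rows": rows,
        "service_account_failures": len(svc),
        "within_boot_window": sum(1 for r in svc if r["within_boot_window"]),
        "unexplained": sum(1 for r in svc if not r["within_boot_window"]),
        "other_accounts": len(rows) - len(svc),
    }


def _body(account, domain, sub_status, workstation):
    """Build a constructed 4625 body in the layout the original post pasted."""
    return (
        "An account failed to log on.\n"
        "Subject:\n Account Name: -\n Account Domain: -\n"
        "Logon Type: 3\n"
        "Account For Which Logon Failed:\n"
        f" Account Name: {account}\n Account Domain: {domain}\n"
        "Failure Information:\n Status: 0xC000006D\n"
        f" Sub Status: {sub_status}\n"
        f"Network Information:\n Workstation Name: {workstation}\n"
    )


# Constructed sample data: two DC boots and three failures (times are local, arbitrary).
BOOT_TIMES = [datetime(2024, 5, 1, 3, 0, 0), datetime(2024, 5, 9, 22, 0, 0)]
MX_WORKSTATION = "M00-18-0A-11-22-33"  # constructed placeholder for the MX's MAC-derived name
SAMPLE_EVENTS = [
    (datetime(2024, 5, 1, 3, 2, 10), _body("ldap.accountname", "WORKGROUP", "0xC0000064", MX_WORKSTATION)),
    (datetime(2024, 5, 3, 14, 20, 0), _body("jsmith", "CORP", "0xC000006A", MX_WORKSTATION)),
    (datetime(2024, 5, 7, 9, 15, 0), _body("ldap.accountname", "WORKGROUP", "0xC0000064", MX_WORKSTATION)),
]

if __name__ == "__main__":
    result = analyse(SAMPLE_EVENTS, BOOT_TIMES, "ldap.accountname", MX_WORKSTATION)
    for r in result["rows"]:
        print(r["time"], r["account"], r["domain"], r["reason"],
              "boot-window" if r["within_boot_window"] else "standalone")
    print({k: v for k, v in result.items() if k != "rows"})
```

On a real DC the bodies would come from `Get-WinEvent` filtered to ID 4625, and the boot times from the System log; the point of the split is that a service-account failure that only ever lands inside the reboot window is a different problem from one that appears with no reboot nearby, and a wrong-password failure from a user account should not be counted against the MX at all.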
