AAA, NAC, Guest Access & BYOD

How does ClearPass determine the domain of a user when performing MSCHAP authentication?
Q:

How does ClearPass determine the domain the client belongs to during MSCHAP authentication?



A:

For dot1x authentication using EAP-PEAP with MSCHAPv2, or plain MSCHAP authentication, ClearPass must be joined to the AD domain so that it can send the MSCHAP challenge/response to AD and read the reply.

A natural question is how CPPM determines which domain a client belongs to before it sends the MSCHAP query to AD.

For dot1x or MSCHAP authentication, CPPM first searches for the user in the authentication sources mapped to the service. You can confirm this in the Access Tracker logs, as shown below:

2017-01-20 12:25:21,859    [Th 6 Req 962567 SessId R000df961-06-5882560e] INFO RadiusServer.Radius - rlm_ldap: searching for user a*****z in AD:admmmgc.mmm.com
2017-01-20 12:25:21,859    [Th 6 Req 962567 SessId R000df961-06-5882560e] DEBUG RadiusServer.Radius - radius_xlat: Running registered xlat function of module authsrc_3029 for string 'Username'
2017-01-20 12:25:21,859    [Th 6 Req 962567 SessId R000df961-06-5882560e] DEBUG RadiusServer.Radius - rlm_ldap: - ldap_xlat
2017-01-20 12:25:21,859    [Th 6 Req 962567 SessId R000df961-06-5882560e] DEBUG RadiusServer.Radius - radius_xlat: '(&(sAMAccountName=a*****z)(objectClass=user))'
2017-01-20 12:25:21,859    [Th 6 Req 962567 SessId R000df961-06-5882560e] DEBUG RadiusServer.Radius - radius_xlat: 'dc=mmm,dc=com'
2017-01-20 12:25:21,859    [Th 6 Req 962567 SessId R000df961-06-5882560e] DEBUG RadiusServer.Radius - rlm_ldap: ldap_get_conn: Checking Id: 0
2017-01-20 12:25:21,859    [Th 6 Req 962567 SessId R000df961-06-5882560e] DEBUG RadiusServer.Radius - rlm_ldap: ldap_get_conn: Got Id: 0
2017-01-20 12:25:21,859    [Th 6 Req 962567 SessId R000df961-06-5882560e] DEBUG RadiusServer.Radius - rlm_ldap: Allocated referral parameters dn = a*****z@mmm.com & password
2017-01-20 12:25:21,859    [Th 6 Req 962567 SessId R000df961-06-5882560e] DEBUG RadiusServer.Radius - rlm_ldap: performing search in dc=mmm,dc=com, with filter (&(sAMAccountName=a*****z)(objectClass=user))
2017-01-20 12:25:21,861    [Th 6 Req 962567 SessId R000df961-06-5882560e] DEBUG RadiusServer.Radius - rlm_ldap: Setting Ldap-UserDn = CN=a*****z,OU=Users,OU=MN-Woodbury-Hartford,OU=US,DC=usac,DC=mmm,DC=com
2017-01-20 12:25:21,861    [Th 6 Req 962567 SessId R000df961-06-5882560e] INFO RadiusServer.Radius - rlm_ldap: found user a*****zin AD:admmmgc.mmm.com
2017-01-20 12:25:21,861    [Th 6 Req 962567 SessId R000df961-06-5882560e] DEBUG RadiusServer.Radius - rlm_ldap: Setting Alternate-Auth-Type = authsrc_3029
2017-01-20 12:25:21,861    [Th 6 Req 962567 SessId R000df961-06-5882560e] DEBUG RadiusServer.Radius - rlm_ldap: Setting Authentication-Source = AD:admmmgc.mmm.com
2017-01-20 12:25:21,861    [Th 6 Req 962567 SessId R000df961-06-5882560e] DEBUG RadiusServer.Radius - rlm_ldap: Setting Authentication-Source-Name = 3M_AD_test
2017-01-20 12:25:21,861    [Th 6 Req 962567 SessId R000df961-06-5882560e] DEBUG RadiusServer.Radius - rlm_ldap: Setting Authentication-Source-Id = 3029
2017-01-20 12:25:21,861    [Th 6 Req 962567 SessId R000df961-06-5882560e] DEBUG RadiusServer.Radius - rlm_ldap: Setting MS-CHAP-Use-NTLM-Auth = Yes
2017-01-20 12:25:21,861    [Th 6 Req 962567 SessId R000df961-06-5882560e] DEBUG RadiusServer.Radius - rlm_ldap: Setting NetBIOS-Name = MMM
2017-01-20 12:25:21,861    [Th 6 Req 962567 SessId R000df961-06-5882560e] DEBUG StatsDClient.StatsClient - Formatted StatsD data=QA.us-nacsub-qa02.radius.auth.3M_AD_test.lookup-time:2|ms
2017-01-20 12:25:21,862    [Th 6 Req 962567 SessId R000df961-06-5882560e] DEBUG StatsDClient.StatsClient - Sending StatsD request=QA.us-nacsub-qa02.radius.auth.3M_AD_test.lookup-time:2|ms
2017-01-20 12:25:21,862    [Th 6 Req 962567 SessId R000df961-06-5882560e] INFO RadiusServer.Radius - LDAP/AD User lookup time = 2 ms

1st Priority: Once the user has been found in a particular authentication source, the first preference goes to the domain part supplied with the username, if any (for example abc@mmm.com or mmm\abc):

2017-01-20 12:25:57,107 [Th 4 Req 962585 SessId R000df967-06-58825634] DEBUG RadiusServer.Radius - rlm_mschap: No User-Password configured. Cannot create LM-Password.
2017-01-20 12:25:57,107 [Th 4 Req 962585 SessId R000df967-06-58825634] DEBUG RadiusServer.Radius - rlm_mschap: No User-Password configured. Cannot create NT-Password.
2017-01-20 12:25:57,107 [Th 4 Req 962585 SessId R000df967-06-58825634] INFO RadiusServer.Radius - rlm_mschap: MSCHAPv2 username used for challenge computation a4b6azz
2017-01-20 12:25:57,107 [Th 4 Req 962585 SessId R000df967-06-58825634] DEBUG RadiusServer.Radius - rlm_mschap: NetBIOS Name from User-Name attribute usac
2017-01-20 12:25:57,107 [Th 4 Req 962585 SessId R000df967-06-58825634] DEBUG RadiusServer.Radius - rlm_mschap: NetBIOS Name from auth source MMM
2017-01-20 12:25:57,107 [Th 4 Req 962585 SessId R000df967-06-58825634] DEBUG RadiusServer.Radius - rlm_mschap: Using user account name A4B6AZZ fetched from auth source
2017-01-20 12:25:57,107 [Th 4 Req 962585 SessId R000df967-06-58825634] INFO RadiusServer.Radius - rlm_mschap: Using domain usac from User-Name attribute
2017-01-20 12:25:57,107 [Th 4 Req 962585 SessId R000df967-06-58825634] DEBUG RadiusServer.Radius - rlm_mschap: Updating NetBIOS-Name to usac

 

2nd Priority: If no domain was supplied with the username during authentication, CPPM next uses the NetBIOS name of the authentication source in which the user was found in the previous step:

2017-01-20 12:25:21,759 [Th 8 Req 962566 SessId R000df961-06-5882560e] DEBUG RadiusServer.Radius - rlm_mschap: No User-Password configured. Cannot create LM-Password.
2017-01-20 12:25:21,759 [Th 8 Req 962566 SessId R000df961-06-5882560e] DEBUG RadiusServer.Radius - rlm_mschap: No User-Password configured. Cannot create NT-Password.
2017-01-20 12:25:21,759 [Th 8 Req 962566 SessId R000df961-06-5882560e] INFO RadiusServer.Radius - rlm_mschap: MSCHAPv2 username used for challenge computation a4b6azz
2017-01-20 12:25:21,759 [Th 8 Req 962566 SessId R000df961-06-5882560e] DEBUG RadiusServer.Radius - rlm_mschap: No Domain component in the User Name
2017-01-20 12:25:21,759 [Th 8 Req 962566 SessId R000df961-06-5882560e] DEBUG RadiusServer.Radius - rlm_mschap: NetBIOS Name from auth source MMM
2017-01-20 12:25:21,759 [Th 8 Req 962566 SessId R000df961-06-5882560e] DEBUG RadiusServer.Radius - rlm_mschap: Using user account name A4B6AZZ fetched from auth source
2017-01-20 12:25:21,759 [Th 8 Req 962566 SessId R000df961-06-5882560e] INFO RadiusServer.Radius - rlm_mschap: Using domain MMM from auth source
2017-01-20 12:25:21,760 [Th 8 Req 962566 SessId R000df961-06-5882560e] DEBUG RadiusServer.Radius - rlm_mschap: Updating NetBIOS-Name to MMM

 

3rd Priority: If no domain was supplied with the username and CPPM cannot determine the NetBIOS name from the authentication source (typically with Global Catalog servers, where one domain has multiple sub-domains), ClearPass determines the domain from the objectSid (Security Identifier) attribute fetched during the initial search:

2017-01-20 12:34:28,045 [Th 6 Req 962657 SessId R000df9ac-06-58825833] DEBUG RadiusServer.Radius - rlm_ldap: user a****z has attribute sAMAccountName
2017-01-20 12:34:28,045 [Th 6 Req 962657 SessId R000df9ac-06-58825833] DEBUG RadiusServer.Radius - User-Account-Name = " a****z "
2017-01-20 12:34:28,045 [Th 6 Req 962657 SessId R000df9ac-06-58825833] DEBUG RadiusServer.Radius - rlm_ldap: objectSid of user a****z is S-1-5-21-854245398-839522115-725345543-940040
2017-01-20 12:34:28,045 [Th 6 Req 962657 SessId R000df9ac-06-58825833] INFO RadiusServer.Radius - rlm_ldap: found user a****z in AD:adusac-01.usac.mmm.com

 

In scenarios where Global Catalog servers are used, CPPM is joined to a domain that has a trust relationship with all the sub-domains, and ClearPass updates its samba domain file with the domain SID of each domain, as shown below.

[domain_AD]
netbios_name = AD
realm_name = AD.ABC.EDU
domain_fqdn = u****v.ad.abc.edu
winbindd_path = /var/avenda/tips/samba/samba_AD/winbindd_privileged
trusted_domains = UCPSYCH,UCITECSS,UCSURGERY,LAW,AF,UCADS,COMDO,UCLOUD
domain_status = online
alt_name = AD.UC.EDU
domain_sid = S-1-5-21-1757981266-1383384898-725345543
num_trusted_domains = 8
trusted_domain_1 = UCPSYCH,UCPSYCH.UC.EDU,S-1-5-21-1550507792-4200741791-2288126077
trusted_domain_2 = UCITECSS,UCITECSS.UC.EDU,S-1-5-21-1454471165-1326574676-682003330
trusted_domain_3 = UCSURGERY,UCSURGERY.UC.EDU,S-1-5-21-1177238915-1645522239-839522115
trusted_domain_4 = LAW,LAW.AD.UC.EDU,S-1-5-21-1220945662-117609710-725345543
trusted_domain_5 = AF,AF.UC.EDU,S-1-5-21-619124731-2240474253-3705693027
trusted_domain_6 = UCADS,UCADS.UC.EDU,S-1-5-21-2094061547-3365754199-909415149
trusted_domain_7 = COMDO,MEDUC.EDU,S-1-5-21-1060284298-1708537768-1801674531
trusted_domain_8 = UCLOUD,UCLOUD.UC.EDU,S-1-5-21-2361349691-784785941-3894699199

 

The objectSid attribute (LDAP attribute OID 1.2.840.113556.1.4.146) is a unique value that identifies the user; its value is a SID string such as the S-1-5-21-... value shown in the log above.

This attribute is compared with the SID of each domain and sub-domain. An objectSid consists of a domain identifier prefix, which uniquely identifies the domain, followed by a Relative Identifier (RID), which uniquely identifies the security principal within that domain; it is the domain prefix that is matched against the domain SIDs in the samba file.

The logs then show the domain being taken from the objectSid:

2017-01-20 12:34:30,553 [Th 9 Req 962670 SessId R000df9ac-06-58825833] DEBUG RadiusServer.Radius - rlm_mschap: No User-Password configured. Cannot create LM-Password.
2017-01-20 12:34:30,553 [Th 9 Req 962670 SessId R000df9ac-06-58825833] DEBUG RadiusServer.Radius - rlm_mschap: No User-Password configured. Cannot create NT-Password.
2017-01-20 12:34:30,554 [Th 9 Req 962670 SessId R000df9ac-06-58825833] INFO RadiusServer.Radius - rlm_mschap: MSCHAPv2 username used for challenge computation a4b6azz
2017-01-20 12:34:30,556 [Th 9 Req 962670 SessId R000df9ac-06-58825833] DEBUG RadiusServer.Radius - rlm_mschap: No Domain component in the User Name
2017-01-20 12:34:30,556 [Th 9 Req 962670 SessId R000df9ac-06-58825833] DEBUG RadiusServer.Radius - rlm_mschap: Unable to determine NetBIOS Name
2017-01-20 12:34:30,556 [Th 9 Req 962670 SessId R000df9ac-06-58825833] DEBUG RadiusServer.Radius - rlm_mschap: Using domain USAC from ObjectSID

 

NOTE: If you enable "Always use NETBIOS name" on the authentication source (Authentication >> Sources), ClearPass gives the NetBIOS name of the source first priority, overriding the order described above.
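As an added example (not ClearPass code), the following Python model applies the three priorities above plus the "Always use NETBIOS name" override: it parses a constructed samba-style domain file in the format quoted earlier, strips the RID from an objectSid and looks the domain prefix up. The config values, function names and the always_use_netbios flag are assumptions for illustration.

```python
# Added example, not ClearPass code: models the domain-selection order the
# article describes. The config below is constructed in the format of the
# samba domain file quoted above (names and SIDs are sample values).
SAMBA_CONF = """
[domain_AD]
netbios_name = AD
domain_sid = S-1-5-21-1757981266-1383384898-725345543
num_trusted_domains = 2
trusted_domain_1 = LAW,LAW.AD.UC.EDU,S-1-5-21-1220945662-117609710-725345543
trusted_domain_2 = AF,AF.UC.EDU,S-1-5-21-619124731-2240474253-3705693027
"""

def parse_samba_domains(text):
    """Map each domain SID (own domain plus trusted domains) to its NetBIOS name."""
    sids, own = {}, {}
    for line in text.splitlines():
        if "=" not in line:
            continue
        key, value = (p.strip() for p in line.split("=", 1))
        if key in ("netbios_name", "domain_sid"):
            own[key] = value
        elif key.startswith("trusted_domain_"):
            name, _fqdn, sid = value.split(",")
            sids[sid] = name
    sids[own["domain_sid"]] = own["netbios_name"]
    return sids

def split_username(user_name):
    """Return (domain, account) for DOMAIN\\user, user@domain or a bare user."""
    if "\\" in user_name:
        domain, account = user_name.split("\\", 1)
        return domain, account
    if "@" in user_name:
        account, domain = user_name.split("@", 1)
        return domain, account
    return None, user_name

def resolve_domain(user_name, source_netbios, object_sid, domain_sids,
                   always_use_netbios=False):
    """Pick the domain for the MSCHAP request in the order the article gives."""
    if always_use_netbios and source_netbios:   # NOTE: option overrides the order
        return source_netbios, "auth source (Always use NETBIOS name)"
    domain, _ = split_username(user_name)
    if domain:                                  # 1st: domain part of User-Name
        return domain, "User-Name attribute"
    if source_netbios:                          # 2nd: NetBIOS name of auth source
        return source_netbios, "auth source"
    # 3rd: objectSid minus its trailing RID is the domain SID; look it up
    domain = domain_sids.get(object_sid.rsplit("-", 1)[0]) if object_sid else None
    return (domain, "ObjectSID") if domain else (None, "unresolved")
```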

 

Version History: Revision 2 of 2, last updated 03-03-2017 03:48 PM