How does ClearPass perform MSCHAPv2 authentication against AD?
Once the client and the server have negotiated an EAP method such as EAP-PEAP with MSCHAPv2 as the inner method, ClearPass authenticates AD users over MSCHAPv2 as follows:
1. CPPM generates an Authenticator Challenge (random bytes) and sends it to the client.
2. The client's 802.1X supplicant generates a Peer Challenge.
3. Using that Peer Challenge together with the Authenticator Challenge (received from CPPM in step 1), the user name and the user password, the supplicant generates an NT Response as specified in RFC 2759, section 8 (https://tools.ietf.org/html/rfc2759#section-8).
4. The supplicant then sends the Peer Challenge (generated in step 2) and the NT Response (calculated in step 3) to CPPM.
5. CPPM retrieves the user's sAMAccountName from AD via an LDAP search.
6. CPPM calculates a Challenge hash from the Peer Challenge received from the client, the Authenticator Challenge (sent by ClearPass in step 1) and the user name sent by the supplicant, as specified in https://tools.ietf.org/html/rfc2759#section-8.
7. CPPM sends the sAMAccountName, the domain name, the Challenge hash calculated in step 6 and the NT Response received from the client to the domain controller via the Winbind instance for that domain, which is created when ClearPass is joined to the domain.
8. AD responds with an NTSTATUS message indicating the outcome of the authentication; 0x00000000 (STATUS_SUCCESS) indicates success.
9. Based on the status message returned by the domain controller, ClearPass deems the authentication a success or a failure.
Each status code has a different meaning; the other status codes are documented at https://msdn.microsoft.com/en-us/library/cc704588.aspx.
The process described above varies slightly if the parameter "Re-attempt AD login with different Username formats" (available from ClearPass version 6.4) is set to TRUE. This is known to be required for certain legacy AD environments with accounts exported from a Windows 2000 domain.
When the option is set to TRUE, ClearPass varies the username format used in the Challenge hash computation, trying three formats in turn:
1. The username as sent by the client (as in step 6 above).
2. The sAMAccountName in the exact case fetched from the authentication source.
3. The full username including the domain part, as presented by the client.
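As an added example (not from the article and not ClearPass code), the following Python computes the RFC 2759 ChallengeHash used in step 6 and enumerates the three username formats described above, showing that each distinct username string produces a different 8-octet challenge. It uses the public RFC 2759 section 9.2 test vector; the `strip_domain` and `challenge_hash_attempts` helpers are hypothetical.

```python
import hashlib

# Public test vector from RFC 2759 section 9.2 (not taken from the ClearPass article).
AUTHENTICATOR_CHALLENGE = bytes.fromhex("5B5D7C7D7B3F2F3E3C2C602132262628")
PEER_CHALLENGE = bytes.fromhex("21402324255E262A28295F2B3A337C7E")
RFC_CHALLENGE_FOR_USER = bytes.fromhex("D02E4386BCE91226")  # ChallengeHash for UserName "User"


def challenge_hash(peer_challenge: bytes, authenticator_challenge: bytes, username: str) -> bytes:
    """ChallengeHash() from RFC 2759 section 8.2: the first 8 octets of
    SHA1(PeerChallenge || AuthenticatorChallenge || UserName)."""
    if len(peer_challenge) != 16 or len(authenticator_challenge) != 16:
        raise ValueError("MS-CHAP-V2 challenges are 16 octets each")
    digest = hashlib.sha1(peer_challenge + authenticator_challenge + username.encode("utf-8")).digest()
    return digest[:8]


def strip_domain(username: str) -> str:
    """RFC 2759 section 8.2 hashes only the account name, excluding a prepended
    DOMAIN\\ part; stripping a user@realm suffix the same way is an assumption here."""
    if "\\" in username:
        username = username.rsplit("\\", 1)[1]
    if "@" in username:
        username = username.split("@", 1)[0]
    return username


def challenge_hash_attempts(peer: bytes, auth: bytes, client_username: str, sam_account_name: str):
    """Return (label, name used, challenge) for the three username formats the article
    says ClearPass tries in turn when the re-attempt option is TRUE (hypothetical helper)."""
    formats = [
        ("1: username as sent by client", strip_domain(client_username)),
        ("2: sAMAccountName, exact case from AD", sam_account_name),
        ("3: full username incl. domain, as presented", client_username),
    ]
    return [(label, name, challenge_hash(peer, auth, name)) for label, name in formats]


if __name__ == "__main__":
    # Constructed scenario: the supplicant sends "CORP\user" but AD stores sAMAccountName "User".
    # Each format yields a different 8-octet challenge; the DC can only validate the client's
    # NT Response against the challenge built from the exact string the supplicant hashed.
    for label, name, chal in challenge_hash_attempts(PEER_CHALLENGE, AUTHENTICATOR_CHALLENGE, "CORP\\user", "User"):
        print(f"{label:46s} {name!r:14s} challenge={chal.hex()}")
```

Because SHA-1 is case-sensitive, a supplicant that sends "user" against a sAMAccountName of "User" can only succeed on the format whose string matches what it hashed, which is the situation the re-attempt option addresses.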