This morning we upgraded two of our 5k ClearPass boxes from 6.6.9 to 6.6.10. When those boxes were rebooted, an error appeared in the event log: 'Failed to start cpass-domain-server_[institution name]'. This was fixed by restarting the domain service.
Since the update, all AD auths using MSCHAPv2 on those boxes result in a timeout. The error appears in the access tracker:
MSCHAP: AD status:{Device Timeout} The specified I/O operation on %hs was not completed before the time-out period expired. (0xc00000b5)
MSCHAP: Authentication failed
EAP-MSCHAPv2: User authentication failure
The logs show a similar error, with the addition of this:
ERROR RadiusServer.Radius - rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
The server that remains on 6.6.9 is unaffected by this behaviour, and the 6.6.10 servers can handle non-MSCHAPv2 authentications fine.
The release notes for 6.6.10 show a few small changes in AD auth behaviour: release notes. Could this explain the problem?