MVP
Posts: 520
Registered: ‎05-11-2011

802.1x with CCPM and AD - Radius:Microsoft:MS-CHAP-Error

Hello!

 

Encountered an issue in a 802.1x scenario where I use Aruba Controller, ClearPass and Windows 2008R2 AD.

ClearPass is joined to the domain, I've created the AD auth source and required service elements with default auth methods (EAP-PEAP, EAP-TLS, EAP-TTLS, EAP-FAST).

 

ClearPass is in a DMZ and there is a FortiGate firewall restricting the traffic that passes between AD and ClearPass.

The AD user I'm using for the authentication source is a normal Domain User.

 

When using the Policy Simulation with Active Directory Authentication I get success.

When actually trying a client I get the following in Access Tracker Alerts:

 

RADIUSMSCHAP: Authentication failed
EAP-MSCHAPv2: User authentication failure

 

This causes a Deny Access.

 

Under Input I see this:

Radius:Microsoft:MS-CHAP2-Response   0x0a6cda9649f3d374d070030ff95fa6327ade000000000000000039fbf3022e1b47c311a27caabf0c45e86d155c24b631d9dc
Radius:Microsoft:MS-CHAP-Challenge   0x5ad8746b9e96db0da6bffa8dda9644fa
Radius:Microsoft:MS-CHAP-Error   E=691 R=1

 

I've also installed the same scenario in my Lab without these error messages.

 

Anyone got any tips of where the error might be?


Regards
John Solberg

-ACMX #316 :: ACCP-
Intelecom - Norway
----------------------------
Remember to Kudo if a post helped you! || Problem Solved? Click "Accept as Solution" in a post!
MVP
Posts: 4,307
Registered: ‎07-20-2011

Re: 802.1x with CCPM and AD - Radius:Microsoft:MS-CHAP-Error

Have you confirmed that all the necessary ports are open in the firewall? I experienced a similar issue a few months ago and it was related to the firewall ports not being open.

 

After I added the proper ports I had to remove/re-add the CP server to the domain.

 

 

CPPM to Active Directory
The following is the list of services and their ports used for Active Directory communication:
· UDP Port 88 for Kerberos authentication
· UDP and TCP Port 135 for domain controllers-to-domain controller and client to domain controller operations.
· TCP Port 139 and UDP 138 for File Replication Service between domain controllers. (Probably not necessary for CPPM)
· UDP Port 389 for LDAP to handle normal queries from client computers to the domain controllers.
· TCP and UDP Port 445 for File Replication Service (Probably not necessary for CPPM)
· TCP and UDP Port 464 for Kerberos Password Change
· TCP Port 3268 and 3269 for Global Catalog from client to domain controller.
· TCP and UDP Port 53 for DNS from client to domain controller and domain controller to domain controller.

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
MVP
Posts: 520
Registered: ‎05-11-2011

Re: 802.1x with CCPM and AD - Radius:Microsoft:MS-CHAP-Error

Thanks Victor.
When joining to the domain we had everything opened, but the customer restricted the access after. I'll go through this list asap with him to verify.

John

Regards
John Solberg

MVP
Posts: 520
Registered: ‎05-11-2011

Re: 802.1x with CCPM and AD - Radius:Microsoft:MS-CHAP-Error

 

So we did the following

 

-> Gave the lookup-user Domain Admin

-> Allow-all between clearpass and domain controller

 

No luck

 

-> Left domain

-> Rejoined domain

 

No luck

 

So - now I'm back to the controller to check if I might be missing something in the config there.

 

This is an excerpt from the log on ClearPass:

2014-04-25 09:04:03,619[Th 2 Req 9 SessId R00000000-01-535a08e1] INFO RadiusServer.Radius - rlm_eap_mschapv2: Received MSCHAPv2 Response from client
2014-04-25 09:04:03,619[Th 2 Req 9 SessId R00000000-01-535a08e1] ERROR RadiusServer.Radius - rlm_mschap: default domain not present
2014-04-25 09:04:03,619[Th 2 Req 9 SessId R00000000-01-535a08e1] ERROR RadiusServer.Radius - rlm_mschap: User-Name was not found in the request.
2014-04-25 09:04:03,619[Th 2 Req 9 SessId R00000000-01-535a08e1] ERROR RadiusServer.Radius - rlm_mschap: default domain not present
2014-04-25 09:04:03,619[Th 2 Req 9 SessId R00000000-01-535a08e1] ERROR RadiusServer.Radius - rlm_mschap: User-Name was not found in the request.
2014-04-25 09:04:03,619[Th 2 Req 9 SessId R00000000-01-535a08e1] ERROR RadiusServer.Radius - rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
2014-04-25 09:04:03,619[Th 2 Req 9 SessId R00000000-01-535a08e1] INFO RadiusServer.Radius - rlm_policy: Starting Policy Evaluatio

 

 

 

 


Regards
John Solberg

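The log excerpt in the post above is the kind of thing worth triaging automatically: the first ERROR line in a session usually names the real cause, and the later "MS-CHAP2-Response is incorrect" is just the consequence. The script below is an added example, not ClearPass code or anything posted in this thread. It parses the log line format exactly as shown in the excerpt (the sample lines are copied from it), groups entries by SessId, maps known rlm_mschap messages to a hint, and decodes the `E=691 R=1` value from the Access Tracker input. The error codes come from the MS-CHAPv2 failure packet definition in RFC 2759 (691 is ERROR_AUTHENTICATION_FAILURE, R=1 means a retry is allowed); the NetBIOS-field hint is taken from the resolution John posts later in this thread.

```python
import re
from collections import defaultdict

# Constructed sample: the ClearPass log lines quoted in the post above, one entry per line.
SAMPLE_LOG = [
    "2014-04-25 09:04:03,619[Th 2 Req 9 SessId R00000000-01-535a08e1] INFO RadiusServer.Radius - rlm_eap_mschapv2: Received MSCHAPv2 Response from client",
    "2014-04-25 09:04:03,619[Th 2 Req 9 SessId R00000000-01-535a08e1] ERROR RadiusServer.Radius - rlm_mschap: default domain not present",
    "2014-04-25 09:04:03,619[Th 2 Req 9 SessId R00000000-01-535a08e1] ERROR RadiusServer.Radius - rlm_mschap: User-Name was not found in the request.",
    "2014-04-25 09:04:03,619[Th 2 Req 9 SessId R00000000-01-535a08e1] ERROR RadiusServer.Radius - rlm_mschap: FAILED: MS-CHAP2-Response is incorrect",
]

# "<timestamp>[Th <n> Req <n> SessId <id>] <LEVEL> <module> - <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d+)"
    r"\[Th (?P<thread>\d+) Req (?P<req>\d+) SessId (?P<sess>[^\]]+)\] "
    r"(?P<level>[A-Z]+) (?P<module>\S+) - (?P<msg>.*)$"
)

# Known rlm_mschap messages and what to check. The NetBIOS hint reflects the
# fix reported later in this thread; the others describe the message itself.
HINTS = [
    ("default domain not present",
     "rlm_mschap has no default domain: check the NetBIOS domain name field of the AD authentication source"),
    ("User-Name was not found in the request",
     "no usable User-Name reached rlm_mschap: the identity could not be split into domain and user"),
    ("MS-CHAP2-Response is incorrect",
     "MS-CHAPv2 response verification failed (usually a consequence of the errors logged before it)"),
]

# MS-CHAP-Error attribute value: "E=<code> R=<retry> ..." (RFC 2759 failure packet).
MSCHAP_ERR_RE = re.compile(r"E=(?P<code>\d+) R=(?P<retry>[01])")
MSCHAP_ERR_CODES = {
    646: "ERROR_RESTRICTED_LOGON_HOURS",
    647: "ERROR_ACCT_DISABLED",
    648: "ERROR_PASSWD_EXPIRED",
    649: "ERROR_NO_DIALIN_PERMISSION",
    691: "ERROR_AUTHENTICATION_FAILURE",
    709: "ERROR_CHANGING_PASSWORD",
}


def parse_line(line):
    """Return the named fields of one log line, or None if it is not in the expected format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def group_by_session(lines):
    """Bucket parsed entries by SessId, preserving log order within each session."""
    sessions = defaultdict(list)
    for line in lines:
        entry = parse_line(line)
        if entry:
            sessions[entry["sess"]].append(entry)
    return sessions


def diagnose(entries):
    """Return the distinct hints triggered by the ERROR entries of one session, in log order,
    so the first hint is the earliest (and usually the root) error."""
    findings = []
    for e in entries:
        if e["level"] != "ERROR":
            continue
        for needle, hint in HINTS:
            if needle in e["msg"] and hint not in findings:
                findings.append(hint)
    return findings


def decode_mschap_error(value):
    """Decode an MS-CHAP-Error value such as 'E=691 R=1' into (code, name, retry_allowed)."""
    m = MSCHAP_ERR_RE.search(value)
    if not m:
        return None
    code = int(m.group("code"))
    return code, MSCHAP_ERR_CODES.get(code, "UNKNOWN"), m.group("retry") == "1"


if __name__ == "__main__":
    for sess, entries in group_by_session(SAMPLE_LOG).items():
        print(sess)
        for hint in diagnose(entries):
            print("  -", hint)
    print(decode_mschap_error("E=691 R=1"))
```

Feed it the relevant section of the ClearPass log file instead of `SAMPLE_LOG` to get one list of hints per session; lines that do not match the format (wrapped stack traces, blank lines) are skipped rather than mis-parsed.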
MVP
Posts: 520
Registered: ‎05-11-2011

Re: 802.1x with CCPM and AD - Radius:Microsoft:MS-CHAP-Error

Yet some more information..

 

The customer is using a wildcard certificate, which does not have the FQDN of the CP server in the SAN. Might this be causing issues like this?

 

I've requested that they request a duplicate certificate with SAN equal to the CP servername..


Regards
John Solberg

MVP
Posts: 520
Registered: ‎05-11-2011

Re: 802.1x with CCPM and AD - Radius:Microsoft:MS-CHAP-Error

 

updates..

 

Replaced the radius certificate with one from the internal CA - which isn't wildcard.

 

Still same error so I'm leaning towards something on the Controller (Aruba 3400 AOS 6.3.0.2).

Config looks right. Requested upgrade to 6.3.1.6 this weekend so we'll see if that changes anything.

 

 


Regards
John Solberg

Aruba Employee
Posts: 664
Registered: ‎04-15-2009

Re: 802.1x with CCPM and AD - Radius:Microsoft:MS-CHAP-Error

If you have Windows clients, they won't connect via an EAP exchange with a wild-card certificate. You can use a wild card in the SAN, but not in the CN of the cert.

Other OSs seem to connect fine, even if the CN is a wild card.

I know I have seen a MS article stating this, but I can't find it right now. I have seen this a couple times and have had to reissue the cert with a valid FQDN as the CN and the wildcard as a SAN.
MVP
Posts: 520
Registered: ‎05-11-2011

Re: 802.1x with CCPM and AD - Radius:Microsoft:MS-CHAP-Error

Testing with iPad, Android smartphone and win8.

Regards
John Solberg

MVP
Posts: 4,307
Registered: ‎07-20-2011

Re: 802.1x with CCPM and AD - Radius:Microsoft:MS-CHAP-Error

On the windows server do they have firewall enabled by any chance ?

Do you see anything in the server security or application events ?
Thank you

Victor Fabian
MVP
Posts: 520
Registered: ‎05-11-2011

Re: 802.1x with CCPM and AD - Radius:Microsoft:MS-CHAP-Error

Solved the issue.
For some reason the netbios name in the AD auth source wasn't auto-filled when I created the source. This being empty caused this error message in Access Tracker. I entered the short domain name in this Netbios field and things instantly started working.

As far as I could see there was no error message in AD event viewer which made this a tad hard to troubleshoot.

Thanks for the assistance Victor and Olino.

I didn't get a chance to test this with the wildcard cert tho. If I ever get a chance I'll be sure to post about it ;)

Regards
John Solberg

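The resolution above (an empty NetBIOS domain field on the AD authentication source) is easier to reason about with a small model of how a RADIUS server splits the User-Name before handing it to MS-CHAPv2. The code below is an added illustration, not ClearPass's implementation: it accepts the three common identity forms (`DOMAIN\user`, `user@realm`, bare `user`) and shows that only the bare form depends on the configured default domain, which is why an empty NetBIOS name turns into "default domain not present" for supplicants that send just the account name. `AdAuthSource`, `CORP` and `corp.example` are constructed names.

```python
from dataclasses import dataclass


class DefaultDomainMissing(Exception):
    """Raised when a bare user-name arrives and no default domain is configured."""


def split_user_name(user_name, default_domain):
    """Split a RADIUS User-Name into (domain, user).

    DOMAIN\\user and user@realm carry their own domain; a bare user-name
    can only be qualified with the default (NetBIOS) domain of the auth source.
    """
    if "\\" in user_name:
        domain, user = user_name.split("\\", 1)
        return domain.upper(), user
    if "@" in user_name:
        user, realm = user_name.rsplit("@", 1)
        return realm.lower(), user
    if not default_domain:
        # Mirrors the rlm_mschap message seen in this thread.
        raise DefaultDomainMissing(f"default domain not present for {user_name!r}")
    return default_domain.upper(), user_name


@dataclass
class AdAuthSource:
    """Simplified model of an AD authentication source (constructed for this example)."""
    netbios_domain: str   # the field that was empty in the thread above
    dns_domain: str

    def resolve(self, user_name):
        """Return ('ok', domain, user) or ('error', reason, user_name)."""
        try:
            domain, user = split_user_name(user_name, self.netbios_domain)
        except DefaultDomainMissing as exc:
            return ("error", str(exc), user_name)
        return ("ok", domain, user)


def simulate(identities, source):
    """Map each identity form to the outcome it gets against the given auth source."""
    return {ident: source.resolve(ident)[0] for ident in identities}


if __name__ == "__main__":
    identities = ["CORP\\jsolberg", "jsolberg@corp.example", "jsolberg"]
    broken = AdAuthSource(netbios_domain="", dns_domain="corp.example")     # as found
    fixed = AdAuthSource(netbios_domain="CORP", dns_domain="corp.example")  # after the fix
    print("empty NetBIOS field:", simulate(identities, broken))
    print("NetBIOS field set:  ", simulate(identities, fixed))
```

The practical consequence for troubleshooting: when the Policy Simulation (which takes a fully qualified identity from the admin) succeeds but real clients fail, compare the exact User-Name each supplicant sends before suspecting the controller or the certificate.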