Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

CPPM: Auth fails when account logon is limited to specific workstations

  • 1.  CPPM: Auth fails when account logon is limited to specific workstations

    Posted Dec 09, 2013 12:28 PM

    In Active Directory, if we limit an account to only be able to login to a set of workstations using the Log On To account option, authentication in ClearPass fails.  If we lift the log on to restrictions, authentication passes.  I've seen this issue with multiple accounts setup this way.  The auth errors logged are:

     

    E=216, R=1

     

    MSCHAP: AD status:Invalid workstation (0xc0000070)
    MSCHAP: AD status:Invalid workstation (0xc0000070)
    MSCHAP: AD status:Logon failure (0xc000006d)
    MSCHAP: Authentication failed
    EAP-MSCHAPv2: User authentication failure

     

    Has anyone else seen this?



  • 2.  RE: CPPM: Auth fails when account logon is limited to specific workstations
    Best Answer

    EMPLOYEE
    Posted Dec 09, 2013 01:04 PM

    Try adding the ClearPass server's computer account to the Log On To list.
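
As an added illustration (not code from the thread or from HPE Aruba), one way an AD administrator can apply this advice from PowerShell. The "Log On To" list is the user's `userWorkstations` attribute, exposed by the ActiveDirectory module as `LogonWorkstations` (a comma-separated list of NetBIOS computer names; an empty value means no restriction). The computer name and user list below are placeholders.

```powershell
# Added example: append the ClearPass server's computer account to the
# "Log On To" list of each restricted account, leaving unrestricted accounts alone.
Import-Module ActiveDirectory

$ClearPassComputer = 'CPPM01'        # assumption: NetBIOS name of the AD-joined ClearPass node
$Users = @('jdoe', 'asmith')         # assumption: accounts whose logon is limited via Log On To

foreach ($sam in $Users) {
    $u = Get-ADUser -Identity $sam -Properties LogonWorkstations

    # Parse the existing list; empty means "all computers", so there is nothing to fix.
    $current = @()
    if ($u.LogonWorkstations) {
        $current = $u.LogonWorkstations -split ',' |
            ForEach-Object { $_.Trim() } |
            Where-Object { $_ }
    }
    if ($current.Count -eq 0) {
        Write-Host "$sam has no Log On To restriction; skipping"
        continue
    }

    # -contains is case-insensitive, so CPPM01 and cppm01 are treated as the same name.
    if ($current -contains $ClearPassComputer) {
        Write-Host "$sam already allows $ClearPassComputer"
        continue
    }

    $new = ($current + $ClearPassComputer) -join ','
    Set-ADUser -Identity $sam -LogonWorkstations $new
    Write-Host "${sam}: Log On To is now '$new'"
}
```

Add `-WhatIf` to `Set-ADUser` to preview the change first; after it is applied, the `AD status:Invalid workstation (0xc0000070)` lines from the original post should no longer appear for those accounts.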



  • 3.  RE: CPPM: Auth fails when account logon is limited to specific workstations

    Posted Dec 09, 2013 01:57 PM

    Well, that never dawned on me... Thanks!  I'll give it a try.



  • 4.  RE: CPPM: Auth fails when account logon is limited to specific workstations

    Posted Dec 09, 2013 02:51 PM

    That did the trick!  Thank you.



  • 5.  RE: CPPM: Auth fails when account logon is limited to specific workstations

    Posted Apr 11, 2014 10:43 AM

    cappalli

     

    I appreciate the feedback from this. I was having a similar issue and I thought at first that LDAP via AD would not allow mschap / mschap-v2; I reviewed the documentation and it said that it was supported. I do know that some Radius servers don't support mschap authentication if you're using LDAP and you need to be bound to AD.

     

    I spent a bit of time looking at your post "ClearPass server's computer account to the Log On To list." I looked in the CPPM box and reviewed services and thought maybe the authorization needed to be pointed to the local DB, but that didn't work. I also looked in the source as well where the AD server was listed.

     

    I am not sure exactly where you said to look for the "log on to list". I am still a bit new to CPPM so I am still learning my way around. 

     

    Thanks!



  • 6.  RE: CPPM: Auth fails when account logon is limited to specific workstations

    Posted Apr 11, 2014 10:46 AM
    justink84,

    This change needs to be made in MS Active Directory, not Clearpass.


  • 7.  RE: CPPM: Auth fails when account logon is limited to specific workstations

    Posted Apr 11, 2014 11:11 AM

    thecompnerd,

     

    I appreciate the quick response. I was thinking it was something AD related. I was a bit confused still though, as when using an LDAP server path you never bind the device that's doing LDAP with the domain.

     

    I do not have the clearpass server bound to AD, so maybe that's what's causing the problem for me. I was pretty sure the documentation said using mschap / mschapv2 would work fine with AD LDAP, Open LDAP, Novell...

     

    I assume that your clearpass server was bound to AD, and that's why the computer account in AD is populated?

     

    Thanks!



  • 8.  RE: CPPM: Auth fails when account logon is limited to specific workstations

    EMPLOYEE
    Posted Apr 11, 2014 11:14 AM

    You need to join ClearPass to AD for EAP-PEAP/MS-CHAPv2 to work correctly.



  • 9.  RE: CPPM: Auth fails when account logon is limited to specific workstations

    Posted Apr 11, 2014 08:00 PM

    thecompnerd, 

     

    Thanks for the update! I was able to get the super admin account and bind the clearpass server to an additional DC. Once this was completed I didn't have any issues with the current policies I had in place already with my LDAP path and rules.

     

    Some of the other appliances I have used in the past are a bit different, and when you bind them to AD, that creates the Authentication Server you will be using. In this case, it still appears you need to create an LDAP server to do lookups, but can't pass the authentication for mschapv2 without the binding.

     

    I appreciate the quick replies earlier!



  • 10.  RE: CPPM: Auth fails when account logon is limited to specific workstations

    Posted Oct 23, 2014 02:32 PM

    Thanks, guys, for posting this. This post saved us from what could have been some very long troubleshooting. Instead we had it resolved in a couple of hours.

     

    I had never encountered this until today when installing CPPM for a customer. They were in fact using the option to restrict certain users to certain machines. When we added CPPM to the list of allowed machines it cleared up the issue.

     

    The funny thing was the customer had initially pointed out the machine restrictions that these users had and asked if we needed to add CPPM to the list. My reaction was that it wasn't necessary and I didn't see how it could be. Egg on my face...

     

    Thanks again for posting this unusual issue. I appreciated it.



  • 11.  RE: CPPM: Auth fails when account logon is limited to specific workstations

    Posted Oct 23, 2014 02:35 PM
    Glad this post was of benefit to you!