MVP

CPPM: Auth fails when account logon is limited to specific workstations

In Active Directory, if we limit an account to only be able to log in to a set of workstations using the Log On To account option, authentication in ClearPass fails. If we lift the Log On To restrictions, authentication passes. I've seen this issue with multiple accounts set up this way. The auth errors logged are:

E=216, R=1

MSCHAP: AD status:Invalid workstation (0xc0000070)
MSCHAP: AD status:Invalid workstation (0xc0000070)
MSCHAP: AD status:Logon failure (0xc000006d)
MSCHAP: Authentication failed
EAP-MSCHAPv2: User authentication failure

Has anyone else seen this?

=======================================
If a reply adequately addresses your issue, please click on the "Accept as Solution" and "Give Kudos" button so this information can benefit other users.
Guru Elite

Re: CPPM: Auth fails when account logon is limited to specific workstations

Try adding the ClearPass server's computer account to the Log On To list.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
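An added example (not code from the thread, from Aruba or from Microsoft) that checks the fix above from the AD side: it lists every restricted account whose Log On To list (the userWorkstations / LogonWorkstations attribute) is missing the ClearPass computer account, and can append that account to an affected user. It assumes the ActiveDirectory PowerShell module and uses 'CPPM01' as a placeholder for the ClearPass server's computer account name.

```powershell
# Added example, not from the thread. Audits AD accounts whose "Log On To"
# list (userWorkstations / LogonWorkstations) omits the ClearPass computer
# account, which is the 0xc0000070 "Invalid workstation" case above.
# Assumes the ActiveDirectory module; 'CPPM01' is a placeholder name.
Import-Module ActiveDirectory

function Get-LogonWorkstationsList {
    param([AllowNull()][string] $Raw)
    # Empty attribute means "All computers": no restriction applies.
    if ([string]::IsNullOrWhiteSpace($Raw)) { return @() }
    # Comma-separated NetBIOS names; trim and drop empty entries.
    return @($Raw -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
}

function Test-NasAllowed {
    param(
        [Parameter(Mandatory)][string] $SamAccountName,
        [Parameter(Mandatory)][string] $NasComputerName
    )
    $user = Get-ADUser -Identity $SamAccountName -Properties LogonWorkstations
    $list = Get-LogonWorkstationsList $user.LogonWorkstations
    [pscustomobject]@{
        User         = $SamAccountName
        Restricted   = ($list.Count -gt 0)
        # -contains is case-insensitive, matching how AD compares names.
        NasAllowed   = ($list.Count -eq 0) -or ($list -contains $NasComputerName)
        Workstations = $list
    }
}

function Find-UsersMissingNas {
    param([Parameter(Mandatory)][string] $NasComputerName)
    # Only restricted accounts can hit this failure; filter server-side.
    Get-ADUser -LDAPFilter '(userWorkstations=*)' -Properties LogonWorkstations |
        ForEach-Object { Test-NasAllowed -SamAccountName $_.SamAccountName -NasComputerName $NasComputerName } |
        Where-Object { -not $_.NasAllowed }
}

function Add-NasToLogonWorkstations {
    param(
        [Parameter(Mandatory)][string] $SamAccountName,
        [Parameter(Mandatory)][string] $NasComputerName
    )
    $r = Test-NasAllowed -SamAccountName $SamAccountName -NasComputerName $NasComputerName
    # Never touch unrestricted accounts: writing the attribute would restrict them.
    if ($r.Restricted -and -not $r.NasAllowed) {
        $new = (@($r.Workstations) + $NasComputerName) -join ','
        Set-ADUser -Identity $SamAccountName -LogonWorkstations $new
    }
}

Find-UsersMissingNas -NasComputerName 'CPPM01' | Format-Table User, Workstations
```

Run the audit first; the Set-ADUser call replaces the whole attribute, so the existing list is carried over rather than overwritten.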
MVP

Re: CPPM: Auth fails when account logon is limited to specific workstations

Well, that never dawned on me... Thanks! I'll give it a try.

MVP

Re: CPPM: Auth fails when account logon is limited to specific workstations

That did the trick! Thank you.

Contributor II

Re: CPPM: Auth fails when account logon is limited to specific workstations

cappalli

I appreciate the feedback from this. I was having a similar issue and I thought at first that LDAP via AD would not allow MSCHAP / MSCHAPv2; I reviewed the documentation and it said that it was supported. I do know that some RADIUS servers don't support MSCHAP authentication if you're using LDAP and you need to be bound to AD.

I spent a bit of time looking at your post "ClearPass server's computer account to the Log On To list." I looked in the CPPM box and reviewed services and thought maybe the authorization needed to be pointed to the local DB, but that didn't work. I also looked in the source as well where the AD server was listed.

I am not sure exactly where you said to look for the "Log On To list". I am still a bit new to CPPM, so I am still learning my way around.

Thanks!

Justin Kwasnik | ACMX# 598 | ACCX# 638
MVP

Re: CPPM: Auth fails when account logon is limited to specific workstations

justink84,

This change needs to be made in MS Active Directory, not ClearPass.
Contributor II

Re: CPPM: Auth fails when account logon is limited to specific workstations

thecompnerd,

I appreciate the quick response. I was thinking it was something AD related. I was a bit confused still, though, as when using an LDAP server path you never bind the device that's doing LDAP with the domain.

I do not have the ClearPass server bound to AD, so maybe that's what's causing the problem for me. I was pretty sure the documentation said using MSCHAP / MSCHAPv2 would work fine with AD LDAP, OpenLDAP, Novell...

I assume that your ClearPass server was bound to AD, and that's why the computer account in AD is populated?

Thanks!

Justin Kwasnik | ACMX# 598 | ACCX# 638
Guru Elite

Re: CPPM: Auth fails when account logon is limited to specific workstations

You need to join ClearPass to AD for EAP-PEAP/MS-CHAPv2 to work correctly.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor II

Re: CPPM: Auth fails when account logon is limited to specific workstations

thecompnerd,

Thanks for the update! I was able to get the super admin account and bind the ClearPass server to an additional DC. Once this was completed I didn't have any issues with the current policies I had in place already with my LDAP path and rules.

Some of the other appliances I have used in the past are a bit different, and when you bind them to AD, that creates the Authentication Server you will be using. In this case, it still appears you need to create an LDAP server to do lookups, but can't pass the authentication for MSCHAPv2 without the binding.

I appreciate the quick replies earlier!

Justin Kwasnik | ACMX# 598 | ACCX# 638
Frequent Contributor I

Re: CPPM: Auth fails when account logon is limited to specific workstations

Thanks, guys, for posting this. This post saved us from what could have been some very long troubleshooting. Instead we had it resolved in a couple of hours.

I had never encountered this until today when installing CPPM for a customer. They were in fact using the option to restrict certain users to certain machines. When we added CPPM to the list of allowed machines it cleared up the issue.

The funny thing was the customer had initially pointed out the machine restrictions that these users had and asked if we needed to add CPPM to the list. My reaction was that it wasn't necessary and I didn't see how it could be. Egg on my face...

Thanks again for posting this unusual issue. I appreciated it.

Michael McNamee
Sr. Network Engineer - SecurEdge Networks
ACMP / ACDX / AWMP

http://www.securedgenetworks.com/secure-edge-networks-blog/