Frequent Contributor I
Posts: 75
Registered: ‎08-12-2011

CPPM Problem while using PEAP with MS-CHAPv2

Hi

 

In our company there are a few old clients which cannot use EAP-TLS because they have no support for certificates.

 

So we did the authentication with PEAP with MS-CHAPv2, so that the users were prompted for username and password, which were checked against MS Active Directory.

We did this with an old MS IAS Server.

Now we changed to CPPM, which is working fine for Guest and EAP-TLS authentication.

But I cannot get PEAP working. While connecting I see the following error in Access Tracker:

Alerts:

MSCHAP: AD status:No trusted SAM account (0xc000018b) 
MSCHAP: AD status:No trusted SAM account (0xc000018b) 
MSCHAP: AD status:No trusted SAM account (0xc000018b) 
MSCHAP: Authentication failed
EAP-MSCHAPv2: User authentication failure

 

In the RADIUS request I find the following error:

 

Radius:Microsoft:MS-CHAP-Error\rE=691 R=1

 

 

Does anybody have an idea to fix this problem?

 

We are using:

ClearPass Policy Manager 6.3.4.64924 on CP-VA-5K platform

 

Thanks in advance
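As an added triage helper (not code from the thread or from ClearPass), the following parses the Access Tracker alert lines and the RADIUS MS-CHAP-Error value quoted above and separates an infrastructure failure (the CPPM computer account / domain join, NT status 0xC000018B) from a plain user-credential failure. It assumes the alert text is available as plain text and that the MS-CHAP-Error attribute follows the RFC 2548 "E=eee R=r" layout; the sample input is constructed from the post.

```python
import re

# Constructed sample input, copied from the symptoms quoted in the post above.
SAMPLE_ALERTS = """MSCHAP: AD status:No trusted SAM account (0xc000018b)
MSCHAP: AD status:No trusted SAM account (0xc000018b)
MSCHAP: Authentication failed
EAP-MSCHAPv2: User authentication failure"""
SAMPLE_MSCHAP_ERROR = "\rE=691 R=1"   # RFC 2548 MS-CHAP-Error, ident byte stripped

# NT status codes that CPPM surfaces in "AD status:" alerts, with the check a
# defender should run. 0xC000018B is the one from this thread: the RADIUS
# server's own machine account is missing or its secure channel is broken.
NT_STATUS = {
    0xC000018B: ("STATUS_NO_TRUSTED_SAM_ACCOUNT", "infra",
                 "verify the CPPM computer object exists in AD; leave and rejoin the domain"),
    0xC000006D: ("STATUS_LOGON_FAILURE", "user", "wrong username or password"),
    0xC0000072: ("STATUS_ACCOUNT_DISABLED", "user", "user account is disabled"),
    0xC0000234: ("STATUS_ACCOUNT_LOCKED_OUT", "user", "user account is locked out"),
}
# MS-CHAP-Error E= codes defined in RFC 2759 section 6.
MSCHAP_E_CODES = {646: "ERROR_RESTRICTED_LOGON_HOURS", 647: "ERROR_ACCT_DISABLED",
                  648: "ERROR_PASSWD_EXPIRED", 649: "ERROR_NO_DIALIN_PERMISSION",
                  691: "ERROR_AUTHENTICATION_FAILURE", 709: "ERROR_CHANGING_PASSWORD"}

AD_STATUS_RE = re.compile(r"AD status:[^(]+\((0x[0-9a-fA-F]{8})\)")
MSCHAP_ERROR_RE = re.compile(r"E=(\d+)(?:\s+R=([01]))?")

def parse_ad_status(alerts: str) -> list:
    """Distinct NT status codes found in the alert text, in order of appearance."""
    codes = []
    for m in AD_STATUS_RE.finditer(alerts):
        code = int(m.group(1), 16)
        if code not in codes:
            codes.append(code)
    return codes

def parse_mschap_error(value: str):
    """Parse 'E=eee R=r' from an MS-CHAP-Error string; None if the layout is absent."""
    m = MSCHAP_ERROR_RE.search(value)
    if not m:
        return None
    e = int(m.group(1))
    return {"error": e, "name": MSCHAP_E_CODES.get(e, "UNKNOWN"), "retry": m.group(2) == "1"}

def triage(alerts: str, mschap_error: str) -> dict:
    """Classify the failure as 'infra', 'user' or 'unknown' and list the checks to run."""
    findings = []
    for code in parse_ad_status(alerts):
        name, scope, check = NT_STATUS.get(code, ("UNKNOWN", "unknown", "look up the NT status code"))
        findings.append({"code": f"0x{code:08X}", "name": name, "scope": scope, "check": check})
    scopes = {f["scope"] for f in findings}
    cause = "infra" if "infra" in scopes else ("user" if scopes == {"user"} else "unknown")
    return {"likely_cause": cause, "findings": findings, "mschap_error": parse_mschap_error(mschap_error)}
```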

Guru Elite
Posts: 8,049
Registered: ‎09-08-2010

Re: CPPM Problem while using PEAP with MS-CHAPv2

Are your CPPM servers joined to your AD domain?


Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Frequent Contributor I
Posts: 75
Registered: ‎08-12-2011

Re: CPPM Problem while using PEAP with MS-CHAPv2

Yes, they are. EAP-TLS checks if there exists a computer account in AD, too. So the general connection with AD is working.

Aruba
Posts: 1,638
Registered: ‎04-13-2009

Re: CPPM Problem while using PEAP with MS-CHAPv2

Can you confirm that CPPM is not using a read-only domain controller during this authentication? Also check your Authentication Source (primary/backup tab) and see if you can browse the AD tree using the account specified.

 

I would also double-check that domain join; even remove and re-add. The check for the corresponding account with EAP-TLS is an LDAP lookup, as compared to an 802.1X EAP-MSCHAPv2 authentication.

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX

Frequent Contributor I
Posts: 75
Registered: ‎08-12-2011

Re: CPPM Problem while using PEAP with MS-CHAPv2

I can browse the AD tree in the authentication source setup, but how can I do this with the specified user account?

MVP
Posts: 4,120
Registered: ‎07-20-2011

Re: CPPM Problem while using PEAP with MS-CHAPv2

[Attached screenshot: 2014-09-30 14_47_05-ClearPass Policy Manager - Aruba Networks.png]

 

Or from the search base:

[Attached screenshot: 2014-09-30 14_48_47-ClearPass Policy Manager - Aruba Networks.png]

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Aruba
Posts: 1,638
Registered: ‎04-13-2009

Re: CPPM Problem while using PEAP with MS-CHAPv2

Browsing through the authentication source is merely LDAP and proves the bind user information is working (which would give a different error if it was not; but had to make sure). The authentication process for PEAP-MSCHAPv2 requires that domain membership to be functional to ensure CPPM can read the MSCHAP hash. Do you have any password servers defined in the domain membership area? Can you confirm the corresponding object in AD still exists; perhaps try removing it and adding it back in.

 

[Attached screenshot: cppm-pwd-servers.png]

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX

Frequent Contributor I
Posts: 75
Registered: ‎08-12-2011

Re: CPPM Problem while using PEAP with MS-CHAPv2

Thanks a lot, I got it.

 

LDAP browsing works fine, but I noticed that there was no computer object of the ClearPass machine in AD.

So I left the domain and rejoined the domain.

Afterwards it worked.

 

But now there is another problem.

I built a service which should match these PEAP connections like the following:

 

Radius:IETF NAS-Port-Type EQUALS Wireless-802.11 (19)

AND

Authentication InnerMethod Equals EAP-MSCHAPv2

 

In Access Tracker I can see in the computed attributes:

 

Authentication:InnerMethod     EAP-MSCHAPv2

 

But the Service does not match.

In my setup I need to handle PEAP-supporting clients with a separate service.

Any idea? Where is my mistake?

 

Aruba
Posts: 1,638
Registered: ‎04-13-2009

Re: CPPM Problem while using PEAP with MS-CHAPv2

That should work as a service rule. Does that authentication attempt match any service at all? Can you export the Access Tracker details and attach them?

 

Do you need a different service for this? Or can you use a single service and use role mappings to differentiate? I have seen customers go this route, with a role mapping for one inner method giving one role and another inner method giving a second role.

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX

Frequent Contributor I
Posts: 75
Registered: ‎08-12-2011

Re: CPPM Problem while using PEAP with MS-CHAPv2

I found a solution in customizing our "standard" service, which used only EAP-TLS before.

I added some Conditions in enforcement:

 

Conditions -> Enforcement Profiles
1. (Authorization:lvrintern.lvr.de:UserDN CONTAINS OU=Test1)
   AND (Authentication:InnerMethod NOT_EQUALS EAP-MSCHAPv2)
   -> [Allow Access Profile]
2. (Authentication:InnerMethod EQUALS EAP-MSCHAPv2)
   AND (Authorization:lvrintern.lvr.de:memberOf CONTAINS Test2)
   -> [Allow Access Profile]

 

In the other scenario I wanted to match a service for InnerMethod EAP-MSCHAPv2, but this did not work. To me it looks like this "inner" information is not present in the RADIUS request.

Can you explain when the attributes of "Computed Attributes" are evaluated?
