New Contributor
Posts: 2
Registered: 08-06-2015

ClearPass Denies AD Users, Computers Accept Same Users In Same AD

We have ClearPass 6.5.2, and occasionally have a user who cannot sign into our wireless network.  Authentication to the network is done via 802.1x.  ClearPass is bound to our Active Directory, as are the majority of our computers.

Sometimes CP and the AD Domain Controllers will say that a user's username or password is incorrect, but computers allow these users to sign on without a problem.  Having the user change their password always resolves the issue, but it's annoying, and we don't see why a password that works for computers in an AD would break when CP tries to authenticate the user against the same AD.  Here's the error ClearPass gives us:

MSCHAP: AD status:Logon failure (0xc000006d)
MSCHAP: AD status:Logon failure (0xc000006d)
MSCHAP: Authentication failed
EAP-MSCHAPv2: User authentication failure

So far, there are only two things that seem consistent.  We had this problem on our previous FreeRADIUS server that we replaced with ClearPass, meaning the two common threads are the FreeRADIUS software itself and the AD that we're using.

We're not sure where else to look for clues, and are hoping that the community has ideas.  I haven't asked TAC yet because the issue seems very inconsistent and, when it happens to a user, we don't ask them to wait an unspecified length of time to get online while everyone around them is enjoying being online and we figure it out.

Please let me know if you want more information.  I'm happy to answer questions.  Thanks!

Matt

Guru Elite
Posts: 20,572
Registered: 03-29-2007

Re: ClearPass Denies AD Users, Computers Accept Same Users In Same AD

You should open a case with TAC in parallel.  This could be very difficult to diagnose here on the forum.



Colin Joseph
Aruba Customer Engineering
