Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass Kerberos auth against AD

  • 1.  ClearPass Kerberos auth against AD

    Posted Mar 16, 2018 04:45 PM

    During review of our 802.1x architecture we found reference to the "Active Directory" type of ClearPass authentication source as using NTLMv2.  One of our requirements was to enable Kerberos instead of NTLMv2.

     

    I've set up Kerberos as an authentication source, but it does not appear to be able to authenticate a user using a test TACACS+ type service policy.  I'm seeing the following error:

     

    [Screenshot: 2018-03-16-tacacs-fail.PNG]

    I'm unsure what the above means.  Does it mean that I've incorrectly configured my Kerberos authentication source, or that it is configured correctly but the AD servers I specified are not responding correctly?



  • 2.  RE: ClearPass Kerberos auth against AD
    Best Answer

    EMPLOYEE
    Posted Mar 16, 2018 04:47 PM
    TACACS+ uses PAP so you’ll need to use a standard AD auth source.


  • 3.  RE: ClearPass Kerberos auth against AD

    Posted Mar 16, 2018 04:49 PM

    Thanks Tim! I think that pretty much answers my question... :)

    What services other than TACACS+ does Kerberos authentication not work with? 



  • 4.  RE: ClearPass Kerberos auth against AD

    EMPLOYEE
    Posted Mar 16, 2018 04:52 PM
    It’s dictated by the client authentication method. For example, PEAPv0/EAP-MSCHAPv2 requires NTLM for MSCHAP.