Frequent Contributor II

ClearPass Kerberos auth against AD

During review of our 802.1x architecture we found reference to the "Active Directory" type of ClearPass authentication source as using NTLMv2. One of our requirements was to enable Kerberos instead of NTLMv2.

I've set up Kerberos as an authentication source, but it does not appear to be able to authenticate a user using a test TACACS+ type service policy. I'm seeing the following error:

[Screenshot: 2018-03-16-tacacs-fail.PNG]

I'm unsure what the above means. Does it mean that I've incorrectly configured my Kerberos authentication source, or that it is configured correctly but the AD servers I specified are not responding correctly?

rwin = 0
Guru Elite

Re: ClearPass Kerberos auth against AD

TACACS+ uses PAP so you’ll need to use a standard AD auth source.

Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Frequent Contributor II

Re: ClearPass Kerberos auth against AD

Thanks Tim! I think that pretty much answers my question... :)

What services other than TACACS+ does Kerberos authentication not work with? 

rwin = 0
Guru Elite

Re: ClearPass Kerberos auth against AD

It’s dictated by the client authentication method. For example, PEAPv0/EAP-MSCHAPv2 requires NTLM for MSCHAP.

Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480