Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass acting as a Radius server - Controllers unable to authenticate with EAP-MSCHAPv2

  • 1.  ClearPass acting as a Radius server - Controllers unable to authenticate with EAP-MSCHAPv2

    Posted Sep 15, 2017 05:01 PM

    I just deployed a ClearPass VM with LDAP connectivity to a domain controller, TACACS server for network equipment to authenticate and Radius for everything else. For TACACS and Radius, I have policies set up to use the authentication source going back to my domain or against the LDAP source. I have been able to confirm that TACACS and Radius will work with network and other types of devices. However, when I attempt to connect the controller up to ClearPass using the Radius under Security -> Authentication -> Servers -> Radius & RFC 3576 server, I am able to authenticate only if I allow MSCHAP (not v2). The moment I remove MSCHAP from the authentication methods, the controller is no longer able to authenticate.

    Any suggestions of what I should look at to get EAP MSCHAPv2 to work?



  • 2.  RE: ClearPass acting as a Radius server - Controllers unable to authenticate with EAP-MSCHAPv2

    EMPLOYEE
    Posted Sep 15, 2017 05:08 PM
    You should be using [EAP PEAP] in your 802.1X service as the authentication method, not [EAP-MSCHAPv2] or [MSCHAP]. Also, make sure your ClearPass servers are joined to the domain. It’s a requirement when using legacy EAP methods like PEAPv0/EAP-MSCHAPv2.


  • 4.  RE: ClearPass acting as a Radius server - Controllers unable to authenticate with EAP-MSCHAPv2

    Posted Sep 15, 2017 05:14 PM

    Thank you for the quick response. While I agree with you that [EAP PEAP] should be used, I am unable to find a way to choose a different option within the Controller (see screenshot). I want all of our "admins" to authenticate into the controllers using ClearPass.



  • 5.  RE: ClearPass acting as a Radius server - Controllers unable to authenticate with EAP-MSCHAPv2

    EMPLOYEE
    Posted Sep 15, 2017 05:20 PM

    So this is only admin access. You mentioned you want network equipment to use TACACS+. So why are you trying to set up RADIUS? I'm confused.