New Contributor

ClearPass acting as a Radius server - Controllers unable to authenticate with EAP-MSCHAPv2

I just deployed a ClearPass VM with LDAP connectivity to a domain controller, TACACS server for network equipment to authenticate and Radius for everything else. For TACACS and Radius, I have policies set up to use the authentication source going back to my domain or against the LDAP source. I have been able to confirm that TACACS and radius will work with network and other types of devices. However, when I attempt to connect the controller up to ClearPass using the radius under Security -> Authentication -> Servers -> Radius & RFC 3576 server, I am able to authenticate only if I allow mschap (not v2). The moment I remove mschap from the authentication methods, the controller is no longer able to authenticate.

Any suggestions of what I should look at to get EAP MSCHAPv2 to work?

Guru Elite

Re: ClearPass acting as a Radius server - Controllers unable to authenticate with EAP-MSCHAPv2

You should be using [EAP PEAP] in your 802.1X service as the authentication method, not [EAP-MSCHAPv2] or [MSCHAP]. Also, make sure your ClearPass servers are joined to the domain. It’s a requirement when using legacy EAP methods like PEAPv0/EAP-MSCHAPv2.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
New Contributor

Re: ClearPass acting as a Radius server - Controllers unable to authenticate with EAP-MSCHAPv2

Thank you for the quick response. While I agree with you that [EAP PEAP] should be used, I am unable to find a way to choose a different option within the Controller (see screenshot). I want all of our "admins" to authenticate into the controllers using ClearPass.

Guru Elite

Re: ClearPass acting as a Radius server - Controllers unable to authenticate with EAP-MSCHAPv2

So this is only admin access. You mentioned you want network equipment to use TACACS+. So why are you trying to set up RADIUS? I'm confused.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480