Security

Hello all,

We have an open ssid with a captive portal authenticating ad users against NPS server. As we are deploying ClearPass, we want to use it as radius server instead of NPS server.

The captive portal login page is on the controller and the clearpass is joined to the domain.

I configured a service on clearpass with active directory as authentication source and PAP as authentication method.

The authentication on captive portal is failing with the following messages. 

The alert message:
Error Code: 216
User authentication failed
Cannot select appropriate authentication method.

Request log:
[Th 41 Req 943 SessId R0000006a-01-513f47d2] INFO RadiusServer.Radius - rlm_pap: No password (or empty password) to check against for for user testaruba. Not setting Auth-Type.
[Th 41 Req 943 SessId R0000006a-01-513f47d2] INFO RadiusServer.Radius - rlm_auth_check: Auth-Type not set.
[Th 41 Req 943 SessId R0000006a-01-513f47d2] ERROR RadiusServer.Radius - rlm_auth_check: Auth-Type not set or authentication methods have not been configured. Rejecting it.

Any thoughts please?  

Can you please attach the output you can see in the Access Tracker for the failed request (radius input and computed attributes along with the output). Can you please also attach the configuration of the service?

Hi Zsolt,

Thank you for the help.

I attached the service configuration and the access tracker error .

Attachment(s)

CPPM AD test.docx   309 KB 1 version

Is the connection to the AD working?

Are you sure that using CHAP is not selected in the Captive portal profile on the controller?

Hi,

Iam using AD with EAP-PEAP and is working correctly. Clearpass is unable to identify PAP in the access request. 

CHAP is unchecked in the captive portal profile on the controller.

Thanks.

So I guess you have another SSID and service where you are using EAP-PEAP.

Well, the request certainly matches the service, it's strange. Have you tried - just for a test - to add all of the auth methods to the service and see what happens?

Yes, I have another ssid using EAP-PEAP but on clearpass i used the same service to do the test after i added almost all

auth methods without success.

Have you tried to use the AAA test connection from controller GUI (both mschap and pap - don't forget to add these to the service). What output can you see? Can you please send the full output of the "request logs"?

Hi,

mschap authenticate successfully but not pap from the controller.

I attached both request logs.

Thanks.

Attachment(s)

Request_Logs_pap.zip   1 KB 1 version

Request_Logs_mschap.zip   2 KB 1 version

It's quite strange.

What I may suggest is to try to configure your AD server as generic LDAP (not Active Directory) on the CPPM and see what happens. You may also try to use CHAP (captive portal profile and CP service should be modified).

If neither of these helps then I would suggest to open a ticket at Aruba Support.

Hi,

Authentication with Captive Portal against AD or LDAP is working now :smileyvery-happy:.

My error was on the AD source, I had unchecked Allow bind using user password.

Thank you zshusveti for your help.

Glad to hear that it works.

Btw how was it possible that it was working but with PAP authentication?