03-12-2013 10:17 AM
We have an open SSID with a captive portal authenticating AD users against an NPS server. As we are deploying ClearPass, we want to use it as the RADIUS server instead of the NPS server.
The captive portal login page is on the controller and ClearPass is joined to the domain.
I configured a service on ClearPass with Active Directory as the authentication source and PAP as the authentication method.
The authentication on captive portal is failing with the following messages.
The alert message:
Error Code: 216
User authentication failed
Cannot select appropriate authentication method.
[Th 41 Req 943 SessId R0000006a-01-513f47d2] INFO RadiusServer.Radius - rlm_pap: No password (or empty password) to check against for for user testaruba. Not setting Auth-Type.
[Th 41 Req 943 SessId R0000006a-01-513f47d2] INFO RadiusServer.Radius - rlm_auth_check: Auth-Type not set.
[Th 41 Req 943 SessId R0000006a-01-513f47d2] ERROR RadiusServer.Radius - rlm_auth_check: Auth-Type not set or authentication methods have not been configured. Rejecting it.
Any thoughts please?
03-12-2013 10:34 AM
Can you please attach the output you can see in the Access Tracker for the failed request (RADIUS input and computed attributes along with the output)? Can you please also attach the configuration of the service?
03-13-2013 11:45 AM
I am using AD with EAP-PEAP and it is working correctly. ClearPass is unable to identify PAP in the access request.
CHAP is unchecked in the captive portal profile on the controller.
03-13-2013 12:01 PM
So I guess you have another SSID and service where you are using EAP-PEAP.
Well, the request certainly matches the service, it's strange. Have you tried - just for a test - to add all of the auth methods to the service and see what happens?
03-14-2013 01:11 AM
Have you tried to use the AAA test connection from the controller GUI (both MSCHAP and PAP - don't forget to add these to the service)? What output can you see? Can you please send the full output of the "request logs"?
03-14-2013 08:35 AM
It's quite strange.
What I may suggest is to try to configure your AD server as generic LDAP (not Active Directory) on the CPPM and see what happens. You may also try to use CHAP (the captive portal profile and the CP service should be modified).
If neither of these helps then I would suggest opening a ticket with Aruba Support.
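One way to check what the replies above ask for, namely which credential attribute the controller's Access-Request actually carries, shown as an added example that is not part of the thread or of Aruba's tooling. It classifies a raw RADIUS Access-Request by the attribute types defined in RFC 2865, RFC 2869 and RFC 2548; the function names and the sample packets are constructed for illustration.

```python
import struct

# Attribute types that reveal the authentication method (RFC 2865, 2869, 2548)
USER_PASSWORD, CHAP_PASSWORD, VENDOR_SPECIFIC, EAP_MESSAGE = 2, 3, 26, 79
MICROSOFT_VENDOR_ID = 311
MS_CHAP = {1: "MSCHAP", 25: "MSCHAPv2"}  # MS-CHAP-Response, MS-CHAP2-Response


def auth_methods(packet: bytes) -> set:
    """Return the authentication methods present in a raw Access-Request."""
    if len(packet) < 20 or packet[0] != 1:
        raise ValueError("not an Access-Request")
    length = struct.unpack("!H", packet[2:4])[0]
    if not 20 <= length <= len(packet):
        raise ValueError("bad length field")
    found, pos = set(), 20  # attributes follow the 20-byte header
    while pos < length:
        alen = packet[pos + 1] if pos + 1 < length else 0
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        atype, value = packet[pos], packet[pos + 2:pos + alen]
        if atype == USER_PASSWORD:
            # A valid User-Password value is 16..128 octets, a multiple of 16
            ok = 16 <= len(value) <= 128 and len(value) % 16 == 0
            found.add("PAP" if ok else "PAP(malformed)")
        elif atype == CHAP_PASSWORD:
            found.add("CHAP")
        elif atype == EAP_MESSAGE:
            found.add("EAP")
        elif atype == VENDOR_SPECIFIC and len(value) >= 6:
            vendor, vtype = struct.unpack("!IB", value[:5])
            if vendor == MICROSOFT_VENDOR_ID and vtype in MS_CHAP:
                found.add(MS_CHAP[vtype])
        pos += alen
    return found


def build_request(attrs) -> bytes:
    """Assemble a sample Access-Request from (type, value) pairs."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", 1, 1, 20 + len(body)) + bytes(16) + body


# Constructed sample packets; credential values are zero-filled placeholders
USER = (1, b"testaruba")  # User-Name
PAP_REQ = build_request([USER, (USER_PASSWORD, bytes(16))])
CHAP_REQ = build_request([USER, (CHAP_PASSWORD, bytes(17))])
MSCHAPV2_REQ = build_request(
    [USER, (VENDOR_SPECIFIC, struct.pack("!IBB", 311, 25, 52) + bytes(50))])
NO_CRED_REQ = build_request([USER])
```

Feeding it the UDP payload of a request captured between the controller and the RADIUS server shows whether the portal login arrived as PAP, CHAP, MSCHAP or with no credential attribute at all.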