Security

Reply
Frequent Contributor I
Posts: 66
Registered: ‎02-02-2012

ClearPass and AD users authentication

Hello all,

We have an open ssid with a captive portal authenticating ad users against NPS server. As we are deploying ClearPass, we want to use it as radius server instead of NPS server.

The captive portal login page is on the controller and the clearpass is joined to the domain.

 

I configured a service on clearpass with active directory as authentication source and PAP as authentication method.

 

The authentication on captive portal is failing with the following messages. 

The alert message:
Error Code: 216
User authentication failed
Cannot select appropriate authentication method.

Request log:
[Th 41 Req 943 SessId R0000006a-01-513f47d2] INFO RadiusServer.Radius - rlm_pap: No password (or empty password) to check against for for user testaruba. Not setting Auth-Type.
[Th 41 Req 943 SessId R0000006a-01-513f47d2] INFO RadiusServer.Radius - rlm_auth_check: Auth-Type not set.
[Th 41 Req 943 SessId R0000006a-01-513f47d2] ERROR RadiusServer.Radius - rlm_auth_check: Auth-Type not set or authentication methods have not been configured. Rejecting it.

Any thoughts please?  

Frequent Contributor II
Posts: 114
Registered: ‎12-02-2011

Re: ClearPass and AD users authentication

Can you please attach the output you can see in the Access Tracker for the failed request (radius input and computed attributes along with the output). Can you please also attach the configuration of the service?

Frequent Contributor I
Posts: 66
Registered: ‎02-02-2012

Re: ClearPass and AD users authentication

Hi Zsolt,

 

Thank you for the help.

I attached the service configuration and the access tracker error .

 

 

Frequent Contributor II
Posts: 114
Registered: ‎12-02-2011

Re: ClearPass and AD users authentication

Is the connection to the AD working?

Are you sure that using CHAP is not selected in the Captive portal profile on the controller?

Frequent Contributor I
Posts: 66
Registered: ‎02-02-2012

Re: ClearPass and AD users authentication

Hi,

 

Iam using AD with EAP-PEAP and is working correctly. Clearpass is unable to identify PAP in the access request. 

CHAP is unchecked in the captive portal profile on the controller.

 

Thanks.

 

 

 

Frequent Contributor II
Posts: 114
Registered: ‎12-02-2011

Re: ClearPass and AD users authentication

So I guess you have another SSID and service where you are using EAP-PEAP.

 

Well, the request certainly matches the service, it's strange. Have you tried - just for a test - to add all of the auth methods to the service and see what happens?

Frequent Contributor I
Posts: 66
Registered: ‎02-02-2012

Re: ClearPass and AD users authentication

Yes, I have another ssid using EAP-PEAP but on clearpass i used the same service to do the test after i added almost all

auth methods without success.

 

Frequent Contributor II
Posts: 114
Registered: ‎12-02-2011

Re: ClearPass and AD users authentication

Have you tried to use the AAA test connection from controller GUI (both mschap and pap - don't forget to add these to the service). What output can you see? Can you please send the full output of the "request logs"?

Frequent Contributor I
Posts: 66
Registered: ‎02-02-2012

Re: ClearPass and AD users authentication

Hi,

 

mschap authenticate successfully but not pap from the controller.

I attached both request logs.

 

Thanks.

Frequent Contributor II
Posts: 114
Registered: ‎12-02-2011

Re: ClearPass and AD users authentication

It's quite strange.

What I may suggest is to try to configure your AD server as generic LDAP (not Active Directory) on the CPPM and see what happens. You may also try to use CHAP (captive portal profile and CP service should be modified).

If neither of these helps then I would suggest to open a ticket at Aruba Support.

Search Airheads
Showing results for 
Search instead for 
Did you mean: