Contributor II
Posts: 59
Registered: 02-22-2011

ClearPass and AD

I had ClearPass working fine with PEAP and GTC using LDAP as the authentication source. We would like to use MSCHAPv2 and AD, but when I made the following 2 changes, GTC to MSCHAPv2 and the source from LDAP to AD, I get the following error:

rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.
rlm_mschap: FAILED: MS-CHAP2-Response is incorrect

On the summary screen of the failed session, it has authentication source none. However, when I look under the authentication source for the service, I have the AD source I created selected.

Are there other changes I need to make when changing from GTC and LDAP to MSCHAPv2 and AD?

Bob

Aruba
Posts: 1,644
Registered: 04-13-2009

Re: ClearPass and AD

Is ClearPass joined to the domain?  To do PEAP-MSCHAPv2 authentication, it must be joined.

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX

Contributor II
Posts: 59
Registered: 02-22-2011

Re: ClearPass and AD

It is part of the domain. Also, from Authentication -> Sources -> my AD source, I can click on the search base DN and that works fine, so I think the DN information is correct.

Bob

Aruba
Posts: 1,644
Registered: 04-13-2009

Re: ClearPass and AD

Is this a single domain or multi domain?   What is the message on the Alerts tab of Access Tracker?  Can you post an export of the Access Tracker event?

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX

Contributor II
Posts: 59
Registered: 02-22-2011

Re: ClearPass and AD

It's just one single domain.

I uploaded the summary and alerts screen from the failed attempt. On the summary screen I'm not sure why it has none listed for Authentication Sources; when LDAP worked it had LDAP listed, and when I look at the service, AD is listed as the authentication source.

Bob

Guru Elite
Posts: 21,561
Registered: 03-29-2007

Re: ClearPass and AD

Okay. Make sure the bind user that you used for the AD source works. That is all I can see now.

Colin Joseph
Aruba Customer Engineering


Contributor II
Posts: 59
Registered: 02-22-2011

Re: ClearPass and AD

I have all the bind information in there, and from Authentication Sources -> the AD source -> Primary tab, I can click on Search Base DN and can search it. Is that all I need to do to verify the bind information is correct, or is there another verification test?

Bob

Aruba
Posts: 1,644
Registered: 04-13-2009

Re: ClearPass and AD

In your AD Identity Source, do you have the check box for "Allow bind using user password" checked? This will attempt a bind using the logon attempt's username/password, not the bind user. Try unchecking it.

[Attachment: 3-8-2013 10-38-41 AM.jpg]

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX

Contributor II
Posts: 59
Registered: 02-22-2011

Re: ClearPass and AD

I tried unchecking that box and it still fails. I'm working with our SE right now, but he is not sure why LDAP works but not AD. One odd thing I noticed is that even though I'm using AD, I get LDAP errors in the log for my session in Access Tracker.

rlm_ldap
rlm_ldap: (re)connection attempt failed

Is that normal?

Also, I tried LDAP and MSCHAPv2, but that was also failing. Should I be able to use LDAP with MSCHAPv2? From the user's guide it looks like that should be possible:

Policy Manager can perform MSCHAPv2 and PAP/GTC authentication against any LDAP-compliant directory (for example, Novell eDirectory, OpenLDAP, or Sun Directory Server).

Bob

MVP
Posts: 1,111
Registered: 10-11-2011

Re: ClearPass and AD

Can you try testing AD authentication via the CLI?

[appadmin@clearpass]# ad auth -u <username> -n <domain NETBIOS name>
password:

Should result in:

INFO -  NT_STATUS_OK: Success (0x0)
