Contributor II
Posts: 52
Registered: ‎12-11-2012

Clearpass 802.1x Auth - Locking out Account

We are currently running ClearPass 6.2.6.62196 and we are getting calls all day long from clients frustrated with their AD account getting locked out. What we are noticing in Asset-Tracker "show logs" is that when a user enters their password incorrectly, ClearPass is passing the RADIUS MSCHAP 3 times. Well, our security setting in AD only allows 3 login failures before your account will be locked out.

Why is ClearPass passing the bad login credential 3 times per login attempt? HELP!!!!

Guru Elite
Posts: 8,456
Registered: ‎09-08-2010

Re: Clearpass 802.1x Auth - Locking out Account

ClearPass is not blocking anything. If AD is set to 3 bad attempts, and the device has the bad credentials stored, the account will be disabled and the device will be denied access.

You either need to increase or disable your lockout setting.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor II
Posts: 52
Registered: ‎12-11-2012

Re: Clearpass 802.1x Auth - Locking out Account

I am not saying ClearPass is locking out accounts. What we are seeing is ClearPass passing 3 attempts to AD with the bad login password, and AD locks them out. Why is ClearPass passing the attempt 3 times and not only one time? Because of this, our users only have one shot to enter their password correctly instead of 3 times.

Guru Elite
Posts: 8,456
Registered: ‎09-08-2010

Re: Clearpass 802.1x Auth - Locking out Account

The device may be attempting to authenticate multiple times.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Guru Elite
Posts: 21,007
Registered: ‎03-29-2007

Re: Clearpass 802.1x Auth - Locking out Account

chan.khen wrote:

We are currently running ClearPass 6.2.6.62196 and we are getting calls all day long from clients frustrated with their AD account getting locked out. What we are noticing in Asset-Tracker "show logs" is that when a user enters their password incorrectly, ClearPass is passing the RADIUS MSCHAP 3 times. Well, our security setting in AD is that after 3 login failures, your account will be locked out.

Why is ClearPass passing the bad login credential 3 times per login attempt? HELP!!!!

What you should do is implement the password history check (N-2): "Before a Windows Server 2003 operating system increments badPwdCount, it checks the invalid password against the password history. If the password is the same as one of the last two entries that are in the password history, badPwdCount is not incremented for both NTLM and the Kerberos protocol. This change to domain controllers should reduce the number of lockouts that occur because of user error." - http://technet.microsoft.com/en-us/library/cc780271(v=ws.10).aspx



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Contributor II
Posts: 52
Registered: ‎12-11-2012

Re: Clearpass 802.1x Auth - Locking out Account

I can understand if this is coming from mobile device users...this is all laptop users. NO mobile devices.

Guru Elite
Posts: 21,007
Registered: ‎03-29-2007

Re: Clearpass 802.1x Auth - Locking out Account

chan.ken,

The laptop device wireless supplicant is responsible for resubmitting the username and password multiple times to the RADIUS server. It is not just mobile devices that act this way.

Please use my suggestion above to keep users from locking themselves out when they have devices with unchanged passwords.



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

CmC
Occasional Contributor II
Posts: 11
Registered: ‎08-15-2010

Re: Clearpass 802.1x Auth - Locking out Account

To implement the password history check N-2 feature that cjoseph speaks of, there needs to be a password history policy defined (greater than 0). There is no specific knob for N-2.

 

Group Policy Location:

passwordhistory.png

Contributor II
Posts: 52
Registered: ‎12-11-2012

Re: Clearpass 802.1x Auth - Locking out Account

OK...here is an update to this. I have been on the phone with TAC now for 3+ hours on this issue.

Current setup:

1. AD only allows 3 login attempts before an account gets locked out.

What we are seeing:

1. Windows 7 laptop users' accounts get locked out after failing to input their AD password with one try/attempt.

What TAC found/is seeing:

When a user attempts to log in via 802.1X (RADIUS), CPPM will take the request coming from the user and send out 2 login attempts to AD. The first login attempt is the username in all lowercase (i.e. firstname.lastname in our case here). The second attempt is the username with capital letters (i.e. Firstname.Lastname).

What we are seeing is that there is a 3rd attempt. The 3rd attempt has domain information (i.e. domain.com/firstname.lastname). The reason for the 3rd attempt is that under our Windows EAP MSCHAP setting we enabled (checkbox) "Automatically use my Windows logon name and password (and domain if any)".

We have tried to implement the "badPwdCount" check as cjoseph recommended within ClearPass, but that doesn't work either since our AD password setting only allows 3 login attempts before locking out.

To do this the attribute command is as follows within ClearPass: (&(&(sAMAccountName=%{Authentication:Username})(objectClass=user))(!(badPwdCount>=3)))

Solution: There is none. There is only a workaround.

1. Bump up the 3 lockout count to 5 within AD. For us it's not possible because that would require a lot of paperwork and approval (audits).

2. Wait until TAC gets back with a solution. It's being escalated now to engineering.

Chan

 
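As an added illustration (not code from this thread, from ClearPass or from Microsoft), here is a small Python model of the interaction the posts describe: one user login fanned out into three backend attempts (lowercase, capitalised and domain-prefixed username) against an AD-style badPwdCount/lockout counter, with Colin's N-2 password-history rule and Chan's (!(badPwdCount>=3)) pre-check as switches. The threshold of 3 and the three username forms come from the posts; the domain name, usernames and passwords are constructed, and the retry fan-out is a simplification of the supplicant/CPPM behaviour rather than a statement of how either product is implemented.

```python
from dataclasses import dataclass, field

LOCKOUT_THRESHOLD = 3      # the "3 failures" AD policy described in the thread
DOMAIN = "domain.com"      # constructed placeholder domain


@dataclass
class AdAccount:
    """Minimal model of the AD attributes that matter for lockout."""
    sam_account_name: str
    password: str
    history: list = field(default_factory=list)   # previous passwords, newest first
    bad_pwd_count: int = 0
    locked: bool = False

    def validate(self, password, history_check):
        """Return True if the password is right. On failure increment badPwdCount,
        unless history_check is on and the wrong password equals one of the last
        two history entries (the N-2 rule quoted from TechNet in the thread)."""
        if self.locked:
            return False
        if password == self.password:
            self.bad_pwd_count = 0
            return True
        if history_check and password in self.history[:2]:
            return False                 # stale credential: treated as user error
        self.bad_pwd_count += 1
        if self.bad_pwd_count >= LOCKOUT_THRESHOLD:
            self.locked = True
        return False


def canonical_name(submitted):
    """Map any submitted form back to one sAMAccountName: AD matches the name
    case-insensitively, and the 'domain/' prefix only names the realm."""
    name = submitted.split("/", 1)[1] if "/" in submitted else submitted
    return name.lower()


def username_forms(username):
    """The three forms the thread reports reaching AD for a single user login."""
    first, _, last = username.partition(".")
    return [
        username.lower(),
        f"{first.capitalize()}.{last.capitalize()}",
        f"{DOMAIN}/{username.lower()}",
    ]


def passes_badpwdcount_filter(account, threshold=LOCKOUT_THRESHOLD):
    """Equivalent of the LDAP clause (!(badPwdCount>=3)) from Chan's post."""
    return not account.bad_pwd_count >= threshold


def one_user_login(directory, username, typed_password,
                   history_check=False, precheck=False):
    """One password entry by the user becomes up to three backend attempts.
    Returns (authenticated, backend_attempts_made)."""
    attempts = 0
    for form in username_forms(username):
        account = directory[canonical_name(form)]      # all forms hit one account
        if precheck and not passes_badpwdcount_filter(account):
            continue            # filter rejects the user before AD sees the password
        attempts += 1
        if account.validate(typed_password, history_check):
            return True, attempts
    return False, attempts


def scenario(history_check, typed_password, precheck=False):
    """Fresh constructed account per run: current password 'Spring2014!',
    previous ones 'Winter2013!' then 'Autumn2013!'. Returns (badPwdCount, locked)."""
    acct = AdAccount("jane.doe", "Spring2014!", history=["Winter2013!", "Autumn2013!"])
    directory = {acct.sam_account_name: acct}
    one_user_login(directory, "jane.doe", typed_password, history_check, precheck)
    return acct.bad_pwd_count, acct.locked


if __name__ == "__main__":
    print("stale pw, no history check :", scenario(False, "Winter2013!"))
    print("stale pw, N-2 history check:", scenario(True, "Winter2013!"))
    print("typo'd pw, N-2 history check:", scenario(True, "Sprng2014!"))
    print("stale pw, badPwdCount>=3 filter:", scenario(False, "Winter2013!", precheck=True))
```

Running it reproduces the thread's findings: with a threshold of 3 and three backend attempts per login, a single stale password locks the account, the N-2 history check absorbs the stale-password case (count stays 0) but cannot help with a genuinely mistyped password, and a (!(badPwdCount>=3)) filter never fires in time because the count only reaches 3 on the third attempt of the same login, which is the attempt that locks the account.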

Contributor II
Posts: 52
Registered: ‎12-11-2012

Re: Clearpass 802.1x Auth - Locking out Account

OK...Here is the solution to this post. TAC has classified this as a bug within CPPM. Below is what they said.

 

 

Update from TAC as of 5/16/2014:

Hi Chan,

This issue has been identified in ClearPass and we are implementing a service parameter to control this behavior.

So by default CPPM will not re-attempt the AD login check with different formats, and you can turn on the additional formats upon requirement.

However, the patch that is going to address this issue is currently set for 6.3.5. We do not have an official release date on 6.3.5 yet.

For now, we can implement the workaround of increasing the Account lockout policy, if possible, while we get an official date on the release.

Update from TAC as of June 4th:

Hi Chan,

The ClearPass version 6.3.5 which has a fix for our issue is slated for release tentatively at the end of July 2014.

 

 

 

Many thanks to the Aruba TAC engineers. They were also to work with. Also many thanks to all the Airheads that chimed in on this post. You guys are Airheads rock stars.
