Frequent Contributor I

EAP: Client doesn't support configured EAP methods - [EAP-MSCHAP]

Hello,

Customer has 802.1X service where corporate users will authenticate via EAP-TLS, and contractors via EAP-MSCHAP. CPPM runs on 6.6.8.

While corporate users have no issues while authenticating, contractors are not able to do so. Alert tab in Access Tracker is displaying error message "EAP: Client doesn't support configured EAP methods". Any thoughts what could be the reason behind this? For both methods, authentication source is customer's AD. Thanks.

Regards,
NesaM --ACMP, ACCP--
Guru Elite

Re: EAP: Client doesn't support configured EAP methods - [EAP-MSCHAP]

Clients using EAP-PEAP actually use an Inner Method of EAP-MSCHAPv2 and an Outer Method of EAP-PEAP. Make sure both methods are included as authentication methods in your service along with your EAP-TLS.


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
Frequent Contributor I

Re: EAP: Client doesn't support configured EAP methods - [EAP-MSCHAP]

Hi Colin,

This resolved our initial issue, thank you. We are now getting error messages "No trusted SAM account" and are working on it following instructions we saw in a few threads on Airheads.

Regards,
NesaM --ACMP, ACCP--
Guru Elite

Re: EAP: Client doesn't support configured EAP methods - [EAP-MSCHAP]

Did you already add ClearPass to the domain?


Frequent Contributor I

Re: EAP: Client doesn't support configured EAP methods - [EAP-MSCHAP]

That's already done. I am suspecting that account used to bind CPPM appliances to AD might have expired, or has limited access rights, but will need to wait until morning for customer to confirm.

Regards,
NesaM --ACMP, ACCP--
Frequent Contributor I

Re: EAP: Client doesn't support configured EAP methods - [EAP-MSCHAP]

Hi Colin,

After running a command "ad auth -u <user> -n <NETBIOS domain name>" I am seeing the "NT_STATUS_ACCESS_DENIED: Access denied (0xc0000022)" error.

User account we used to bind CPPM and AD is apparently still active, and with full access rights.

Would leaving AD Domain, and joining again, be the way to go? Thanks in advance.

Regards,
NesaM --ACMP, ACCP--
Frequent Contributor I

Re: EAP: Client doesn't support configured EAP methods - [EAP-MSCHAP]

Hi,

After all we discovered that an account used to bind with CPPM with AD was in effect able to read AD only, and not domain admin account (!!). That was now changed, and authentication requests are coming through. Thank you for your help, Colin.

Regards,
NesaM --ACMP, ACCP--
Guru Elite

Re: EAP: Client doesn't support configured EAP methods - [EAP-MSCHAP]

The bind account should NEVER be a domain admin account. It should be a standard user account.

Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Frequent Contributor I

Re: EAP: Client doesn't support configured EAP methods - [EAP-MSCHAP]

OK, but what kind of access rights should user account have? One used before could've read AD, but was throwing back that error message "NT_STATUS_ACCESS_DENIED". New one we tried gave us "NT_STATUS_OK". Thanks.

Regards,
NesaM --ACMP, ACCP--
Guru Elite

Re: EAP: Client doesn't support configured EAP methods - [EAP-MSCHAP]

Bind is a simple LDAP lookup and does not use NT lookup.

I think you may be confusing LDAP lookup and NTLM password checks.

Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480