Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

EAP-PEAP authentication fails after upgrading ClearPass

  • 1.  EAP-PEAP authentication fails after upgrading ClearPass

    Posted Mar 28, 2016 04:47 PM

    Hello,

    After upgrading ClearPass from 6.4.3 to 6.5.5, all EAP-PEAP authentications are failing, even for domain machines, while EAP-TLS is working. Here are some of the logs:

     

    INFO RadiusServer.Radius - rlm_mschap: Domain corpdomain.com from User-Name does not match domain CORP from Object SID
    INFO RadiusServer.Radius - rlm_mschap: authenticating user LP14$, domain corpdomain.com
    INFO RadiusServer.Radius - rlm_mschap: user LP14$ authentication failed
    ERROR RadiusServer.Radius - rlm_mschap: AD status:Access denied (0xc0000022)
    ERROR RadiusServer.Radius - rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
    -----------------------------------------------------------------------------------------------------------------------
    INFO RadiusServer.Radius - rlm_mschap: Using domain CORP from User-Name attribute
    INFO RadiusServer.Radius - rlm_mschap: authenticating user username, domain CORP
    INFO RadiusServer.Radius - rlm_mschap: user username, authentication failed
    ERROR RadiusServer.Radius - rlm_mschap: AD status:Access denied (0xc0000022)
    ERROR RadiusServer.Radius - rlm_mschap: FAILED: MS-CHAP2-Response is incorrect

     

    Tried making the NetBIOS name equal to the domain name, enabling user-stripping, and enabling always using the NetBIOS name. No luck.

    Any ideas?

    Thanks

     



  • 2.  RE: EAP-PEAP authentication fails after upgrading ClearPass

    Posted Mar 28, 2016 05:07 PM
    Are you able to LDAP browse? Under your AD source:
    Configuration > Authentication > Sources > Primary


  • 3.  RE: EAP-PEAP authentication fails after upgrading ClearPass

    Posted Mar 28, 2016 05:09 PM

    Yes.



  • 4.  RE: EAP-PEAP authentication fails after upgrading ClearPass
    Best Answer

    Posted Mar 28, 2016 05:19 PM
    You should open an Aruba TAC case in parallel so they can take a look.

    Have you tried removing/re-adding CPPM to the domain?



  • 5.  RE: EAP-PEAP authentication fails after upgrading ClearPass

    Posted Mar 28, 2016 06:07 PM

    No, I didn't try re-joining.

    I just tried in the CLI: ad testjoin and the result: Preauthentication failed. Join to domain is not valid: Logon failure
    I'll re-join and update you at the earliest.

    Update: re-joining the AD domain solved the issue.

     

    I'm just curious though, what would be the cause of this?

     

    Thanks for your fast response.



  • 6.  RE: EAP-PEAP authentication fails after upgrading ClearPass

    Posted Jan 05, 2017 08:43 AM

    I SSH'd into my servers and ran "ad passwd reset -n DOMAIN" which fixed it for me without needing to re-join the domain.
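
A triage sketch for the log pattern in this thread, added here as an example and not part of any post or of ClearPass itself: it groups rlm_mschap failures by AD status code and flags the case seen in post 1, where a machine account and a user account both fail with Access denied (0xc0000022). The function names, the sample log and the two-account threshold are assumptions; the heuristic reflects only what this thread reports (re-joining the domain fixed it).

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the rlm_mschap lines quoted in post 1.
SAMPLE_LOG = """\
INFO RadiusServer.Radius - rlm_mschap: authenticating user LP14$, domain corpdomain.com
INFO RadiusServer.Radius - rlm_mschap: user LP14$ authentication failed
ERROR RadiusServer.Radius - rlm_mschap: AD status:Access denied (0xc0000022)
ERROR RadiusServer.Radius - rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
INFO RadiusServer.Radius - rlm_mschap: authenticating user username, domain CORP
INFO RadiusServer.Radius - rlm_mschap: user username, authentication failed
ERROR RadiusServer.Radius - rlm_mschap: AD status:Access denied (0xc0000022)
ERROR RadiusServer.Radius - rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
"""

AUTH_RE = re.compile(r"rlm_mschap: authenticating user (?P<user>[^,\s]+), domain (?P<domain>\S+)")
STATUS_RE = re.compile(r"rlm_mschap: AD status:(?P<text>.*?) \((?P<code>0x[0-9a-fA-F]{8})\)")

def failures_by_status(log_text):
    """Map each AD status code to the set of (user, domain) pairs that hit it.

    Assumption: the lines of one authentication attempt are contiguous,
    as in the excerpt above; interleaved sessions would need a session key.
    """
    by_status = defaultdict(set)
    current = None  # account from the most recent "authenticating user" line
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if m:
            current = (m["user"], m["domain"])
            continue
        m = STATUS_RE.search(line)
        if m and current:
            by_status[m["code"].lower()].add(current)
            current = None
    return dict(by_status)

def triage(log_text, min_accounts=2):
    """Heuristic (assumption): Access denied for several distinct accounts
    points at the server's own domain join rather than at user credentials."""
    denied = failures_by_status(log_text).get("0xc0000022", set())
    if len(denied) >= min_accounts:
        return "check-domain-join"
    return "check-individual-accounts"

if __name__ == "__main__":
    print(failures_by_status(SAMPLE_LOG))
    print(triage(SAMPLE_LOG))
```

A "check-domain-join" result is a prompt to run the join test mentioned in post 5 before changing NetBIOS or username-stripping settings.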