Occasional Contributor II

EAP-PEAP authentication fails after upgrading ClearPass

Hello,

 

After upgrading ClearPass from 6.4.3 to 6.5.5, all EAP-PEAP authentications are failing, even for domain machines, while EAP-TLS is working. Here are some of the logs:

 

INFO RadiusServer.Radius - rlm_mschap: Domain corpdomain.com from User-Name does not match domain CORP from Object SID
INFO RadiusServer.Radius - rlm_mschap: authenticating user LP14$, domain corpdomain.com
INFO RadiusServer.Radius - rlm_mschap: user LP14$ authentication failed
ERROR RadiusServer.Radius - rlm_mschap: AD status:Access denied (0xc0000022)
ERROR RadiusServer.Radius - rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
-----------------------------------------------------------------------------------------------------------------------
INFO RadiusServer.Radius - rlm_mschap: Using domain CORP from User-Name attribute
INFO RadiusServer.Radius - rlm_mschap: authenticating user username, domain CORP
INFO RadiusServer.Radius - rlm_mschap: user username, authentication failed
ERROR RadiusServer.Radius - rlm_mschap: AD status:Access denied (0xc0000022)
ERROR RadiusServer.Radius - rlm_mschap: FAILED: MS-CHAP2-Response is incorrect

 

Tried making the NetBIOS name equal to the domain name, enabling user-stripping, and enabling always using the NetBIOS name. No luck.

 

Any ideas?

 

Thanks

 

Re: EAP-PEAP authentication fails after upgrading ClearPass

Are you able to LDAP browse? Under your AD source:
Configuration > Authentication > Sources > Primary
Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Occasional Contributor II

Re: EAP-PEAP authentication fails after upgrading ClearPass

Yes.

Re: EAP-PEAP authentication fails after upgrading ClearPass

You should open an Aruba TAC case in parallel so they can take a look.

Have you tried removing/re-adding CPPM to the domain?

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Occasional Contributor II

Re: EAP-PEAP authentication fails after upgrading ClearPass

No, I didn't try re-joining.

I just tried in the CLI: ad testjoin and the result: Preauthentication failed. Join to domain is not valid: Logon failure
I'll re-join and update you at the earliest.

 

Update: re-joining the AD domain solved the issue.

 

I'm just curious though, what would be the cause of this?

 

Thanks for your fast response.

New Contributor

Re: EAP-PEAP authentication fails after upgrading ClearPass

I SSH'd into my servers and ran "ad passwd reset -n DOMAIN" which fixed it for me without needing to re-join the domain.
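
A triage sketch for the log pattern in this thread, added here as an example (not part of any poster's message and not ClearPass code): it pairs each rlm_mschap attempt with the AD status that follows it and flags the case where several accounts all get Access denied (0xc0000022), the situation that ad testjoin exposed and a re-join resolved above. The function names, verdict labels and two-account threshold are assumptions.

```python
import re

# Log lines copied from the first post in this thread.
SAMPLE = """\
INFO RadiusServer.Radius - rlm_mschap: authenticating user LP14$, domain corpdomain.com
INFO RadiusServer.Radius - rlm_mschap: user LP14$ authentication failed
ERROR RadiusServer.Radius - rlm_mschap: AD status:Access denied (0xc0000022)
ERROR RadiusServer.Radius - rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
INFO RadiusServer.Radius - rlm_mschap: authenticating user username, domain CORP
INFO RadiusServer.Radius - rlm_mschap: user username, authentication failed
ERROR RadiusServer.Radius - rlm_mschap: AD status:Access denied (0xc0000022)
ERROR RadiusServer.Radius - rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
"""

AUTH_RE = re.compile(r"rlm_mschap: authenticating user (\S+), domain (\S+)")
STATUS_RE = re.compile(r"rlm_mschap: AD status:(.+?) \((0x[0-9a-fA-F]{8})\)")
ACCESS_DENIED = 0xC0000022  # NTSTATUS STATUS_ACCESS_DENIED, the code seen in the thread


def parse_attempts(text):
    """Pair each 'authenticating user' line with the first AD status after it."""
    attempts, current = [], None
    for line in text.splitlines():
        if m := AUTH_RE.search(line):
            current = {"user": m.group(1), "domain": m.group(2), "status": None}
            attempts.append(current)
        elif (m := STATUS_RE.search(line)) and current and current["status"] is None:
            current["status"] = int(m.group(2), 16)
    return attempts


def triage(attempts, min_accounts=2):
    """Heuristic (assumption): the same AD-side denial for several distinct
    accounts points at the server's domain join, not at individual passwords."""
    denied = {a["user"] for a in attempts if a["status"] == ACCESS_DENIED}
    other = {a["user"] for a in attempts if a["status"] not in (None, ACCESS_DENIED)}
    if len(denied) >= min_accounts and not other:
        return "check-domain-join", sorted(denied)
    if denied or other:
        return "per-account", sorted(denied | other)
    return "no-ad-failures", []


if __name__ == "__main__":
    print(triage(parse_attempts(SAMPLE)))
```

A "check-domain-join" verdict is the cue to run ad testjoin on the server before changing NetBIOS or username-stripping settings.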
