Occasional Contributor II
Posts: 30
Registered: 12-09-2016

FAILED: MS-CHAP2-Response is Incorrect

I have two services set up. One is in production using EAP-TLS and working fine. I created another service and cloned the Authentication source used in the production service...using EAP-PEAP. In the logs I can see that the EAP-PEAP session establishes. Then there is an eap-mschapv2 challenge issued. I then get the following errors:


2017-03-16 09:08:16,784[Th 21 Req 3234183 SessId R000781e9-01-58cab870] INFO RadiusServer.Radius - rlm_mschap: authenticating user xxx, domain xxxx
2017-03-16 09:08:16,817[Th 21 Req 3234183 SessId R000781e9-01-58cab870] INFO RadiusServer.Radius - rlm_mschap: user xxx authentication failed
2017-03-16 09:08:16,817[Th 21 Req 3234183 SessId R000781e9-01-58cab870] ERROR RadiusServer.Radius - rlm_mschap: AD status:No trusted SAM account (0xc000018b)
2017-03-16 09:08:16,818[Th 21 Req 3234183 SessId R000781e9-01-58cab870] INFO RadiusServer.Radius - MS-Chap User Authentication time = 33 ms
2017-03-16 09:08:16,818[Th 21 Req 3234183 SessId R000781e9-01-58cab870] ERROR RadiusServer.Radius - rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
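An added triage script (not from this thread or from Aruba) that groups the rlm_mschap lines above by SessId and pulls out the AD NTSTATUS code, so the final "MS-CHAP2-Response is incorrect" line is not mistaken for a bad user password when the status actually points at the ClearPass node's own machine trust. The line format is assumed from the lines quoted above, and the NTSTATUS names are the standard Windows ones.

```python
import re
from collections import defaultdict

# Constructed sample input: the rlm_mschap lines quoted in the post above,
# keeping the poster's xxx/xxxx placeholders for user and domain.
SAMPLE_LOG = """\
2017-03-16 09:08:16,784[Th 21 Req 3234183 SessId R000781e9-01-58cab870] INFO RadiusServer.Radius - rlm_mschap: authenticating user xxx, domain xxxx
2017-03-16 09:08:16,817[Th 21 Req 3234183 SessId R000781e9-01-58cab870] INFO RadiusServer.Radius - rlm_mschap: user xxx authentication failed
2017-03-16 09:08:16,817[Th 21 Req 3234183 SessId R000781e9-01-58cab870] ERROR RadiusServer.Radius - rlm_mschap: AD status:No trusted SAM account (0xc000018b)
2017-03-16 09:08:16,818[Th 21 Req 3234183 SessId R000781e9-01-58cab870] INFO RadiusServer.Radius - MS-Chap User Authentication time = 33 ms
2017-03-16 09:08:16,818[Th 21 Req 3234183 SessId R000781e9-01-58cab870] ERROR RadiusServer.Radius - rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
"""

# Line layout assumed from the sample: "<date> <time>[Th N Req N SessId X] LEVEL logger - msg"
LINE_RE = re.compile(r"^\S+ \S+\[Th \d+ Req \d+ SessId (?P<sess>\S+)\] "
                     r"(?P<level>[A-Z]+) \S+ - (?P<msg>.*)$")
USER_RE = re.compile(r"authenticating user (?P<user>\S+), domain (?P<domain>\S+)")
AD_RE = re.compile(r"AD status:(?P<text>.*?)\s*\((?P<code>0x[0-9a-fA-F]{8})\)")

# NTSTATUS values carried by the "AD status" line. 0xc000018b is the one in
# the post: the RADIUS node has no machine trust with the domain.
TRUST_CODES = {"0xc000018b": "STATUS_NO_TRUSTED_SAM_ACCOUNT"}
USER_CODES = {"0xc000006a": "STATUS_WRONG_PASSWORD",
              "0xc0000064": "STATUS_NO_SUCH_USER",
              "0xc0000234": "STATUS_ACCOUNT_LOCKED_OUT"}

def parse_line(line):
    """Split one ClearPass RADIUS log line into SessId, level and message."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def triage(log_text):
    """Group rlm_mschap lines by SessId and say where each failure came from."""
    sessions = defaultdict(lambda: {"user": None, "domain": None, "ad_status": None,
                                    "ad_text": None, "failed": False, "cause": "ok"})
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if not rec:
            continue  # not a RADIUS server line; skip it
        s = sessions[rec["sess"]]
        if m := USER_RE.search(rec["msg"]):
            s["user"], s["domain"] = m["user"], m["domain"]
        elif m := AD_RE.search(rec["msg"]):
            s["ad_status"], s["ad_text"] = m["code"].lower(), m["text"].strip()
        elif "MS-CHAP2-Response is incorrect" in rec["msg"]:
            s["failed"] = True
    for s in sessions.values():
        if s["failed"]:
            if s["ad_status"] in TRUST_CODES:
                s["cause"] = "server_trust"      # fix domain join on this node
            elif s["ad_status"] in USER_CODES:
                s["cause"] = "user_credential"   # bad password, unknown or locked user
            else:
                s["cause"] = "unknown"
    return dict(sessions)
```

Run it over the RADIUS log of each node in the cluster; a "server_trust" result on one node and "ok" on another isolates the node that is not joined.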


Guru Elite
Posts: 8,194
Registered: 09-08-2010

Re: FAILED: MS-CHAP2-Response is Incorrect

- Are your ClearPass servers joined to the domain?
- Is your bind account valid?

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Occasional Contributor II
Posts: 30
Registered: 12-09-2016

Re: FAILED: MS-CHAP2-Response is Incorrect

Thanks for pointing that out. So, we have 3 CPPM servers. 1 of them is joined and the bind account appears to be working because I can browse AD. The other 2 aren't joined; however, I don't think they are clustered...or done correctly...so not sure if that matters.


But the original Service utilizing the same authentication source (although different authentication methods) is working just fine.


Guru Elite
Posts: 8,194
Registered: 09-08-2010

Re: FAILED: MS-CHAP2-Response is Incorrect

If you’re using PEAPv0/EAP-MSCHAPv2, all servers servicing authentications must be joined to the domain(s).

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Occasional Contributor II
Posts: 30
Registered: 12-09-2016

Re: FAILED: MS-CHAP2-Response is Incorrect

Ah, I think I see. 


So because the original service is using EAP-TLS, not all servers need to be joined to the domain to work; however, using PEAPv0/EAP-MSCHAPv2, all servers need to be joined for the protocol/authentication to work?


(I didn't set this up and got put on WiFi duty with little experience....so thanks for your patience and time)!

Guru Elite
Posts: 8,194
Registered: 09-08-2010

Re: FAILED: MS-CHAP2-Response is Incorrect

Yes. In EAP-TLS, the certificate essentially replaces the password. In PEAPv0/EAP-MSCHAPv2, the actual password is in use and requires a domain join to build a trust domain for NTLMv2/Kerberos.

That’s why EAP-TLS is the recommended authentication method when possible.

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Occasional Contributor II
Posts: 30
Registered: 12-09-2016

Re: FAILED: MS-CHAP2-Response is Incorrect

Sorry Tim, one more question. The 2 other servers in the cluster I want to add to the domain. I'm dumb with this stuff and wanted to make sure there wouldn't be an outage with the services during this time? I'm assuming not, but wanted to make sure that I put in a change if there was a possibility of CPPM going offline or using a server that isn't fully connected/joined to the domain.


Thanks Tim!

Guru Elite
Posts: 8,194
Registered: 09-08-2010

Re: FAILED: MS-CHAP2-Response is Incorrect

You will not have to reload the server but a few services will restart during the domain join process.

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Occasional Contributor II
Posts: 30
Registered: 12-09-2016

Re: FAILED: MS-CHAP2-Response is Incorrect

Thanks man! I really appreciate it!

Occasional Contributor II
Posts: 30
Registered: 12-09-2016

Re: FAILED: MS-CHAP2-Response is Incorrect

Hey Tim, 


So after adding all 3 servers to the domain, I'm still getting the same error. 


I saw some other posts out there suggesting to unjoin and then join the servers back to the domain. Does that make sense? Is that suggested in this case?


Thanks!
