08-08-2012 04:27 AM
I am trying to set up a Clearpass evaluation where the Clearpass server runs offsite, so I can't use AD integration.
I have set up a Generic LDAP Authentication source, but when I try to test validation from my controller, it fails:
User authentication failed
Alerts for this Request
RADIUS SJS-UNV LDAP - 220.127.116.11: User not found.
MSCHAP: Authentication failed
The log says:
Request log details for session: R0000000e-01-502247da
2012-08-08 13:04:58,423 [Th 5 Req 14 SessId R0000000e-01-502247da] INFO RadiusServer.Radius - rlm_service: Starting Service Categorization
2012-08-08 13:04:58,429 [RequestHandler-1-0x43871940 r=auto-31 h=47 r=R0000000e-01-502247da] INFO Core.ServiceReqHandler - Service classification result = RadTest
2012-08-08 13:04:58,430 [Th 5 Req 14 SessId R0000000e-01-502247da] INFO RadiusServer.Radius - rlm_service: The request has been categorized into service "RadTest"
2012-08-08 13:04:58,430 [Th 5 Req 14 SessId R0000000e-01-502247da] INFO RadiusServer.Radius - rlm_ldap: searching for user testuser in Ldap:18.104.22.168
2012-08-08 13:05:00,361 [Th 5 Req 14 SessId R0000000e-01-502247da] ERROR RadiusServer.Radius - rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.
2012-08-08 13:05:00,361 [Th 5 Req 14 SessId R0000000e-01-502247da] ERROR RadiusServer.Radius - rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
I have tried using cleartext, NT Hash and LM hash passwords, but I just can't get it to work.
I have attached a screenshot of the Auth Source Primary tab
Any help is much appreciated!
08-08-2012 09:06 PM
You might want to check if the CPPM is joined to the domain (because it looks like you are doing MSCHAP authentication, which requires CPPM to be joined to the domain).
Can try joining the CPPM to the domain and try the same again (Administration-->Server Manager-->Server Configuration-->"Select the server"-->Join Domain). You can set the password type to be "cleartext" in the LDAP auth source and try after the domain join.
Get back for any clarifications.
08-09-2012 04:39 AM
The CPPM is not joined to the domain, so if MSCHAP requires a domain join, that explains why it does not work.
I am evaluating CPPM with the purpose of hosting several customers on the same CPPM. I talked to a few Arubans at Airheads, Nice, who led me to believe that it was possible, but I wonder how to do it? CPPM can only join a single domain as far as I know, and what other options do I have to validate users from a Microsoft AD over the Internet? (MPLS, VPN etc. is not an option.)
Thanks in advance for any useful input!
08-09-2012 05:01 AM
I'm not sure which version of CPPM you are using, but from version 5.1 onwards CPPM supports "Multiple Domain Joins", which means that Policy Manager can now authenticate users from multiple ADs even if there is no trust relationship between them; these ADs can also be across a WAN.
08-09-2012 06:10 AM
thanks a lot for your swift reply, and for the good news:-)
I'll try to make it work and post back with success or more questions:-)
03-15-2013 06:55 AM
03-15-2013 07:01 AM
Thanks for the quick response on an old thread. It has joined the domain, but I was having some problems with AD as the Authentication Source, so I was going to try to use LDAP instead, even though it has joined the domain. I was wondering if that was possible.