Contributor I
Posts: 32
Registered: ‎06-19-2011

Generic LDAP to Microsoft AD - authentication fails

I am trying to set up a Clearpass evaluation where the Clearpass server runs offsite, so I can't use AD integration.

 

I have set up a Generic LDAP Authentication source, but when I try to test validation from my controller, it fails:

 

Error Code: 216
Error Category: Authentication failure
Error Message: User authentication failed
Alerts for this Request:
RADIUS SJS-UNV LDAP - 109.110.111.112: User not found.
MSCHAP: Authentication failed

 

 

The log says:

Request log details for session: R0000000e-01-502247da
Time Message
2012-08-08 13:04:58,423 [Th 5 Req 14 SessId R0000000e-01-502247da] INFO RadiusServer.Radius - rlm_service: Starting Service Categorization
2012-08-08 13:04:58,429 [RequestHandler-1-0x43871940 r=auto-31 h=47 r=R0000000e-01-502247da] INFO Core.ServiceReqHandler - Service classification result = RadTest
2012-08-08 13:04:58,430 [Th 5 Req 14 SessId R0000000e-01-502247da] INFO RadiusServer.Radius - rlm_service: The request has been categorized into service "RadTest"
2012-08-08 13:04:58,430 [Th 5 Req 14 SessId R0000000e-01-502247da] INFO RadiusServer.Radius - rlm_ldap: searching for user testuser in Ldap:109.110.111.112
2012-08-08 13:05:00,361 [Th 5 Req 14 SessId R0000000e-01-502247da] ERROR RadiusServer.Radius - rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.
2012-08-08 13:05:00,361 [Th 5 Req 14 SessId R0000000e-01-502247da] ERROR RadiusServer.Radius - rlm_mschap: FAILED: MS-CHAP2-Response is incorrect

I have tried using cleartext, NT hash and LM hash passwords, but I just can't get it to work.

 

I have attached a screenshot of the Auth Source Primary tab.

 

Any help is much appreciated!

 

kind regards

Mikael

Denmark

Aruba Employee
Posts: 6
Registered: ‎12-27-2011

Re: Generic LDAP to Microsoft AD - authentication fails

You might want to check if the CPPM is joined to the domain (because it looks like you are doing MSCHAP authentication, which requires CPPM to be joined to the domain).

 

You can try joining the CPPM to the domain and try the same again (Administration-->Server Manager-->Server Configuration-->"Select the server"-->Join Domain). You can set the password type to be "cleartext" in the LDAP auth source and try after the domain join.

 

Get back for any clarifications.

 

Regards,

Keerthi
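The "rlm_mschap: FAILED: No NT/LM-Password" line in the question and Keerthi's point that MS-CHAP needs the domain join come from the same property of MS-CHAPv2: the RADIUS server can only check the client's response if it holds the NT hash of the user's password (or can hand the check to a domain controller), and a generic LDAP lookup against AD returns neither the cleartext password nor that hash. The Go program below is an added example, not code from this thread or from ClearPass, that implements the RFC 2759 NT-Response computation and its server-side verification on the RFC's own test vectors ("User" / "clientPass"); the nil-hash branch in verifyNTResponse is my model of what the logged failure means, not CPPM's code.

```go
package main

import (
	"crypto/des"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"math/bits"
	"unicode/utf16"
)

// md4 is a compact RFC 1320 MD4 (Go's standard library has none); it is needed only for the NT hash.
func md4(data []byte) []byte {
	a, b, c, d := uint32(0x67452301), uint32(0xefcdab89), uint32(0x98badcfe), uint32(0x10325476)
	msg := append(append([]byte{}, data...), 0x80)
	msg = append(msg, make([]byte, (56-len(msg)%64+64)%64)...) // pad to 56 mod 64
	msg = binary.LittleEndian.AppendUint64(msg, uint64(len(data))*8)
	s := [3][4]int{{3, 7, 11, 19}, {3, 5, 9, 13}, {3, 9, 11, 15}}
	for off := 0; off < len(msg); off += 64 {
		var x [16]uint32
		for i := range x {
			x[i] = binary.LittleEndian.Uint32(msg[off+4*i:])
		}
		aa, bb, cc, dd := a, b, c, d
		for i := 0; i < 16; i++ { // round 1: F = (b AND c) OR (NOT b AND d), words in order
			a, b, c, d = d, bits.RotateLeft32(a+((b&c)|(^b&d))+x[i], s[0][i%4]), b, c
		}
		for i := 0; i < 16; i++ { // round 2: G = majority, words 0,4,8,12,1,5,...
			a, b, c, d = d, bits.RotateLeft32(a+((b&c)|(b&d)|(c&d))+x[(i%4)*4+i/4]+0x5a827999, s[1][i%4]), b, c
		}
		for i := 0; i < 16; i++ { // round 3: H = b XOR c XOR d, words in bit-reversed order
			a, b, c, d = d, bits.RotateLeft32(a+(b^c^d)+x[bits.Reverse8(uint8(i))>>4]+0x6ed9eba1, s[2][i%4]), b, c
		}
		a, b, c, d = a+aa, b+bb, c+cc, d+dd
	}
	var out []byte
	for _, v := range []uint32{a, b, c, d} {
		out = binary.LittleEndian.AppendUint32(out, v)
	}
	return out
}

// ntHash: MD4 over the UTF-16LE password, the form the server must already hold to verify MS-CHAPv2.
func ntHash(password string) []byte {
	var buf []byte
	for _, v := range utf16.Encode([]rune(password)) {
		buf = append(buf, byte(v), byte(v>>8))
	}
	return md4(buf)
}

// challengeHash: first 8 bytes of SHA1(PeerChallenge || AuthenticatorChallenge || UserName), RFC 2759.
func challengeHash(peer, auth [16]byte, user string) []byte {
	sum := sha1.Sum(append(append(append([]byte{}, peer[:]...), auth[:]...), user...))
	return sum[:8]
}

func desEncrypt(key7, block []byte) []byte { // widen 7-byte key to 8 (parity bit position left zero; DES ignores it)
	key := make([]byte, 8)
	key[0] = key7[0]
	for i := 1; i < 7; i++ {
		key[i] = key7[i-1]<<(8-i) | key7[i]>>i
	}
	key[7] = key7[6] << 1
	ciph, _ := des.NewCipher(key) // only fails on a wrong key length, which cannot happen here
	out := make([]byte, 8)
	ciph.Encrypt(out, block)
	return out
}

func ntResponseFromHash(hash, chal []byte) [24]byte { // RFC 2759 ChallengeResponse(): pad hash to 21 bytes, 3 x DES
	padded := append(append([]byte{}, hash...), make([]byte, 5)...)
	var resp [24]byte
	for i := 0; i < 3; i++ {
		copy(resp[8*i:], desEncrypt(padded[7*i:7*i+7], chal))
	}
	return resp
}

// verifyNTResponse is the server side: it needs the NT hash, never the cleartext. If the auth source
// returns no hash (nil) there is nothing to check, which is the "No NT/LM-Password" failure in the log.
func verifyNTResponse(auth, peer [16]byte, user string, storedNTHash []byte, resp [24]byte) bool {
	if len(storedNTHash) != 16 {
		return false
	}
	want := ntResponseFromHash(storedNTHash, challengeHash(peer, auth, user))
	return subtle.ConstantTimeCompare(want[:], resp[:]) == 1
}

func main() { // RFC 2759 section 9.2 test vectors, not values from this thread
	var auth, peer [16]byte
	hex.Decode(auth[:], []byte("5B5D7C7D7B3F2F3E3C2C602132262628"))
	hex.Decode(peer[:], []byte("21402324255E262A28295F2B3A337C7E"))
	h := ntHash("clientPass")
	resp := ntResponseFromHash(h, challengeHash(peer, auth, "User")) // what the supplicant sends
	fmt.Printf("NT-Response %X\n", resp[:])
	fmt.Println("with NT hash:", verifyNTResponse(auth, peer, "User", h, resp), "without:", verifyNTResponse(auth, peer, "User", nil, resp))
}
```

Run it with `go run`; the first verification succeeds because the server was given the NT hash, the second fails for the same reason CPPM logged "Cannot perform authentication": a password attribute the LDAP source never returned cannot be used to recompute the response. That is why the two working configurations are a cleartext or NT-hash password that the auth source actually exposes, or a domain join that lets the server delegate the check to a domain controller.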

Contributor I
Posts: 32
Registered: ‎06-19-2011

Re: Generic LDAP to Microsoft AD - authentication fails

Hi Keerthi,

 

the CPPM is not joined to the domain, so if MSCHAP requires domain join, that explains why it does not work.

 

I am evaluating CPPM with the purpose of hosting several customers on the same CPPM. I talked to a few Arubans at Airheads, Nice, who led me to believe that it was possible, but I wonder how to do it? CPPM can only join a single domain as far as I know, and what other options do I have to validate users from a Microsoft AD over the Internet? (MPLS, VPN etc. is not an option.)

 

Thanks in advance for any useful input!

 

kind regards

Mikael

Denmark

Aruba Employee
Posts: 6
Registered: ‎12-27-2011

Re: Generic LDAP to Microsoft AD - authentication fails

Hi Mikael,

 

I'm not sure which version of CPPM you are using, but from version 5.1 onwards CPPM supports "Multiple Domain Joins", which means that Policy Manager can now authenticate users from multiple ADs even if there is no trust relationship between them. These ADs can also be across a WAN.

 

Regards,

Keerthi

Contributor I
Posts: 32
Registered: ‎06-19-2011

Re: Generic LDAP to Microsoft AD - authentication fails

Hi Keerthi,

 

thanks a lot for your swift reply, and for the good news:-)

 

I'll try to make it work and post back with success or more questions:-)

 

kind regards

 

Mikael

Denmark

Contributor I
Posts: 32
Registered: ‎06-19-2011

Re: Generic LDAP to Microsoft AD - authentication fails

Thanks Keerthi,

I was able to join the CPPM to the domain across the WAN and successfully authenticated users with MSCHAP!

kind regards
Mikael, Denmark

Contributor II
Posts: 59
Registered: ‎02-22-2011

Re: Generic LDAP to Microsoft AD - authentication fails

Did you get MSCHAP to work with using LDAP as the Authentication Source? 

 

 

Bob 

 

Contributor I
Posts: 32
Registered: ‎06-19-2011

Re: Generic LDAP to Microsoft AD - authentication fails

No, in order to use MS-CHAP, the CPPM needs to be a member of the AD domain.

Kind regards,
Mikael Schütt
ACSP, ACMP, CCNA, CWNA, CWSP, CWAP, CWDP, MCPD, MCSE, MCITP, ACSP, ACTC, ACS-Dep, ACS-SaM, ACS-DS, ACSA, Network+

Contributor II
Posts: 59
Registered: ‎02-22-2011

Re: Generic LDAP to Microsoft AD - authentication fails

Thanks for the quick response on an old thread. It has joined the domain, but I was having some problems with AD as the Authentication Source, so I was going to try to use LDAP instead, even though it has joined the domain. I was wondering if that was possible.

 

Bob 

 
