Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

How to authenticate users in MSCHAP2 via 2 different AD domains with only one CPPM?

  • 1.  How to authenticate users in MSCHAP2 via 2 different AD domains with only one CPPM?

    Posted Dec 30, 2014 02:41 AM

    Hi,

    We have two Wi-Fi controllers and two different AD domains (with no trust relationship), and one ClearPass; the EAP termination is not on the controller.

    With MSCHAPv2, is it possible to authenticate* users via 2 different AD domains with only one CPPM?

    * Not only used for user lookup and attribute fetching.

    Regards

    Yann



  • 2.  RE: How to authenticate users in MSCHAP2 via 2 different AD domains with only one CPPM?

    EMPLOYEE
    Posted Dec 30, 2014 04:00 AM
    Yes. You can join multiple domains and add multiple AD auth sources in the service.


  • 3.  RE: How to authenticate users in MSCHAP2 via 2 different AD domains with only one CPPM?

    Posted Dec 30, 2014 04:06 AM

    Hi Tarnold,

    I have already added my two ADs in auth sources.

    I tried to do this, but it doesn't work; I get this error message when I want to authenticate one AD user on my Wi-Fi 802.1X.

    RADIUS

    MSCHAP: AD status:Reading winbind reply failed! (0xc0000001)
    MSCHAP: AD status:Reading winbind reply failed! (0xc0000001)
    MSCHAP: Authentication failed
    EAP-MSCHAPv2: User authentication failure

    Regards

    Yann



  • 4.  RE: How to authenticate users in MSCHAP2 via 2 different AD domains with only one CPPM?

    EMPLOYEE
    Posted Dec 30, 2014 04:11 AM
    Make sure you joined CPPM to the domain and the read account in the auth sources has sufficient privileges.



  • 6.  RE: How to authenticate users in MSCHAP2 via 2 different AD domains with only one CPPM?

    Posted Dec 30, 2014 04:31 AM

    Hi Tarnold,

    Thank you for your answer, but it's not possible to join two different domains with only one ClearPass.

    Have you another way?

    Regards

    Yann



  • 7.  RE: How to authenticate users in MSCHAP2 via 2 different AD domains with only one CPPM?
    Best Answer

    EMPLOYEE
    Posted Dec 30, 2014 04:48 AM

    Yes you can.

    Here you can see that I'm joined to 3 domains that do not have any trust between them.

    Screen Shot 2014-12-30 at 3.47.00 AM.png



  • 8.  RE: How to authenticate users in MSCHAP2 via 2 different AD domains with only one CPPM?

    Posted Dec 30, 2014 05:07 AM

    It's true, I had not seen!!

    Thanks Tarnold!