Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Kerberos in ClearPass

  • 1.  Kerberos in ClearPass

    Posted May 07, 2018 10:38 AM

    Question - I am trying to get PEAP/MSCHAPv2 working in a wired 802.1X deployment. I work in a very locked down environment where NTLM is NOT allowed. I believe the built in AD template in ClearPass doesn't support Kerberos. I noticed there is a Kerberos service profile but in my reading non-Windows devices need a keytab file for Kerberos auth to work. My question is how do I get the keytab file installed inside of ClearPass? Or is it required at all?


    Any info would be great!



  • 2.  RE: Kerberos in ClearPass

    EMPLOYEE
    Posted May 07, 2018 10:40 AM
    If NTLM is not allowed, you should not be using legacy EAP methods like PEAP. Use EAP-TLS.


  • 3.  RE: Kerberos in ClearPass

    Posted May 07, 2018 10:47 AM

    That would be great however our machines do not have domain certs. Unfortunately this is not an option for us. 



  • 4.  RE: Kerberos in ClearPass

    EMPLOYEE
    Posted May 07, 2018 10:51 AM
    That is really your only option. PEAPv0/EAP-MSCHAPv2 uses MSCHAPv2, which uses NTLMv1.


  • 5.  RE: Kerberos in ClearPass

    Posted May 07, 2018 03:11 PM

    Well, since MSCHAPv2 works with Kerberos in Windows NPS, I guess I will advise my customers not to spend 30K on ClearPass.



  • 6.  RE: Kerberos in ClearPass

    EMPLOYEE
    Posted May 07, 2018 03:18 PM
    Your requirement was to not use NTLM. Using Kerberos with EAP-MSCHAPv2 still uses NTLM on the backend.


  • 7.  RE: Kerberos in ClearPass
    Best Answer

    EMPLOYEE
    Posted May 08, 2018 04:27 AM

    There are two parts to this. In NPS, the connection to the domain from the NPS server is Kerberos authenticated, which is also the situation with ClearPass.


    There is no way to run the actual MS-CHAPv2 authentication with Kerberos, as NTLM is the only defined authentication scheme in MS-CHAPv2.


    Moving to NPS will not change that in any way as it cannot change the standards. As Tim said, if NTLM cannot be used by policy, you cannot deploy PEAP/MSCHAPv2, and should move to other authentication methods.
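
The best answer above makes the point that the MS-CHAPv2 step itself is an NTLM operation on the backend, whichever RADIUS server fronts it. The following added example (not code from this thread, from ClearPass or from HPE Aruba) shows what a RADIUS server actually does with the inner PEAP/MS-CHAPv2 response: it parses the MS-CHAP2-Response attribute (RFC 2548 section 2.3.2), derives the 8-octet challenge per RFC 2759 section 8.2, and hands that challenge plus the client's 24-octet NT-Response to the domain controller. The `ntlm_auth` command line is the way FreeRADIUS and Samba do this through winbind, which is an NTLM (Netlogon) exchange; it is used here only to illustrate the mechanism, not as a description of ClearPass internals. There is no step in this path where a Kerberos ticket or keytab could replace the NTLM check, which is why the keytab question in the opening post concerns the server's own domain session rather than the per-user verification. The MS-CHAP2-Response payload and the `CORP\User` identity are constructed from the RFC 2759 section 9.2 test vectors; the `--allow-mschapv2` flag is what newer Samba releases require for MS-CHAPv2 use and is an assumption about the local Samba version.

```python
import hashlib
from typing import List, Tuple

# Layout of the MS-CHAP2-Response vendor sub-attribute (RFC 2548 section 2.3.2):
#   Ident(1) Flags(1) Peer-Challenge(16) Reserved(8) NT-Response(24) = 50 octets
MSCHAP2_RESPONSE_LEN = 50


def parse_mschap2_response(payload: bytes) -> dict:
    """Split the 50-octet MS-CHAP2-Response value into its fields."""
    if len(payload) != MSCHAP2_RESPONSE_LEN:
        raise ValueError(f"MS-CHAP2-Response must be {MSCHAP2_RESPONSE_LEN} octets, got {len(payload)}")
    ident, flags = payload[0], payload[1]
    if flags != 0:
        # RFC 2548 requires Flags to be zero: MS-CHAPv2 carries no LM-Response
        raise ValueError(f"MS-CHAP2-Response Flags must be 0, got {flags}")
    return {
        "ident": ident,
        "peer_challenge": payload[2:18],
        "reserved": payload[18:26],
        "nt_response": payload[26:50],
    }


def split_identity(identity: str) -> Tuple[str, str]:
    """Return (domain, user) for 'DOMAIN\\user', 'user@realm' or a bare 'user'.

    The challenge hash is computed over the bare account name; the domain
    part is passed to the DC separately.
    """
    if "\\" in identity:
        domain, user = identity.split("\\", 1)
        return domain, user
    if "@" in identity:
        user, realm = identity.split("@", 1)
        return realm, user
    return "", identity


def challenge_hash(peer_challenge: bytes, authenticator_challenge: bytes, user: str) -> bytes:
    """RFC 2759 section 8.2: Challenge = SHA1(PeerChallenge || AuthChallenge || UserName)[0:8]."""
    if len(peer_challenge) != 16 or len(authenticator_challenge) != 16:
        raise ValueError("both challenges must be 16 octets")
    h = hashlib.sha1()
    h.update(peer_challenge)
    h.update(authenticator_challenge)
    h.update(user.encode("utf-8"))
    return h.digest()[:8]


def build_ntlm_auth_argv(identity: str, authenticator_challenge: bytes, mschap2_response: bytes) -> List[str]:
    """Build the ntlm_auth invocation a RADIUS server uses to have the DC verify the response.

    Everything the DC sees is an NTLM challenge/response pair: the 8-octet
    challenge and the client's DES-based 24-octet NT-Response. The RADIUS
    server never holds the user's NT hash and never performs a Kerberos step.
    """
    fields = parse_mschap2_response(mschap2_response)
    domain, user = split_identity(identity)
    challenge = challenge_hash(fields["peer_challenge"], authenticator_challenge, user)
    argv = [
        "ntlm_auth",
        "--request-nt-key",   # also return the NT key, needed to derive the MPPE session keys
        "--allow-mschapv2",   # assumption: newer Samba releases require this for MS-CHAPv2
        f"--username={user}",
        f"--challenge={challenge.hex()}",
        f"--nt-response={fields['nt_response'].hex()}",
    ]
    if domain:
        argv.insert(3, f"--domain={domain}")
    return argv


# Constructed sample input built from the RFC 2759 section 9.2 test vectors
# (user "User", password "clientPass"); the 50-octet attribute value around
# them is assembled here for illustration.
RFC2759_AUTH_CHALLENGE = bytes.fromhex("5b5d7c7d7b3f2f3e3c2c602132262628")
RFC2759_PEER_CHALLENGE = bytes.fromhex("21402324255e262a28295f2b3a337c7e")
RFC2759_NT_RESPONSE = bytes.fromhex("82309ecd8d708b5ea08faa3981cd78544c65a00f1d4e4a6f")
SAMPLE_MSCHAP2_RESPONSE = bytes([0x01, 0x00]) + RFC2759_PEER_CHALLENGE + bytes(8) + RFC2759_NT_RESPONSE


def demo() -> List[str]:
    """Run the server-side derivation on the constructed sample."""
    return build_ntlm_auth_argv("CORP\\User", RFC2759_AUTH_CHALLENGE, SAMPLE_MSCHAP2_RESPONSE)


if __name__ == "__main__":
    print(" ".join(demo()))
```

Running it prints the `ntlm_auth` line with `--challenge=d02e4386bce91226`, the RFC 2759 challenge for these vectors. Note that the client computed the NT-Response from the MD4 NT hash of its password using the same DES construction as an NTLMv1 response, so only a party holding that NT hash (the DC, reached over NTLM) can verify it; a policy that forbids NTLM therefore rules out this exchange regardless of whether ClearPass or NPS relays it.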