Security

Reply
Frequent Contributor II

MSCHAP V2 - Response is incorrect

I've contacted TAC but I'm in a world of hurt with 22000+ users...

 

Problem started around 1 pm today and is growing rapidly:

 

2015-01-05 15:39:52,326[Th 1193 Req 1631729 SessId R00023f2d-01-54ab04a8] ERROR RadiusServer.Radius - rlm_mschap: AD status:Reading winbind reply failed! (0xc0000001)
2015-01-05 15:39:52,326

[Th 1193 Req 1631729 SessId R00023f2d-01-54ab04a8] ERROR RadiusServer.Radius - rlm_mschap: FAILED: MS-CHAP2-Response is incorrect

 

is the primariy message I see inside the log files of the CPPM (version 6.4.3 which we just moved to 12/20/14).  Since it started mid-day, I'm not as inclined to think it is the upgrade.  Users get correct roles, etc.  The error message makes me think it is a bad username/password combo but not everyone in the district simultaneously forgot their password after using it correctly in the morning??!!??

 

Alerts tab:

MSCHAP: AD status:Reading winbind reply failed! (0xc0000001)
MSCHAP: AD status:Reading winbind reply failed! (0xc0000001)
MSCHAP: AD status:Reading winbind reply failed! (0xc0000001)
MSCHAP: Authentication failed
EAP-MSCHAPv2: User authentication failure

 

We're going to try rebooting AD servers first.

 

Any ideas? Suggestions?

 

**Additional**
Machine authentications are doing it as well

Guru Elite

Re: MSCHAP V2 - Response is incorrect

Can you tty rejoining the ClearPass servers to the domain? 

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Guru Elite

Re: MSCHAP V2 - Response is incorrect

Did you try removing and then re-adding it to the domain?

 



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Aruba

Re: MSCHAP V2 - Response is incorrect

the winbind error looks to be a domain join issue.   can you rejoin the CPPM appliances to the domain?  Also, make sure DNS is configured and working correctly on the CPPM side.

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX

Frequent Contributor II

Re: MSCHAP V2 - Response is incorrect

Thanks for the replies/ideas.  Once the AD servers (2) are rebooted, I'll see how it is going.  If it is still down, I'll redo the AD domain connection in the CPPM servers.

 

Thanks again!!

Frequent Contributor II

Re: MSCHAP V2 - Response is incorrect

I think rejoining to domain fixed the issue.  Seeing some rejects but error messages are not the same as before rejoin.  Quite possibly users with BYOD device trying to access our corporate .1x network (not allowed by configuration).  I'll keep checking.

 

Thanks for the rescue!!

Re: MSCHAP V2 - Response is incorrect

I've got the same issue, If ther is any Idea help please

Re: MSCHAP V2 - Response is incorrect

My Customer is facind this issue almost avery day, I've tried almost everything, Removing from domain and join again, reboot CPPM, reboot AD, but  there is still problem, the issue is happening randomly, and when we face this error messages after 30-40 minutes the CPPM starts accepting the clients and works normally.

 

Aruba

Re: MSCHAP V2 - Response is incorrect

Please open a TAC case. They will need to look at a debug of the radius when the issue happens. I've seen this issue in a few customers and it usually ends up being an AD issue where the AD is either undersized or other programs are being ran in the ad server or shared resource vm.
Thank You,
Troy

--Give Kudos: found something helpful, important, or cool? Click Kudos Star in a post.

--Problem Solved? Click "Accepted Solution" in a post.
Search Airheads
cancel
Showing results for 
Search instead for 
Did you mean: