Contributor I
Posts: 65
Registered: ‎12-15-2011

MSCHAPv2 fails Auth when using AD

I have an 802.1X wireless configuration in ClearPass. CPPM is also joined to an AD server. When I do RadiusAuth simulation with PAP it passes. When done with MSCHAP it fails. When I do an AAA test from the controller with PAP, it passes. When done with MSCHAPv2 it fails. The service is defined to allow the following authentication methods: 1. [EAP PEAP], 5. [CHAP], 6. [MSCHAP], 7. [EAP MSCHAPv2], 8. [PAP]. PAP and MSCHAP both work when using Local Identity store in ClearPass.

CPPM is using a copy of the admin account with the same group memberships as the admin account. Bind is enabled.

The following is the output from the failed simulation attempt. It appears that ClearPass or AD is ignoring the attempt when MSCHAP is used and therefore the simulated client retries.

MS-CHAP-Challenge = 0x76fa9993c9e70ca0e386617751ae8f4d
MS-CHAP2-Response = 0x0000c377cf1c31962db7de4fe706179cd4f90000000000000000487590fae48582f35f8aa31dbda1225949e2ef6dddcdec89
Re-sending Access-Request of id 157 to 127.0.0.1 port 1812
NAS-Port-Type = Wireless-802.11
Service-Type = Login-User
User-Name = "xxx"
Auth-Simulation-Id = "de74147c-0689-4684-a7f9-c05663d62530"
MS-CHAP-Challenge = 0x76fa9993c9e70ca0e386617751ae8f4d
MS-CHAP2-Response = 0x0000c377cf1c31962db7de4fe706179cd4f90000000000000000487590fae48582f35f8aa31dbda1225949e2ef6dddcdec89
Re-sending Access-Request of id 157 to 127.0.0.1 port 1812

Any help with why MSCHAPv2 is failing would be appreciated.
Thanks.

Moderator
Posts: 496
Registered: ‎11-09-2012

Re: MSCHAPv2 fails Auth when using AD

Are you able to browse the AD tree from within the configured AD auth-source?


Best Regards
-d

Snr Tech Marketing Engineer - ClearPass

Contributor I
Posts: 65
Registered: ‎12-15-2011

Re: MSCHAPv2 fails Auth when using AD

Yes, I am able to browse the AD tree. I decided to move the Base DN to the root of the tree and now everything works perfectly. Thank you for pointing me in the right direction.
