10-07-2015 10:16 AM
We're running MSCHAP authentication for users to an AD domain.
A few weeks ago we put a read only domain controller online at another site (online 24/7 via VPN tunnel).
All was fine until today when Clearpass decided to start using the RODC to authenticate users. All user authentication failed.
When I typed 'show domain' from the console, it listed the RODC as the 'Domain Server Ip Address'.
Once I shut down the tunnel to the RODC, clearpass went back to using local servers.
How do I force Clearpass to use local servers for user auth?
Configuration » Authentication » Sources lists only the local servers for primary and backups.
Administration » Server Manager » Server Configuration lists only the local servers under the AD Domains section.
What else do I need to do to force local server auth?
10-07-2015 02:00 PM
I don't know if there is a problem with read-only domain controllers or not. To restrict the domain controllers to only the ones you want to contact, you can do this:
Go to Administration > Server Manager > Server Configuration > Click on Server > and click on a little tiny icon called "Password Servers" at the bottom. You can then add the IP addresses that you want MSCHAPv2 restricted to for authentication.
Aruba Customer Engineering
Validated Reference Design Guides : http://community.arubanetworks.com/t5/Validated-Reference-Design/tkb-p/Aruba-VRDs
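A check that goes with the answer above, as an added example that is not part of the thread and not ClearPass code: the standard AD domain controller locator discovers DCs through DNS SRV records under `_ldap._tcp.dc._msdcs.<domain>`, and an RODC registers there like any other DC, so an unrestricted locator has no reason to avoid it. The script below parses constructed SRV data for a hypothetical domain `corp.example` (all host names and addresses are invented), orders the candidates the way a locator would, and reports any advertised DC whose address is missing from an explicit password-server allow-list, which is what the "Password Servers" setting in the answer effectively enforces. Whether ClearPass's own join uses exactly this DNS path is an assumption; the thread does not say.

```python
"""Compare DNS-advertised domain controllers with a password-server allow-list.

Added example, not code from the original thread or from ClearPass.
All SRV/A data below is constructed sample input for a hypothetical domain.
"""

from dataclasses import dataclass

# Constructed sample: roughly what
#   dig +short SRV _ldap._tcp.dc._msdcs.corp.example
# could return. Each line is: priority weight port target
SAMPLE_SRV = """\
0 100 389 dc1.corp.example.
0 100 389 dc2.corp.example.
0 100 389 rodc-branch.corp.example.
10 50 389 dc3.corp.example.
"""

# Constructed A records for the same hosts (invented addresses).
SAMPLE_A = {
    "dc1.corp.example": "10.1.0.10",
    "dc2.corp.example": "10.1.0.11",
    "dc3.corp.example": "10.1.0.12",
    "rodc-branch.corp.example": "10.9.0.10",  # the RODC at the remote site
}


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


def parse_srv(text):
    """Parse 'priority weight port target' lines into SrvRecord objects."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        prio, weight, port, target = line.split()
        records.append(
            SrvRecord(int(prio), int(weight), int(port), target.rstrip(".").lower())
        )
    return records


def locator_order(records):
    """Order candidates as a DC locator would: lowest priority first.

    RFC 2782 picks among equal-priority targets at random, weighted by
    'weight'; here ties are broken by weight, then name, so the output is
    reproducible. The point is that a same-priority RODC is a fully
    eligible candidate.
    """
    ordered = sorted(records, key=lambda r: (r.priority, -r.weight, r.target))
    return [r.target for r in ordered]


def unlisted_dcs(records, allowed_ips, a_records):
    """Return advertised DCs whose address is not on the password-server list."""
    allowed = {ip.strip() for ip in allowed_ips}
    return sorted(r.target for r in records if a_records.get(r.target) not in allowed)


if __name__ == "__main__":
    recs = parse_srv(SAMPLE_SRV)
    allow = ["10.1.0.10", "10.1.0.11", "10.1.0.12"]  # the local, writable DCs
    print("DC locator candidates:", locator_order(recs))
    print("Advertised but not in allow-list:", unlisted_dcs(recs, allow, SAMPLE_A))
```

Run against real data, replace `SAMPLE_SRV` and `SAMPLE_A` with the output of your resolver; any host the second line reports is one the locator may hand to an unrestricted authenticator, so it either belongs on the Password Servers list or should not be reachable from the ClearPass node.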