Hi all,
I still have some questions on this topic:
In order to validate the user's password (EAP-PEAP-MSCHAPv2), ClearPass servers must be AD joined. Several sources describe what to do, see e.g. https://www.arubanetworks.com/techdocs/ClearPass/Aruba_DeployGd_HTML/Content/Active%20Directory/Joining_AD_domain.htm
Pls note this remark:
During the NT LAN Manager authentication process, ClearPass queries Active Directory for a suitable domain controller to use to handle the authentication.
Please note that when used with 802.1x EAP-PEAP-MSCHAPv2 services, the authentication process is separate from the Active Directory authentication source in ClearPass, which in this context only handles authorization.
My question is: how can any modification in the authentication/authorisation filter (as described above) impact the actual password check (hashes)? According to the note, these 2 processes are separate.
Is it even necessary to specify AD as authentication source (in the service) if we check no other attribute in AD (for authorization)?
(OK, I haven't actually tried this solution, had to disassociate the ClearPass server from AD due to a huge amount of problems...)
Thx a lot!!