Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Wireless 802.1x EAP-PEAP with Novell eDirectory

  • 1.  Wireless 802.1x EAP-PEAP with Novell eDirectory

    Posted Oct 12, 2016 02:39 PM

    I'm trying to set up simple EAP-PEAP 802.1x authentication against a Novell eDirectory LDAP authentication source.  The connection settings seem to be correct (at least I am able to bind and browse the directory under "search base dn").  I think I'm missing something in the attributes but I can't find any examples specific to eDirectory.

    Authentication attempts fail, with the following in the Access Tracker logs:

    ERROR RadiusServer.Radius - rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.

    ERROR RadiusServer.Radius - rlm_mschap: FAILED: MS-CHAP2-Response is incorrect

    Has anyone out there successfully set up eDirectory as an authentication source?


  • 2.  RE: Wireless 802.1x EAP-PEAP with Novell eDirectory

    EMPLOYEE
    Posted Oct 12, 2016 02:42 PM
    You would need to use EAP-TTLS or EAP-GTC.


  • 3.  RE: Wireless 802.1x EAP-PEAP with Novell eDirectory

    Posted Oct 12, 2016 03:41 PM

    Ok... any pointers beyond that?  Configuration examples?  Documentation?

    I've chosen both EAP-TTLS and EAP-GTC as authentication methods in the service and it's still failing:

    Auth-Type not set or authentication methods have not been configured. Rejecting it.



  • 4.  RE: Wireless 802.1x EAP-PEAP with Novell eDirectory

    EMPLOYEE
    Posted Oct 12, 2016 03:44 PM
    Are your clients configured for those protocols? Most clients require either a configuration profile or a different supplicant.


  • 5.  RE: Wireless 802.1x EAP-PEAP with Novell eDirectory

    Posted Oct 12, 2016 03:52 PM

    I'm using the built-in Microsoft EAP-TTLS settings (see attached)

    (attachment: Capture.PNG)



  • 6.  RE: Wireless 802.1x EAP-PEAP with Novell eDirectory

    EMPLOYEE
    Posted Oct 13, 2016 06:54 AM

    You should be able to do EAP-PEAP with MSCHAPv2 against eDirectory, if you can modify the settings on eDirectory.

    Having said that, be advised that MSCHAPv2 has been cracked and should be avoided unless you have full control over your clients and can enforce server certificate validation.

    User authentication using PEAP-MSCHAPv2 against Novell eDirectory has the following requirements:

    • Passwords must be stored in cleartext in the directory
    • The Universal Password attribute must be turned on in the directory
    • Create a Password Policy in eDirectory. This password policy should have the following option enabled: "Universal Password --> Configuration --> Allow Admin to retrieve password". Also, this password policy should be assigned to all users who are going to be authenticated.



  • 7.  RE: Wireless 802.1x EAP-PEAP with Novell eDirectory
    Best Answer

    Posted Oct 13, 2016 10:39 AM

    I got this working thanks to TAC.  I'll summarize it here for future reference:

    All of the prerequisite settings were done in eDirectory:

    • Passwords must be stored in cleartext in the directory
    • The Universal Password attribute must be turned on in the directory
    • Create a Password Policy in eDirectory. This password policy should have the following option enabled: "Universal Password --> Configuration --> Allow Admin to retrieve password". Also, this password policy should be assigned to all users who are going to be authenticated.

    I also imported the certificate chain from eDirectory into the Trust List in ClearPass, and enabled LDAP over SSL (port 636).

    Finally, what got it working was:

    In the authentication source settings, under the Primary tab, the password attribute should be named "nspmPassword" instead of "userPassword".

    (attachment: screen.jpg)


  • 8.  RE: Wireless 802.1x EAP-PEAP with Novell eDirectory

    EMPLOYEE
    Posted Oct 13, 2016 10:43 AM
    Be sure to review the security ramifications of Universal Password with your security team. That's the only reason I recommended EAP-TTLS or EAP-GTC.

    Glad you're up and running though!