Occasional Contributor I
Posts: 7
Registered: ‎10-11-2012

clearpass and external auth source (AD)

Hi,

I'm trying to use ClearPass to do 802.1X authentication but it won't work.

My ClearPass has joined the AD domain, with the CA server cert installed as trusted (single AD).

On my auth source -> auth attribute, I can query the AD username, so I think my DC configuration is all right.

The problem was, I always failed to connect to the network, with the 'Access Tracker' alert message as:

Error Code: 201
Error Category: Authentication failure
Error Message: User not found

Alerts for this Request
RADIUS win server - WIN-TMMH8KP4QP1.acslab.local: User not found.
MSCHAP: Authentication failed
EAP-MSCHAPv2: User authentication failure

And the log details show 2 errors (red font lines). I'm not sure how to solve this error. Please help.

2013-03-13 15:22:01,504[Th 9 Req 341 SessId R00000031-01-51403729] ERROR RadiusServer.Radius - rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.
2013-03-13 15:22:01,504[Th 9 Req 341 SessId R00000031-01-51403729] ERROR RadiusServer.Radius - rlm_mschap: FAILED: MS-CHAP2-Response is incorrect

 

And here is the complete log.

2013-03-13 15:22:01,433[Th 8 Req 336 SessId R00000031-01-51403729] INFO RadiusServer.Radius - rlm_service: Starting Service Categorization - 91:217:A06CEC05D81E
2013-03-13 15:22:01,434[RequestHandler-1-0x7f4eee1f0700 r=auto-99 h=63 r=R00000031-01-51403729] INFO Core.ServiceReqHandler - Service classification result = RAD_CP
2013-03-13 15:22:01,434[RequestHandler-1-0x7f4eee1f0700 r=auto-100 h=65 r=R00000031-01-51403729] INFO Common.EndpointTable - Returning NULL (EndpointPtr) for macAddr a06cec05d81e
2013-03-13 15:22:01,434[RequestHandler-1-0x7f4eee1f0700 r=auto-100 h=65 r=R00000031-01-51403729] INFO Common.TagDefinitionCacheTable - No InstanceTagDefCacheMap found for instance id = 3001 entity id = 29
2013-03-13 15:22:01,434[RequestHandler-1-0x7f4eee1f0700 r=auto-100 h=65 r=R00000031-01-51403729] INFO Common.TagDefinitionCacheTable - Building the TagDefMapTable for NAD instance=3001
2013-03-13 15:22:01,434[RequestHandler-1-0x7f4eee1f0700 r=auto-100 h=65 r=R00000031-01-51403729] INFO Common.TagDefinitionCacheTable - Built 0 tag(s) for NAD instanceId=3001|entityId=29
2013-03-13 15:22:01,434[RequestHandler-1-0x7f4eee1f0700 r=auto-100 h=65 r=R00000031-01-51403729] INFO TAT.TagAttrHolderBuilder - No tags built for instanceId=3001|entity=Device
2013-03-13 15:22:01,434[RequestHandler-1-0x7f4eee1f0700 r=auto-100 h=65 r=R00000031-01-51403729] INFO TAT.AluTagAttrHolderBuilder - buildAttrHolder: Tags cannot be built for instanceId=0 (NULL AuthLocalUser)
2013-03-13 15:22:01,434[RequestHandler-1-0x7f4eee1f0700 r=auto-100 h=65 r=R00000031-01-51403729] INFO TAT.GuTagAttrHolderBuilder - buildAttrHolder: Tags cannot be built for instanceId=0 (NULL GuestUser)
2013-03-13 15:22:01,434[RequestHandler-1-0x7f4eee1f0700 r=auto-100 h=65 r=R00000031-01-51403729] INFO TAT.EndpointTagAttrHolderBuilder - buildAttrHolder: Tags cannot be built for instanceId=0 (NULL Endpoint)
2013-03-13 15:22:01,434[RequestHandler-1-0x7f4eee1f0700 r=auto-100 h=65 r=R00000031-01-51403729] INFO TAT.OnboardTagAttrHolderBuilder - buildAttrHolder: Tags cannot be built for instanceId=0 (NULL Onboard Device User)
2013-03-13 15:22:01,434[RequestHandler-1-0x7f4eee1f0700 h=868 c=R00000031-01-51403729] INFO Core.PETaskScheduler - *** PE_TASK_SCHEDULE_RADIUS Started ***
2013-03-13 15:22:01,434[RequestHandler-1-0x7f4eee1f0700 h=870 c=R00000031-01-51403729] INFO Core.PETaskRoleMapping - Roles: ROLE_TEST
2013-03-13 15:22:01,434[RequestHandler-1-0x7f4eee1f0700 h=873 c=R00000031-01-51403729] INFO Core.PETaskEnforcement - EnfProfiles: Allow Access Profile]
2013-03-13 15:22:01,434[RequestHandler-1-0x7f4eee1f0700 h=874 c=R00000031-01-51403729] INFO Core.PETaskRadiusEnfProfileBuilder - EnfProfileAction=ACCEPT
2013-03-13 15:22:01,434[RequestHandler-1-0x7f4eee1f0700 h=874 c=R00000031-01-51403729] INFO Core.PETaskRadiusEnfProfileBuilder - Radius enfProfiles used: Allow Access Profile]
2013-03-13 15:22:01,434[RequestHandler-1-0x7f4eee1f0700 h=874 c=R00000031-01-51403729] INFO Core.EnfProfileComputer - getFinalSessionTimeout: sessionTimeout = 0
2013-03-13 15:22:01,434[RequestHandler-1-0x7f4eee1f0700 h=878 c=R00000031-01-51403729] INFO Core.PETaskCliEnforcement - startHandler: No commands for CLI enforcement
2013-03-13 15:22:01,434[RequestHandler-1-0x7f4eee1f0700 r=R00000031-01-51403729 h=875 c=R00000031-01-51403729] INFO Core.PETaskRadiusCoAEnfProfileBuilder - getApplicableProfiles: No radius_coa enforcement profiles applicable for this device
2013-03-13 15:22:01,434[RequestHandler-1-0x7f4eee1f0700 r=R00000031-01-51403729 h=877 c=R00000031-01-51403729] INFO Core.PETaskPostAuthEnfProfileBuilder - getApplicableProfiles: No Post auth enforcement profiles applicable for this device
2013-03-13 15:22:01,434[RequestHandler-1-0x7f4eee1f0700 h=880 c=R00000031-01-51403729] INFO Core.XpipPolicyResHandler - populateResponseTlv: PETaskPostureOutput does not exist. Skip sending posture VAFs
2013-03-13 15:22:01,434[RequestHandler-1-0x7f4eee1f0700 h=880 c=R00000031-01-51403729] INFO Core.PolicyResCollector - getSohr: Failed to generate Sohr
2013-03-13 15:22:01,434[RequestHandler-1-0x7f4eee1f0700 h=879 c=R00000031-01-51403729] INFO Core.PolicyResCollector - getSohr: Failed to generate Sohr
2013-03-13 15:22:01,434[RequestHandler-1-0x7f4eee1f0700 r=R00000031-01-51403729 h=868 c=R00000031-01-51403729] INFO Core.PETaskScheduler - *** PE_TASK_SCHEDULE_RADIUS Completed ***
2013-03-13 15:22:01,436[Th 8 Req 336 SessId R00000031-01-51403729] INFO RadiusServer.Radius - rlm_service: The request has been categorized into service "RAD_CP"
2013-03-13 15:22:01,436[Th 8 Req 336 SessId R00000031-01-51403729] INFO RadiusServer.Radius - rlm_ldap: searching for user test in AD:WIN-TMMH8KP4QP1.acslab.local
2013-03-13 15:22:01,437[Th 8 Req 336 SessId R00000031-01-51403729] INFO RadiusServer.Radius - rlm_eap_peap: Initiate
2013-03-13 15:22:01,437[Th 8 Req 336 SessId R00000031-01-51403729] INFO RadiusServer.Radius - reqst_update_state: Access-Challenge 91:76:A06CEC05D81E:0x0027000800f50096500100003d0afb049db5c33b10c0d8aa97d27aab
2013-03-13 15:22:01,447[Th 10 Req 337 SessId R00000031-01-51403729] INFO RadiusServer.Radius - rlm_service: The request was categorized into service "RAD_CP" - 92:336:A06CEC05D81E
2013-03-13 15:22:01,447[Th 10 Req 337 SessId R00000031-01-51403729] INFO RadiusServer.Radius - rlm_ldap: searching for user test in AD:WIN-TMMH8KP4QP1.acslab.local
2013-03-13 15:22:01,448[Th 10 Req 337 SessId R00000031-01-51403729] INFO RadiusServer.Radius - TLS_accept:error in SSLv3 read client certificate A
2013-03-13 15:22:01,448[Th 10 Req 337 SessId R00000031-01-51403729] INFO RadiusServer.Radius - reqst_update_state: Access-Challenge 92:719:A06CEC05D81E:0x00d9006600c1003d510100003b4657c584721b7318bab79788302501
2013-03-13 15:22:01,470[Th 4 Req 338 SessId R00000031-01-51403729] INFO RadiusServer.Radius - rlm_service: The request was categorized into service "RAD_CP" - 93:434:A06CEC05D81E
2013-03-13 15:22:01,470[Th 4 Req 338 SessId R00000031-01-51403729] INFO RadiusServer.Radius - rlm_ldap: searching for user test in AD:WIN-TMMH8KP4QP1.acslab.local
2013-03-13 15:22:01,471[Th 4 Req 338 SessId R00000031-01-51403729] INFO RadiusServer.Radius - reqst_update_state: Access-Challenge 93:131:A06CEC05D81E:0x0028003800b5000a520100004260fff9dd380469e25e85ca8ed1a8ed
2013-03-13 15:22:01,481[Th 2 Req 339 SessId R00000031-01-51403729] INFO RadiusServer.Radius - rlm_service: The request was categorized into service "RAD_CP" - 94:244:A06CEC05D81E
2013-03-13 15:22:01,481[Th 2 Req 339 SessId R00000031-01-51403729] INFO RadiusServer.Radius - rlm_ldap: searching for user test in AD:WIN-TMMH8KP4QP1.acslab.local
2013-03-13 15:22:01,481[Th 2 Req 339 SessId R00000031-01-51403729] INFO RadiusServer.Radius - rlm_eap_peap: Session established.
2013-03-13 15:22:01,481[Th 2 Req 339 SessId R00000031-01-51403729] INFO RadiusServer.Radius - reqst_update_state: Access-Challenge 94:113:A06CEC05D81E:0x00ce00a6003800a353010000f9738a9a9aea00bb2399ae98baded83f
2013-03-13 15:22:01,491[Th 7 Req 340 SessId R00000031-01-51403729] INFO RadiusServer.Radius - rlm_service: The request was categorized into service "RAD_CP" - 95:310:A06CEC05D81E
2013-03-13 15:22:01,491[Th 7 Req 340 SessId R00000031-01-51403729] INFO RadiusServer.Radius - rlm_ldap: searching for user test in AD:WIN-TMMH8KP4QP1.acslab.local
2013-03-13 15:22:01,492[Th 7 Req 340 SessId R00000031-01-51403729] INFO RadiusServer.Radius - rlm_ldap: searching for user test in AD:WIN-TMMH8KP4QP1.acslab.local
2013-03-13 15:22:01,492[Th 7 Req 340 SessId R00000031-01-51403729] INFO RadiusServer.Radius - rlm_eap_mschapv2: Issuing Challenge
2013-03-13 15:22:01,492[Th 7 Req 340 SessId R00000031-01-51403729] INFO RadiusServer.Radius - reqst_update_state: Access-Challenge 95:137:A06CEC05D81E:0x009100f000b8003754010000a7a9a4c2e60099fbc8b75e69181cbb62
2013-03-13 15:22:01,503[Th 9 Req 341 SessId R00000031-01-51403729] INFO RadiusServer.Radius - rlm_service: The request was categorized into service "RAD_CP" - 96:366:A06CEC05D81E
2013-03-13 15:22:01,503[Th 9 Req 341 SessId R00000031-01-51403729] INFO RadiusServer.Radius - rlm_ldap: searching for user test in AD:WIN-TMMH8KP4QP1.acslab.local
2013-03-13 15:22:01,504[Th 9 Req 341 SessId R00000031-01-51403729] INFO RadiusServer.Radius - rlm_service: The request was categorized into service "RAD_CP" - 85:0:A06CEC05D81E
2013-03-13 15:22:01,504[Th 9 Req 341 SessId R00000031-01-51403729] INFO RadiusServer.Radius - rlm_ldap: searching for user test in AD:WIN-TMMH8KP4QP1.acslab.local
2013-03-13 15:22:01,504[Th 9 Req 341 SessId R00000031-01-51403729] INFO RadiusServer.Radius - rlm_eap_mschapv2: Received MSCHAPv2 Response from client
2013-03-13 15:22:01,504[Th 9 Req 341 SessId R00000031-01-51403729] ERROR RadiusServer.Radius - rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.
2013-03-13 15:22:01,504[Th 9 Req 341 SessId R00000031-01-51403729] ERROR RadiusServer.Radius - rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
2013-03-13 15:22:01,504[Th 9 Req 341 SessId R00000031-01-51403729] INFO RadiusServer.Radius - rlm_policy: Starting Policy Evaluation.
2013-03-13 15:22:01,515[Th 9 Req 341 SessId R00000031-01-51403729] INFO RadiusServer.Radius - rlm_policy: Received Accept Enforcement Profile
2013-03-13 15:22:01,515[Th 9 Req 341 SessId R00000031-01-51403729] INFO RadiusServer.Radius - rlm_policy: Policy Server reply does not contain Posture-Validation-Response
2013-03-13 15:22:01,516[Th 9 Req 341 SessId R00000031-01-51403729] INFO RadiusServer.Radius - reqst_update_state: Access-Challenge 96:113:A06CEC05D81E:0x0002009f009c00a955010000966ca45c4edb8dd4d5e4ac233bda026a
2013-03-13 15:22:01,528[Th 5 Req 342 SessId R00000031-01-51403729] INFO RadiusServer.Radius - rlm_service: The request was categorized into service "RAD_CP" - 97:310:A06CEC05D81E
2013-03-13 15:22:01,528[Th 5 Req 342 SessId R00000031-01-51403729] INFO RadiusServer.Radius - rlm_ldap: searching for user test in AD:WIN-TMMH8KP4QP1.acslab.local
2013-03-13 15:22:01,528[Th 5 Req 342 SessId R00000031-01-51403729] INFO RadiusServer.Radius - rlm_policy: Bypassing Policy Evaluation.

 

Occasional Contributor I
Posts: 7
Registered: ‎10-11-2012

Re: clearpass and external auth source (AD)

Never mind. I solved it. The problem was in my service configuration.

New Contributor
Posts: 1
Registered: ‎03-21-2014

Re: clearpass and external auth source (AD)

I have the same problem, can you tell me how it works?

Frequent Contributor I
Posts: 87
Registered: ‎03-18-2013

Re: clearpass and external auth source (AD)

I don't really recall what I did to solve this. It was 3 years ago.

Try to check your config under Services > Authentication > Strip Username Rules.

If your users use user@domain in the username format, make sure you put in "user:@" there.

R.L.

Ricky E. Lee
CWNA | ACMP | ACCP
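
Added example, not part of the thread and not ClearPass code: a small triage script for logs in the format posted above. It groups lines by SessId, collects the ERROR messages, and flags any username that rlm_ldap searched for without the "user:@" strip rule having been applied. The function names, the second sample session and the rule semantics modelled in `strip_username` are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the log format shown in the thread. The first session's
# lines are copied from the post; the second session is invented for the example.
SAMPLE_LOG = """\
2013-03-13 15:22:01,503[Th 9 Req 341 SessId R00000031-01-51403729] INFO RadiusServer.Radius - rlm_ldap: searching for user test in AD:WIN-TMMH8KP4QP1.acslab.local
2013-03-13 15:22:01,504[Th 9 Req 341 SessId R00000031-01-51403729] ERROR RadiusServer.Radius - rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.
2013-03-13 15:22:01,504[Th 9 Req 341 SessId R00000031-01-51403729] ERROR RadiusServer.Radius - rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
2013-03-13 15:30:00,100[Th 2 Req 400 SessId R00000099-01-00000000] INFO RadiusServer.Radius - rlm_ldap: searching for user alice@example.test in AD:dc.example.test
"""

LINE = re.compile(r"^(\S+ \S+?)\[.*?SessId (\S+)\] (\w+) (\S+) - (.*)$")
SEARCH = re.compile(r"rlm_ldap: searching for user (\S+) in ")

def strip_username(name, rules):
    """Assumed model of a strip rule: 'user:@' keeps the text before '@',
    '<sep>:user' keeps the text after <sep>. First matching rule wins."""
    for rule in rules.split(","):
        left, _, right = rule.strip().partition(":")
        if left == "user" and right and right in name:
            return name.split(right, 1)[0]
        if right == "user" and left and left in name:
            return name.split(left, 1)[1]
    return name

def triage(log_text, rules="user:@"):
    """Per session: ERROR messages, plus searched usernames a rule would change."""
    sessions = defaultdict(lambda: {"users": set(), "errors": []})
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # lines without the 'SessId' header are skipped
        _, sess, level, _, msg = m.groups()
        found = SEARCH.search(msg)
        if found:
            sessions[sess]["users"].add(found.group(1))
        if level == "ERROR":
            sessions[sess]["errors"].append(msg)
    return {
        sess: {"errors": d["errors"],
               "unstripped": sorted(u for u in d["users"]
                                    if strip_username(u, rules) != u)}
        for sess, d in sessions.items()
    }

if __name__ == "__main__":
    for sess, info in triage(SAMPLE_LOG).items():
        print(sess, info)
```

In the log posted in this thread the searched name is already the bare `test`, so the script reports the two rlm_mschap errors for that session and no unstripped username.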