Wireless Access

Clearpass Auth type not set

  • 1.  Clearpass Auth type not set

    Posted Dec 06, 2013 03:59 AM

    Hi all,

    I have a service on ClearPass that is working with a number of Instant AP sites and a controller-based site in another continent. I am in the process of moving the UK controller to use the same service. The PEAP user authentications are throwing up the error - "rlm_auth_check: Auth-Type not set or authentication methods have not been configured". The devices across the company should all be using the same settings, so I believe the client base should be the same. When I add [mschap] to the list of authentication methods in ClearPass the authentications in the UK are successful. It's a new test profile on the controller that I am using - any ideas why the required EAP-PEAP is not working?

     

    Matt



  • 2.  RE: Clearpass Auth type not set

    EMPLOYEE
    Posted Dec 06, 2013 06:55 AM

    Not enough information to make a determination.  Has the incoming authentication been classified by a service?



  • 3.  RE: Clearpass Auth type not set

    Posted Dec 06, 2013 07:52 AM

    Yes the request correctly matched the required service - as I said it works if I add in [MSCHAP] into the authentication methods.



  • 4.  RE: Clearpass Auth type not set

    EMPLOYEE
    Posted Dec 06, 2013 08:06 AM

    If it works with PEAP, you should look at the successful authentication and see the radius attributes, and determine from there.  That is where the answer is.



  • 5.  RE: Clearpass Auth type not set

    Posted Dec 06, 2013 08:28 AM

    The failure scenario shows this -

     

    Policies Used -
     Service: XXXX PEAP UK user 802.1X Service
     Authentication Method:
     Authentication Source: AD:cor-str-XXXX.corp.XXXX.com
     Authorization Source:
     Roles: Unauthorized Device
     Enforcement Profiles: [Deny Access Profile]
     Service Monitor Mode: Disabled

    Input RADIUS Attributes -
     Radius:Aruba:Aruba-AP-Group = test-cppm-switch
     Radius:Aruba:Aruba-Essid-Name = XXXX
     Radius:Aruba:Aruba-Location-Id = 0-test-6c:f3:7f:ce:3d:b2
     Radius:IETF:Called-Station-Id = 000B860F6780
     Radius:IETF:Calling-Station-Id = 100BA9BEB268
     Radius:IETF:NAS-IP-Address = 10.XXXX.XXXX.XXXX
     Radius:IETF:NAS-Port = 0
     Radius:IETF:NAS-Port-Type = 19
     Radius:IETF:Service-Type = 1
     Radius:IETF:User-Name = CORP\\XXXX
     Radius:Microsoft:MS-CHAP2-Response = 0x08000a2766406e4c4c8ac4cd435414f0a5d8000000000000000065090d46f72472d8456d50d963ac8b8549ac1b2e9bfc0e36
     Radius:Microsoft:MS-CHAP-Challenge = 0x3b1e5c2483878520f1631ff6af2b1fa4

     

    When I add [MSCHAP] as an authentication method -

     

    Policies Used -
     Service: XXXX PEAP UK user 802.1X Service
     Authentication Method: MSCHAP
     Authentication Source: AD:cor-str-XXXX.corp.XXXX.com
     Authorization Source: [Endpoints Repository], XXXX CORP Active Directory
     Roles: [User Authenticated], peap-user
     Enforcement Profiles: [Allow Access Profile]
     Service Monitor Mode: Disabled

    Input RADIUS Attributes -
     Radius:Aruba:Aruba-AP-Group = test-cppm-switch
     Radius:Aruba:Aruba-Essid-Name = XXXX
     Radius:Aruba:Aruba-Location-Id = 0-test-6c:f3:7f:ce:3d:b2
     Radius:IETF:Called-Station-Id = 000B860F6780
     Radius:IETF:Calling-Station-Id = 100BA9BEB268
     Radius:IETF:NAS-IP-Address = 10.XXXX.XXXX.XXXX
     Radius:IETF:NAS-Port = 0
     Radius:IETF:NAS-Port-Type = 19
     Radius:IETF:Service-Type = 1
     Radius:IETF:User-Name = CORP\\XXXX
     Radius:Microsoft:MS-CHAP2-Response = 0x0800f85b569fe9eba7ec78c72e4f7f7f927700000000000000001f8008bc2fb94407a048623a04404c4a9a64fb8ed8a81553
     Radius:Microsoft:MS-CHAP2-Success = 0x08533d31383144393033423041433937444646343737344634434534423341343539414537414146314634
     Radius:Microsoft:MS-CHAP-Challenge = 0x6bbe39c0e77210d1ec59de9e77e80a6d
     Radius:Microsoft:MS-MPPE-Encryption-Policy = 0x00000001
     Radius:Microsoft:MS-MPPE-Encryption-Types = 0x00000006
     Radius:Microsoft:MS-MPPE-Recv-Key = 0xff6e517a08df8344fbba4c907071d2fa
     Radius:Microsoft:MS-MPPE-Send-Key = 0xca7459743b6c39b2389e04d9d7b1ea70



  • 6.  RE: Clearpass Auth type not set

    Posted Dec 06, 2013 09:26 AM

    Is that controller by chance terminating the EAP session and only sending over the inner MSCHAP authentication portion, rather than the entire EAP session? Check the dot1x profile for that configuration to see if EAP termination is on.



  • 7.  RE: Clearpass Auth type not set

    Posted Dec 07, 2013 09:16 AM

    I did not believe that it was, but in fact it is. I have created a new dot1x profile without termination enabled and the customer tells me that it is working. Thanks for that. Can someone explain why the authentications were hitting ClearPass - does the controller only terminate certain EAP types and back off the rest?



  • 8.  RE: Clearpass Auth type not set
    Best Answer

    Posted Dec 07, 2013 12:54 PM

    If you have termination enabled, it will work with the EAP types that are selected in the same dot1x profile. All the controller does is terminate the tunnel; the authentications are still passed on to the server defined in the AAA profile server group. If you had termination enabled and CPPM as the server group, the controller would terminate the connection from the client and then pass auths to CPPM. They probably matched all the conditions of the service... however, they were no longer PEAP authentications, so they would fail (unless you enabled MSCHAP as an authentication type on the service).
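
Added example (not part of the thread and not Aruba code): a check over an Access Tracker text dump in the layout posted above. It flags requests in which the NAS itself supplied `MS-CHAP2-Response`, which for an 802.1X request indicates the PEAP tunnel ended at the controller, since with an end-to-end tunnel the NAS never sees the inner exchange. The dump texts, attribute values and function names are constructed for illustration.

```python
import re

# Constructed MS-CHAP2-Response in the RFC 2548 layout (50 bytes): Ident, Flags,
# Peer-Challenge(16), Reserved(8), Response(24). Not a real capture.
RESP = "0x0800" + "11" * 16 + "00" * 8 + "22" * 24
CHAL = "0x" + "ab" * 16
# Constructed dumps in the layout posted in this thread.
TERMINATED = f"""Policies Used -
 Service: EXAMPLE PEAP 802.1X Service
 Authentication Method:
 Enforcement Profiles: [Deny Access Profile]

Input RADIUS Attributes -
 Radius:IETF:NAS-Port-Type = 19
 Radius:Microsoft:MS-CHAP2-Response = {RESP}
 Radius:Microsoft:MS-CHAP-Challenge = {CHAL}
"""
TUNNELLED = """Policies Used -
 Service: EXAMPLE PEAP 802.1X Service
 Authentication Method: EAP-PEAP,EAP-MSCHAPv2

Input RADIUS Attributes -
 Radius:IETF:NAS-Port-Type = 19
"""

def parse_dump(text):
    """Split the dump into {section name: {key: value}}."""
    sections, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.endswith(" -"):              # e.g. "Input RADIUS Attributes -"
            current = sections.setdefault(line[:-2].strip(), {})
        elif line and current is not None:
            # Attribute names contain colons, so try "name = value" first.
            m = re.match(r"(.+?) = (.*)$", line) or re.match(r"([^:]+):\s*(.*)$", line)
            if m:
                current[m.group(1).strip()] = m.group(2).strip()
    return sections

def classify(text):
    s = parse_dump(text)
    method = s.get("Policies Used", {}).get("Authentication Method", "")
    resp = s.get("Input RADIUS Attributes", {}).get("Radius:Microsoft:MS-CHAP2-Response", "")
    return {
        "nas_sent_mschapv2": bool(resp),     # inner method visible to the NAS
        "wellformed": bool(re.fullmatch(r"0x[0-9a-fA-F]{100}", resp)),
        "method": method,                    # empty when no configured method matched
        "eap_terminated_at_nas": bool(resp) and "EAP" not in method.upper(),
    }
```
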



  • 9.  RE: Clearpass Auth type not set

    Posted Dec 07, 2013 05:02 PM

    Thanks for the help and the explanation.