Security

last person joined: 19 minutes ago 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

Clearpass with Generic LDAP Failed

This thread has been viewed 45 times
  • 1.  Clearpass with Generic LDAP Failed

    Posted Sep 22, 2021 06:18 AM
    Hello, 

    We are doing a POC at a customer with LDAP. We first configured it to use local user and it worked, when we changed it to LDAP, it failed, here is the error message:




    What should i check for this?
    Thank you.

    ------------------------------
    Aria Adhiguna
    ------------------------------


  • 2.  RE: Clearpass with Generic LDAP Failed

    Posted Sep 22, 2021 08:47 AM
    Is your ClearPass server joined to the domain your trying to authenticate against?

    ------------------------------
    Dustin Burns
    Lead Mobility Engineer @WEI

    ACCX 1271| ACMX 509| ACSP | ACDA | MVP Guru 2021
    If my post was useful accept solution and/or give kudos
    ------------------------------



  • 3.  RE: Clearpass with Generic LDAP Failed

    Posted Sep 22, 2021 11:29 AM
    MS-CHAP2 is only possible with AD. If you are using something else as LDAP IdP then you should use EAP-GTC to authenticate users.

    What LDAP directory are you using?


  • 4.  RE: Clearpass with Generic LDAP Failed

    Posted Sep 23, 2021 10:33 PM
    1. When your using AD LDAP , AD over SSL 636 port Is preferred but as you mentioned it's an ubuntu system behaving as a ldap source we need to check form ubuntu system end.
    2. As per the first snap which you shared it says no NTLM found means configuration missing , it's like sso.
    3. Also when your see the next attempt for the mschap and mschapv2 , you can see for the error user not found, incorrect response. 

    Need to check logs in detailed directions. 
    Please confirm the following, 1. User exists on the LDAP.
    2. LDAP COMMUNICATIONS Is happening 3. Trust certificates are exchanged.
    4. Authentication flow diagram. Like system > controller > clearpass >...

    ------------------------------
    Siddesh Pawar
    ------------------------------



  • 5.  RE: Clearpass with Generic LDAP Failed

    Posted Sep 22, 2021 11:52 AM
    No, if its using generic LDAP, do we still need to join domain?

    ------------------------------
    Aria Adhiguna
    ------------------------------



  • 6.  RE: Clearpass with Generic LDAP Failed

    Posted Sep 22, 2021 11:53 AM
    Im not sure what the LDAP directory is, but the customer said its ubuntu based

    ------------------------------
    Aria Adhiguna
    ------------------------------



  • 7.  RE: Clearpass with Generic LDAP Failed

    Posted Sep 22, 2021 03:47 PM
    I have tested OpenLDAP on Ubuntu 20.04.1 LTS while using Generic LDAP Authentication Source for EAP-PEAP and it should work as long as the password is stored in ClearText
    Below is the snippet of the source config:


    Account Password on OpenLDAP has to cleartext





    ------------------------------
    SANDEEP YADAV
    Global Escalation Center, ACCP
    ------------------------------



  • 8.  RE: Clearpass with Generic LDAP Failed

    Posted Sep 24, 2021 05:53 AM
    1. Yes, the user exists on LDAP.
    2. How do we check that?
    3. Not sure about this.
    4. It goes from LDAP server > Ruckus Controller > Clearpass

    ------------------------------
    Aria Adhiguna
    ------------------------------



  • 9.  RE: Clearpass with Generic LDAP Failed

    Posted Sep 22, 2021 05:21 PM
    We've had a 389 based setup (and old Netscape directory server before) for many years.

    We used NT Hash as the Password type, but I believe this would only work with PAP as the authentication method.






  • 10.  RE: Clearpass with Generic LDAP Failed

    Posted Sep 23, 2021 06:14 AM
    Hi, i have used the same configuration in clearpass, also with ClearText. I have also added eap-peap to the authentication method and removed eap-mschapv2, but for unknown reason it still doesn't work

    ------------------------------
    Aria Adhiguna
    ------------------------------



  • 11.  RE: Clearpass with Generic LDAP Failed

    Posted Sep 23, 2021 08:10 AM
    MSCHAPv2 should work with either ClearText and NT Hash. The field that you refer to in the LDAP, does it actually return the ClearText password with the BindDN that you configured? LDAP servers are typically configured to make it hard to get to the plaintext password, and by default not even store the password in plaintext as you really don't want your LDAP to be compromised and get all your plaintext password leaked.

    You can use an LDAP Browser tool to connect with the same credentials and see if the password is indeed returned. If you use port 389 with plain LDAP, you can also run a packet capture and see if the password is in there, and if you see... that is the reason why you should not do this.

    Also, while it works, try to get rid of EAP-PEAP MSCHAPv2 as MSCHAPv2 has been compromised as a security protocol and should not be used anymore. If you don't have 100% control over your endpoints (clients), and/or can't enforce the configuration for the SSID to validate the server certificate, like with Active Directory or an MDM tool, you put your users' credentials at risk. Move to EAP-TLS to be more secure.

    If you still want to proceed with this... it may be good to work with Aruba Support to troubleshoot what is happening.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 12.  RE: Clearpass with Generic LDAP Failed

    Posted Sep 25, 2021 04:03 AM
    Password on LDAP has to be stored in either "ClearText" or "NT Hash" based on this Password Type will be defined.

    ------------------------------
    SANDEEP YADAV
    Global Escalation Center, ACCP
    ------------------------------