Security


Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).

Generic LDAP to Microsoft AD - authentication fails

  • 1.  Generic LDAP to Microsoft AD - authentication fails

    Posted Aug 08, 2012 07:28 AM

    I am trying to set up a Clearpass evaluation where the Clearpass server runs offsite, so I can't use AD integration.


    I have set up a Generic LDAP Authentication source, but when I try to test validation from my controller, it fails:


    Error Code: 216
    Error Category: Authentication failure
    Error Message: User authentication failed
    Alerts for this Request:
    RADIUS SJS-UNV LDAP - 109.110.111.112: User not found.
    MSCHAP: Authentication failed

    The log says:

    Request log details for session: R0000000e-01-502247da
    Time Message
    2012-08-08 13:04:58,423 [Th 5 Req 14 SessId R0000000e-01-502247da] INFO RadiusServer.Radius - rlm_service: Starting Service Categorization
    2012-08-08 13:04:58,429 [RequestHandler-1-0x43871940 r=auto-31 h=47 r=R0000000e-01-502247da] INFO Core.ServiceReqHandler - Service classification result = RadTest
    2012-08-08 13:04:58,430 [Th 5 Req 14 SessId R0000000e-01-502247da] INFO RadiusServer.Radius - rlm_service: The request has been categorized into service "RadTest"
    2012-08-08 13:04:58,430 [Th 5 Req 14 SessId R0000000e-01-502247da] INFO RadiusServer.Radius - rlm_ldap: searching for user testuser in Ldap:109.110.111.112
    2012-08-08 13:05:00,361 [Th 5 Req 14 SessId R0000000e-01-502247da] ERROR RadiusServer.Radius - rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.
    2012-08-08 13:05:00,361 [Th 5 Req 14 SessId R0000000e-01-502247da] ERROR RadiusServer.Radius - rlm_mschap: FAILED: MS-CHAP2-Response is incorrect

     I have tried using cleartext, NT Hash and LM hash passwords, but I just can't get it to work.


    I have attached a screenshot of the Auth Source Primary tab.


    Any help is much appreciated!


    kind regards

    Mikael

    Denmark



  • 2.  RE: Generic LDAP to Microsoft AD - authentication fails

    Posted Aug 09, 2012 12:06 AM

    You might want to check if the CPPM is joined to the domain (because it looks like you are doing MSCHAP authentication, which requires CPPM to be joined to the domain).


    Can try joining the CPPM to the domain and try the same again (Administration-->Server Manager-->Server Configuration-->"Select the server"-->Join Domain). You can set the password type to be "cleartext" in the LDAP auth source and try after the domain join.


    Get back for any clarifications.


    Regards,

    Keerthi
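    To make the failure chain in the quoted request log easier to read, here is a small triage script added to this thread (not code from either poster or from ClearPass). It parses the rlm_* log lines, pulls out the LDAP source that was searched, and maps the "No NT/LM-Password" error to the cause Keerthi describes: MS-CHAPv2 needs the user's NT hash, which a generic LDAP search does not return, so CPPM must be joined to the domain. The sample log below is constructed from the lines quoted above, with the same placeholder LDAP host.

```python
import re
from dataclasses import dataclass

# Constructed sample: the rlm_* lines quoted in the thread above.
SAMPLE_LOG = """\
2012-08-08 13:04:58,430 [Th 5 Req 14 SessId R0000000e-01-502247da] INFO RadiusServer.Radius - rlm_service: The request has been categorized into service "RadTest"
2012-08-08 13:04:58,430 [Th 5 Req 14 SessId R0000000e-01-502247da] INFO RadiusServer.Radius - rlm_ldap: searching for user testuser in Ldap:109.110.111.112
2012-08-08 13:05:00,361 [Th 5 Req 14 SessId R0000000e-01-502247da] ERROR RadiusServer.Radius - rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.
2012-08-08 13:05:00,361 [Th 5 Req 14 SessId R0000000e-01-502247da] ERROR RadiusServer.Radius - rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
"""

# One CPPM RADIUS request-log line: timestamp, session id, level, rlm module, message.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \[.*?SessId (?P<sess>\S+)\] (?P<level>\w+) \S+ - "
    r"(?P<module>rlm_\w+): (?P<msg>.*)$"
)

@dataclass
class Event:
    ts: str
    sess: str
    level: str
    module: str
    msg: str

def parse_log(text):
    """Return the rlm_* events in order; lines from other loggers are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(Event(**m.groupdict()))
    return events

def diagnose(events):
    """Return (cause, fix) for the first rlm_mschap failure, or None if none."""
    ldap_searches = [e for e in events if e.module == "rlm_ldap"]
    for e in events:
        if e.module != "rlm_mschap" or e.level != "ERROR":
            continue
        if "No NT/LM-Password" in e.msg:
            source = ldap_searches[-1].msg if ldap_searches else "no LDAP search logged"
            cause = ("MS-CHAPv2 needs the user's NT hash, and the generic LDAP "
                     f"search did not return one ({source})")
            return cause, "join CPPM to the AD domain, then retest with MSCHAP"
        if "MS-CHAP2-Response is incorrect" in e.msg:
            return "the client's MS-CHAP2-Response could not be verified", "check the credentials used"
    return None
```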



  • 3.  RE: Generic LDAP to Microsoft AD - authentication fails

    Posted Aug 09, 2012 07:40 AM

    Hi Keerthi,


    The CPPM is not joined to the domain, so if MSCHAP requires domain join, that explains why it does not work.


    I am evaluating CPPM with the purpose of hosting several customers on the same CPPM. I talked to a few Arubans at Airheads, Nice, who led me to believe that it was possible, but I wonder how to do it? CPPM can only join a single domain as far as I know, so what other options do I have to validate users from a Microsoft AD over the Internet? (MPLS, VPN etc. is not an option.)


    Thanks in advance for any useful input!


    kind regards

    Mikael

    Denmark



  • 4.  RE: Generic LDAP to Microsoft AD - authentication fails
    Best Answer

    Posted Aug 09, 2012 08:01 AM

    Hi Mikael,


    I'm not sure which version of CPPM you are using, but from version 5.1 onwards CPPM supports "Multiple Domain Joins", which means that Policy Manager can now authenticate users from multiple ADs even if there is no trust relationship between them. These ADs can also be across the WAN.


    Regards,

    Keerthi




  • 5.  RE: Generic LDAP to Microsoft AD - authentication fails

    Posted Aug 09, 2012 09:11 AM

    Hi Keerthi,


    Thanks a lot for your swift reply, and for the good news :-)


    I'll try to make it work and post back with success or more questions :-)


    kind regards


    Mikael

    Denmark



  • 6.  RE: Generic LDAP to Microsoft AD - authentication fails

    Posted Aug 19, 2012 02:00 PM

    Thanks Keerthi,

    I was able to join the CPPM to the domain across the WAN and successfully authenticated users with MSCHAP!

    kind regards
    Mikael, Denmark


  • 7.  RE: Generic LDAP to Microsoft AD - authentication fails

    Posted Mar 15, 2013 09:53 AM

    Did you get MSCHAP to work using LDAP as the Authentication Source?


    Bob 




  • 8.  RE: Generic LDAP to Microsoft AD - authentication fails

    Posted Mar 15, 2013 09:56 AM

    No. In order to use MS-CHAP, the CPPM needs to be a member of the AD domain.

    Kind regards,
    Mikael Schütt
    ACSP, ACMP, CCNA, CWNA, CWSP, CWAP, CWDP, MCPD, MCSE, MCITP, ACSP, ACTC, ACS-Dep, ACS-SaM, ACS-DS, ACSA, Network+


  • 9.  RE: Generic LDAP to Microsoft AD - authentication fails

    Posted Mar 15, 2013 10:02 AM

    Thanks for the quick response on an old thread. It has joined the Domain, but I was having some problems with AD as the Authentication Source, so I was going to try to use LDAP instead, even though it has joined the Domain. I was wondering if that was possible.


    Bob