I am trying to set up a Clearpass evaluation where the Clearpass server runs offsite, so I can't use AD integration.
I have set up a Generic LDAP Authentication source, but when I try to test validation from my controller, it fails:
Error Code:216
Error Category:Authentication failure
Error Message:User authentication failed
Alerts for this Request
RADIUS SJS-UNV LDAP - 184.108.40.206: User not found.
MSCHAP: Authentication failed
The logs say:
Request log details for session: R0000000e-01-502247da
Time Message
2012-08-08 13:04:58,423 [Th 5 Req 14 SessId R0000000e-01-502247da] INFO RadiusServer.Radius - rlm_service: Starting Service Categorization
2012-08-08 13:04:58,429 [RequestHandler-1-0x43871940 r=auto-31 h=47 r=R0000000e-01-502247da] INFO Core.ServiceReqHandler - Service classification result = RadTest
2012-08-08 13:04:58,430 [Th 5 Req 14 SessId R0000000e-01-502247da] INFO RadiusServer.Radius - rlm_service: The request has been categorized into service "RadTest"
2012-08-08 13:04:58,430 [Th 5 Req 14 SessId R0000000e-01-502247da] INFO RadiusServer.Radius - rlm_ldap: searching for user testuser in Ldap:220.127.116.11
2012-08-08 13:05:00,361 [Th 5 Req 14 SessId R0000000e-01-502247da] ERROR RadiusServer.Radius - rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.
2012-08-08 13:05:00,361 [Th 5 Req 14 SessId R0000000e-01-502247da] ERROR RadiusServer.Radius - rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
I have tried using cleartext, NT Hash and LM hash passwords, but I just can't get it to work.
I have attached a screenshot of the Auth Source Primary tab.
Any help is much appreciated!
You might want to check if the CPPM is joined to the domain (because it looks like you are doing MSCHAP authentication, which requires CPPM to be joined to the domain).
You can try joining the CPPM to the domain and try the same again (Administration-->Server Manager-->Server Configuration-->"Select the server"-->Join Domain). You can set the password type to be "cleartext" in the LDAP auth source and try after the domain join.
Get back for any clarifications.
The CPPM is not joined to the domain, so if MSCHAP requires domain join, that explains why it does not work.
I am evaluating CPPM with the purpose of hosting several customers on the same CPPM. I talked to a few Arubans at Airheads, Nice, who led me to believe that it was possible, but I wonder how to do it? CPPM can only join a single domain as far as I know, and what other options do I have to validate users from a Microsoft AD over the Internet? (MPLS, VPN etc. is not an option.)
Thanks in advance for any useful input!
I'm not sure which version of CPPM you are using, but from version 5.1 onwards CPPM supports "Multiple Domain Joins", which means that Policy Manager can now authenticate users from multiple ADs even if there is no trust relationship between them; these ADs can also be across WAN.
Thanks a lot for your swift reply, and for the good news :-)
I'll try to make it work and post back with success or more questions :-)
Did you get MSCHAP to work with using LDAP as the Authentication Source?
Thanks for the quick response on an old thread. It has joined the Domain but I was having some problems with AD as the Authentication Source, so I was going to try to use LDAP instead, even though it has joined the Domain. I was wondering if that was possible.