
ClearPass and AD users authentication

  • 1.  ClearPass and AD users authentication

    Posted Mar 12, 2013 01:18 PM

    Hello all,

    We have an open SSID with a captive portal authenticating AD users against an NPS server. As we are deploying ClearPass, we want to use it as the RADIUS server instead of the NPS server.

    The captive portal login page is on the controller and ClearPass is joined to the domain.

    I configured a service on ClearPass with Active Directory as the authentication source and PAP as the authentication method.

     

    The authentication on captive portal is failing with the following messages. 

    The alert message:
    Error Code: 216
    User authentication failed
    Cannot select appropriate authentication method.

    Request log:
    [Th 41 Req 943 SessId R0000006a-01-513f47d2] INFO RadiusServer.Radius - rlm_pap: No password (or empty password) to check against for for user testaruba. Not setting Auth-Type.
    [Th 41 Req 943 SessId R0000006a-01-513f47d2] INFO RadiusServer.Radius - rlm_auth_check: Auth-Type not set.
    [Th 41 Req 943 SessId R0000006a-01-513f47d2] ERROR RadiusServer.Radius - rlm_auth_check: Auth-Type not set or authentication methods have not been configured. Rejecting it.

    Any thoughts please?  



  • 2.  RE: ClearPass and AD users authentication

    Posted Mar 12, 2013 01:35 PM

    Can you please attach the output you can see in the Access Tracker for the failed request (RADIUS input and computed attributes along with the output)? Can you please also attach the configuration of the service?



  • 3.  RE: ClearPass and AD users authentication

    Posted Mar 13, 2013 01:22 PM

    Hi Zsolt,

     

    Thank you for the help.

    I attached the service configuration and the Access Tracker error.

    Attachment: CPPM AD test.docx (309 KB)


  • 4.  RE: ClearPass and AD users authentication

    Posted Mar 13, 2013 01:50 PM

    Is the connection to the AD working?

    Are you sure that using CHAP is not selected in the Captive portal profile on the controller?



  • 5.  RE: ClearPass and AD users authentication

    Posted Mar 13, 2013 02:45 PM

    Hi,

     

    I am using AD with EAP-PEAP and it is working correctly. ClearPass is unable to identify PAP in the access request.

    CHAP is unchecked in the captive portal profile on the controller.

    Thanks.



  • 6.  RE: ClearPass and AD users authentication

    Posted Mar 13, 2013 03:02 PM

    So I guess you have another SSID and service where you are using EAP-PEAP.

     

    Well, the request certainly matches the service, it's strange. Have you tried - just for a test - to add all of the auth methods to the service and see what happens?



  • 7.  RE: ClearPass and AD users authentication

    Posted Mar 13, 2013 03:06 PM

    Yes, I have another SSID using EAP-PEAP, but on ClearPass I used the same service to do the test after I added almost all auth methods, without success.



  • 8.  RE: ClearPass and AD users authentication

    Posted Mar 14, 2013 04:12 AM

    Have you tried to use the AAA test connection from the controller GUI (both mschap and pap - don't forget to add these to the service)? What output can you see? Can you please send the full output of the "request logs"?



  • 9.  RE: ClearPass and AD users authentication

    Posted Mar 14, 2013 10:51 AM

    Hi,

     

    mschap authenticates successfully but not pap from the controller.

    I attached both request logs.

    Thanks.

    Attachments: Request_Logs_pap.zip (1 KB), Request_Logs_mschap.zip (2 KB)


  • 10.  RE: ClearPass and AD users authentication

    Posted Mar 14, 2013 11:36 AM

    It's quite strange.

    What I may suggest is to try to configure your AD server as generic LDAP (not Active Directory) on the CPPM and see what happens. You may also try to use CHAP (captive portal profile and CP service should be modified).

    If neither of these helps, then I would suggest opening a ticket with Aruba Support.



  • 11.  RE: ClearPass and AD users authentication
    Best Answer

    Posted Mar 18, 2013 04:43 PM

    Hi,

     

    Authentication with Captive Portal against AD or LDAP is working now.

    My error was on the AD source: I had unchecked "Allow bind using user password".


    Thank you zshusveti for your help.
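
A triage sketch for the failure in this thread, added here as an example (not code from the posters or from Aruba): it groups request-log lines by SessId and flags sessions where rlm_pap found no password and the request was then rejected, the pattern the best answer traced to "Allow bind using user password" being unchecked on the AD source. The line format is inferred from the three log lines quoted in the first post; the function names and the fourth sample line are constructed.

```python
import re
from collections import defaultdict

# Constructed sample: the three request-log lines quoted in the first post,
# plus one constructed line from an unrelated session that must not be flagged.
SAMPLE_LOG = """\
[Th 41 Req 943 SessId R0000006a-01-513f47d2] INFO RadiusServer.Radius - rlm_pap: No password (or empty password) to check against for for user testaruba. Not setting Auth-Type.
[Th 41 Req 943 SessId R0000006a-01-513f47d2] INFO RadiusServer.Radius - rlm_auth_check: Auth-Type not set.
[Th 41 Req 943 SessId R0000006a-01-513f47d2] ERROR RadiusServer.Radius - rlm_auth_check: Auth-Type not set or authentication methods have not been configured. Rejecting it.
[Th 12 Req 944 SessId R0000006b-01-513f47d9] INFO RadiusServer.Radius - rlm_example: constructed line for another session
"""

# Layout assumed from the quoted lines: [Th N Req N SessId ID] LEVEL logger - module: message
LINE_RE = re.compile(
    r"^\[Th (?P<th>\d+) Req (?P<req>\d+) SessId (?P<sess>\S+)\] "
    r"(?P<level>[A-Z]+) (?P<logger>\S+) - (?P<module>\w+): (?P<msg>.*)$")
# Anchoring on ". Not setting" keeps user names that contain dots intact.
USER_RE = re.compile(
    r"No password \(or empty password\).* user (?P<user>\S+)\. Not setting")

def parse(text):
    """Group parsed request-log records by session id."""
    sessions = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            sessions[m["sess"]].append(m.groupdict())
    return sessions

def find_pap_no_password(text):
    """Return {session_id: user} for sessions where rlm_pap had no password
    to compare against and the request was then rejected."""
    hits = {}
    for sess, records in parse(text).items():
        user, rejected = None, False
        for r in records:
            u = USER_RE.search(r["msg"]) if r["module"] == "rlm_pap" else None
            if u:
                user = u["user"]
            if r["level"] == "ERROR" and "Rejecting it" in r["msg"]:
                rejected = True
        if user and rejected:
            hits[sess] = user
    return hits

if __name__ == "__main__":
    for sess, user in find_pap_no_password(SAMPLE_LOG).items():
        print(f"{sess}: PAP had no password for '{user}'; check the "
              "AD source's 'Allow bind using user password' setting")
```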



  • 12.  RE: ClearPass and AD users authentication

    Posted Mar 19, 2013 08:56 AM

    Glad to hear that it works.

    Btw how was it possible that it was working but with PAP authentication?