Security


Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).

clearpass and external auth source (AD)

  • 1.  clearpass and external auth source (AD)

    Posted Mar 13, 2013 04:49 AM

    Hi,

    I'm trying to use ClearPass to do 802.1X authentication, but it won't work.

    My ClearPass has joined the AD domain, with the CA server cert installed as trusted (single AD).

    On my auth source -> auth attribute, I can query the AD username, so I think my DC configuration is all right.

    The problem is, I always fail to connect to the network, with the following Access Tracker alert message:

    Error Code: 201
    Error Category: Authentication failure
    Error Message: User not found

    Alerts for this Request:
    RADIUSwin server - WIN-TMMH8KP4QP1.acslab.local: User not found.
    MSCHAP: Authentication failed
    EAP-MSCHAPv2: User authentication failure

    And the log details show 2 errors (red font lines). I'm not sure how to solve this error. Please help.

    2013-03-13 15:22:01,504[Th 9 Req 341 SessId R00000031-01-51403729] ERROR RadiusServer.Radius - rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.
    2013-03-13 15:22:01,504[Th 9 Req 341 SessId R00000031-01-51403729] ERROR RadiusServer.Radius - rlm_mschap: FAILED: MS-CHAP2-Response is incorrect

    And here is the complete log.


    2013-03-13 15:22:01,433[Th 8 Req 336 SessId R00000031-01-51403729] INFO RadiusServer.Radius - rlm_service: Starting Service Categorization - 91:217:A06CEC05D81E
    2013-03-13 15:22:01,434[RequestHandler-1-0x7f4eee1f0700 r=auto-99 h=63 r=R00000031-01-51403729] INFO Core.ServiceReqHandler - Service classification result = RAD_CP
    2013-03-13 15:22:01,434[RequestHandler-1-0x7f4eee1f0700 r=auto-100 h=65 r=R00000031-01-51403729] INFO Common.EndpointTable - Returning NULL (EndpointPtr) for macAddr a06cec05d81e
    2013-03-13 15:22:01,434[RequestHandler-1-0x7f4eee1f0700 r=auto-100 h=65 r=R00000031-01-51403729] INFO Common.TagDefinitionCacheTable - No InstanceTagDefCacheMap found for instance id = 3001 entity id = 29
    2013-03-13 15:22:01,434[RequestHandler-1-0x7f4eee1f0700 r=auto-100 h=65 r=R00000031-01-51403729] INFO Common.TagDefinitionCacheTable - Building the TagDefMapTable for NAD instance=3001
    2013-03-13 15:22:01,434[RequestHandler-1-0x7f4eee1f0700 r=auto-100 h=65 r=R00000031-01-51403729] INFO Common.TagDefinitionCacheTable - Built 0 tag(s) for NAD instanceId=3001|entityId=29
    2013-03-13 15:22:01,434[RequestHandler-1-0x7f4eee1f0700 r=auto-100 h=65 r=R00000031-01-51403729] INFO TAT.TagAttrHolderBuilder - No tags built for instanceId=3001|entity=Device
    2013-03-13 15:22:01,434[RequestHandler-1-0x7f4eee1f0700 r=auto-100 h=65 r=R00000031-01-51403729] INFO TAT.AluTagAttrHolderBuilder - buildAttrHolder: Tags cannot be built for instanceId=0 (NULL AuthLocalUser)
    2013-03-13 15:22:01,434[RequestHandler-1-0x7f4eee1f0700 r=auto-100 h=65 r=R00000031-01-51403729] INFO TAT.GuTagAttrHolderBuilder - buildAttrHolder: Tags cannot be built for instanceId=0 (NULL GuestUser)
    2013-03-13 15:22:01,434[RequestHandler-1-0x7f4eee1f0700 r=auto-100 h=65 r=R00000031-01-51403729] INFO TAT.EndpointTagAttrHolderBuilder - buildAttrHolder: Tags cannot be built for instanceId=0 (NULL Endpoint)
    2013-03-13 15:22:01,434[RequestHandler-1-0x7f4eee1f0700 r=auto-100 h=65 r=R00000031-01-51403729] INFO TAT.OnboardTagAttrHolderBuilder - buildAttrHolder: Tags cannot be built for instanceId=0 (NULL Onboard Device User)
    2013-03-13 15:22:01,434[RequestHandler-1-0x7f4eee1f0700 h=868 c=R00000031-01-51403729] INFO Core.PETaskScheduler - *** PE_TASK_SCHEDULE_RADIUS Started ***
    2013-03-13 15:22:01,434[RequestHandler-1-0x7f4eee1f0700 h=870 c=R00000031-01-51403729] INFO Core.PETaskRoleMapping - Roles: ROLE_TEST
    2013-03-13 15:22:01,434[RequestHandler-1-0x7f4eee1f0700 h=873 c=R00000031-01-51403729] INFO Core.PETaskEnforcement - EnfProfiles: Allow Access Profile]
    2013-03-13 15:22:01,434[RequestHandler-1-0x7f4eee1f0700 h=874 c=R00000031-01-51403729] INFO Core.PETaskRadiusEnfProfileBuilder - EnfProfileAction=ACCEPT
    2013-03-13 15:22:01,434[RequestHandler-1-0x7f4eee1f0700 h=874 c=R00000031-01-51403729] INFO Core.PETaskRadiusEnfProfileBuilder - Radius enfProfiles used: Allow Access Profile]
    2013-03-13 15:22:01,434[RequestHandler-1-0x7f4eee1f0700 h=874 c=R00000031-01-51403729] INFO Core.EnfProfileComputer - getFinalSessionTimeout: sessionTimeout = 0
    2013-03-13 15:22:01,434[RequestHandler-1-0x7f4eee1f0700 h=878 c=R00000031-01-51403729] INFO Core.PETaskCliEnforcement - startHandler: No commands for CLI enforcement
    2013-03-13 15:22:01,434[RequestHandler-1-0x7f4eee1f0700 r=R00000031-01-51403729 h=875 c=R00000031-01-51403729] INFO Core.PETaskRadiusCoAEnfProfileBuilder - getApplicableProfiles: No radius_coa enforcement profiles applicable for this device
    2013-03-13 15:22:01,434[RequestHandler-1-0x7f4eee1f0700 r=R00000031-01-51403729 h=877 c=R00000031-01-51403729] INFO Core.PETaskPostAuthEnfProfileBuilder - getApplicableProfiles: No Post auth enforcement profiles applicable for this device
    2013-03-13 15:22:01,434[RequestHandler-1-0x7f4eee1f0700 h=880 c=R00000031-01-51403729] INFO Core.XpipPolicyResHandler - populateResponseTlv: PETaskPostureOutput does not exist. Skip sending posture VAFs
    2013-03-13 15:22:01,434[RequestHandler-1-0x7f4eee1f0700 h=880 c=R00000031-01-51403729] INFO Core.PolicyResCollector - getSohr: Failed to generate Sohr
    2013-03-13 15:22:01,434[RequestHandler-1-0x7f4eee1f0700 h=879 c=R00000031-01-51403729] INFO Core.PolicyResCollector - getSohr: Failed to generate Sohr
    2013-03-13 15:22:01,434[RequestHandler-1-0x7f4eee1f0700 r=R00000031-01-51403729 h=868 c=R00000031-01-51403729] INFO Core.PETaskScheduler - *** PE_TASK_SCHEDULE_RADIUS Completed ***
    2013-03-13 15:22:01,436[Th 8 Req 336 SessId R00000031-01-51403729] INFO RadiusServer.Radius - rlm_service: The request has been categorized into service "RAD_CP"
    2013-03-13 15:22:01,436[Th 8 Req 336 SessId R00000031-01-51403729] INFO RadiusServer.Radius - rlm_ldap: searching for user test in AD:WIN-TMMH8KP4QP1.acslab.local
    2013-03-13 15:22:01,437[Th 8 Req 336 SessId R00000031-01-51403729] INFO RadiusServer.Radius - rlm_eap_peap: Initiate
    2013-03-13 15:22:01,437[Th 8 Req 336 SessId R00000031-01-51403729] INFO RadiusServer.Radius - reqst_update_state: Access-Challenge 91:76:A06CEC05D81E:0x0027000800f50096500100003d0afb049db5c33b10c0d8aa97d27aab
    2013-03-13 15:22:01,447[Th 10 Req 337 SessId R00000031-01-51403729] INFO RadiusServer.Radius - rlm_service: The request was categorized into service "RAD_CP" - 92:336:A06CEC05D81E
    2013-03-13 15:22:01,447[Th 10 Req 337 SessId R00000031-01-51403729] INFO RadiusServer.Radius - rlm_ldap: searching for user test in AD:WIN-TMMH8KP4QP1.acslab.local
    2013-03-13 15:22:01,448[Th 10 Req 337 SessId R00000031-01-51403729] INFO RadiusServer.Radius - TLS_accept:error in SSLv3 read client certificate A
    2013-03-13 15:22:01,448[Th 10 Req 337 SessId R00000031-01-51403729] INFO RadiusServer.Radius - reqst_update_state: Access-Challenge 92:719:A06CEC05D81E:0x00d9006600c1003d510100003b4657c584721b7318bab79788302501
    2013-03-13 15:22:01,470[Th 4 Req 338 SessId R00000031-01-51403729] INFO RadiusServer.Radius - rlm_service: The request was categorized into service "RAD_CP" - 93:434:A06CEC05D81E
    2013-03-13 15:22:01,470[Th 4 Req 338 SessId R00000031-01-51403729] INFO RadiusServer.Radius - rlm_ldap: searching for user test in AD:WIN-TMMH8KP4QP1.acslab.local
    2013-03-13 15:22:01,471[Th 4 Req 338 SessId R00000031-01-51403729] INFO RadiusServer.Radius - reqst_update_state: Access-Challenge 93:131:A06CEC05D81E:0x0028003800b5000a520100004260fff9dd380469e25e85ca8ed1a8ed
    2013-03-13 15:22:01,481[Th 2 Req 339 SessId R00000031-01-51403729] INFO RadiusServer.Radius - rlm_service: The request was categorized into service "RAD_CP" - 94:244:A06CEC05D81E
    2013-03-13 15:22:01,481[Th 2 Req 339 SessId R00000031-01-51403729] INFO RadiusServer.Radius - rlm_ldap: searching for user test in AD:WIN-TMMH8KP4QP1.acslab.local
    2013-03-13 15:22:01,481[Th 2 Req 339 SessId R00000031-01-51403729] INFO RadiusServer.Radius - rlm_eap_peap: Session established.
    2013-03-13 15:22:01,481[Th 2 Req 339 SessId R00000031-01-51403729] INFO RadiusServer.Radius - reqst_update_state: Access-Challenge 94:113:A06CEC05D81E:0x00ce00a6003800a353010000f9738a9a9aea00bb2399ae98baded83f
    2013-03-13 15:22:01,491[Th 7 Req 340 SessId R00000031-01-51403729] INFO RadiusServer.Radius - rlm_service: The request was categorized into service "RAD_CP" - 95:310:A06CEC05D81E
    2013-03-13 15:22:01,491[Th 7 Req 340 SessId R00000031-01-51403729] INFO RadiusServer.Radius - rlm_ldap: searching for user test in AD:WIN-TMMH8KP4QP1.acslab.local
    2013-03-13 15:22:01,492[Th 7 Req 340 SessId R00000031-01-51403729] INFO RadiusServer.Radius - rlm_ldap: searching for user test in AD:WIN-TMMH8KP4QP1.acslab.local
    2013-03-13 15:22:01,492[Th 7 Req 340 SessId R00000031-01-51403729] INFO RadiusServer.Radius - rlm_eap_mschapv2: Issuing Challenge
    2013-03-13 15:22:01,492[Th 7 Req 340 SessId R00000031-01-51403729] INFO RadiusServer.Radius - reqst_update_state: Access-Challenge 95:137:A06CEC05D81E:0x009100f000b8003754010000a7a9a4c2e60099fbc8b75e69181cbb62
    2013-03-13 15:22:01,503[Th 9 Req 341 SessId R00000031-01-51403729] INFO RadiusServer.Radius - rlm_service: The request was categorized into service "RAD_CP" - 96:366:A06CEC05D81E
    2013-03-13 15:22:01,503[Th 9 Req 341 SessId R00000031-01-51403729] INFO RadiusServer.Radius - rlm_ldap: searching for user test in AD:WIN-TMMH8KP4QP1.acslab.local
    2013-03-13 15:22:01,504[Th 9 Req 341 SessId R00000031-01-51403729] INFO RadiusServer.Radius - rlm_service: The request was categorized into service "RAD_CP" - 85:0:A06CEC05D81E
    2013-03-13 15:22:01,504[Th 9 Req 341 SessId R00000031-01-51403729] INFO RadiusServer.Radius - rlm_ldap: searching for user test in AD:WIN-TMMH8KP4QP1.acslab.local
    2013-03-13 15:22:01,504[Th 9 Req 341 SessId R00000031-01-51403729] INFO RadiusServer.Radius - rlm_eap_mschapv2: Received MSCHAPv2 Response from client
    2013-03-13 15:22:01,504[Th 9 Req 341 SessId R00000031-01-51403729] ERROR RadiusServer.Radius - rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.
    2013-03-13 15:22:01,504[Th 9 Req 341 SessId R00000031-01-51403729] ERROR RadiusServer.Radius - rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
    2013-03-13 15:22:01,504[Th 9 Req 341 SessId R00000031-01-51403729] INFO RadiusServer.Radius - rlm_policy: Starting Policy Evaluation.
    2013-03-13 15:22:01,515[Th 9 Req 341 SessId R00000031-01-51403729] INFO RadiusServer.Radius - rlm_policy: Received Accept Enforcement Profile
    2013-03-13 15:22:01,515[Th 9 Req 341 SessId R00000031-01-51403729] INFO RadiusServer.Radius - rlm_policy: Policy Server reply does not contain Posture-Validation-Response
    2013-03-13 15:22:01,516[Th 9 Req 341 SessId R00000031-01-51403729] INFO RadiusServer.Radius - reqst_update_state: Access-Challenge 96:113:A06CEC05D81E:0x0002009f009c00a955010000966ca45c4edb8dd4d5e4ac233bda026a
    2013-03-13 15:22:01,528[Th 5 Req 342 SessId R00000031-01-51403729] INFO RadiusServer.Radius - rlm_service: The request was categorized into service "RAD_CP" - 97:310:A06CEC05D81E
    2013-03-13 15:22:01,528[Th 5 Req 342 SessId R00000031-01-51403729] INFO RadiusServer.Radius - rlm_ldap: searching for user test in AD:WIN-TMMH8KP4QP1.acslab.local
    2013-03-13 15:22:01,528[Th 5 Req 342 SessId R00000031-01-51403729] INFO RadiusServer.Radius - rlm_policy: Bypassing Policy Evaluation.
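The log above is the usual starting point for triaging an 802.1X failure in ClearPass, so here is an added example (it is not code from the post, from the poster or from ClearPass) that parses that log format and, per RADIUS session, pulls out the service the request was categorized into, the user looked up and in which authentication source, the outer and inner EAP methods that ran, and the ERROR lines, then tags the failure signatures seen here. The sample log is a constructed copy of the relevant lines from the post; the regexes, the finding tags and the wording of `diagnose()` are this example's own, and the reading it gives for `No NT/LM-Password` follows the Access Tracker alert in the post (the user was not resolved in the source), which is an interpretation rather than anything ClearPass states in the log.

```python
import re
from collections import defaultdict

# Constructed sample input: the relevant lines of the RADIUS log quoted in the post.
SAMPLE_LOG = """\
2013-03-13 15:22:01,434[RequestHandler-1-0x7f4eee1f0700 r=auto-99 h=63 r=R00000031-01-51403729] INFO Core.ServiceReqHandler - Service classification result = RAD_CP
2013-03-13 15:22:01,436[Th 8 Req 336 SessId R00000031-01-51403729] INFO RadiusServer.Radius - rlm_ldap: searching for user test in AD:WIN-TMMH8KP4QP1.acslab.local
2013-03-13 15:22:01,437[Th 8 Req 336 SessId R00000031-01-51403729] INFO RadiusServer.Radius - rlm_eap_peap: Initiate
2013-03-13 15:22:01,481[Th 2 Req 339 SessId R00000031-01-51403729] INFO RadiusServer.Radius - rlm_eap_peap: Session established.
2013-03-13 15:22:01,492[Th 7 Req 340 SessId R00000031-01-51403729] INFO RadiusServer.Radius - rlm_eap_mschapv2: Issuing Challenge
2013-03-13 15:22:01,504[Th 9 Req 341 SessId R00000031-01-51403729] INFO RadiusServer.Radius - rlm_eap_mschapv2: Received MSCHAPv2 Response from client
2013-03-13 15:22:01,504[Th 9 Req 341 SessId R00000031-01-51403729] ERROR RadiusServer.Radius - rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.
2013-03-13 15:22:01,504[Th 9 Req 341 SessId R00000031-01-51403729] ERROR RadiusServer.Radius - rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
2013-03-13 15:22:01,515[Th 9 Req 341 SessId R00000031-01-51403729] INFO RadiusServer.Radius - rlm_policy: Received Accept Enforcement Profile
"""

# "<timestamp>[<context>] <LEVEL> <component> - <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d+)"
    r"\[(?P<ctx>[^\]]*)\] (?P<level>[A-Z]+) (?P<component>\S+) - (?P<msg>.*)$"
)
# The session id appears as "SessId R..." in RADIUS threads and as "r=R..."/"c=R..." in handler threads.
SESS_RE = re.compile(r"(?:SessId |[rc]=)(R[0-9A-Fa-f]+-\d+-[0-9A-Fa-f]+)")
# RADIUS module messages look like "rlm_<name>: <detail>".
MOD_RE = re.compile(r"^(rlm_\w+): (.*)$")

# Error texts worth recognising in this flow, and the tag each is filed under (tags are ours).
SIGNATURES = [
    ("No NT/LM-Password", "no-nt-hash-for-user"),
    ("MS-CHAP2-Response is incorrect", "mschapv2-response-rejected"),
]


def parse_line(line):
    """Split one log line into its fields; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    s = SESS_RE.search(rec["ctx"])
    rec["session"] = s.group(1) if s else None
    mm = MOD_RE.match(rec["msg"])
    rec["module"], rec["detail"] = (mm.group(1), mm.group(2)) if mm else (None, rec["msg"])
    return rec


def new_session():
    return {"service": None, "user": None, "source": None, "outer": None,
            "inner": None, "errors": [], "findings": []}


def triage(log_text):
    """Group lines by RADIUS session and collect what each session tells us."""
    sessions = defaultdict(new_session)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["session"] is None:
            continue
        s = sessions[rec["session"]]
        svc = re.search(r"Service classification result = (\S+)", rec["msg"])
        if svc:
            s["service"] = svc.group(1)
        if rec["module"] == "rlm_ldap":
            um = re.search(r"searching for user (\S+) in (\S+)", rec["detail"])
            if um:
                s["user"], s["source"] = um.groups()
        elif rec["module"] == "rlm_eap_peap":
            s["outer"] = "PEAP"
        elif rec["module"] == "rlm_eap_mschapv2":
            s["inner"] = "EAP-MSCHAPv2"
        if rec["level"] == "ERROR":
            s["errors"].append(rec["detail"])
            for needle, tag in SIGNATURES:
                if needle in rec["detail"] and tag not in s["findings"]:
                    s["findings"].append(tag)
    return dict(sessions)


def diagnose(session):
    """Short reading of one session, keyed on the findings collected above."""
    if "no-nt-hash-for-user" in session["findings"]:
        return (
            f"{session['outer'] or 'EAP'}/{session['inner'] or 'inner method'} ran to the inner "
            f"response, but the server had no NT hash to verify it: user {session['user']!r} was "
            f"not resolved in {session['source']}. Check the username as it arrives (domain "
            f"prefix/suffix, strip-username rules) and the service's authentication source."
        )
    if session["errors"]:
        return "Authentication failed: " + "; ".join(session["errors"])
    return "No errors recorded for this session."


if __name__ == "__main__":
    for sid, sess in triage(SAMPLE_LOG).items():
        print(sid, sess["service"], sess["findings"])
        print("  ", diagnose(sess))
```

Feed it an Access Tracker log export instead of `SAMPLE_LOG` to get the same per-session summary; sessions that never reach `rlm_eap_mschapv2` (for example an outer TLS failure) show `inner` as `None`, which is itself a useful pointer.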




  • 2.  RE: clearpass and external auth source (AD)
    Best Answer

    Posted Mar 13, 2013 10:58 PM

    Never mind. I solved it. The problem was in my service configuration.



  • 3.  RE: clearpass and external auth source (AD)

    Posted Mar 21, 2014 03:35 PM

    I have the same problem. Can you tell me how it works?



  • 4.  RE: clearpass and external auth source (AD)

    Posted Jul 31, 2015 03:51 AM

    I don't really recall what I did to solve this. It was 3 years ago.

    Try to check your config under Services > Authentication > Strip Username Rules.

    If your users use user@domain in the username format, make sure you put in "user:@" there.


    R.L.