We're running MSCHAP authentication for users to an AD domain.
A few weeks ago we put a read only domain controller online at another site (online 24/7 via VPN tunnel).
All was fine until today when Clearpass decided to start using the RODC to authenticate users. All user authentication failed.
When I typed 'show domain' from the console, it listed the RODC as the 'Domain Server Ip Address'.
Once I shut down the tunnel to the RODC, clearpass went back to using local servers.
How do I force Clearpass to use local servers for user auth?
Configuration » Authentication » Sources lists only the local servers for primary and backups.
Administration » Server Manager » Server Configuration lists only the local servers under the AD Domains section.
What else do I need to do to force local server auth?
I don't know if there is a problem with read-only domain controllers or not. To restrict the domain controllers to only the ones you want to contact, you can do this:
Go to Administration > Server Manager > Server Configuration > Click on Server > and click on a little tiny icon called "Password Servers" at the bottom. You can then add the IP addresses that you want MSCHAPv2 restricted to for authentication.
© Copyright 2020 Hewlett Packard Enterprise Development LP. All Rights Reserved.