Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

MSCHAPv2 fails Auth when using AD

  • 1.  MSCHAPv2 fails Auth when using AD

    Posted Feb 29, 2016 07:02 PM

    I have an 802.1X wireless configuration in Clearpass. CPPM is also joined to an AD server. When I do a RadiusAuth simulation with PAP it passes. When done with MSCHAP it fails. When I do an AAA test from the controller with PAP, it passes. When done with MSCHAPv2 it fails. The service is defined to allow the following authentication methods: 1. [EAP PEAP], 5. [CHAP], 6. [MSCHAP], 7. [EAP MSCHAPv2], 8. [PAP]. PAP and MSCHAP both work when using the Local Identity store in Clearpass.

    CPPM is using a copy of the admin account with the same group memberships as the admin account. Bind is enabled.

    The following is the output from the failed simulation attempt. It appears that Clearpass or AD is ignoring the attempt when MSCHAP is used and therefore the simulated client retries.

     

    MS-CHAP-Challenge = 0x76fa9993c9e70ca0e386617751ae8f4d
    MS-CHAP2-Response = 0x0000c377cf1c31962db7de4fe706179cd4f90000000000000000487590fae48582f35f8aa31dbda1225949e2ef6dddcdec89
    Re-sending Access-Request of id 157 to 127.0.0.1 port 1812
    NAS-Port-Type = Wireless-802.11
    Service-Type = Login-User
    User-Name = "xxx"
    Auth-Simulation-Id = "de74147c-0689-4684-a7f9-c05663d62530"
    MS-CHAP-Challenge = 0x76fa9993c9e70ca0e386617751ae8f4d
    MS-CHAP2-Response = 0x0000c377cf1c31962db7de4fe706179cd4f90000000000000000487590fae48582f35f8aa31dbda1225949e2ef6dddcdec89
    Re-sending Access-Request of id 157 to 127.0.0.1 port 1812

     

    Any help with why MSCHAPv2 is failing would be appreciated.
    Thanks.



  • 2.  RE: MSCHAPv2 fails Auth when using AD
    Best Answer

    Posted Feb 29, 2016 09:27 PM

    Are you able to browse the AD tree from within the configured AD auth-source?



  • 3.  RE: MSCHAPv2 fails Auth when using AD
    Best Answer

    Posted Feb 29, 2016 09:56 PM

    Yes, I am able to browse the AD tree. I decided to move the Base DN to the root of the tree and now everything works perfectly. Thank you for pointing me in the right direction.
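As an added illustration of what the simulation output in the first post actually contains (this is example code written for this page, not ClearPass code): it splits the MS-CHAP2-Response attribute into its RFC 2759 fields and classifies the exchange as a silent drop (same request id re-sent, never answered) rather than an explicit reject. The sample log is constructed from the lines quoted above.

```python
import re
from dataclasses import dataclass

# Constructed sample: the RadiusAuth simulation lines quoted in the first post.
SIM_LOG = """\
MS-CHAP-Challenge = 0x76fa9993c9e70ca0e386617751ae8f4d
MS-CHAP2-Response = 0x0000c377cf1c31962db7de4fe706179cd4f90000000000000000487590fae48582f35f8aa31dbda1225949e2ef6dddcdec89
Re-sending Access-Request of id 157 to 127.0.0.1 port 1812
User-Name = "xxx"
MS-CHAP-Challenge = 0x76fa9993c9e70ca0e386617751ae8f4d
MS-CHAP2-Response = 0x0000c377cf1c31962db7de4fe706179cd4f90000000000000000487590fae48582f35f8aa31dbda1225949e2ef6dddcdec89
Re-sending Access-Request of id 157 to 127.0.0.1 port 1812
"""

@dataclass
class MsChap2Response:
    ident: int
    flags: int
    peer_challenge: bytes  # 16 bytes chosen by the client
    nt_response: bytes     # 24 bytes: DES of the NT hash over the challenge hash

def parse_mschap2_response(value: str) -> MsChap2Response:
    """Split the 50-byte MS-CHAP2-Response (RFC 2759 section 8.1) into fields."""
    raw = bytes.fromhex(value[2:] if value.startswith("0x") else value)
    if len(raw) != 50:
        raise ValueError(f"expected 50 bytes, got {len(raw)}")
    if raw[18:26] != bytes(8):
        raise ValueError("reserved field (bytes 18..25) must be zero")
    return MsChap2Response(raw[0], raw[1], raw[2:18], raw[26:50])

def resend_counts(log: str) -> dict:
    """Count how many times each RADIUS request id was re-sent."""
    counts = {}
    for m in re.finditer(r"Re-sending Access-Request of id (\d+)", log):
        counts[int(m.group(1))] = counts.get(int(m.group(1)), 0) + 1
    return counts

def diagnose(log: str) -> str:
    """Classify the simulation: accept, explicit reject, or silent drop."""
    if "Access-Accept" in log:
        return "accept"
    if "Access-Reject" in log:
        return "reject"
    if resend_counts(log):
        # Never answered. The packet carries no password, only an NT-hash based
        # response, so the server cannot fall back to an LDAP bind (which is why
        # PAP worked); it must find the user in the AD auth source first.
        return "no-response"
    return "unknown"
```

With the log above the verdict is "no-response" and id 157 is counted twice, matching the poster's observation that the client kept retrying; a Base DN that does not cover the user, as the accepted answer resolved, is one reason the lookup never completes.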