Security

  • 1.  Error 9002 & MSCHAP

    Posted May 14, 2025 09:38 AM

    ClearPass's assignment of Error Code 9002 to both certificate/EAP rejections and general authentication failures (like MSCHAP or AD errors) is confusing. Error 9002 commonly points to certificate or EAP problems, whereas Error Code 216 is specifically for authentication failures. Is there a way to isolate MSCHAP/AD errors from the broader 9002 error code? I need to create authorization enforcement rules based on MSCHAP errors, but the fact that 9002 covers multiple possibilities makes accurate enforcement impossible.

    Thanks



  • 2.  RE: Error 9002 & MSCHAP

    Posted May 14, 2025 10:34 AM

    Don't use MSCHAP in production. Move to EAP-TLS or TEAP.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your HPE Aruba Networking partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact HPE Aruba Networking TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or HPE Aruba Networking.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 3.  RE: Error 9002 & MSCHAP

    Posted May 15, 2025 08:23 AM

    Sure. We are doing EAP-TLS, but not for the employees' personal devices that we do not manage.

    So, there is no setting or tweak we can do to separate these AD auth errors from the 9002 error code?




  • 4.  RE: Error 9002 & MSCHAP
    Best Answer

    Posted May 16, 2025 12:00 PM

    Check the Auth method you have for MSCHAP and see if it has a number of retries set. This is set at 3 by default. I ran into an issue where a user was putting in a bad password and, based on that setting, ClearPass would try again. Many times the client would not respond, so it was listed as a timeout. I set that to 0 and many of the timeouts went to error code 216 after that.

    There are still too many timeouts in my opinion. I am not buying that this is certificate issues, as I will get devices that both authenticate and time out randomly. The latest one is a managed machine that is not moving and will time out.




  • 5.  RE: Error 9002 & MSCHAP

    Posted May 16, 2025 01:51 PM

    Thank you so much. That bit of information you provided is exactly what I was looking for. Now I can better sort out devices actually causing a bad logon versus another type of timeout.

    By the way, I have seen machines that go into a sleep kind of mode and EAP timeouts around this sleep event. Not necessarily certificate issues.

    Thanks again for your insight.




  • 6.  RE: Error 9002 & MSCHAP

    Posted 28 days ago

    Why are you allowing unknown/unmanaged/untrusted devices to connect to the protected network?




  • 7.  RE: Error 9002 & MSCHAP

    Posted 28 days ago

    I can only assume you don't work in Higher Ed. :-)

    What we're really talking about here is network access, regardless of whether the network is protected or open. Due to regulatory requirements and internal policy, we don't want users connecting via open networks; we want access to be authenticated.

    If you'd like a more detailed explanation, feel free to DM me.

    That said, I appreciate that you asked the question instead of simply stating that these devices shouldn't be allowed on a protected network. Many of us didn't design the networks we inherited, and while we might prefer a more modern or secure architecture, transitioning to that ideal setup is often not feasible in the short term, or it's already underway but takes time.

    So while it's helpful to discuss why certain practices may not be ideal (especially for those who may not know), we still need to address the question as it stands today.

    Walt




  • 8.  RE: Error 9002 & MSCHAP

    Posted 28 days ago

    I do not. But I do have many customers in the higher ed space.

    What's wrong with open networks? Why not use OWE? Does Captive Portal satisfy your requirements? Aren't the applications all encrypted anyway? What access does the student receive when they log in with their credentials? Is it more than just internet only? Is there access to internal resources?