Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Problem Authentication ClearPass with PEAP and MSCHAPv2

  • 1.  Problem Authentication ClearPass with PEAP and MSCHAPv2

    Posted Mar 21, 2023 02:44 PM

    Hello,

    In my work environment, I created a test subnet for client authentication using ClearPass.

    I joined the ClearPass machine to the domain and connected ClearPass to the domain normally in Source, pointing to the root DN.
    I am able to browse the tree without any problems, and even via policy simulation I get the message back:
    - Summary: Active Directory Authentication successful.
    - Status Message: NT_STATUS_OK: The operation completed successfully. (0x0)

    So ClearPass manages to connect to AD and browse the tree to search for users.

    In Services I created two test services, one using PEAP-MSCHAPv2 as the authentication method and the other using TTLS.

    Then in Network -> Devices I added my AP (304), configured with a static IP,
    while on the AP I created a Wi-Fi network with WPA-Enterprise authentication using ClearPass as the authentication method.

    Let's get to the point.

    When from my device (Android) I select the created network and set the authentication method to TTLS (having previously activated, in Services on ClearPass, the test service that uses this method), phase 2 authentication PAP, and I do not select any certificate,

    authentication on ClearPass takes place without any problems.

    While when I select the second service, which uses PEAP-MSCHAPv2 as the authentication method, I get the error:

    Error Code: 9002
    Error Category: RADIUS protocol
    Error Message: Request timed out

    Alerts for this Request:
    RADIUS Last EAP Packet Processing Time = 8 ms
    RADIUS MSCHAP: Authentication failed. will re-try based on config
    RADIUS Client did not complete EAP transaction.

    From a Windows PC it is more complex for me to change the authentication method in order to use TTLS and select not to use any certificate.
    What could be the cause of this problem with this type of authentication? I have already searched online but have not found satisfactory answers to this issue.

    I attach Access Tracker exports, both when authentication works and when it returns the error.

    Attachment(s):
    - DashboardDetailsTTLS.zip (6 KB)
    - DashboardDetailsPEAP.zip (6 KB)


  • 2.  RE: Problem Authentication ClearPass with PEAP and MSCHAPv2

    Posted Mar 22, 2023 08:08 AM

    Does your Android client trust the certificate ClearPass is using for EAP? PEAP still forms an encrypted TLS tunnel with the client to exchange credentials.




  • 3.  RE: Problem Authentication ClearPass with PEAP and MSCHAPv2

    Posted Mar 22, 2023 08:41 AM

    Hi, that error sometimes relates to the client not trusting the ClearPass RADIUS certificate. If you're using Android, select "don't validate certificate" (to test).

    Have you tested that the user m.sotomayor.adm can authenticate in AD with policy simulation or from the controller itself?

    I hope this helps




  • 4.  RE: Problem Authentication ClearPass with PEAP and MSCHAPv2

    Posted Mar 22, 2023 09:42 AM

    Hi, yes, I can connect with the account m.sotomayor.adm.

    When I select the service that uses TTLS and on the client select not to use a certificate and to trust the connection anyway (both Android and Windows PC), I establish a stable connection with the AP, and in ClearPass Access Tracker I see that the authentication was successful.

    When on ClearPass I activate the other test service with PEAP-MSCHAPv2 authentication, the authentication fails with error 9002, login status TIMEOUT, as shown by the attached exports.

    So the issue occurs only when PEAP-MSCHAPv2 authentication is attempted and not with other methods (TTLS or GTC).




  • 5.  RE: Problem Authentication ClearPass with PEAP and MSCHAPv2

    Posted Mar 22, 2023 01:22 PM

    Hi,

    Have you tried what is mentioned here?

    Try to move somewhere else from the root / base DN? Or change the account type / privilege?

    Because your error messages were clearly showing:

    2023-03-21 15:24:01,084    [Th 31 Req 90 SessId R00000012-01-6419be00] INFO RadiusServer.Radius - rlm_mschap: user m.sotomayor.adm authentication failed

    then

    2023-03-21 15:24:01,084    [Th 31 Req 90 SessId R00000012-01-6419be00] ERROR RadiusServer.Radius - rlm_mschap: AD status:The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)

    and

    2023-03-21 15:24:01,084    [Th 31 Req 90 SessId R00000012-01-6419be00] ERROR RadiusServer.Radius - rlm_mschap: FAILED: MS-CHAP2-Response is incorrect

    Also, when I googled the error code 0xc000006d: here and here.

    Another article: here, EAP-PEAP vs EAP-TTLS: `The difference is: PEAP is a SSL wrapper around EAP carrying EAP. TTLS is a SSL wrapper around diameter TLVs (Type Length Values) carrying RADIUS authentication attributes.`




  • 6.  RE: Problem Authentication ClearPass with PEAP and MSCHAPv2

    Posted Mar 23, 2023 04:07 AM

    Yes, I am able to browse the AD tree;
    they are already in the base DN of my domain.
    On ClearPass, in Source -> my AD -> Primary -> Base DN, I set: dc=xxxx,dc=xxxx
    My domain is xxxx.xxxx.

    I put in the x's for privacy, so as not to disclose data about the client I work for.




  • 7.  RE: Problem Authentication ClearPass with PEAP and MSCHAPv2

    Posted Mar 23, 2023 12:01 PM

    I think this is a problem that people keep pushing off to the client, but I think there is something in ClearPass creating an issue. There seems to be a consistent 10-25% of authentication requests being timeouts. I have users who will time out randomly who normally authenticate without a problem.

    And if this is a bad username or authentication information, as the log shows, this should not be listed as a timeout.

    I keep bringing this up with Aruba, but since I am on a campus where I will get a lot of timeouts from transient traffic of people walking outside picking up weak signals, it is hard to get good information; they chalk it up to that and client issues.
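    The three rlm_mschap lines quoted in reply 5 and the "bad credentials shown as a timeout" point in reply 7 both come down to reading the RadiusServer.Radius log per session. The following is an added example (my own code, not ClearPass or Aruba code) that parses lines in the format quoted above, pulls out the NTSTATUS code rlm_mschap appends in parentheses, and gives each SessId a verdict. The three lines from the thread are real; the other sample lines, the NTSTATUS descriptions and the "Client did not complete EAP transaction" server-log wording are constructed for the example.

```python
"""Triage ClearPass RadiusServer.Radius log lines per session (added example)."""
import re
from collections import defaultdict

# Layout of the lines quoted in the thread:
# "<date> <time>    [Th N Req N SessId <id>] LEVEL RadiusServer.Radius - <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \S+)\s+\[Th \d+ Req \d+ SessId (?P<sess>\S+)\]\s+"
    r"(?P<level>[A-Z]+)\s+RadiusServer\.Radius - (?P<msg>.*)$"
)
# rlm_mschap appends the NTSTATUS it received from winbind / the DC.
NTSTATUS_RE = re.compile(r"\((0x[0-9A-Fa-f]{8})\)\s*$")

# Microsoft NTSTATUS names; the descriptions are my summary, not ClearPass text.
NTSTATUS = {
    "0xc000006d": "STATUS_LOGON_FAILURE (bad user/password as NTLM saw it, or NTLM refused by the DC)",
    "0xc000006a": "STATUS_WRONG_PASSWORD",
    "0xc0000064": "STATUS_NO_SUCH_USER (check realm/username format sent by the client)",
    "0xc0000234": "STATUS_ACCOUNT_LOCKED_OUT",
    "0xc0000072": "STATUS_ACCOUNT_DISABLED",
    "0xc0000071": "STATUS_PASSWORD_EXPIRED",
    "0xc000015b": "STATUS_LOGON_TYPE_NOT_GRANTED (network logon right missing)",
    "0xc000005e": "STATUS_NO_LOGON_SERVERS (winbind could not reach a DC: firewall/DNS/join)",
}

# Constructed sample: lines 1-3 are the ones quoted in the thread, the rest are made up.
SAMPLE_LOG = """\
2023-03-21 15:24:01,084    [Th 31 Req 90 SessId R00000012-01-6419be00] INFO RadiusServer.Radius - rlm_mschap: user m.sotomayor.adm authentication failed
2023-03-21 15:24:01,084    [Th 31 Req 90 SessId R00000012-01-6419be00] ERROR RadiusServer.Radius - rlm_mschap: AD status:The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)
2023-03-21 15:24:01,084    [Th 31 Req 90 SessId R00000012-01-6419be00] ERROR RadiusServer.Radius - rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
2023-03-21 15:24:31,084    [Th 31 Req 90 SessId R00000012-01-6419be00] WARN RadiusServer.Radius - Client did not complete EAP transaction
2023-03-21 15:30:12,001    [Th 12 Req 91 SessId R00000013-01-6419c0a0] WARN RadiusServer.Radius - Client did not complete EAP transaction
2023-03-21 15:33:40,555    [Th 14 Req 92 SessId R00000014-01-6419c1b0] INFO RadiusServer.Radius - rlm_mschap: user j.doe authentication succeeded
2023-03-21 15:35:02,010    [Th 15 Req 93 SessId R00000015-01-6419c2c0] ERROR RadiusServer.Radius - rlm_mschap: AD status:No logon servers are currently available to service the logon request. (0xc000005e)
"""


def parse_line(line):
    """Return dict(ts, sess, level, msg, ntstatus) or None if the line is not in this format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    s = NTSTATUS_RE.search(rec["msg"])
    rec["ntstatus"] = s.group(1).lower() if s else None
    return rec


def verdict(st):
    """One-line conclusion for a session's collected facts."""
    code = st["ntstatus"]
    if code and code != "0x00000000":
        # Any NTSTATUS means the NTLM path returned a definite answer.  For
        # 0xc000006d that answer came from the DC, so ClearPass->AD was not
        # "timed out"; the Access Tracker timeout is the client not finishing
        # EAP after the inner MS-CHAPv2 failure.  0xc000005e is the opposite
        # case: winbind never reached a DC.
        return "AD status " + NTSTATUS.get(code, code)
    if st["mschap"] == "failed":
        return "MS-CHAPv2 failed without an AD status line: check the domain join"
    if st["eap_incomplete"] and st["mschap"] is None:
        # No inner-auth line at all: the TLS tunnel never completed.  Client-side
        # trust of the server certificate (or dropped large EAP fragments) is first.
        return "client stopped before inner auth: check server-cert trust / EAP fragments"
    if st["mschap"] == "ok":
        return "inner auth OK"
    return "no conclusive line"


def triage(log_text):
    """Group lines by SessId and return {SessId: verdict}."""
    sessions = defaultdict(lambda: {"mschap": None, "ntstatus": None, "eap_incomplete": False})
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        st = sessions[rec["sess"]]
        msg = rec["msg"]
        if msg.startswith("rlm_mschap:"):
            if "authentication failed" in msg:
                st["mschap"] = "failed"
            elif "authentication succeeded" in msg:
                st["mschap"] = "ok"
            if rec["ntstatus"]:
                st["ntstatus"] = rec["ntstatus"]
        if "did not complete EAP" in msg:
            st["eap_incomplete"] = True
    return {sid: verdict(st) for sid, st in sessions.items()}


if __name__ == "__main__":
    for sid, v in triage(SAMPLE_LOG).items():
        print(f"{sid}: {v}")
```

    Run it against a real export of the RADIUS server log (one session's lines at a time) rather than the Access Tracker summary: the summary collapses everything after the inner-method failure into "Request timed out", while the per-session log shows whether AD actually answered.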




  • 8.  RE: Problem Authentication ClearPass with PEAP and MSCHAPv2

    Posted Mar 23, 2023 12:21 PM

    The strange thing is that I am currently working in the test environment, with the AP next to me, and I connect to it with a cell phone or PC without moving from the room.




  • 9.  RE: Problem Authentication ClearPass with PEAP and MSCHAPv2

    Posted Mar 23, 2023 12:42 PM

    I do not think it is a timeout or roaming issue. The problem is that, in general, everyone seems to just write it off as that.

    ------------------------
    Walter Reynolds
    Network Architect
    Information and Technology Services
    University of Michigan
    (734) 615-9438





  • 10.  RE: Problem Authentication ClearPass with PEAP and MSCHAPv2

    EMPLOYEE
    Posted Mar 28, 2023 03:30 AM

    The difference between TTLS-PAP and PEAP-MSCHAPv2 is that with PEAP-MSCHAPv2, NTLM authentication through the domain join is used, and the server certificate is used, which may result in larger RADIUS packets, which may be dropped between ClearPass and the network device (AP/switch/controller).

    From the log 'AD status:The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)' there may be an indication that there is something wrong with your domain join; it can also be that the domain controller that you connect to is configured to not allow NTLM authentication and will simply reject that authentication. Or there may be a firewall between ClearPass and your AD servers that drops the authentication traffic.

    Please be informed that you should move away from legacy authentication methods like PEAP-MSCHAPv2 and TTLS-PAP, as those use insecure authentication methods. If you are 100% sure that you want to use the insecure PEAP or TTLS methods, you may work with your Aruba partner or Aruba support to trace the packets on the ClearPass server, client, and AD to verify where traffic is dropped.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------
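    Herman's reply above points at larger RADIUS packets being dropped between ClearPass and the NAS. Whether that happens is decided by the EAP fragment size: the server certificate flight of the TLS handshake is cut into EAP-Request fragments (RFC 5216 L/M flags), each fragment is packed into 253-byte EAP-Message attributes of one RADIUS Access-Challenge (RFC 3579), and if that UDP datagram exceeds the path MTU it is IP-fragmented, which firewalls and some NAS silently drop, leaving exactly a "client did not complete EAP transaction". The following is an added example (my own code, not ClearPass or Aruba code) that builds such an Access-Challenge, including a real RFC 3579 Message-Authenticator, and reports the largest datagram for a given fragment size. The 3600-byte certificate chain, the shared secret and the State value are constructed stand-ins; the fragment sizes 1400 and 1000 are illustrative, not a ClearPass default.

```python
"""Size the Access-Challenge that carries one EAP-PEAP fragment (added example)."""
import hashlib
import hmac
import struct

EAP_REQUEST = 1
EAP_TYPE_PEAP = 25                     # EAP method type for PEAP (version bits 0 = PEAPv0)
FLAG_LEN, FLAG_MORE = 0x80, 0x40       # EAP-TLS flags, RFC 5216 section 3.1
RADIUS_ACCESS_CHALLENGE = 11
ATTR_STATE, ATTR_EAP_MESSAGE, ATTR_MSG_AUTH = 24, 79, 80
IPV4_UDP_OVERHEAD = 20 + 8

# Constructed stand-in for the TLS Certificate flight (a real chain is a few KB).
CERT_CHAIN = bytes((i * 7) % 256 for i in range(3600))
SECRET = b"constructed-shared-secret"          # constructed RADIUS shared secret
REQUEST_AUTH = bytes(range(16))                # constructed Request Authenticator
STATE = b"R00000012-01-6419be00"               # constructed State attribute value


def eap_peap_fragments(tls_data, frag_size, first_id=1):
    """Split TLS bytes into EAP-Request/PEAP packets with at most frag_size
    bytes of TLS data each; first fragment carries L+length, all but the last M."""
    frags, offset, eap_id = [], 0, first_id
    while offset < len(tls_data):
        chunk = tls_data[offset:offset + frag_size]
        offset += len(chunk)
        last = offset >= len(tls_data)
        flags, body = 0, b""
        if not frags and not last:             # first fragment of a fragmented message
            flags |= FLAG_LEN
            body = struct.pack("!I", len(tls_data))
        if not last:
            flags |= FLAG_MORE
        payload = bytes([EAP_TYPE_PEAP, flags]) + body + chunk
        frags.append(struct.pack("!BBH", EAP_REQUEST, eap_id, 4 + len(payload)) + payload)
        eap_id = (eap_id + 1) % 256
    return frags


def radius_access_challenge(eap_packet, request_auth, secret, radius_id, state):
    """Wrap one EAP packet in an Access-Challenge: State, EAP-Message chunks of
    <=253 bytes, Message-Authenticator (HMAC-MD5, RFC 3579), Response Authenticator."""
    attrs = bytearray(bytes([ATTR_STATE, 2 + len(state)]) + state)
    for i in range(0, len(eap_packet), 253):
        chunk = eap_packet[i:i + 253]
        attrs += bytes([ATTR_EAP_MESSAGE, 2 + len(chunk)]) + chunk
    ma_offset = len(attrs) + 2
    attrs += bytes([ATTR_MSG_AUTH, 18]) + bytes(16)   # zeroed while computing the HMAC
    header = struct.pack("!BBH", RADIUS_ACCESS_CHALLENGE, radius_id, 20 + len(attrs))
    ma = hmac.new(secret, header + request_auth + bytes(attrs), hashlib.md5).digest()
    attrs[ma_offset:ma_offset + 16] = ma
    resp_auth = hashlib.md5(header + request_auth + bytes(attrs) + secret).digest()
    return header + resp_auth + bytes(attrs)


def verify_message_authenticator(pkt, request_auth, secret):
    """Recompute the Message-Authenticator of a RADIUS response (NAS-side check)."""
    header, attrs = pkt[:4], bytearray(pkt[20:])
    i = 0
    while i + 2 <= len(attrs):
        t, l = attrs[i], attrs[i + 1]
        if l < 2:
            return False
        if t == ATTR_MSG_AUTH and l == 18:
            given = bytes(attrs[i + 2:i + 18])
            attrs[i + 2:i + 18] = bytes(16)
            expect = hmac.new(secret, header + request_auth + bytes(attrs), hashlib.md5).digest()
            return hmac.compare_digest(given, expect)
        i += l
    return False


def challenge_sizes(tls_data, frag_size, mtu=1500):
    """Return (fragment_count, largest_ipv4_udp_datagram, fits_in_mtu) for this fragment size."""
    largest = 0
    frags = eap_peap_fragments(tls_data, frag_size)
    for radius_id, frag in enumerate(frags):
        pkt = radius_access_challenge(frag, REQUEST_AUTH, SECRET, radius_id, STATE)
        largest = max(largest, len(pkt) + IPV4_UDP_OVERHEAD)
    return len(frags), largest, largest <= mtu


if __name__ == "__main__":
    for size in (1400, 1000):
        n, biggest, ok = challenge_sizes(CERT_CHAIN, size)
        print(f"frag_size={size}: {n} fragments, largest datagram {biggest} bytes, "
              f"{'fits' if ok else 'IP-fragmented'} at MTU 1500")
```

    With a 1400-byte EAP fragment the Access-Challenge already leaves the server as a 1511-byte datagram, so it is IP-fragmented on a 1500-byte path even though the EAP payload itself is "under the MTU"; at 1000 bytes the largest datagram is 1107 bytes and every fragment passes intact. The per-fragment overhead that pushes it over is visible in the code: 4-byte EAP header, 2 bytes per 253-byte EAP-Message attribute, plus State and the 18-byte Message-Authenticator. Lowering the fragment size on the server is the usual fix when a packet capture on the NAS side shows fragments arriving, or not arriving, and the client never answers.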