Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

WPA-2 Enterprise Configure

  • 1.  WPA-2 Enterprise Configure

    Posted Oct 09, 2023 11:30 AM

    Hi Everyone!
    I am trying to configure a WPA-2 Enterprise WLAN, but I am facing an issue connecting with my username. The error in Access Tracker shows:
    "ndp.local - ATDC01.ndp.local: User not found.
    MSCHAP: Authentication failed
    EAP-MSCHAPv2: User authentication or password change failed"
    My configurations are attached.



  • 2.  RE: WPA-2 Enterprise Configure

     
    Posted Oct 09, 2023 12:40 PM

    Did you already add that ClearPass box to the domain?



    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    HPE Design and Deploy Guides: https://community.arubanetworks.com/support/migrated-knowledge-base?attachments=&communitykey=dcc83c62-1a3a-4dd8-94dc-92968ea6fff1&pageindex=0&pagesize=12&search=&sort=most_recent&viewtype=card
    ------------------------------



  • 3.  RE: WPA-2 Enterprise Configure

    Posted Oct 10, 2023 05:09 AM

    Yes, also provided a cert of my AD into CPPM




  • 4.  RE: WPA-2 Enterprise Configure

    Posted Oct 10, 2023 06:02 AM

    What authentication method do you attempt to configure? EAP-PEAP or EAP-TLS?

    And is it user, computer, or user/computer authentication? If using PEAP, did you 'Use Windows Logon Credentials', or did you type in the username/password yourself?

    It looks from the logs that your client is configured for EAP-PEAP and fails the (MSCHAPv2) authentication.

    Can you show all tabs from Access Tracker? Most important, what is the format of the username? If that is DOMAIN\user, then you would need to change user:@ to user:\ in the Strip Username field, as shown in the text near that field.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 5.  RE: WPA-2 Enterprise Configure

    Posted Oct 10, 2023 06:41 AM

    So I used both ways to connect: "credentials windows logon" and typing in the username/password. Actually, I configured EAP-PEAP and EAP-TLS. I don't know where it takes MSCHAPv2 from.


    Attachment: DashboardDetails.zip (6 KB)


  • 6.  RE: WPA-2 Enterprise Configure

    Posted Oct 10, 2023 07:57 AM

    The MSCHAPv2 comes into play as the inner method for PEAP. Please note that PEAP with MSCHAPv2 is deprecated as it uses broken cryptography that puts your client credentials at risk.

    From the DashboardDetails.zip, you can see that you configured computer authentication (host/ATR-NDP-IT14.ndp.local) but also "rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.", so it looks like your client refuses to reveal its password, which may be because of 'Credential Guard' in Windows. You may need to disable Credential Guard, or better, abandon PEAP/MSCHAPv2, as it is near impossible to deploy that in a secure way, and move to TEAP with client certificates, or EAP-TLS, instead. Also, for some reason the account host/ATR-NDP-IT14.ndp.local cannot be looked up in your AD.

    Interactively working on this topic would probably make things much easier, but it seems that Credential Guard is creating the problem you see, and Credential Guard is probably just the beginning of (Microsoft) making it impossible to use PEAP with insecure credentials in Windows.



    ------------------------------
    Herman Robers
    ------------------------------
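
The checks walked through in this thread, collected as an added example that is not part of any post and is not ClearPass code: it classifies the identity format (host/ prefix, DOMAIN\user, user@realm) and maps the error strings quoted above to the explanations given in the replies. The function names are hypothetical, and the `CONTOSO\alice` identity is a constructed sample; the other strings are the ones quoted in the thread.

```python
# Error substrings quoted in the thread, mapped to the explanation given in the replies.
ERROR_HINTS = {
    "User not found": "account could not be looked up in AD (reply 6)",
    "No NT/LM-Password": "no usable password for MSCHAPv2; reply 6 suspects Credential Guard",
    "MSCHAP: Authentication failed": "inner MSCHAPv2 method of PEAP failed (reply 6)",
}

def classify_identity(identity):
    """Return (kind, name, realm) for the identity shown in Access Tracker."""
    if identity.lower().startswith("host/"):
        # host/<fqdn> is what the thread identifies as computer authentication
        name, _, realm = identity[5:].partition(".")
        return ("computer", name, realm)
    if "\\" in identity:
        realm, _, name = identity.partition("\\")
        return ("user-backslash", name, realm)
    if "@" in identity:
        name, _, realm = identity.rpartition("@")
        return ("user-upn", name, realm)
    return ("user-bare", identity, "")

def triage(identity, log_lines):
    """Build a list of findings from the identity format and the error lines."""
    kind, name, realm = classify_identity(identity)
    findings = [f"identity kind={kind} name={name} realm={realm or '-'}"]
    if kind == "computer":
        findings.append("computer authentication (host/ prefix)")
    elif kind == "user-backslash":
        findings.append("DOMAIN\\user format: check the Strip Username field (reply 4)")
    for line in log_lines:
        for needle, hint in ERROR_HINTS.items():
            if needle in line:
                findings.append(f"{needle!r}: {hint}")
    return findings

# Log lines as quoted in posts 1 and 6 of this thread.
SAMPLE_LOG = [
    "ndp.local - ATDC01.ndp.local: User not found.",
    "MSCHAP: Authentication failed",
    "EAP-MSCHAPv2: User authentication or password change failed",
    "rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.",
]

if __name__ == "__main__":
    for finding in triage("host/ATR-NDP-IT14.ndp.local", SAMPLE_LOG):
        print(finding)
    for finding in triage("CONTOSO\\alice", []):  # constructed sample identity
        print(finding)
```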