Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

802.1x with CCPM and AD - Radius:Microsoft:MS-CHAP-Error

  • 1.  802.1x with CCPM and AD - Radius:Microsoft:MS-CHAP-Error

    Posted Apr 24, 2014 10:32 AM

    Hello!

    Encountered an issue in an 802.1x scenario where I use an Aruba Controller, ClearPass and Windows 2008R2 AD.

    ClearPass is joined to the domain, and I've created the AD auth source and the required service elements with the default auth methods (EAP-PEAP, EAP-TLS, EAP-TTLS, EAP-FAST).

    ClearPass is in a DMZ and there is a FortiGate firewall restricting the traffic that passes between AD and ClearPass.

    The AD user I'm using for the authentication source is a normal Domain User.

    When using the Policy Simulation with Active Directory Authentication I get success.

    When actually trying a client I get the following in Access Tracker Alerts:

    RADIUSMSCHAP: Authentication failed
    EAP-MSCHAPv2: User authentication failure

    This causes a Deny Access.

    Under Input I see this:

    Radius:Microsoft:MS-CHAP2-Response = 0x0a6cda9649f3d374d070030ff95fa6327ade000000000000000039fbf3022e1b47c311a27caabf0c45e86d155c24b631d9dc
    Radius:Microsoft:MS-CHAP-Challenge = 0x5ad8746b9e96db0da6bffa8dda9644fa
    Radius:Microsoft:MS-CHAP-Error = E=691 R=1

    I've also installed the same scenario in my lab without these error messages.

    Anyone got any tips on where the error might be?



  • 2.  RE: 802.1x with CCPM and AD - Radius:Microsoft:MS-CHAP-Error

    Posted Apr 24, 2014 10:40 AM

    Have you confirmed that all the necessary ports are open in the firewall? I experienced a similar issue a few months ago and it was related to the firewall ports not being open.

    After I added the proper ports I had to remove/re-add the CP server to the domain.

    CPPM to Active Directory
    The following is the list of services and their ports used for Active Directory communication:
    · UDP Port 88 for Kerberos authentication
    · UDP and TCP Port 135 for domain controller-to-domain controller and client-to-domain controller operations.
    · TCP Port 139 and UDP 138 for File Replication Service between domain controllers. (Probably not necessary for CPPM)
    · UDP Port 389 for LDAP to handle normal queries from client computers to the domain controllers.
    · TCP and UDP Port 445 for File Replication Service (Probably not necessary for CPPM)
    · TCP and UDP Port 464 for Kerberos Password Change
    · TCP Port 3268 and 3269 for Global Catalog from client to domain controller.
    · TCP and UDP Port 53 for DNS from client to domain controller and domain controller to domain controller.
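A quick way to work through the port list in the reply above from the ClearPass side is to attempt a TCP connection to the domain controller on each listed port and see which ones time out. The script below is an added example, not code from the thread or from HPE Aruba; the DC name dc01.corp.example is a hypothetical placeholder, and the connector is injectable so the reporting logic can be exercised without a network. Two facts it relies on: Kerberos is served on TCP as well as UDP 88, and LDAP itself runs on TCP 389 (UDP 389 is CLDAP, the DC-locator ping), so both are probed over TCP here.

```python
"""Added example (not from the thread): verify from the ClearPass side
that a domain controller answers on the TCP ports listed in the reply,
so a firewall rule can be ruled in or out before re-joining the domain."""
import socket
import sys
from typing import Callable, Dict, List, Tuple

# Ports from the reply above. Kerberos (88) and LDAP (389) are probed over
# TCP: Kerberos is served on both transports, and LDAP itself is TCP 389
# (UDP 389 is CLDAP, used for DC-locator pings). UDP ports are not checked,
# because a UDP connect() succeeds even when nothing is listening.
AD_TCP_PORTS: List[Tuple[int, str]] = [
    (53,   "DNS"),
    (88,   "Kerberos"),
    (135,  "RPC endpoint mapper"),
    (389,  "LDAP"),
    (445,  "SMB (the reply marks this as probably not needed by CPPM)"),
    (464,  "Kerberos password change"),
    (3268, "Global Catalog"),
    (3269, "Global Catalog over TLS"),
]

Connector = Callable[[str, int, float], bool]


def tcp_connect(host: str, port: int, timeout: float) -> bool:
    """Real connector: True only if the TCP handshake completes. A firewall
    that drops (rather than rejects) shows up as a timeout, hence the bound."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_dc_ports(host: str, timeout: float = 2.0,
                   connect: Connector = tcp_connect) -> Dict[int, bool]:
    """Return {port: reachable} for every port in AD_TCP_PORTS.
    `connect` is injectable so the logic can be tested without a network."""
    return {port: connect(host, port, timeout) for port, _ in AD_TCP_PORTS}


def blocked_ports(results: Dict[int, bool]) -> List[int]:
    """Ports that did not answer, sorted, ready for the firewall change request."""
    return sorted(port for port, ok in results.items() if not ok)


def report(host: str, results: Dict[int, bool]) -> str:
    """Human-readable summary of one probe run."""
    lines = [f"{host}:"]
    for port, label in AD_TCP_PORTS:
        state = "open   " if results[port] else "BLOCKED"
        lines.append(f"  {port:>5}/tcp  {state}  {label}")
    missing = blocked_ports(results)
    lines.append("  all listed TCP ports reachable" if not missing
                 else f"  still blocked: {', '.join(map(str, missing))}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Hypothetical DC name; pass the real one on the command line.
    dc = sys.argv[1] if len(sys.argv) > 1 else "dc01.corp.example"
    print(report(dc, check_dc_ports(dc)))
```

Run it on the ClearPass host (or any host in the same DMZ segment) against the DC's FQDN; a port that reports BLOCKED after the timeout is the one to take to the firewall team. It says nothing about UDP, so Kerberos over UDP 88 and DNS over UDP 53 still have to be confirmed on the firewall itself.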



  • 3.  RE: 802.1x with CCPM and AD - Radius:Microsoft:MS-CHAP-Error

    Posted Apr 25, 2014 01:29 AM
    Thanks, Victor.
    When joining the domain we had everything open, but the customer restricted the access afterwards. I'll go through this list ASAP with him to verify.

    John


  • 4.  RE: 802.1x with CCPM and AD - Radius:Microsoft:MS-CHAP-Error

    Posted Apr 25, 2014 04:46 AM

     

    So we did the following:

    -> Gave the lookup user Domain Admin

    -> Allow-all between ClearPass and the domain controller

    No luck.

    -> Left domain

    -> Rejoined domain

    No luck.

    So now I'm back to the controller to check if I might be missing something in the config there.

    This is an excerpt from the log on ClearPass:

    2014-04-25 09:04:03,619[Th 2 Req 9 SessId R00000000-01-535a08e1] INFO RadiusServer.Radius - rlm_eap_mschapv2: Received MSCHAPv2 Response from client
    2014-04-25 09:04:03,619[Th 2 Req 9 SessId R00000000-01-535a08e1] ERROR RadiusServer.Radius - rlm_mschap: default domain not present
    2014-04-25 09:04:03,619[Th 2 Req 9 SessId R00000000-01-535a08e1] ERROR RadiusServer.Radius - rlm_mschap: User-Name was not found in the request.
    2014-04-25 09:04:03,619[Th 2 Req 9 SessId R00000000-01-535a08e1] ERROR RadiusServer.Radius - rlm_mschap: default domain not present
    2014-04-25 09:04:03,619[Th 2 Req 9 SessId R00000000-01-535a08e1] ERROR RadiusServer.Radius - rlm_mschap: User-Name was not found in the request.
    2014-04-25 09:04:03,619[Th 2 Req 9 SessId R00000000-01-535a08e1] ERROR RadiusServer.Radius - rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
    2014-04-25 09:04:03,619[Th 2 Req 9 SessId R00000000-01-535a08e1] INFO RadiusServer.Radius - rlm_policy: Starting Policy Evaluatio



  • 5.  RE: 802.1x with CCPM and AD - Radius:Microsoft:MS-CHAP-Error

    Posted Apr 25, 2014 08:18 AM

    Yet some more information.

    The customer is using a wildcard certificate, which does not have the FQDN of the CP server in the SAN. Might this be causing issues like this?

    I've asked them to request a duplicate certificate with a SAN equal to the CP server name.



  • 6.  RE: 802.1x with CCPM and AD - Radius:Microsoft:MS-CHAP-Error

    Posted Apr 25, 2014 09:57 AM

     

    Updates.

    Replaced the RADIUS certificate with one from the internal CA, which isn't a wildcard.

    Still the same error, so I'm leaning towards something on the Controller (Aruba 3400, AOS 6.3.0.2).

    Config looks right. Requested an upgrade to 6.3.1.6 this weekend, so we'll see if that changes anything.




  • 7.  RE: 802.1x with CCPM and AD - Radius:Microsoft:MS-CHAP-Error

    Posted Apr 25, 2014 10:12 AM
    If you have Windows clients, they won't connect via an EAP exchange with a wildcard certificate. You can use a wildcard in the SAN, but not in the CN of the cert.

    Other OSs seem to connect fine, even if the CN is a wildcard.

    I know I have seen an MS article stating this, but I can't find it right now. I have seen this a couple of times and have had to reissue the cert with a valid FQDN as the CN and the wildcard as a SAN.


  • 8.  RE: 802.1x with CCPM and AD - Radius:Microsoft:MS-CHAP-Error

    Posted Apr 25, 2014 10:33 AM
    Testing with iPad, Android smartphone and win8.


  • 9.  RE: 802.1x with CCPM and AD - Radius:Microsoft:MS-CHAP-Error

    Posted Apr 25, 2014 10:55 AM
    On the Windows server, do they have the firewall enabled by any chance?

    Do you see anything in the server's Security or Application event logs?


  • 10.  RE: 802.1x with CCPM and AD - Radius:Microsoft:MS-CHAP-Error

    Posted May 01, 2014 09:16 AM
    Solved the issue.
    For some reason the NetBIOS name in the AD auth source wasn't auto-filled when I created the source. This being empty caused this error message in Access Tracker. I entered the short domain name in this NetBIOS field and things instantly started working.

    As far as I could see there was no error message in the AD Event Viewer, which made this a tad hard to troubleshoot.

    Thanks for the assistance, Victor and Olino.

    I didn't get a chance to test this with the wildcard cert, though. If I ever get a chance I'll be sure to post about it ;)
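The attributes shown in the first post and the rlm_mschap lines in post 4 can be decoded by hand, which makes the resolution in the last post easier to read. The following is an added example, not code from the thread or from ClearPass: it parses the MS-CHAP2-Response and MS-CHAP-Error attributes as RFC 2548 and RFC 2759 define them, and computes the RFC 2759 ChallengeHash, the one step of MS-CHAPv2 verification that takes the User-Name as input. The hex values are the ones posted above; the user names jdoe, CORP\jdoe and jdoe@corp.example are constructed; the RFC 2759 section 9.2 test vector is used as a self-check. The final step (the 24-byte NT-Response, three DES operations keyed from the MD4 of the UTF-16LE password) is not reproduced because the Python standard library has neither DES nor a dependable MD4.

```python
"""Added example (not from the thread): decode the MS-CHAPv2 attributes an
Access Tracker "Input" tab shows and reproduce the one step of MS-CHAPv2
verification that needs the User-Name (RFC 2759 section 8.2)."""
import hashlib
from dataclasses import dataclass
from typing import Dict

# Values copied from the first post of the thread.
MSCHAP2_RESPONSE_HEX = ("0x0a6cda9649f3d374d070030ff95fa6327ade0000000000000000"
                        "39fbf3022e1b47c311a27caabf0c45e86d155c24b631d9dc")
MSCHAP_CHALLENGE_HEX = "0x5ad8746b9e96db0da6bffa8dda9644fa"
MSCHAP_ERROR_TEXT = "E=691 R=1"

# Failure codes defined in RFC 2759 section 6.
MSCHAP_ERROR_CODES = {
    646: "ERROR_RESTRICTED_LOGON_HOURS",
    647: "ERROR_ACCT_DISABLED",
    648: "ERROR_PASSWD_EXPIRED",
    649: "ERROR_NO_DIALIN_PERMISSION",
    691: "ERROR_AUTHENTICATION_FAILURE",
    709: "ERROR_CHANGING_PASSWORD",
}


@dataclass
class MsChap2Response:
    ident: int
    flags: int              # RFC 2548: reserved, MUST be zero (reported, not enforced)
    peer_challenge: bytes   # 16 bytes chosen by the client
    reserved: bytes         # 8 zero bytes
    nt_response: bytes      # 24 bytes: 3 x DES over the 8-byte challenge hash


def unhex(s: str) -> bytes:
    """Accept the '0x...' form Access Tracker displays as well as bare hex."""
    return bytes.fromhex(s[2:] if s[:2].lower() == "0x" else s)


def parse_mschap2_response(hexval: str) -> MsChap2Response:
    """Layout from RFC 2548 section 2.3.2:
    Ident(1) Flags(1) Peer-Challenge(16) Reserved(8) NT-Response(24) = 50 bytes."""
    raw = unhex(hexval)
    if len(raw) != 50:
        raise ValueError(f"MS-CHAP2-Response must be 50 bytes, got {len(raw)}")
    return MsChap2Response(raw[0], raw[1], raw[2:18], raw[18:26], raw[26:50])


def parse_mschap_error(text: str) -> Dict[str, object]:
    """Parse 'E=eeeeeeeeee R=r C=cccc V=vvvvvvvvvv M=<msg>' (RFC 2759 section 6).
    Only the fields present are returned; the message may contain spaces, so
    it is split off before tokenising the rest."""
    head, _, msg = text.partition(" M=")
    fields: Dict[str, object] = {
        k: v for k, _, v in (tok.partition("=") for tok in head.split()) if k
    }
    code = int(fields["E"]) if "E" in fields else None
    fields["code"] = code
    fields["name"] = MSCHAP_ERROR_CODES.get(code, "unknown")
    fields["retry_allowed"] = fields.get("R") == "1"   # R=1 means the peer may retry
    if msg:
        fields["message"] = msg
    return fields


def challenge_hash(peer_challenge: bytes, authenticator_challenge: bytes,
                   user_name: str) -> bytes:
    """RFC 2759 section 8.2: SHA1(PeerChallenge || AuthenticatorChallenge || UserName)[0:8].
    The RFC excludes a prefixed domain name ('DOMAIN\\user'); a UPN suffix is kept."""
    user = user_name.rsplit("\\", 1)[-1]
    data = peer_challenge + authenticator_challenge + user.encode("utf-8")
    return hashlib.sha1(data).digest()[:8]


def rfc2759_selfcheck() -> bool:
    """Test vector from RFC 2759 section 9.2 (UserName 'User')."""
    auth = bytes.fromhex("5B5D7C7D7B3F2F3E3C2C602132262628")
    peer = bytes.fromhex("21402324255E262A28295F2B3A337C7E")
    return challenge_hash(peer, auth, "User") == bytes.fromhex("D02E4386BCE91226")


if __name__ == "__main__":
    resp = parse_mschap2_response(MSCHAP2_RESPONSE_HEX)
    auth_challenge = unhex(MSCHAP_CHALLENGE_HEX)
    print("ident", resp.ident, "flags", hex(resp.flags),
          "reserved is zero:", resp.reserved == bytes(8))
    print("peer challenge ", resp.peer_challenge.hex())
    print("nt-response    ", resp.nt_response.hex())
    print("error          ", parse_mschap_error(MSCHAP_ERROR_TEXT))
    # Constructed names, not from the thread: the same user written three ways.
    for name in ("jdoe", "CORP\\jdoe", "jdoe@corp.example"):
        h = challenge_hash(resp.peer_challenge, auth_challenge, name)
        print(f"{name:<20} challenge hash {h.hex()}")
    print("RFC 2759 vector OK:", rfc2759_selfcheck())
```

The ChallengeHash is the reason a missing User-Name is fatal to MS-CHAPv2 verification: the server derives the 8-byte challenge from the peer challenge, its own challenge and the user name, encrypts it under keys derived from the stored password hash, and compares the result with the 24-byte NT-Response the client sent. With no user name there is no expected value to compare against, so the response is declared incorrect whatever the password was; that is the sequence the rlm_mschap log lines in post 4 show. The example also surfaces that the captured Flags octet is 0x6c where RFC 2548 requires zero; it prints the value rather than rejecting on it.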