Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

CPPM Problem while using PEAP with MS-CHAPv2

  • 1.  CPPM Problem while using PEAP with MS-CHAPv2

    Posted Sep 30, 2014 08:03 AM

    Hi

    In our company there are a few old clients which cannot use EAP-TLS because there is no support for certificates.

    So we did the authentication with PEAP with MS-CHAPv2, so that the users were prompted for username and password, which was checked in MS Active Directory.

    We did this with an old MS IAS Server.

    Now we changed to CPPM, which is working fine for Guest and EAP-TLS authentication.

    But I cannot get PEAP working. While connecting I see the following error in Access Tracker:

    Alerts:

    MSCHAP: AD status:No trusted SAM account (0xc000018b) 
    MSCHAP: AD status:No trusted SAM account (0xc000018b) 
    MSCHAP: AD status:No trusted SAM account (0xc000018b) 
    MSCHAP: Authentication failed
    EAP-MSCHAPv2: User authentication failure

    In the RADIUS request I find the following error:

    Radius:Microsoft:MS-CHAP-Error\rE=691 R=1

    Does anybody have an idea to fix this problem?

    We are using:

    ClearPass Policy Manager 6.3.4.64924 on CP-VA-5K platform

    Thanks in advance
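    The two pieces of evidence in this post are structured text that can be parsed rather than eyeballed: the Access Tracker alert carries an NTSTATUS code in parentheses, and the MS-CHAP-Error attribute follows the RFC 2548 layout of a one-octet Ident followed by the string "E=... R=... [C=...] [V=...] [M=...]", which is why the value shows a leading "\r" (the Ident octet, 0x0d) before "E=691". The script below is an added example, not part of this thread or of ClearPass; the sample alert text and attribute value are copied from the post, the NTSTATUS and MS-CHAP error-code names come from the Windows status table and RFC 2759, and the "server-side vs user-side" grouping is a heuristic assumed here for triage, not a ClearPass categorisation.

```python
import re
from typing import Dict, List, Optional

# Constructed sample input: the Access Tracker alert lines quoted in the post.
ALERT_TEXT = """MSCHAP: AD status:No trusted SAM account (0xc000018b)
MSCHAP: AD status:No trusted SAM account (0xc000018b)
MSCHAP: AD status:No trusted SAM account (0xc000018b)
MSCHAP: Authentication failed
EAP-MSCHAPv2: User authentication failure"""

# The MS-CHAP-Error value as Access Tracker rendered it. RFC 2548 defines the
# attribute as a one-octet Ident followed by "E=... R=... [C=...] [V=...] [M=...]",
# so the leading "\r" is the Ident octet (0x0d), not a stray line break.
MSCHAP_ERROR_VALUE = "\rE=691 R=1"

# Error codes from RFC 2759 section 6.
MSCHAP_ERROR_NAMES = {
    646: "ERROR_RESTRICTED_LOGON_HOURS",
    647: "ERROR_ACCT_DISABLED",
    648: "ERROR_PASSWD_EXPIRED",
    649: "ERROR_NO_DIALIN_PERMISSION",
    691: "ERROR_AUTHENTICATION_FAILURE",
    709: "ERROR_CHANGING_PASSWORD",
}

# NTSTATUS values commonly seen in the "AD status" alert.
NTSTATUS_NAMES = {
    0xC000006D: "STATUS_LOGON_FAILURE",
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC0000064: "STATUS_NO_SUCH_USER",
    0xC0000072: "STATUS_ACCOUNT_DISABLED",
    0xC000018B: "STATUS_NO_TRUSTED_SAM_ACCOUNT",
}

# Assumed heuristic grouping (not a ClearPass categorisation): these codes
# concern the RADIUS server's own machine account / trust with the domain,
# not the end user's credentials.
SERVER_SIDE_CODES = {0xC000018B}

AD_STATUS_RE = re.compile(r"AD status:(?P<text>.*?)\s*\((?P<code>0x[0-9a-fA-F]+)\)")


def parse_ad_status_lines(text: str) -> List[Dict[str, object]]:
    """Extract every 'AD status:<text> (0x...)' alert with its NTSTATUS code."""
    out: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = AD_STATUS_RE.search(line)
        if m:
            code = int(m.group("code"), 16)
            out.append({"text": m.group("text").strip(), "code": code,
                        "name": NTSTATUS_NAMES.get(code, "UNKNOWN")})
    return out


def parse_mschap_error(value: str) -> Dict[str, object]:
    """Split an MS-CHAP-Error value into its Ident octet and E/R/C/V/M fields."""
    ident: Optional[int] = None
    body = value
    if body and not body.startswith("E="):
        ident, body = ord(body[0]), body[1:]     # Ident octet precedes the string
    message = None
    if " M=" in body:                            # M= is last and may contain spaces
        body, message = body.split(" M=", 1)
    fields = dict(re.findall(r"\b([ERCV])=([0-9A-Fa-f]+)", body))
    error = int(fields["E"]) if "E" in fields else None
    return {
        "ident": ident,
        "error": error,
        "error_name": MSCHAP_ERROR_NAMES.get(error, "UNKNOWN"),
        "retry_allowed": fields.get("R") == "1",
        "challenge": fields.get("C"),
        "version": int(fields["V"]) if "V" in fields else None,
        "message": message,
    }


def diagnose(alert_text: str, mschap_error_value: str) -> Dict[str, object]:
    """Combine both sources into one summary that says where to look first."""
    statuses = parse_ad_status_lines(alert_text)
    err = parse_mschap_error(mschap_error_value)
    codes = {s["code"] for s in statuses}
    if codes and codes <= SERVER_SIDE_CODES:
        scope = "server-side (machine account / domain membership)"
    elif codes:
        scope = "user-side (credentials or account state)"
    else:
        scope = "unknown"
    return {
        "ad_status_codes": sorted(codes),
        "ad_status_names": sorted({s["name"] for s in statuses}),
        "mschap_error": err["error"],
        "mschap_error_name": err["error_name"],
        "retry_allowed": err["retry_allowed"],
        "scope": scope,
    }


if __name__ == "__main__":
    print(diagnose(ALERT_TEXT, MSCHAP_ERROR_VALUE))
```

    Run against the post's own text, the summary reports STATUS_NO_TRUSTED_SAM_ACCOUNT with E=691 (a generic authentication failure, retry allowed) and points at the server side, which matches the later finding that the ClearPass computer object was missing from AD; a logon failure or wrong-password status would instead be reported as user-side.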



  • 2.  RE: CPPM Problem while using PEAP with MS-CHAPv2

    EMPLOYEE
    Posted Sep 30, 2014 08:09 AM

    Are your CPPM servers joined to your AD domain?



  • 3.  RE: CPPM Problem while using PEAP with MS-CHAPv2

    Posted Sep 30, 2014 08:24 AM

    Yes, they are. EAP-TLS checks if there exists a computer account in AD, too. So the general connection with AD is working.



  • 4.  RE: CPPM Problem while using PEAP with MS-CHAPv2

    Posted Sep 30, 2014 08:51 AM

    Can you confirm that CPPM is not using a read-only domain controller during this authentication? Also check your Authentication Source (primary/backup tab) and see if you can browse the AD tree using the account specified.

    I would also double-check that domain join; even remove and re-add it. The check for a corresponding account with EAP-TLS is an LDAP lookup, as compared to an 802.1X EAP-MSCHAPv2 authentication.



  • 5.  RE: CPPM Problem while using PEAP with MS-CHAPv2

    Posted Sep 30, 2014 09:48 AM

    I can browse the AD tree in the authentication source setup, but how can I do this with the specified user account?



  • 6.  RE: CPPM Problem while using PEAP with MS-CHAPv2

    Posted Sep 30, 2014 02:49 PM

    [screenshot attachment: 2014-09-30 14_47_05-ClearPass Policy Manager - Aruba Networks.png]

    Or from the search base:

    [screenshot attachment: 2014-09-30 14_48_47-ClearPass Policy Manager - Aruba Networks.png]



  • 7.  RE: CPPM Problem while using PEAP with MS-CHAPv2
    Best Answer

    Posted Sep 30, 2014 10:21 PM

    Browsing through the authentication source is merely LDAP and proves the bind user information is working (which would give a different error if it was not; but I had to make sure). The authentication process for PEAP-MSCHAPv2 requires that domain membership be functional to ensure CPPM can read the MSCHAP hash. Do you have any password servers defined in the domain membership area? Can you confirm the corresponding object in AD still exists? Perhaps try removing it and adding it back in.

    [screenshot attachment: cppm-pwd-servers.png]



  • 8.  RE: CPPM Problem while using PEAP with MS-CHAPv2

    Posted Oct 01, 2014 09:21 AM

    Thanks a lot, I got it.

    LDAP browsing works fine, but I noticed that there was no computer object for the ClearPass machine in AD.

    So I left the domain and rejoined it.

    Afterwards it worked.

    But now there is another problem.

    I built a service which should match on these PEAP connections like the following:

    Radius:IETF NAS-Port-Type EQUALS Wireless-802.11 (19)

    AND

    Authentication InnerMethod EQUALS EAP-MSCHAPv2

    In Access Tracker I can see in the computed attributes:

    Authentication:InnerMethod     EAP-MSCHAPv2

    But the service does not match.

    In my setup I need to handle PEAP-supporting clients with a separate service.

    Any idea? Where is my mistake?

     



  • 9.  RE: CPPM Problem while using PEAP with MS-CHAPv2

    Posted Oct 01, 2014 09:38 AM

    That should work as a service rule. Does that authentication attempt match any service at all? Can you export the Access Tracker details and attach them?

    Do you need a different service for this? Or can you use a single service and use role mappings to differentiate? I have seen customers go this route, with a role mapping for one inner method giving one role and another inner method giving a second role.



  • 10.  RE: CPPM Problem while using PEAP with MS-CHAPv2

    Posted Oct 02, 2014 01:38 AM

    I found a solution in customizing our "standard" service, which used only EAP-TLS before.

    I added some conditions in enforcement:

    Conditions                                                          Enforcement Profiles
    1. (Authorization:lvrintern.lvr.de:UserDN CONTAINS OU=Test1)
       AND (Authentication:InnerMethod NOT_EQUALS EAP-MSCHAPv2)         [Allow Access Profile]
    2. (Authentication:InnerMethod EQUALS EAP-MSCHAPv2)
       AND (Authorization:lvrintern.lvr.de:memberOf CONTAINS Test2)     [Allow Access Profile]

    In the other scenario I wanted to match a service on InnerMethod EAP-MSCHAPv2, but this did not work. For me it looks like this "inner" information is not present in the RADIUS request.

    Can you explain when the "Computed Attributes" are evaluated?



  • 11.  RE: CPPM Problem while using PEAP with MS-CHAPv2
    Best Answer

    EMPLOYEE
    Posted Oct 02, 2014 01:48 AM

    So instead of looking for everything in both services, you can set it to have a more restrictive policy in the first one and have the second as a fall-through, since the enforcement should be "first applicable", NOT "evaluate all".

    Here is an example wireless service with both PEAP and TLS.

    You don't need to have the first item in the enforcement. That is a special query that I use to look at the date of the TLS cert and force the user to the onboarding page.

    As you can see in the last screenshot, I'm first looking to see what group the user is in and then I'm looking to see if they authenticated by TLS.

    Since I am only allowing devices that authenticate by PEAP or TLS, I can leave the next rule stating that if they match a certain group and are not TLS, then assign that role.

    [screenshot attachment: Screen Shot 2014-10-02 at 12.39.38 AM.png]

    [screenshot attachment: Screen Shot 2014-10-02 at 12.40.01 AM.png]

    [screenshot attachment: Screen Shot 2014-10-02 at 12.40.07 AM.png]

    [screenshot attachment: Screen Shot 2014-10-02 at 12.40.14 AM.png]

    [screenshot attachment: Screen Shot 2014-10-02 at 12.40.21 AM.png]
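    The difference between post 10's enforcement policy (two rules that each spell out the inner method) and the ordering suggested in post 11 (restrictive rule first, broad rule as fall-through) comes down to how the rules are evaluated. The script below is an added example, not code from this thread or from ClearPass: it implements a small evaluator for AND-ed conditions with the EQUALS, NOT_EQUALS and CONTAINS operators, offers both a "first applicable" and an "evaluate all" mode, and runs post 10's transcribed rules and a post 11 style policy over constructed requests. The attribute names follow the thread (Authorization:lvrintern.lvr.de:UserDN, Authorization:lvrintern.lvr.de:memberOf, Authentication:InnerMethod); Authentication:OuterMethod, the DN values, the role names and the way an absent attribute is treated by NOT_EQUALS are assumptions made here.

```python
from typing import Any, Dict, List, Tuple

# Authentication source name as it appears in the thread; all attribute values
# further down are constructed samples, not real directory data.
AD = "Authorization:lvrintern.lvr.de"

Condition = Tuple[str, str, str]       # (attribute, operator, value)
Rule = Tuple[List[Condition], str]     # (AND-ed conditions, enforcement profile)


def condition_matches(attrs: Dict[str, Any], cond: Condition) -> bool:
    """Evaluate one condition against the request's computed attributes."""
    attr, op, value = cond
    actual = attrs.get(attr)
    if op == "EQUALS":
        return actual == value
    if op == "NOT_EQUALS":
        return actual != value              # assumption: an absent attribute is "not equal"
    if op == "CONTAINS":
        if actual is None:
            return False
        if isinstance(actual, (list, tuple)):   # multi-valued attribute such as memberOf
            return any(value in str(v) for v in actual)
        return value in str(actual)
    raise ValueError(f"unsupported operator: {op}")


def rule_matches(attrs: Dict[str, Any], rule: Rule) -> bool:
    conditions, _profile = rule
    return all(condition_matches(attrs, c) for c in conditions)


def first_applicable(attrs: Dict[str, Any], rules: List[Rule],
                     default: str = "[Deny Access Profile]") -> str:
    """Return the profile of the first rule whose conditions all hold."""
    for rule in rules:
        if rule_matches(attrs, rule):
            return rule[1]
    return default


def evaluate_all(attrs: Dict[str, Any], rules: List[Rule],
                 default: str = "[Deny Access Profile]") -> List[str]:
    """Return the profiles of every rule that holds, in policy order."""
    hits = [profile for conds, profile in rules if rule_matches(attrs, (conds, profile))]
    return hits or [default]


# Post 10's enforcement policy, transcribed.
POST10_POLICY: List[Rule] = [
    ([(f"{AD}:UserDN", "CONTAINS", "OU=Test1"),
      ("Authentication:InnerMethod", "NOT_EQUALS", "EAP-MSCHAPv2")], "[Allow Access Profile]"),
    ([("Authentication:InnerMethod", "EQUALS", "EAP-MSCHAPv2"),
      (f"{AD}:memberOf", "CONTAINS", "Test2")], "[Allow Access Profile]"),
]

# Post 11's pattern: check the group and TLS first, then the group alone as fall-through.
RESTRICTIVE_FIRST: List[Rule] = [
    ([(f"{AD}:memberOf", "CONTAINS", "Test2"),
      ("Authentication:OuterMethod", "EQUALS", "EAP-TLS")], "[TLS Role]"),
    ([(f"{AD}:memberOf", "CONTAINS", "Test2")], "[PEAP Role]"),
]

# Constructed requests. The EAP-TLS client has no inner tunnel, so no InnerMethod.
TLS_CLIENT: Dict[str, Any] = {
    "Radius:IETF:NAS-Port-Type": "Wireless-802.11 (19)",
    "Authentication:OuterMethod": "EAP-TLS",
    f"{AD}:UserDN": "CN=alice,OU=Test1,DC=lvrintern,DC=lvr,DC=de",
    f"{AD}:memberOf": ["CN=Test2,OU=Groups,DC=lvrintern,DC=lvr,DC=de"],
}
PEAP_CLIENT: Dict[str, Any] = {
    "Radius:IETF:NAS-Port-Type": "Wireless-802.11 (19)",
    "Authentication:OuterMethod": "EAP-PEAP",
    "Authentication:InnerMethod": "EAP-MSCHAPv2",
    f"{AD}:UserDN": "CN=bob,OU=Legacy,DC=lvrintern,DC=lvr,DC=de",
    f"{AD}:memberOf": ["CN=Test2,OU=Groups,DC=lvrintern,DC=lvr,DC=de"],
}
PEAP_CLIENT_WRONG_GROUP: Dict[str, Any] = dict(
    PEAP_CLIENT, **{f"{AD}:memberOf": ["CN=Other,OU=Groups,DC=lvrintern,DC=lvr,DC=de"]})


if __name__ == "__main__":
    for name, req in [("tls", TLS_CLIENT), ("peap", PEAP_CLIENT),
                      ("peap-wrong-group", PEAP_CLIENT_WRONG_GROUP)]:
        print(name, first_applicable(req, POST10_POLICY),
              first_applicable(req, RESTRICTIVE_FIRST), evaluate_all(req, RESTRICTIVE_FIRST))
```

    With first-applicable evaluation the TLS client in Test2 stops at "[TLS Role]" and the PEAP client falls through to "[PEAP Role]", so the second rule never needs a NOT_EQUALS check on the method. The evaluate_all run on the same TLS client returns both profiles, which is the duplicate-match situation post 13 warns about: the extra conditions in post 10's policy are what makes the rules disjoint when the mode is "evaluate all", and they become redundant work under "first applicable".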



  • 12.  RE: CPPM Problem while using PEAP with MS-CHAPv2

    Posted Oct 02, 2014 02:11 AM

    Thanks a lot.

    I did not know about this possibility. For sure I need to go to a ClearPass training next year. :-)

    For me my solution is working for the moment. I will test your suggestion for future requirements soon.

     



  • 13.  RE: CPPM Problem while using PEAP with MS-CHAPv2

    EMPLOYEE
    Posted Oct 02, 2014 02:14 AM
    The thing to remember is that if you put a lot of duplicate checks in place, then you are using more processing power and creating additional work that CPPM does not need. :)

    Sometimes simple is better...