New Contributor

Re: ClearPass PM fails to join AD Domain

Hi Tim,

And in cases where we need MSCHAPv2 because of the iPhones?

Is there any way to force ClearPass to use GTC, or to remove MSCHAP from ClearPass?

Thank you.

MVP Guru

Re: ClearPass PM fails to join AD Domain

Hi,

Most client device vendors do not support the EAP-GTC protocol, for example Windows devices. I think Android supports GTC.

If you have devices which support GTC then you don't need to join CPPM to the AD domain, but if you have Windows devices which support EAP-PEAP/MSCHAPv2 then you need to join.

The link below provides details on why we need to join CPPM to the AD domain.

https://community.arubanetworks.com/aruba/attachments/aruba/aaa-nac-guest-access-byod/29092/1/Airheads%20Webinar_Clearpass_Domainjoin.pdf

 

Regards,

Pavan

if my post addresses your query give kudos:)

Regards,
Pavan
If my post addresses your queries, give kudos and accept as solution!
NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
New Contributor

Re: ClearPass PM fails to join AD Domain

Hi Pavan,

I will try to be more explicit, and sorry for my lack of knowledge.

This happened because the SMBv1 protocol was removed from the server to avoid the recent malware contagion. Since ClearPass was configured to use the MS-CHAP and MS-CHAPv2 authentication methods that use the SMBv1 protocol, it could not authenticate users through Active Directory.

The solution/workaround was to change the authentication settings in ClearPass to TLS, and on the wireless network we changed the authentication order for TLS and TTLS to take precedence over CHAP, MS-CHAP and MS-CHAPv2.

Everything works fine on Microsoft and Android, but on iOS, since you can't choose the protocol, it always goes looking for MSCHAPv2 instead of GTC.

Is it possible to force this, to do something in ClearPass?

I was told that a new release will be provided to support SMBv2/v3 in the next 30 days, but for now, is there a workaround we can do?

Thank you

Guru Elite

Re: ClearPass PM fails to join AD Domain

You don't need GTC if you're using EAP-TLS. Apple devices require a configuration profile to use EAP-TTLS.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

Guru Elite

Re: ClearPass PM fails to join AD Domain

Update: SMBv2 and SMBv3 support is available via a hotfix for ClearPass 6.6.7

http://community.arubanetworks.com/t5/Security/ClearPass-Release-Announcements/m-p/303234#M32873


| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |
