New Contributor

ClearPass acting as a Radius server - Controllers unable to authenticate with EAP-MSCHAPv2

I just deployed a ClearPass VM with LDAP connectivity to a domain controller, TACACS server for network equipment to authenticate and Radius for everything else. For TACACS and Radius, I have policies set up to use the authentication source going back to my domain or against the LDAP source. I have been able to confirm that TACACS and radius will work with network and other types of devices. However, when I attempt to connect the controller up to ClearPass using the radius under Security -> Authentication -> Servers -> Radius & RFC 3576 server, I am able to authenticate only if I allow mschap (not v2). The moment I remove mschap from the authentication methods, the controller is no longer able to authenticate.

Any suggestions of what I should look at to get EAP MSCHAPv2 to work?

Guru Elite

Re: ClearPass acting as a Radius server - Controllers unable to authenticate with EAP-MSCHAPv2

You should be using [EAP PEAP] in your 802.1X service as the authentication method, not [EAP-MSCHAPv2] or [MSCHAP]. Also, make sure your ClearPass servers are joined to the domain. It’s a requirement when using legacy EAP methods like PEAPv0/EAP-MSCHAPv2.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
New Contributor

Re: ClearPass acting as a Radius server - Controllers unable to authenticate with EAP-MSCHAPv2

Thank you for the quick response. While I agree with you that [EAP PEAP] should be used, I am unable to find a way to choose a different option within the Controller (see screenshot). I want all of our "admins" to authenticate into the controllers using ClearPass.

Guru Elite

Re: ClearPass acting as a Radius server - Controllers unable to authenticate with EAP-MSCHAPv2

So this is only admin access. You mentioned you want network equipment to use TACACS+. So why are you trying to set up RADIUS? I'm confused.


| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.