Contributor II

Re: Clearness and AD

I'm not sure what to put after NETBIOS; I tried the DNS name and that didn't work. I can browse the Base DN with the username and password in the GUI.

 

I was doing some other testing yesterday and I was able to get MSCHAPv2 to work with the local database, just not with AD or LDAP. If that's helpful information. 

 

Bob 

 

Trusted Contributor I

Re: Clearness and AD

I don't have much AD experience, so I can't answer that question.  In my environment the netbios name is different than the FQDN for the domain.  It's the netbios name that must be used for testing authentication.

 

The reason why I mention testing AD via CLI, is that I had a similar issue a month ago.  I could search the base DN, but I couldn't test authentication via CLI.  The fix was to remove the CPPM servers from the domain and rejoin them.

Aruba

Re: Clearness and AD

After unchecking the bind as user box, do the failures in Access Tracker give the same message on the Alerts tab?

 

The rlm_ldap entries within the log are "normal"; they appear in successful logons as well.

 

Can you post a copy of the exported log file for the failed attempt?  

------------------------------------------------
Systems Engineer, Northeast USA
AMFX | ACCX | ACDX | ACMX

Contributor II

Re: Clearness and AD

I wasn't sure what to enter for the NETBIOS name. I tried the host name and it failed resolving, not the authentication.  

 

 

Aruba

Re: Clearness and AD

Within the Authentication source, the NETBIOS name should be the NETBIOS name of your Active Directory domain.   If you don't know what it is, you can ask an administrator of the domain, or just log into a machine in the domain and check what the domain name is.

 

One method:

Type echo %userdomain% from a command prompt on a machine that logged into the domain.

------------------------------------------------
Systems Engineer, Northeast USA
AMFX | ACCX | ACDX | ACMX

Contributor II

Re: Clearness and AD

I don't have AD Admin rights to our domain, but I can remove the appliance from the domain and have the Admin rejoin it; that should only take a couple minutes.

 

I attached the access logs, but receive the same error.

 

 

Bob 

Contributor II

Re: Clearness and AD

I was trying different syntaxes and this worked:

ad auth -u <username> -n <domain name> 

and received the correct response. 

 

INFO - NT_STATUS_OK: Success (0x0)

 

Bob 

Aruba

Re: Clearness and AD

Looks like you may have cross posted, so this initial post didn't get the last updates.  For anyone looking for an update on this post, see the last few posts over here:

http://community.arubanetworks.com/t5/ClearPass-formerly-known-as/Clearpass-AD-Authentication-Failing/td-p/58226

 

 

------------------------------------------------
Systems Engineer, Northeast USA
AMFX | ACCX | ACDX | ACMX
