Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass 802.1x Auth - Locking out Account

  • 1.  Clearpass 802.1x Auth - Locking out Account

    Posted May 13, 2014 11:07 AM

    We are currently running Clearpass 6.2.6.62196 and we are getting calls all day long from clients frustrated with their AD account getting locked out. What we are noticing in Asset-Tracker "show logs" when a user enters their password incorrectly is that Clearpass is passing the RADIUS MSCHAP 3 times. Well, our security setting in AD only allows 3 login failures before your account will be locked out.

    Why is Clearpass passing the bad login credential 3 times per login attempt? HELP!!!!



  • 2.  RE: Clearpass 802.1x Auth - Locking out Account

    EMPLOYEE
    Posted May 13, 2014 11:09 AM

    ClearPass is not blocking anything. If AD is set to 3 bad attempts, and the device has the bad credentials stored, the account will be disabled and the device will be denied access.


    You either need to increase or disable your lockout setting.



  • 3.  RE: Clearpass 802.1x Auth - Locking out Account

    Posted May 13, 2014 11:13 AM

    I am not saying Clearpass is locking out accounts. What we are seeing is Clearpass passing 3 attempts to AD with the bad login password, and AD locks them out. Why is Clearpass passing the attempt 3 times and not only one time? Because of this, our users only have one shot to enter their password correctly instead of 3 times.



  • 4.  RE: Clearpass 802.1x Auth - Locking out Account

    EMPLOYEE
    Posted May 13, 2014 11:15 AM
    The device may be attempting to authenticate multiple times.


  • 5.  RE: Clearpass 802.1x Auth - Locking out Account
    Best Answer

    EMPLOYEE
    Posted May 13, 2014 11:16 AM

    @chan.khen wrote:

    We are currently running Clearpass 6.2.6.62196 and we are getting calls all day long from clients frustrated with their AD account getting locked out. What we are noticing in Asset-Tracker "show logs" when a user enters their password incorrectly is that Clearpass is passing the RADIUS MSCHAP 3 times. Well, our security setting in AD is that after 3 login failures, your account will be locked out.

    Why is Clearpass passing the bad login credential 3 times per login attempt? HELP!!!!


    What you should do is implement Password history check (N-2): "Before a Windows Server 2003 operating system increments badPwdCount, it checks the invalid password against the password history. If the password is the same as one of the last two entries that are in the password history, badPwdCount is not incremented for both NTLM and the Kerberos protocol. This change to domain controllers should reduce the number of lockouts that occur because of user error." - http://technet.microsoft.com/en-us/library/cc780271(v=ws.10).aspx



  • 6.  RE: Clearpass 802.1x Auth - Locking out Account

    Posted May 13, 2014 11:18 AM

    I can understand if this is coming from mobile device users... this is all laptop users. NO mobile devices.



  • 7.  RE: Clearpass 802.1x Auth - Locking out Account

    EMPLOYEE
    Posted May 13, 2014 11:22 AM

    chan.ken,

    The laptop device wireless supplicant is responsible for resubmitting the username and password multiple times to the radius server. It is not just mobile devices that act this way.

    Please use my suggestion above to keep users from locking themselves out when they have devices with unchanged passwords.



  • 8.  RE: Clearpass 802.1x Auth - Locking out Account

    Posted May 13, 2014 01:17 PM

    To implement the password history check N-2 feature that cjoseph speaks of, there needs to be a password history policy defined (greater than 0). There is no specific knob for N-2.

    Group Policy Location: (screenshot, passwordhistory.png)



  • 9.  RE: Clearpass 802.1x Auth - Locking out Account

    Posted May 13, 2014 01:32 PM

    Ok... here is an update to this. I have been on the phone with TAC now for 3+ hours on this issue.

    Current setup:

    1. AD only allows 3 login attempts before an account gets locked out.

    What we are seeing:

    1. Windows 7 laptop users' accounts get locked out after failing to input their AD password with one try/attempt.

    What TAC found/is seeing:

    When a user attempts to log in via 802.1x (radius), cppm will take the request coming from the user and send out 2 login attempts to AD. The first login attempt is the username in all lowercase login info (i.e. firstname.lastname in our case here). The second attempt is the username with capital letters (i.e. Firstname.Lastname).

    What we are seeing is that there is a 3rd attempt. The 3rd attempt has domain information (i.e. domain.com/firstname.lastname). The reason for the 3rd attempt is because under our Windows EAP MSCHAP setting we enable (checkbox) "automatically use my Windows logon name and password and domain if any".

    We have tried to implement the "badPwdCount" check like CJoseph recommended within Clearpass, but that doesn't work either since our AD password setting only allows 3 login attempts before locking out.

    To do this the attribute command is as follows within clearpass: (&(&(sAMAccountName=%{Authentication:Username})(objectClass=user))(!(badPwdCount>=3)))

    Solution: There is none. There is only a work around.

    1. Bump up the 3 lockout count to 5 within AD. For us it's not possible because that would require a lot of paperwork and approval (audits).

    2. Wait till TAC gets back with a solution. It's being escalated now to engineering.

    Chan
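The interplay this thread describes, as an added model (not ClearPass or Microsoft code): post 5's N-2 password-history rule, post 9's three AD checks per supplicant attempt, and the badPwdCount pre-filter. The number of username formats forwarded per attempt, the AD lockout threshold and the filter threshold are constructed parameters, so the same model also shows what the 6.3.5 single-format behaviour and the "raise lockout to 5" workaround buy.

```python
from dataclasses import dataclass, field


@dataclass
class Account:  # minimal stand-in for an AD user object (constructed, not a real API)
    password: str
    history: list = field(default_factory=list)  # previous passwords, newest first
    bad_pwd_count: int = 0
    locked: bool = False


def ad_bind(acct, password, lockout_threshold):
    """One MSCHAP credential check at the DC. Emulates the documented N-2 rule:
    a wrong password equal to one of the last two history entries is not counted."""
    if acct.locked:
        return False
    if password == acct.password:
        return True
    if password not in acct.history[:2]:
        acct.bad_pwd_count += 1
        if acct.bad_pwd_count >= lockout_threshold:
            acct.locked = True
    return False


def nac_auth(acct, password, lockout_threshold, formats_per_attempt,
             precheck_threshold=None):
    """One supplicant attempt as the NAC handles it: optional LDAP-style
    (!(badPwdCount>=N)) pre-check, then one AD check per username format forwarded."""
    if precheck_threshold is not None and acct.bad_pwd_count >= precheck_threshold:
        return False  # filter rejects before any AD check is made
    for _ in range(formats_per_attempt):  # thread reports 3: lowercase, capitalised, domain-qualified
        if ad_bind(acct, password, lockout_threshold):
            return True
    return False


def attempts_until_lockout(lockout_threshold, formats_per_attempt,
                           precheck_threshold=None, max_attempts=10):
    """Wrong user attempts after which the account locks; None if it never does."""
    acct = Account(password="correct-pw")
    for n in range(1, max_attempts + 1):
        nac_auth(acct, "typo-pw", lockout_threshold, formats_per_attempt, precheck_threshold)
        if acct.locked:
            return n
    return None
```

With the thread's numbers (lockout 3, three formats) a single typo locks the account and the badPwdCount filter at 3 cannot prevent it; raising the lockout to 5 buys one more attempt, and combining that with the filter stops the NAC before AD ever reaches the threshold.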




  • 10.  RE: Clearpass 802.1x Auth - Locking out Account
    Best Answer

    Posted Jun 04, 2014 09:48 AM

    OK... Here is the solution to this post. TAC has classified this as a bug within CPPM. Below is what they said.

    Update from TAC as of 5/16/2014:

    !

    Hi Chan,

    This issue has been identified in ClearPass and we are implementing a service parameter to control this behavior.

    So by default CPPM will not re-attempt the AD login check with different formats, and you can turn on the additional formats upon requirement.

    However, the patch that is going to address this issue is currently set to 6.3.5. We do not have an official release date on 6.3.5 yet.

    For now, we can implement the work around of increasing the Account lockout policy, if possible, while we get an official date on the release.

    !

    Update from TAC as of June 4th:

    !

    Hi Chan,

    The ClearPass version 6.3.5 which has a fix for our issue is slated for release tentatively at the end of July 2014.

    !

    Many thanks to Aruba TAC engineers. They were also to work with. Also many thanks to all the Airheads that chimed in on this post. You guys are Airhead rock stars.




  • 11.  RE: Clearpass 802.1x Auth - Locking out Account

    Posted Apr 08, 2016 11:32 AM

    We are experiencing what looks to be the same issue when running 6.5.1.72346.  Can anyone point me to the setting to adjust it so it doesn't send the auth request 3 times?



  • 12.  RE: Clearpass 802.1x Auth - Locking out Account

    Posted May 31, 2016 07:16 AM

    We have this issue with version 6.5.2.73779