Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

EAP: Client doesn't support configured EAP methods - [EAP-MSCHAP]

  • 1.  EAP: Client doesn't support configured EAP methods - [EAP-MSCHAP]

    Posted Mar 05, 2018 07:02 AM

    Hello,

    Customer has an 802.1X service where corporate users will authenticate via EAP-TLS, and contractors via EAP-MSCHAP. CPPM runs on 6.6.8.

    While corporate users have no issues while authenticating, contractors are not able to do so. The Alert tab in Access Tracker is displaying the error message "EAP: Client doesn't support configured EAP methods". Any thoughts on what could be the reason behind this? For both methods, the authentication source is the customer's AD. Thanks.

    Regards,

    NesaM



  • 2.  RE: EAP: Client doesn't support configured EAP methods - [EAP-MSCHAP]
    Best Answer

    EMPLOYEE
    Posted Mar 05, 2018 07:18 AM

    Clients using EAP-PEAP actually use an Inner Method of EAP-MSCHAPv2 and an Outer Method of EAP-PEAP. Make sure both methods are included as authentication methods in your service along with your EAP-TLS.
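The reply above describes why a PEAP client fails against a service that lists only EAP-TLS (or only EAP-MSCHAPv2) as an authentication method. The following is an added example, written for this page and not code from the thread, from HPE Aruba or from ClearPass: a small model of the EAP method negotiation from RFC 3748, in which the server offers each configured method in turn and a supplicant that does not support the offered method answers with a Legacy Nak (EAP type 3) listing the types it wants. The EAP type numbers (13 EAP-TLS, 25 EAP-PEAP, 26 EAP-MSCHAPv2) are the registered values; the `Supplicant` class, the service method lists and the way the inner PEAP method is checked are constructed assumptions for the example, and the error string is the one quoted in the thread.

```python
import struct

EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_NAK = 3                                   # Legacy Nak, RFC 3748 section 5.3
EAP_TYPE_TLS, EAP_TYPE_PEAP, EAP_TYPE_MSCHAPV2 = 13, 25, 26
NAMES = {EAP_TYPE_TLS: "EAP-TLS", EAP_TYPE_PEAP: "EAP-PEAP", EAP_TYPE_MSCHAPV2: "EAP-MSCHAPv2"}
NOT_SUPPORTED = "EAP: Client doesn't support configured EAP methods"   # message quoted in the thread


def build_eap(code, identifier, eap_type, data=b""):
    """Encode an EAP packet: Code(1) Identifier(1) Length(2) Type(1) Type-Data."""
    return struct.pack("!BBHB", code, identifier, 5 + len(data), eap_type) + data


def parse_eap(packet):
    """Decode an EAP packet and check that the Length field matches the bytes received."""
    code, identifier, length, eap_type = struct.unpack("!BBHB", packet[:5])
    if length != len(packet):
        raise ValueError("EAP Length field does not match packet size")
    return code, identifier, eap_type, packet[5:]


class Supplicant:
    """Constructed client: supports a set of outer methods and, inside PEAP, a set of inner methods."""

    def __init__(self, outer, inner=()):
        self.outer, self.inner = set(outer), set(inner)

    def respond(self, request, tunnelled=False):
        _, identifier, offered, _ = parse_eap(request)
        supported = self.inner if tunnelled else self.outer
        if offered in supported:
            return build_eap(EAP_RESPONSE, identifier, offered)
        # Legacy Nak: Type-Data lists the desired method types, one byte each.
        return build_eap(EAP_RESPONSE, identifier, EAP_TYPE_NAK, bytes(sorted(supported)))


def negotiate(configured, supplicant, tunnelled=False):
    """Offer the service's configured methods; return the agreed method name or the error string."""
    if not configured:
        return NOT_SUPPORTED
    tried, identifier, method = set(), 1, configured[0]
    while True:
        reply = supplicant.respond(build_eap(EAP_REQUEST, identifier, method), tunnelled)
        _, _, reply_type, data = parse_eap(reply)
        identifier += 1
        tried.add(method)
        if reply_type == method:
            return NAMES[method]
        if reply_type != EAP_TYPE_NAK:
            raise ValueError("unexpected EAP type %d in response" % reply_type)
        # Only a type the service actually lists can be offered next; otherwise the
        # server has nothing left that the client will accept.
        wanted = [t for t in data if t in configured and t not in tried]
        if not wanted:
            return NOT_SUPPORTED
        method = wanted[0]


def authenticate(configured, supplicant):
    """Outer negotiation, then (for PEAP) the inner method inside the tunnel.

    Model assumption: the inner method must itself be on the service's method list,
    which is what the reply in the thread asks the reader to check.
    """
    outer = negotiate(configured, supplicant)
    if outer != "EAP-PEAP":
        return outer                    # EAP-TLS agreed, or the error string
    inner_candidates = [m for m in configured if m == EAP_TYPE_MSCHAPV2]
    inner = negotiate(inner_candidates, supplicant, tunnelled=True)
    return inner if inner == NOT_SUPPORTED else "EAP-PEAP/" + inner


# Constructed clients matching the thread: a corporate machine with a certificate,
# and a contractor device that only does PEAP with MSCHAPv2 inside.
CORPORATE = Supplicant(outer={EAP_TYPE_TLS})
CONTRACTOR = Supplicant(outer={EAP_TYPE_PEAP}, inner={EAP_TYPE_MSCHAPV2})

if __name__ == "__main__":
    for service in ([EAP_TYPE_TLS], [EAP_TYPE_TLS, EAP_TYPE_PEAP], [EAP_TYPE_TLS, EAP_TYPE_PEAP, EAP_TYPE_MSCHAPV2]):
        print([NAMES[m] for m in service], "->", authenticate(service, CONTRACTOR))
```

Running the block shows that the contractor client is rejected with the quoted message until both EAP-PEAP and EAP-MSCHAPv2 are on the service, while the EAP-TLS client succeeds in every configuration.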



  • 3.  RE: EAP: Client doesn't support configured EAP methods - [EAP-MSCHAP]

    Posted Mar 05, 2018 01:42 PM

    Hi Colin,

    This resolved our initial issue, thank you. We are now getting the error message "No trusted SAM account" and are working on it following instructions we saw in a few threads on Airheads.

    Regards,

    NesaM

     

     



  • 4.  RE: EAP: Client doesn't support configured EAP methods - [EAP-MSCHAP]

    EMPLOYEE
    Posted Mar 05, 2018 02:22 PM

    Did you already add ClearPass to the domain?



  • 5.  RE: EAP: Client doesn't support configured EAP methods - [EAP-MSCHAP]

    Posted Mar 05, 2018 04:05 PM

    That's already done. I suspect that the account used to bind the CPPM appliances to AD might have expired, or has limited access rights, but I will need to wait until morning for the customer to confirm.

    Regards,

    NesaM



  • 6.  RE: EAP: Client doesn't support configured EAP methods - [EAP-MSCHAP]

    Posted Mar 06, 2018 06:32 AM

    Hi Colin,

    After running the command "ad auth -u <user> -n <NETBIOS domain name>" I am seeing the "NT_STATUS_ACCESS_DENIED: Access denied (0xc0000022)" error.

    The user account we used to bind CPPM and AD is apparently still active, and has full access rights.

    Would leaving the AD domain and joining again be the way to go? Thanks in advance.

    Regards,

    NesaM



  • 7.  RE: EAP: Client doesn't support configured EAP methods - [EAP-MSCHAP]

    Posted Mar 06, 2018 09:01 AM

    Hi,

    In the end, we discovered that the account used to bind CPPM with AD was in effect only able to read AD, and was not a domain admin account (!!). That has now been changed, and authentication requests are coming through. Thank you for your help Colin.

    Regards,

    NesaM



  • 8.  RE: EAP: Client doesn't support configured EAP methods - [EAP-MSCHAP]

    EMPLOYEE
    Posted Mar 06, 2018 09:03 AM
    The bind account should NEVER be a domain admin account. It should be a standard user account.


  • 9.  RE: EAP: Client doesn't support configured EAP methods - [EAP-MSCHAP]

    Posted Mar 06, 2018 09:07 AM

    OK, but what kind of access rights should the user account have? The one used before could read AD, but was throwing back the error message "NT_STATUS_ACCESS_DENIED". The new one we tried gave us "NT_STATUS_OK". Thanks.

    Regards,

    NesaM



  • 10.  RE: EAP: Client doesn't support configured EAP methods - [EAP-MSCHAP]

    EMPLOYEE
    Posted Mar 06, 2018 09:21 AM
    Bind is a simple LDAP lookup and does not use NT lookup.

    I think you may be confusing LDAP lookup and NTLM password checks.


  • 11.  RE: EAP: Client doesn't support configured EAP methods - [EAP-MSCHAP]

    Posted Mar 06, 2018 11:09 AM

    Thanks Tim.

    I suppose that what confused me is that the "# ad auth -u USER -n DOMAIN" command is the only troubleshooting command I was able to find that should confirm whether the bind account is correctly set up (and it seems I was wrong in using it :-)).

    Am I correct in thinking that only these three conditions are enough to make a bind account:

    1. Service account
    2. Password never expires
    3. Not restricted at which machine it can log on

    Regarding the issues from the beginning of the thread, before we tested joining CPPM to the domain with a domain admin account we were seeing this in Access Tracker when a user tried to authenticate: SAM_error.png

    After leaving the domain and re-joining (that might have been all that was required to fix the issue!) authentication requests started coming through. Thanks.

    Regards,

    NesaM
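The three conditions listed in the last post, together with the earlier reply that the bind account should be a standard user and never a domain admin, can be turned into a check that is run over the account's AD attributes before it is entered into ClearPass. The following is an added example, written for this page and not code from the thread, from HPE Aruba or from ClearPass: it takes the attributes an LDAP search would return for the account (`userAccountControl`, `memberOf`, `userWorkstations`) and reports anything that breaks one of those conditions. The `userAccountControl` bit values are the documented Active Directory flags; the sample entries, the `review_bind_account` function and the list of groups treated as privileged are constructed assumptions for the example, and the LDAP query that would fetch a real entry is left out so the block runs offline.

```python
import re

# Documented userAccountControl flag bits (Active Directory).
UAC_ACCOUNTDISABLE = 0x0002
UAC_LOCKOUT = 0x0010
UAC_DONT_EXPIRE_PASSWORD = 0x10000
UAC_PASSWORD_EXPIRED = 0x800000

# Groups that a read-only bind account has no reason to belong to (assumed list for the example).
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators",
                     "Schema Admins", "Account Operators"}


def group_names(member_of):
    """Return the CN of each group DN in a memberOf attribute."""
    names = []
    for dn in member_of:
        match = re.match(r"CN=([^,]+)", dn, re.IGNORECASE)
        if match:
            names.append(match.group(1))
    return names


def review_bind_account(entry):
    """Check an AD entry against the conditions discussed in the thread.

    entry: dict of attribute name -> value as an LDAP client would return them
    (userAccountControl as a decimal string, memberOf as a list of DNs,
    userWorkstations as a comma-separated string). Returns a list of findings;
    an empty list means the account looks suitable for a bind account.
    """
    findings = []
    uac = int(entry.get("userAccountControl", 0))

    if uac & UAC_ACCOUNTDISABLE:
        findings.append("account is disabled")
    if uac & UAC_LOCKOUT:
        findings.append("account is locked out")
    # Condition 2: password never expires. An expiring password silently breaks the
    # bind, and with it every lookup the service depends on.
    if not uac & UAC_DONT_EXPIRE_PASSWORD:
        findings.append("password is allowed to expire")
    if uac & UAC_PASSWORD_EXPIRED:
        findings.append("password has already expired")
    # Condition 3: not restricted to particular machines.
    workstations = entry.get("userWorkstations", "")
    if workstations:
        findings.append("logon restricted to workstations: %s" % workstations)
    # Reply 8 in the thread: a standard user is sufficient; privileged membership is a finding.
    privileged = sorted(set(group_names(entry.get("memberOf", []))) & PRIVILEGED_GROUPS)
    if privileged:
        findings.append("member of privileged group(s): %s" % ", ".join(privileged))
    return findings


# Constructed sample entries; 66048 is 0x10200 (NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD).
GOOD_ENTRY = {
    "sAMAccountName": "svc-clearpass-bind",
    "userAccountControl": "66048",
    "memberOf": ["CN=Domain Users,CN=Users,DC=corp,DC=example"],
}
BAD_ENTRY = {
    "sAMAccountName": "cppm-bind",
    "userAccountControl": "512",          # NORMAL_ACCOUNT only: the password expires
    "memberOf": ["CN=Domain Admins,CN=Users,DC=corp,DC=example"],
    "userWorkstations": "DC01,WS42",
}

if __name__ == "__main__":
    for entry in (GOOD_ENTRY, BAD_ENTRY):
        print(entry["sAMAccountName"], "->", review_bind_account(entry) or ["ok"])
```

The check deliberately treats membership of an administrative group as a finding rather than a requirement: the thread's outcome was that the bind only needs an account able to read the directory, and the "NT_STATUS_ACCESS_DENIED" result from `ad auth` tests an NTLM password check, not whether the bind account is set up correctly.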