Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

(EAP PEAP) and MS-CHAP Error E=691 R=1 User Not Found

  • 1.  (EAP PEAP) and MS-CHAP Error E=691 R=1 User Not Found

    Posted Apr 26, 2018 02:02 PM

    I am running into MS-CHAP Error E=691 R=1 trying to get EAP-PEAP working. I get an authentication failed because user is not found. I have already verified that our DCs are allowing the required ports, and my LDAP browser can see anything in the AD forest. I have tried multiple laptops that are on the domain with the same result and 691 error. I have removed CPPM from the domain and re-added it but still get the same error. Any ideas?



  • 2.  RE: (EAP PEAP) and MS-CHAP Error E=691 R=1 User Not Found

    EMPLOYEE
    Posted Apr 26, 2018 02:04 PM
    Did you join your ClearPass nodes to the domain(s)?


  • 3.  RE: (EAP PEAP) and MS-CHAP Error E=691 R=1 User Not Found

    Posted Apr 26, 2018 02:07 PM

    If you are asking if ClearPass is on the domain then yes. This is for a wired EAP-PEAP setup. My Wireless EAP-TLS setup is working fine.



  • 4.  RE: (EAP PEAP) and MS-CHAP Error E=691 R=1 User Not Found

    EMPLOYEE
    Posted Apr 26, 2018 02:09 PM
    I'm asking if they're joined to the domain which is separate from the authentication source.


  • 5.  RE: (EAP PEAP) and MS-CHAP Error E=691 R=1 User Not Found

    Posted Apr 26, 2018 02:14 PM

    If you are talking about the supplicants, then yes they are also a part of the domain. Essentially I am just trying to get the basic EAP-PEAP working for our laptops and desktops that are all on the same domain as CPPM.

     

    When the request comes in it picks up the correct service but fails the authentication because "user not found" when I can easily use LDAP browser to find the computer.



  • 6.  RE: (EAP PEAP) and MS-CHAP Error E=691 R=1 User Not Found

    EMPLOYEE
    Posted Apr 26, 2018 02:20 PM
    Please post the access tracker request.


  • 7.  RE: (EAP PEAP) and MS-CHAP Error E=691 R=1 User Not Found

    Posted Apr 26, 2018 02:33 PM

    I didn't post the whole log since I would have to sanitize but I think this gets the point across, error included. (machine name and domain have been changed to sanitize)

     

    2018-04-26 07:57:28,981[Th 41 Req 1191 SessId R00000078-01-5ae1ccb8] INFO RadiusServer.Radius - rlm_ldap: searching for user host/MachineName.domain.blah-u.com in AD:DomainName.domain.blah-u.com
    2018-04-26 07:57:28,981[Th 41 Req 1191 SessId R00000078-01-5ae1ccb8] INFO RadiusServer.Radius - rlm_eap_mschapv2: Received MSCHAPv2 Response from client
    2018-04-26 07:57:28,981[Th 41 Req 1191 SessId R00000078-01-5ae1ccb8] INFO RadiusServer.Radius - rlm_mschap: MSCHAPv2 username used for challenge computation host/MachineName.domain.blah-u.com
    2018-04-26 07:57:28,981[Th 41 Req 1191 SessId R00000078-01-5ae1ccb8] ERROR RadiusServer.Radius - rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.
    2018-04-26 07:57:28,982[Th 41 Req 1191 SessId R00000078-01-5ae1ccb8] INFO RadiusServer.Radius - MS-Chap User Authentication time = 0 ms
    2018-04-26 07:57:28,982[Th 41 Req 1191 SessId R00000078-01-5ae1ccb8] ERROR RadiusServer.Radius - rlm_mschap: FAILED: MS-CHAP2-Response is incorrect


  • 8.  RE: (EAP PEAP) and MS-CHAP Error E=691 R=1 User Not Found

    Posted Apr 27, 2018 09:28 AM

    I think I made a bit of progress. In my authentication source I changed my Filter Query to (&(servicePrincipalName=%{Host:Name})(objectClass=computer))

     

    After changing that I can execute a query for my machine in the host/machine.domain.com format and LDAP finds it fine. However I am still getting the same user not found error.



  • 9.  RE: (EAP PEAP) and MS-CHAP Error E=691 R=1 User Not Found

    Posted Nov 05, 2018 05:50 PM

    I'm curious if you ever found the cause of your errors? Thank You!



  • 10.  RE: (EAP PEAP) and MS-CHAP Error E=691 R=1 User Not Found

    Posted Feb 18, 2019 02:11 PM

    In case anyone else comes across this post: I've seen this type of error generated if an end user happens to mistakenly add a "leading space" to their username on personal devices. It's usually more of a "happened the first time, and then from then on forward the phone does Auto-Complete" thing. Saw it four years ago when I watched how a student entered their credentials and caught the problem immediately. Access Tracker didn't show the leading space (although that could be related to how our admin has ClearPass configured for truncating - beyond my expertise). Been meaning to follow up about that type of behavior.



  • 11.  RE: (EAP PEAP) and MS-CHAP Error E=691 R=1 User Not Found

    EMPLOYEE
    Posted Feb 18, 2019 02:32 PM
    Another great reason to sunset legacy EAP methods 😊
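
An added example, not part of the thread or of ClearPass: a Python triage script that groups RADIUS log lines of the kind posted in reply 7 by session ID and reports the MSCHAPv2 username, whether it is a host/ machine identity, whether it carries leading or trailing whitespace (the case described in reply 10), and whether rlm_mschap logged "No NT/LM-Password". The host, user and session IDs in the sample are constructed, and it is an assumption that the raw log preserves whitespace in the username.

```python
import re
from collections import defaultdict

# Line layout taken from the excerpt in reply 7: timestamp[Th n Req n SessId id] LEVEL logger - message
LINE = re.compile(r"^\S+ \S+\[Th \d+ Req \d+ SessId (?P<sess>\S+)\] "
                  r"(?P<level>\w+) RadiusServer\.Radius - (?P<msg>.*)$")
# Exactly one separator space is consumed, so any extra whitespace stays in the captured name.
USER = re.compile(r"^rlm_mschap: MSCHAPv2 username used for challenge computation (?P<user>.*)$")

# Constructed sample input (hypothetical host, user and session IDs), not real log data.
# Assumption: the raw log keeps whitespace typed into the username field.
P1 = "2018-04-26 07:57:28,981[Th 41 Req 1191 SessId R00000001-01-00000001] "
P2 = "2018-04-26 07:58:02,114[Th 12 Req 1207 SessId R00000002-01-00000002] "
R = "RadiusServer.Radius - rlm_mschap: "
SAMPLE_LOG = "\n".join([
    P1 + "INFO " + R + "MSCHAPv2 username used for challenge computation host/pc01.example.test",
    P1 + "ERROR " + R + "FAILED: No NT/LM-Password. Cannot perform authentication.",
    P1 + "ERROR " + R + "FAILED: MS-CHAP2-Response is incorrect",
    P2 + "INFO " + R + "MSCHAPv2 username used for challenge computation  jdoe",
    P2 + "ERROR " + R + "FAILED: MS-CHAP2-Response is incorrect",
])

def summarize(log_text):
    """Return {session_id: findings} for every session seen in the log text."""
    sessions = defaultdict(lambda: {"username": None, "errors": []})
    for line in log_text.splitlines():      # no strip(): whitespace is evidence here
        m = LINE.match(line)
        if not m:
            continue                        # skip lines in any other format
        entry = sessions[m["sess"]]
        u = USER.match(m["msg"])
        if u:
            entry["username"] = u["user"]
        elif m["level"] == "ERROR":
            entry["errors"].append(m["msg"])
    report = {}
    for sess, entry in sessions.items():
        name = entry["username"] or ""
        report[sess] = {
            "username": name,
            "machine_identity": name.strip().startswith("host/"),
            "stray_whitespace": name != name.strip(),
            "no_nt_hash": any("No NT/LM-Password" in e for e in entry["errors"]),
            "failed": bool(entry["errors"]),
        }
    return report

if __name__ == "__main__":
    for sess, info in summarize(SAMPLE_LOG).items():
        print(sess, info)
```
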