Occasional Contributor II

(EAP PEAP) and MS-CHAP Error E=691 R=1 User Not Found

I am running into MS-CHAP Error E=691 R=1 trying to get EAP-PEAP working. I get an authentication failure because the user is not found. I have already verified that our DCs are allowing the required ports, and my LDAP browser can see anything in the AD forest. I have tried multiple laptops that are on the domain with the same result and 691 error. I have removed CPPM from the domain and re-added it, but I still get the same error. Any ideas?

Guru Elite

Re: (EAP PEAP) and MS-CHAP Error E=691 R=1 User Not Found

Did you join your ClearPass nodes to the domain(s)?

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
Occasional Contributor II

Re: (EAP PEAP) and MS-CHAP Error E=691 R=1 User Not Found

If you are asking if ClearPass is on the domain then yes. This is for a wired EAP-PEAP setup. My Wireless EAP-TLS setup is working fine.

Guru Elite

Re: (EAP PEAP) and MS-CHAP Error E=691 R=1 User Not Found

I'm asking if they're joined to the domain, which is separate from the authentication source.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

Occasional Contributor II

Re: (EAP PEAP) and MS-CHAP Error E=691 R=1 User Not Found

If you are talking about the supplicants, then yes, they are also a part of the domain. Essentially I am just trying to get the basic EAP-PEAP working for our laptops and desktops that are all on the same domain as CPPM.

When the request comes in, it picks up the correct service but fails the authentication because of "user not found", when I can easily use an LDAP browser to find the computer.

Guru Elite

Re: (EAP PEAP) and MS-CHAP Error E=691 R=1 User Not Found

Please post the access tracker request.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

Occasional Contributor II

Re: (EAP PEAP) and MS-CHAP Error E=691 R=1 User Not Found

I didn't post the whole log since I would have to sanitize it, but I think this gets the point across, error included. (The machine name and domain have been changed to sanitize.)

2018-04-26 07:57:28,981[Th 41 Req 1191 SessId R00000078-01-5ae1ccb8] INFO RadiusServer.Radius - rlm_ldap: searching for user host/MachineName.domain.blah-u.com in AD:DomainName.domain.blah-u.com
2018-04-26 07:57:28,981[Th 41 Req 1191 SessId R00000078-01-5ae1ccb8] INFO RadiusServer.Radius - rlm_eap_mschapv2: Received MSCHAPv2 Response from client
2018-04-26 07:57:28,981[Th 41 Req 1191 SessId R00000078-01-5ae1ccb8] INFO RadiusServer.Radius - rlm_mschap: MSCHAPv2 username used for challenge computation host/MachineName.domain.blah-u.com
2018-04-26 07:57:28,981[Th 41 Req 1191 SessId R00000078-01-5ae1ccb8] ERROR RadiusServer.Radius - rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.
2018-04-26 07:57:28,982[Th 41 Req 1191 SessId R00000078-01-5ae1ccb8] INFO RadiusServer.Radius - MS-Chap User Authentication time = 0 ms
2018-04-26 07:57:28,982[Th 41 Req 1191 SessId R00000078-01-5ae1ccb8] ERROR RadiusServer.Radius - rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
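
Added example, not part of the original thread and not ClearPass code: a small triage script for log excerpts in the format posted above. It groups lines by SessId, pulls out the identity that rlm_ldap searched for, and reports which MS-CHAPv2 error was logged; it also decodes the E=/R= fields from the thread title using the failure codes in RFC 2759. The function names and the sample lines (placeholder host and domain) are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the excerpt above; names are placeholders.
PFX = "2018-04-26 07:57:28,981[Th 41 Req 1191 SessId R00000078-01-5ae1ccb8] "
SAMPLE_LOG = "\n".join(PFX + s for s in [
    "INFO RadiusServer.Radius - rlm_ldap: searching for user host/pc1.example.test in AD:example.test",
    "INFO RadiusServer.Radius - rlm_eap_mschapv2: Received MSCHAPv2 Response from client",
    "ERROR RadiusServer.Radius - rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.",
    "INFO RadiusServer.Radius - MS-Chap User Authentication time = 0 ms",
    "ERROR RadiusServer.Radius - rlm_mschap: FAILED: MS-CHAP2-Response is incorrect",
])

LINE_RE = re.compile(
    r"^[\d-]+ [\d:,]+\[Th \d+ Req \d+ SessId (?P<sess>\S+)\] "
    r"(?P<level>[A-Z]+) \S+ - (?:(?P<module>rlm_\w+): )?(?P<msg>.*)$")

# MS-CHAPv2 failure codes as listed in RFC 2759 (Failure packet).
MSCHAP_ERRORS = {646: "ERROR_RESTRICTED_LOGON_HOURS", 647: "ERROR_ACCT_DISABLED",
                 648: "ERROR_PASSWD_EXPIRED", 649: "ERROR_NO_DIALIN_PERMISSION",
                 691: "ERROR_AUTHENTICATION_FAILURE", 709: "ERROR_CHANGING_PASSWORD"}

def decode_mschap_error(text):
    """Decode the 'E=<code> R=<retry>' fields of an MS-CHAPv2 failure string."""
    m = re.search(r"E=(\d+) R=([01])", text)
    if not m:
        return None
    code = int(m.group(1))
    return {"code": code, "name": MSCHAP_ERRORS.get(code, "UNKNOWN"),
            "retry_allowed": m.group(2) == "1"}

def triage(log_text):
    """Per session: identity searched in LDAP, logged errors, and failing stage."""
    sessions = defaultdict(lambda: {"identity": None, "source": None, "errors": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a RADIUS module line in the expected format
        s = sessions[m["sess"]]
        found = re.match(r"searching for user (\S+) in (\S+)", m["msg"])
        if m["module"] == "rlm_ldap" and found:
            s["identity"], s["source"] = found.groups()
        if m["level"] == "ERROR":
            s["errors"].append(m["msg"])
    for s in sessions.values():
        joined = " ".join(s["errors"])
        s["stage"] = ("ok" if not s["errors"]
                      else "mschap_no_password_hash" if "No NT/LM-Password" in joined
                      else "mschap_response_mismatch" if "Response is incorrect" in joined
                      else "other_error")
    return dict(sessions)
```

On the sample, the session is reported as mschap_no_password_hash: the rlm_ldap search for the host/ identity is logged first, and the error is raised afterwards by rlm_mschap.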
Occasional Contributor II

Re: (EAP PEAP) and MS-CHAP Error E=691 R=1 User Not Found

I think I made a bit of progress. In my authentication source I changed my Filter Query to (&(servicePrincipalName=%{Host:Name})(objectClass=computer))

After changing that, I can execute a query for my machine in the host/machine.domain.com format and LDAP finds it fine. However, I am still getting the same user not found error.

New Contributor

Re: (EAP PEAP) and MS-CHAP Error E=691 R=1 User Not Found

I'm curious if you ever found the cause of your errors? Thank You!
