Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

FAILED: MS-CHAP2-Response is Incorrect

  • 1.  FAILED: MS-CHAP2-Response is Incorrect

    Posted Mar 16, 2017 12:59 PM

    I have two services set up. One is in production using EAP-TLS and working fine. I created another service and cloned the Authentication source used in the production service...using EAP-PEAP. In the logs I can see that the EAP-PEAP session establishes. Then there is an eap-mschapv2 challenge issued. I then get the following errors:


    2017-03-16 09:08:16,784[Th 21 Req 3234183 SessId R000781e9-01-58cab870] INFO RadiusServer.Radius - rlm_mschap: authenticating user xxx, domain xxxx
    2017-03-16 09:08:16,817[Th 21 Req 3234183 SessId R000781e9-01-58cab870] INFO RadiusServer.Radius - rlm_mschap: user xxx authentication failed
    2017-03-16 09:08:16,817[Th 21 Req 3234183 SessId R000781e9-01-58cab870] ERROR RadiusServer.Radius - rlm_mschap: AD status:No trusted SAM account (0xc000018b)
    2017-03-16 09:08:16,818[Th 21 Req 3234183 SessId R000781e9-01-58cab870] INFO RadiusServer.Radius - MS-Chap User Authentication time = 33 ms
    2017-03-16 09:08:16,818[Th 21 Req 3234183 SessId R000781e9-01-58cab870] ERROR RadiusServer.Radius - rlm_mschap: FAILED: MS-CHAP2-Response is incorrect


  • 2.  RE: FAILED: MS-CHAP2-Response is Incorrect

    EMPLOYEE
    Posted Mar 16, 2017 01:01 PM
    - Are your ClearPass servers joined to the domain?
    - Is your bind account valid?


  • 3.  RE: FAILED: MS-CHAP2-Response is Incorrect

    Posted Mar 16, 2017 01:09 PM

    Thanks for pointing that out. So, we have 3 CPPM servers. 1 of them is joined and the bind account appears to be working because I can browse AD. The other 2 aren't joined; however, I don't think they are clustered...or done correctly...so not sure if that matters. 

    But the original Service utilizing the same authentication source (although different authentication methods) is working just fine. 




  • 4.  RE: FAILED: MS-CHAP2-Response is Incorrect

    EMPLOYEE
    Posted Mar 16, 2017 01:11 PM
    If you’re using PEAPv0/EAP-MSCHAPv2, all servers servicing authentications must be joined to the domain(s).


  • 5.  RE: FAILED: MS-CHAP2-Response is Incorrect

    Posted Mar 16, 2017 01:17 PM

    Ah, I think I see. 

    So because the original service is using EAP-TLS, not all servers need to be joined to the domain to work; however, using PEAPv0/EAP-MSCHAPv2, all servers need to be joined for the protocol/authentication to work?

    (I didn't set this up and got put on WiFi duty with little experience... so thanks for your patience and time!)



  • 6.  RE: FAILED: MS-CHAP2-Response is Incorrect
    Best Answer

    EMPLOYEE
    Posted Mar 16, 2017 01:30 PM
    Yes. In EAP-TLS, the certificate essentially replaces the password. In PEAPv0/EAP-MSCHAPv2, the actual password is in use and requires a domain join to build a trust domain for NTLMv2/Kerberos.

    That’s why EAP-TLS is the recommended authentication method when possible.


  • 7.  RE: FAILED: MS-CHAP2-Response is Incorrect

    Posted Mar 16, 2017 02:05 PM

    Sorry Tim, one more question. I want to add the 2 other servers in the cluster to the domain. I'm dumb with this stuff and wanted to make sure there wouldn't be an outage of the services during this time. I'm assuming not, but wanted to make sure that I put in a change if there was a possibility of CPPM going offline or using a server that isn't fully connected/joined to the domain.


    Thanks Tim!



  • 8.  RE: FAILED: MS-CHAP2-Response is Incorrect

    EMPLOYEE
    Posted Mar 16, 2017 02:07 PM
    You will not have to reload the server but a few services will restart during the domain join process.


  • 9.  RE: FAILED: MS-CHAP2-Response is Incorrect

    Posted Mar 16, 2017 02:09 PM

    Thanks man! I really appreciate it!



  • 10.  RE: FAILED: MS-CHAP2-Response is Incorrect

    Posted Mar 20, 2017 01:53 PM

    Hey Tim, 

    So after adding all 3 servers to the domain, I'm still getting the same error. 


    I saw some other posts out there suggesting to unjoin and then join the servers back to the domain. Does that make sense? Is that suggested in this case?


    Thanks!



  • 11.  RE: FAILED: MS-CHAP2-Response is Incorrect
    Best Answer

    EMPLOYEE
    Posted Mar 20, 2017 01:57 PM
    Try that, but you should also open a TAC case.


  • 12.  RE: FAILED: MS-CHAP2-Response is Incorrect

    Posted Mar 20, 2017 02:00 PM

    Thanks Tim! I will try that as well as open a TAC case. Thanks for your help again!!!



  • 13.  RE: FAILED: MS-CHAP2-Response is Incorrect

    Posted Mar 22, 2017 12:19 PM

    Thanks again Tim! It worked. Last night we had a change to rejoin the ClearPass server to the domain. Once done, authentication via AD worked.

    It was showing the server as joined to the domain. Looking further in AD we did not see the server. I tried to leave the domain but I kept getting an error (suspecting because it wasn't being seen on the domain within AD). So we just hit join domain and entered in the same domain info and it joined just fine. 


    Thanks again for the help!
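The log lines quoted in the first post and the resolution in the last one, as an added triage script that is not part of the thread and not ClearPass code: it groups rlm_mschap lines by session ID, extracts the NTSTATUS value that ClearPass prints after "AD status", and separates a node-side trust failure (0xc000018b is STATUS_NO_TRUSTED_SAM_ACCOUNT: the domain controller has no computer account for the node, which is exactly what a re-join repairs, and what a "joined" status in the UI can hide) from ordinary user-side failures such as a wrong password. It goes a little beyond the thread by mapping a handful of other common NTSTATUS codes as well. The regexes, the second (wrong-password) session in the sample log and the advice wording are assumptions; the first session is the one the poster quoted.

```python
"""Triage ClearPass RADIUS log lines for PEAP/EAP-MSCHAPv2 failures.

Added example, not ClearPass code: groups rlm_mschap lines by session, pulls
the NTSTATUS code ClearPass prints as "AD status", and says whether the
failure implicates the ClearPass node's own machine trust (re-join the node)
or the user's credentials. Regexes and the sample log are assumptions
modelled on the lines quoted in the thread.
"""
import re
from collections import defaultdict

# NTSTATUS values a domain controller returns during NTLM validation (public
# Windows NTSTATUS list) and which side of the exchange each one implicates.
NTSTATUS = {
    0xC000018B: ("STATUS_NO_TRUSTED_SAM_ACCOUNT", "server_trust"),
    0xC000018C: ("STATUS_TRUSTED_DOMAIN_FAILURE", "server_trust"),
    0xC000018D: ("STATUS_TRUSTED_RELATIONSHIP_FAILURE", "server_trust"),
    0xC000006D: ("STATUS_LOGON_FAILURE", "user_credentials"),
    0xC000006A: ("STATUS_WRONG_PASSWORD", "user_credentials"),
    0xC0000064: ("STATUS_NO_SUCH_USER", "user_credentials"),
    0xC0000234: ("STATUS_ACCOUNT_LOCKED_OUT", "user_account"),
    0xC0000072: ("STATUS_ACCOUNT_DISABLED", "user_account"),
    0xC0000071: ("STATUS_PASSWORD_EXPIRED", "user_account"),
}

# Assumed line layout, matching the thread's quoted lines.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} [\d:,]+)\[Th (?P<thread>\d+) Req (?P<req>\d+) "
    r"SessId (?P<sess>\S+)\] (?P<level>\w+) (?P<logger>\S+) - (?P<msg>.*)$"
)
STATUS_RE = re.compile(r"AD status:\s*(?P<text>[^(]*)\((?P<code>0x[0-9a-fA-F]{8})\)")
USER_RE = re.compile(r"authenticating user (?P<user>\S+), domain (?P<domain>\S+)")

# Constructed sample: the session from the thread plus an assumed second
# session where the user simply typed a wrong password, for contrast.
SAMPLE_LOG = [
    "2017-03-16 09:08:16,784[Th 21 Req 3234183 SessId R000781e9-01-58cab870] INFO RadiusServer.Radius - rlm_mschap: authenticating user xxx, domain xxxx",
    "2017-03-16 09:08:16,817[Th 21 Req 3234183 SessId R000781e9-01-58cab870] INFO RadiusServer.Radius - rlm_mschap: user xxx authentication failed",
    "2017-03-16 09:08:16,817[Th 21 Req 3234183 SessId R000781e9-01-58cab870] ERROR RadiusServer.Radius - rlm_mschap: AD status:No trusted SAM account (0xc000018b)",
    "2017-03-16 09:08:16,818[Th 21 Req 3234183 SessId R000781e9-01-58cab870] ERROR RadiusServer.Radius - rlm_mschap: FAILED: MS-CHAP2-Response is incorrect",
    "2017-03-16 09:09:02,101[Th 22 Req 3234190 SessId R000781ea-01-58cab8a2] INFO RadiusServer.Radius - rlm_mschap: authenticating user jdoe, domain xxxx",
    "2017-03-16 09:09:02,130[Th 22 Req 3234190 SessId R000781ea-01-58cab8a2] ERROR RadiusServer.Radius - rlm_mschap: AD status:Wrong password (0xc000006a)",
    "2017-03-16 09:09:02,130[Th 22 Req 3234190 SessId R000781ea-01-58cab8a2] ERROR RadiusServer.Radius - rlm_mschap: FAILED: MS-CHAP2-Response is incorrect",
]


def parse_line(line):
    """Split one ClearPass RADIUS log line into its fields, or None."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def triage(lines):
    """Group rlm_mschap lines by session and classify each failure."""
    sessions = defaultdict(lambda: {
        "user": None, "domain": None, "nt_status": None,
        "nt_name": None, "category": None, "failed": False,
    })
    for raw in lines:
        rec = parse_line(raw)
        if rec is None or "rlm_mschap" not in rec["msg"]:
            continue
        s, msg = sessions[rec["sess"]], rec["msg"]
        um = USER_RE.search(msg)
        if um:
            s["user"], s["domain"] = um.group("user"), um.group("domain")
        sm = STATUS_RE.search(msg)
        if sm:
            code = int(sm.group("code"), 16)
            name, cat = NTSTATUS.get(code, ("UNKNOWN_NTSTATUS", "unclassified"))
            s["nt_status"], s["nt_name"], s["category"] = code, name, cat
        if "MS-CHAP2-Response is incorrect" in msg:
            s["failed"] = True
    return dict(sessions)


def advice(entry):
    """Turn one triaged session into the action a practitioner would take."""
    if not entry["failed"]:
        return "No MS-CHAPv2 failure recorded."
    if entry["category"] == "server_trust":
        return ("Re-join this ClearPass node to the domain: the DC reports "
                f"{entry['nt_name']}, so the node's computer account is missing "
                "or its machine trust is broken. Confirm the computer object "
                "exists in AD on every node that services PEAP.")
    if entry["category"] in ("user_credentials", "user_account"):
        return (f"User-side problem ({entry['nt_name']}) for "
                f"{entry['domain']}\\{entry['user']}; the node's domain join is fine.")
    return "Failure without a recognised AD status; check that the node is joined."


if __name__ == "__main__":
    for sess, entry in triage(SAMPLE_LOG).items():
        print(sess, entry["nt_name"], "->", advice(entry))
```

Run it against a log export from each node in the cluster separately: a server_trust result on one node and clean results on the others is the signature of the situation in this thread, where only the node that actually serviced the request had a broken machine account.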