Occasional Contributor II

Kerberos in ClearPass

Question - I am trying to get PEAP/MSCHAPv2 working in a wired 802.1X deployment. I work in a very locked down environment where NTLM is NOT allowed. I believe the built in AD template in ClearPass doesn't support Kerberos. I noticed there is a Kerberos service profile but in my reading non-Windows devices need a keytab file for Kerberos auth to work. My question is how do I get the keytab file installed inside of ClearPass? Or is it required at all?

Any info would be great!

Guru Elite

Re: Kerberos in ClearPass

If NTLM is not allowed, you should not be using legacy EAP methods like PEAP. Use EAP-TLS.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
Occasional Contributor II

Re: Kerberos in ClearPass

That would be great however our machines do not have domain certs. Unfortunately this is not an option for us. 

Guru Elite

Re: Kerberos in ClearPass

That is really your only option. PEAPv0/EAP-MSCHAPv2 uses MSCHAPv2 which uses NTLMv1.

Occasional Contributor II

Re: Kerberos in ClearPass

Well since MSCHAPv2 works with Kerberos in Windows NPS I guess I will advise my customers to not spend 30K on ClearPass.

Guru Elite

Re: Kerberos in ClearPass

Your requirement was to not use NTLM. Using Kerberos with EAP-MSCHAPv2 still uses NTLM on the backend.


Re: Kerberos in ClearPass

There are two parts to this. In NPS, the connection to the domain from the NPS server is Kerberos authenticated, as is the same situation with ClearPass.

There is no way to run the actual MS-CHAPv2 authentication with Kerberos, as NTLM is the only defined authentication scheme in MS-CHAPv2.

Moving to NPS will not change that in any way as it cannot change the standards. As Tim said, if NTLM cannot be used by policy, you cannot deploy PEAP/MSCHAPv2, and should move to other authentication methods.

--
If you have urgent issues, please contact your Aruba partner or Aruba TAC (click for contact details).