Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

MSCHAP V2 - Response is incorrect

  • 1.  MSCHAP V2 - Response is incorrect

    Posted Jan 05, 2015 04:46 PM

    I've contacted TAC but I'm in a world of hurt with 22000+ users...

     

    Problem started around 1 pm today and is growing rapidly:

     

    2015-01-05 15:39:52,326[Th 1193 Req 1631729 SessId R00023f2d-01-54ab04a8] ERROR RadiusServer.Radius - rlm_mschap: AD status:Reading winbind reply failed! (0xc0000001)
    2015-01-05 15:39:52,326[Th 1193 Req 1631729 SessId R00023f2d-01-54ab04a8] ERROR RadiusServer.Radius - rlm_mschap: FAILED: MS-CHAP2-Response is incorrect

     

    is the primary message I see inside the log files of the CPPM (version 6.4.3 which we just moved to 12/20/14).  Since it started mid-day, I'm not as inclined to think it is the upgrade.  Users get correct roles, etc.  The error message makes me think it is a bad username/password combo but not everyone in the district simultaneously forgot their password after using it correctly in the morning??!!??

     

    Alerts tab:

    MSCHAP: AD status:Reading winbind reply failed! (0xc0000001)
    MSCHAP: AD status:Reading winbind reply failed! (0xc0000001)
    MSCHAP: AD status:Reading winbind reply failed! (0xc0000001)
    MSCHAP: Authentication failed
    EAP-MSCHAPv2: User authentication failure

     

    We're going to try rebooting AD servers first.

     

    Any ideas? Suggestions?

     

    **Additional**
    Machine authentications are doing it as well



  • 2.  RE: MSCHAP V2 - Response is incorrect

    EMPLOYEE
    Posted Jan 05, 2015 04:48 PM
    Can you try rejoining the ClearPass servers to the domain?


  • 3.  RE: MSCHAP V2 - Response is incorrect

    EMPLOYEE
    Posted Jan 05, 2015 04:49 PM

    Did you try removing and then re-adding it to the domain?

     



  • 4.  RE: MSCHAP V2 - Response is incorrect

    Posted Jan 05, 2015 04:50 PM

    The winbind error looks to be a domain join issue.  Can you rejoin the CPPM appliances to the domain?  Also, make sure DNS is configured and working correctly on the CPPM side.



  • 5.  RE: MSCHAP V2 - Response is incorrect

    Posted Jan 05, 2015 04:53 PM

    Thanks for the replies/ideas.  Once the AD servers (2) are rebooted, I'll see how it is going.  If it is still down, I'll redo the AD domain connection in the CPPM servers.

     

    Thanks again!!



  • 6.  RE: MSCHAP V2 - Response is incorrect

    Posted Jan 05, 2015 05:46 PM

    I think rejoining to domain fixed the issue.  Seeing some rejects but error messages are not the same as before rejoin.  Quite possibly users with BYOD device trying to access our corporate .1x network (not allowed by configuration).  I'll keep checking.

     

    Thanks for the rescue!!



  • 7.  RE: MSCHAP V2 - Response is incorrect

    Posted Feb 13, 2015 03:10 AM

    I've got the same issue. If there is any idea, help please.



  • 8.  RE: MSCHAP V2 - Response is incorrect

    Posted Feb 13, 2015 03:15 AM

    My customer is facing this issue almost every day. I've tried almost everything: removing from the domain and joining again, rebooting CPPM, rebooting AD, but there is still a problem. The issue is happening randomly, and when we face these error messages, after 30-40 minutes the CPPM starts accepting the clients and works normally.

     



  • 9.  RE: MSCHAP V2 - Response is incorrect

    EMPLOYEE
    Posted Feb 13, 2015 03:31 AM
    Please open a TAC case. They will need to look at a debug of the RADIUS when the issue happens. I've seen this issue in a few customers and it usually ends up being an AD issue where the AD is either undersized or other programs are being run on the AD server or shared resource VM.
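
Added example, not part of the thread and not ClearPass code: a small triage script that separates rejects caused by a failed winbind/AD lookup from genuine wrong-password rejects, by pairing the two log messages quoted in the first post on their session and request IDs. The line layout is taken from those two quoted lines; the function names, the `outage_ratio` threshold and all but the first two sample lines are assumptions made for illustration.

```python
import re
from collections import Counter

# Layout assumed from the two log lines quoted in the first post.
LINE_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}\s*"
    r"\[Th \d+ Req (?P<req>\d+) SessId (?P<sess>\S+)\]\s+"
    r"[A-Z]+\s+\S+\s+-\s+(?P<msg>.*)$"
)
WINBIND_RE = re.compile(r"AD status:.*winbind.*\((0x[0-9a-fA-F]+)\)")
REJECT_TEXT = "MS-CHAP2-Response is incorrect"

def classify(lines):
    """Map (session, request) -> 'backend' or 'credentials' for each reject."""
    backend, rejected = {}, []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not a RADIUS log line in the expected layout
        key = (m["sess"], m["req"])
        wb = WINBIND_RE.search(m["msg"])
        if wb:
            backend[key] = wb.group(1)  # status code logged with the AD failure
        elif REJECT_TEXT in m["msg"]:
            rejected.append(key)
    # Resolved after the full pass so the order of the two messages does not matter.
    return {k: ("backend" if k in backend else "credentials") for k in rejected}

def summarize(lines, outage_ratio=0.5):
    """Count reject causes; outage_ratio is an assumed, tunable threshold."""
    counts = Counter(classify(lines).values())
    total = sum(counts.values())
    return {
        "backend": counts["backend"],
        "credentials": counts["credentials"],
        "likely_ad_problem": total > 0 and counts["backend"] / total >= outage_ratio,
    }

# First two lines are from the post above; the remaining lines are constructed.
SAMPLE_LOG = """\
2015-01-05 15:39:52,326[Th 1193 Req 1631729 SessId R00023f2d-01-54ab04a8] ERROR RadiusServer.Radius - rlm_mschap: AD status:Reading winbind reply failed! (0xc0000001)
2015-01-05 15:39:52,326[Th 1193 Req 1631729 SessId R00023f2d-01-54ab04a8] ERROR RadiusServer.Radius - rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
2015-01-05 15:39:53,101[Th 1194 Req 1631730 SessId R00023f2e-01-54ab04a9] ERROR RadiusServer.Radius - rlm_mschap: AD status:Reading winbind reply failed! (0xc0000001)
2015-01-05 15:39:53,102[Th 1194 Req 1631730 SessId R00023f2e-01-54ab04a9] ERROR RadiusServer.Radius - rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
2015-01-05 15:39:54,210[Th 1195 Req 1631731 SessId R00023f2f-01-54ab04aa] ERROR RadiusServer.Radius - rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
unrelated line that does not match the layout
""".splitlines()

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

A high share of "backend" rejects points at the domain join, DNS or AD capacity causes raised in the replies rather than at user passwords.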