Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Palo Alto Admin authentication through ClearPass to AD - CHAP Failing

  • 1.  Palo Alto Admin authentication through ClearPass to AD - CHAP Failing

    Posted Mar 30, 2017 11:05 PM

    Hi all,

    Looking for some guidance. I'm lab testing Palo Alto admin authentication via RADIUS to ClearPass.

    I can get authentication to work fine when using PAP but not CHAP.

    The authentication source is Windows 2012 R2 AD. The example user account has been set to use reversible encryption and the default domain security policy is the same.

    When I point the Palo Alto to the Windows box and set up NPS, I can do CHAP authentication; however, it shows up as MD5-CHAP in the NPS logs.

    When ClearPass tries, I get these logs:

    2017-03-31 13:57:28,688[Th 22 Req 21 SessId R00000015-01-58ddc598] DEBUG RadiusServer.Radius - rlm_pap: Attribute "Password" missing. Cannot use "CHAP-Password". Not setting Auth-Type.
    2017-03-31 13:57:28,688[Th 22 Req 21 SessId R00000015-01-58ddc598] DEBUG RadiusServer.Radius - modcallauthorize]: module "svc_3002_authmthd_1" returns noop for request 21
    2017-03-31 13:57:28,688[Th 22 Req 21 SessId R00000015-01-58ddc598] DEBUG RadiusServer.Radius - rlm_chap: Setting 'Auth-Type := svc_3002_authmthd_6'
    2017-03-31 13:57:28,688[Th 22 Req 21 SessId R00000015-01-58ddc598] DEBUG RadiusServer.Radius - modcallauthorize]: module "svc_3002_authmthd_6" returns ok for request 21
    2017-03-31 13:57:28,688[Th 22 Req 21 SessId R00000015-01-58ddc598] DEBUG RadiusServer.Radius - rlm_eap: No EAP-Message, not doing EAP
    2017-03-31 13:57:28,688[Th 22 Req 21 SessId R00000015-01-58ddc598] DEBUG RadiusServer.Radius - modcallauthorize]: module "svc_3002_eap" returns noop for request 21
    2017-03-31 13:57:28,688[Th 22 Req 21 SessId R00000015-01-58ddc598] DEBUG RadiusServer.Radius - rlm_auth_check: Allowed authentication methods: svc_3002_authmthd_1, svc_3002_authmthd_6, svc_3002_eap
    2017-03-31 13:57:28,688[Th 22 Req 21 SessId R00000015-01-58ddc598] DEBUG RadiusServer.Radius - radius: No MS Identity VP
    2017-03-31 13:57:28,688[Th 22 Req 21 SessId R00000015-01-58ddc598] DEBUG RadiusServer.Radius - rlm_auth_check: allowed Authentication method svc_3002_authmthd_6 set.
    2017-03-31 13:57:28,688[Th 22 Req 21 SessId R00000015-01-58ddc598] DEBUG RadiusServer.Radius - modcallauthorize]: module "svc_3002_auth_check" returns ok for request 21
    2017-03-31 13:57:28,688[Th 22 Req 21 SessId R00000015-01-58ddc598] DEBUG RadiusServer.Radius - modcall: leaving group svc_PAN Admin Radius_3002 (returns ok) for request 21
    2017-03-31 13:57:28,688[Th 22 Req 21 SessId R00000015-01-58ddc598] DEBUG RadiusServer.Radius - rad_check_password: Found Auth-Type svc_3002_authmthd_6
    2017-03-31 13:57:28,688[Th 22 Req 21 SessId R00000015-01-58ddc598] DEBUG RadiusServer.Radius - auth: type "svc_3002_authmthd_6"
    2017-03-31 13:57:28,688[Th 22 Req 21 SessId R00000015-01-58ddc598] DEBUG RadiusServer.Radius - Processing the authenticate section of radiusd.conf
    2017-03-31 13:57:28,688[Th 22 Req 21 SessId R00000015-01-58ddc598] DEBUG RadiusServer.Radius - modcall: entering group svc_3002_authmthd_6 for request 21
    2017-03-31 13:57:28,688[Th 22 Req 21 SessId R00000015-01-58ddc598] DEBUG RadiusServer.Radius - rlm_chap: login attempt by "homer" with CHAP password
    2017-03-31 13:57:28,688[Th 22 Req 21 SessId R00000015-01-58ddc598] DEBUG RadiusServer.Radius - rlm_chap: Could not find clear text password for user homer
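
The final `rlm_chap` line in the log above follows from how CHAP is defined: the verifier has to recompute an MD5 over the user's cleartext password, so a backend that can only supply a one-way hash cannot check the response. The sketch below is an added example, not part of any post in this thread and not ClearPass or FreeRADIUS code; the record keys `cleartext` and `nt_hash`, the password and the challenge bytes are constructed for illustration.

```python
import hashlib
import hmac

def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994: Response = MD5(ID || secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()

def build_chap_password(ident: int, password: bytes, challenge: bytes) -> bytes:
    """RADIUS CHAP-Password value (RFC 2865 sec. 5.3): 1-octet ID + 16-octet response."""
    return bytes([ident]) + chap_response(ident, password, challenge)

def verify_chap(chap_password: bytes, challenge: bytes, stored: dict) -> str:
    """Check a CHAP-Password value against whatever the credential store can supply.

    `stored` is a hypothetical record: 'cleartext' is present only when the
    backend can hand back the recoverable password; 'nt_hash' alone is not enough.
    `challenge` is the CHAP-Challenge attribute, or the Request Authenticator
    when that attribute is absent.
    """
    if len(chap_password) != 17:
        return "reject: malformed CHAP-Password"
    cleartext = stored.get("cleartext")
    if cleartext is None:
        # Same condition as "Could not find clear text password" in the log:
        # MD5(ID || password || challenge) cannot be derived from a hash.
        return "reject: no cleartext password available"
    ident, response = chap_password[0], chap_password[1:]
    expected = chap_response(ident, cleartext, challenge)
    if hmac.compare_digest(expected, response):
        return "accept"
    return "reject: response mismatch"

# Constructed sample values (not taken from the thread).
IDENT = 0x15
CHALLENGE = bytes(range(16))
PASSWORD = b"D0nut-lab!"

def demo() -> list:
    attr = build_chap_password(IDENT, PASSWORD, CHALLENGE)
    return [
        verify_chap(attr, CHALLENGE, {"cleartext": PASSWORD}),
        verify_chap(attr, CHALLENGE, {"nt_hash": bytes(16)}),  # hash-only backend
        verify_chap(attr, CHALLENGE, {"cleartext": b"wrong"}),
    ]

if __name__ == "__main__":
    for result in demo():
        print(result)
```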


  • 2.  RE: Palo Alto Admin authentication through ClearPass to AD - CHAP Failing

    Posted Mar 30, 2017 11:06 PM

    Further info - PANOS 7.1.8 and CPPM 6.6.4

    Server is joined to domain


  • 3.  RE: Palo Alto Admin authentication through ClearPass to AD - CHAP Failing

    Posted Apr 04, 2017 08:57 AM

    BUMP!

    For some weird reason my post disappeared over the weekend. Hoping this gets someone's attention!


  • 4.  RE: Palo Alto Admin authentication through ClearPass to AD - CHAP Failing

    Posted Apr 06, 2017 03:13 PM

    My org doesn't store passwords with reversible encryption, so CHAP was out of the question for me (made a great case for upgrading PAN to a newer version with TACACS support). You mentioned that NPS logs show MD5-CHAP instead of just CHAP, so have you tried adding EAP-MD5 to the authentication methods list in your auth service?



  • 5.  RE: Palo Alto Admin authentication through ClearPass to AD - CHAP Failing

    Posted Apr 17, 2017 07:17 AM

    Yeah, I did try using MD5 but still failed. Hadn't considered using TACACS. RADIUS was my default choice out of habit!



  • 6.  RE: Palo Alto Admin authentication through ClearPass to AD - CHAP Failing

    Posted May 02, 2017 06:40 AM

    Did you resolve this? I have the same issue with Palo Alto and CHAP.

    Also have a similar issue with an "other" RADIUS server. I'm wondering if it's a Windows 2012 R2 thing. Users have reversible passwords enabled.



  • 7.  RE: Palo Alto Admin authentication through ClearPass to AD - CHAP Failing

    Posted Jun 27, 2017 06:50 AM

    Unfortunately not, had to engineer around it to meet customer timeline.