Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

User connects with username EAP-PEAP (MSCHAPv2)

  • 1.  User connects with username EAP-PEAP (MSCHAPv2)

    Posted Jan 23, 2019 09:41 AM

    Has anyone seen this:
    Users connected to the employee SSID over EAP-PEAP MS-CHAPv2 with the username “EAP-PEAP (MSCHAPv2)”. AirWave and the controllers registered the clients, but ClearPass has not passed the authentication (obviously because the username is wrong), yet the clients do pass the authentication.

    The issue occurs randomly to small numbers of clients. 
    AOS 6.5.3.3 CPPM 6.7.6


    From AirWave:


    (WC02) #show user mac 38:f9:d3:xx:xx:xx
    Name: EAP-PEAP (MSCHAPv2), IP: 10.x.y.z, MAC: 38:f9:d3:xx:xx:xx, Age: 00:01:20
    Role: EMPLOYEE-ROLE (how: ROLE_DERIVATION_DOT1X_VSA), ACL: 118/0
    Authentication: Yes, status: successful, method: 802.1x, protocol: EAP-PEAP, server: CP01
    Authentication Servers: dot1x authserver: CP01, mac authserver:
    Bandwidth = No Limit
    Bandwidth = No Limit
    Role Derivation: ROLE_DERIVATION_DOT1X_VSA
    VLAN Derivation: Dot1x Aruba VSA
    Idle timeout (global): 1800 seconds, Age: 00:00:14
    Mobility state: Wireless, HA: Yes, Proxy ARP: No, Roaming: No Tunnel ID: 0 L3 Mob: 0
    Flags: internal=0, trusted_ap=0, l3auth=0, mba=0, vpnflags=0, u_stm_ageout=1
    Flags: innerip=0, outerip=0, vpn_outer_ind:0, download=1, wispr=0
    IP User termcause: 0
    phy_type: a-VHT-40, l3 reauth: 0, BW Contract: up:0 down:0, user-how: 1
    Vlan default: 110, Assigned: 1316, Current: 1316 vlan-how: 17 DP assigned vlan:0                                      
    Mobility Messages: L2=0, Move=0, Inter=0, Intra=0, Flags=0x0
    SlotPort=0x2100, Port=0x1047a (tunnel 1146)
    --More-- (q) quit (u) pageup (/) search (n) repeat




  • 2.  RE: User connects with username EAP-PEAP (MSCHAPv2)

    EMPLOYEE
    Posted Jan 23, 2019 09:44 AM

    It seems like you have an enforcement policy in ClearPass that sets the username to "EAP-PEAP (MSCHAPv2)."


    Take a look at your enforcement policies.



  • 3.  RE: User connects with username EAP-PEAP (MSCHAPv2)

    Posted Jan 23, 2019 11:19 AM

    Colin,
    I combed through all Enforcement Policies and Profiles and couldn’t find any setting that sets the username to “EAP-PEAP (MSCHAPv2)”. I have hundreds of clients authenticated with EAP-PEAP MSCHAPv2, and they all use the same Employee WiFi Service in ClearPass. These connected clients are mostly mobile devices; only 17 of them are in this strange situation. Of these 17 clients, 16 are Apple Macs and one is Windows 10; there are no Android or other OSs.
    In this Timeout ClearPass tracker entry, the username is “EAP-PEAP (MSCHAPv2)”. Is this username sent from the NAD, the controller?




  • 4.  RE: User connects with username EAP-PEAP (MSCHAPv2)

    EMPLOYEE
    Posted Jan 23, 2019 11:28 AM

    An 802.1x client can easily change the Anonymous Identity (username) of the client on the supplicant.  I would get one of those devices in your hand and examine them.



  • 5.  RE: User connects with username EAP-PEAP (MSCHAPv2)

    Posted Jan 23, 2019 03:07 PM

    I won’t be able to get this device from the user because it is a personal mobile device. I’ll try to replicate the issue and see if I can force the client to reveal its identity.

    Any quick tip on how to block the user-id “EAP-PEAP (MSCHAPv2)”? Or any setting to force a non-anonymous identity?




  • 6.  RE: User connects with username EAP-PEAP (MSCHAPv2)
    Best Answer

    EMPLOYEE
    Posted Jan 23, 2019 03:26 PM

    Alternatively, you can set this parameter below to override any anonymous user that has been set in a client:  https://www.arubanetworks.com/techdocs/ClearPass/6.7/PolicyManager/index.htm#CPPM_UserGuide/Admin/ServerConfig_serviceparamsradiusserver.htm?Highlight=use%20inner%20identity


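The thread turns on the difference between the PEAP outer identity (the cleartext EAP-Identity the supplicant chooses, which a user can set to any placeholder such as “EAP-PEAP (MSCHAPv2)”) and the inner identity (the MSCHAPv2 username actually verified inside the TLS tunnel). The following added example, written for this page and not code from the thread or from HPE Aruba, parses the controller `show user` output pasted in post 1 and flags sessions whose recorded username looks like an anonymous placeholder, then models what ClearPass would record with and without the “use inner identity” service parameter from post 6. The session records, the placeholder patterns, and the modelled effect of the parameter are constructed assumptions for illustration.

```python
import re

# Constructed sample: the first lines of the Aruba controller "show user mac" output
# from post 1, with the same redacted placeholders.
SHOW_USER_OUTPUT = """\
Name: EAP-PEAP (MSCHAPv2), IP: 10.x.y.z, MAC: 38:f9:d3:xx:xx:xx, Age: 00:01:20
Role: EMPLOYEE-ROLE (how: ROLE_DERIVATION_DOT1X_VSA), ACL: 118/0
Authentication: Yes, status: successful, method: 802.1x, protocol: EAP-PEAP, server: CP01
"""

# Constructed ClearPass-style session records (outer identity, inner identity, result).
# A TIMEOUT entry, as in post 3, never completed the inner exchange, so it has no inner identity.
SESSIONS = [
    {"outer": "jdoe@corp.example", "inner": "jdoe", "status": "ACCEPT"},
    {"outer": "EAP-PEAP (MSCHAPv2)", "inner": "asmith", "status": "ACCEPT"},
    {"outer": "anonymous@corp.example", "inner": "bwu", "status": "ACCEPT"},
    {"outer": "EAP-PEAP (MSCHAPv2)", "inner": None, "status": "TIMEOUT"},
]

# Assumed placeholder patterns a supplicant may present as its anonymous (outer) identity.
ANON_PATTERNS = [
    re.compile(r"^EAP-PEAP \(MSCHAPv2\)$"),
    re.compile(r"^anonymous(@.*)?$", re.IGNORECASE),
]


def is_anonymous_identity(username):
    """True when the username is empty or matches a known anonymous-identity placeholder."""
    if not username or not username.strip():
        return True
    return any(p.match(username) for p in ANON_PATTERNS)


def parse_show_user(text):
    """Extract the fields of interest from 'show user mac' output.

    Each line is a comma-separated list of 'Key: value' items; the first occurrence of a key
    wins, since some keys (e.g. Age) repeat further down the full output.
    """
    fields = {}
    for line in text.splitlines():
        for item in line.split(", "):
            if ": " in item:
                key, value = item.split(": ", 1)
                fields.setdefault(key.strip(), value.strip())
    # "EMPLOYEE-ROLE (how: ROLE_DERIVATION_DOT1X_VSA)" -> role name and derivation method
    role_match = re.match(r"(\S+)\s*\(how: ([^)]+)\)", fields.get("Role", ""))
    username = fields.get("Name", "")
    return {
        "username": username,
        "mac": fields.get("MAC"),
        "role": role_match.group(1) if role_match else fields.get("Role"),
        "role_how": role_match.group(2) if role_match else None,
        "auth_status": fields.get("status"),
        "protocol": fields.get("protocol"),
        "server": fields.get("server"),
        "anonymous_identity": is_anonymous_identity(username),
    }


def recorded_username(session, use_inner_identity):
    """Username the RADIUS server is modelled to record for a session.

    Assumption: by default the outer identity is recorded; with the 'use inner identity'
    parameter enabled, the inner identity replaces it whenever the inner exchange completed.
    """
    if use_inner_identity and session["inner"]:
        return session["inner"]
    return session["outer"]


def find_anonymous_sessions(sessions, use_inner_identity=False):
    """Sessions whose recorded username is a placeholder rather than a real user."""
    return [s for s in sessions
            if is_anonymous_identity(recorded_username(s, use_inner_identity))]


if __name__ == "__main__":
    print(parse_show_user(SHOW_USER_OUTPUT))
    for flag in (False, True):
        hits = find_anonymous_sessions(SESSIONS, use_inner_identity=flag)
        print(f"use inner identity={flag}: {len(hits)} placeholder username(s)")
```

With the parameter off, every session whose supplicant set a placeholder outer identity is recorded under that placeholder, which is what the controller and Access Tracker in the thread show. With it on, only the timed-out session still carries the placeholder, because no inner identity was ever verified for it; such entries are the ones worth reviewing rather than the accepted ones.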