Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

integrate ClearPass with Lotus Domino LDAP 802.1x EAP- MS CHAP V2 authentication process

  • 1.  integrate ClearPass with Lotus Domino LDAP 802.1x EAP- MS CHAP V2 authentication process

    Posted Dec 27, 2014 05:45 AM

    We are trying to integrate ClearPass with a Lotus Domino LDAP server for authentication of Windows clients, using the 802.1x EAP-MS CHAP V2 authentication process, and it's not working. Can anybody help?

  • 2.  RE: integrate ClearPass with Lotus Domino LDAP 802.1x EAP- MS CHAP V2 authentication process
    Best Answer

    EMPLOYEE
    Posted Dec 27, 2014 05:50 AM

    Sir,

    Please see the diagram here:  http://deployingradius.com/documents/protocols/compatibility.html

    Unless the passwords in Lotus Domino are encrypted using ClearText or NT_Hash algorithm, you cannot do MsChapV2.  Please find out what the encryption is, to determine an alternative based on the chart.

    The bad news is if Lotus Domino does not support either ClearText or NT_Hash, you will have to install a supplicant on your Windows clients to support a different EAP type if you still want to point at the Domino server using LDAP to do encryption.

    As an alternative, if your clients log in to a domain, you should add your ClearPass Server to that Windows domain and then set it up as an Active Directory Authentication Source http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/How-to-Add-Clear-Pass-to-Domain/ta-p/187614 install a Windows RADIUS server and have your clients authenticate to that, instead of pointing at the Lotus Domino server for authentication: http://community.arubanetworks.com/t5/Community-Tribal-Knowledge-Base/Step-by-Step-How-to-Configure-Microsoft-NPS-2008-Radius-Server/ta-p/80672  You will be able to support MsChapV2 with the built-in Windows Supplicant in that setup.  It takes more effort on the server side than just pointing to the Domino server via LDAP, but you will not have to install additional software on your Windows clients, so it is preferred.

     



  • 3.  RE: integrate ClearPass with Lotus Domino LDAP 802.1x EAP- MS CHAP V2 authentication process

    Posted Dec 27, 2014 06:14 AM
    We have an ARUBA TAC Case # 1621000 opened on 18th Dec 2014.

    I am sure that if the solution was so simple it would have been closed by
    now.


  • 4.  RE: integrate ClearPass with Lotus Domino LDAP 802.1x EAP- MS CHAP V2 authentication process

    EMPLOYEE
    Posted Dec 27, 2014 06:28 AM

    nieshsbhatt,

    I am responding based on the information that you gave in your post.  There could be more information in your case.  Very few people set up 802.1x using LDAP due to the restrictions in the chart above.

    You could just add the ClearPass Server to the Windows Domain and then set up an Active Directory Authentication Method to avoid any issues with Domino. http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/How-to-Add-Clear-Pass-to-Domain/ta-p/187614  You can do that while you are troubleshooting your issue with Domino LDAP.


  • 5.  RE: integrate ClearPass with Lotus Domino LDAP 802.1x EAP- MS CHAP V2 authentication process

    Posted Dec 27, 2014 06:42 AM

    Can you please suggest an alternative method for this, which can be easily implemented at site?

    Sorry, I am new to this community and product, hence asking you some basic questions.



  • 6.  RE: integrate ClearPass with Lotus Domino LDAP 802.1x EAP- MS CHAP V2 authentication process

    Posted Dec 27, 2014 06:42 AM

    Can you please suggest an alternative method for this, which can be easily implemented at site?

    Sorry, I am new to this community and product, hence asking you some basic questions.



  • 7.  RE: integrate ClearPass with Lotus Domino LDAP 802.1x EAP- MS CHAP V2 authentication process

    EMPLOYEE
    Posted Dec 27, 2014 07:07 AM

    If you are still connected to support, you should ask them if they could help you add ClearPass to the domain instead, and issue your ClearPass a server certificate.