Wireless Access

Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Trimming FQDN causes Windows devices to not connect

  • 1.  Trimming FQDN causes Windows devices to not connect

    Posted Feb 09, 2019 03:53 PM

    Hello everyone!  We are currently using ClearPass (auth via Active Directory), with EAP-PEAP (MSCHAPv2) to connect our devices.  We previously used Microsoft's NPS before we had ClearPass.  We also have a 7210 controller running 8.4 (though this was an issue on all 8.x versions we tried).

     

    Long story short: When "Trim FQDN" is enabled, our Domain-Joined Windows devices cannot connect.  According to the Access Tracker, the roles, enforcement, etc. work, but the connection is rejected because the "Authentication Method" changes from PEAP MSCHAPv2 to just "EAP".  I've attached a screenshot.

     

    iPads, Chromebooks, Android, etc. are still able to connect.  When we used NPS, Domain-Joined Windows PCs would still Auth fine.

     

    I contacted support, talked to a ClearPass engineer, and he thinks the issue is on the controller side, as all of the settings used in ClearPass seemed fine.

     

    Has anyone seen this before or have any ideas?  Thanks in advance!



  • 2.  RE: Trimming FQDN causes Windows devices to not connect

    MVP EXPERT
    Posted Feb 09, 2019 08:26 PM
    Hi Ryanfaith,

    Please check whether the "strip off" setting in the authentication source of your ClearPass service is set correctly. You only see EAP because the authentication isn't complete.

    And for MSCHAPv2 your ClearPass nodes need to be AD joined.

    Better not to use PEAP-MSCHAPv2; it has some well-known security risks these days. Better to use EAP-TLS.

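An added illustration of the username-stripping step the reply above refers to (this is not code from the thread and not ClearPass's own implementation, whose rule syntax is not reproduced here). It shows how the identity formats a Windows supplicant typically sends (DOMAIN\user, user@realm, and host/fqdn for machine authentication) are reduced to the account name that an authentication source is queried for, and how the choice of stripping changes whether a lookup hits. The account set and identity strings are constructed samples.

```python
"""
Illustration (not ClearPass code) of "strip username" style rules applied to
the identity a Windows 802.1X supplicant sends, and of why the stripped form
must still match an account in the authentication source before the inner
PEAP-MSCHAPv2 exchange can complete. All identities and accounts are
constructed samples.
"""
from dataclasses import dataclass
from typing import Optional, Set

MACHINE_PREFIX = "host/"   # Windows machine authentication identity prefix


@dataclass(frozen=True)
class Identity:
    account: str            # name to look up in the authentication source
    realm: Optional[str]    # domain / realm portion, if one was present
    is_machine: bool        # True for computer (machine) authentication


def strip_identity(raw: str, trim_fqdn: bool = True) -> Identity:
    """Normalise common Windows identity formats.

    Handles: DOMAIN\\user, user@realm.tld, host/pc.realm.tld, plain user.
    trim_fqdn controls whether the domain portion is removed from the
    account name; the realm is returned separately either way.
    """
    raw = raw.strip()

    if raw.lower().startswith(MACHINE_PREFIX):
        fqdn = raw[len(MACHINE_PREFIX):]
        host, _, realm = fqdn.partition(".")
        # AD stores a computer object's sAMAccountName as HOSTNAME$ (assumed
        # here as the form the directory lookup needs).
        account = f"{host.upper()}$" if trim_fqdn else raw
        return Identity(account, realm or None, True)

    if "\\" in raw:                          # DOMAIN\user (down-level logon name)
        realm, _, user = raw.partition("\\")
        return Identity(user if trim_fqdn else raw, realm, False)

    if "@" in raw:                           # user@realm (UPN style)
        user, _, realm = raw.rpartition("@")
        return Identity(user if trim_fqdn else raw, realm, False)

    return Identity(raw, None, False)        # already a bare account name


# Constructed sample of accounts as an authentication source would hold them.
SAMPLE_ACCOUNTS: Set[str] = {"jsmith", "LAB-PC01$"}


def lookup(raw: str, trim_fqdn: bool, accounts: Set[str] = SAMPLE_ACCOUNTS) -> bool:
    """True when the (possibly stripped) identity resolves to a known account."""
    return strip_identity(raw, trim_fqdn).account in accounts


if __name__ == "__main__":
    for ident in ("CORP\\jsmith", "jsmith@corp.example.com",
                  "host/lab-pc01.corp.example.com", "jsmith"):
        for trim in (True, False):
            print(f"{ident:35} trim_fqdn={trim!s:5} -> "
                  f"{strip_identity(ident, trim)} hit={lookup(ident, trim)}")
```

Whichever rule is in force, the name it produces is the one the inner MSCHAPv2 exchange is validated against; if that name does not resolve in the directory, the inner method never completes, which is the situation the reply describes as seeing only "EAP" in Access Tracker.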

  • 3.  RE: Trimming FQDN causes Windows devices to not connect

    Posted Feb 09, 2019 09:02 PM

    Hi Marcel,

     

    When I talked with the ClearPass TAC engineer, he indicated that it was set up properly, and we tested it with the rules both on and off.  Both of my nodes are AD joined as well, and they're authenticating the iOS, Android, and Chromebook devices fine via their AD credentials.

     

    As for EAP-TLS, I'd love to do that, but I do not have a way to get individual user certificates onto the devices.  We have 2500 chromebooks in the hands of students, and we cannot reasonably expect them to connect via an onboarding network.

     

    I appreciate your help!



  • 4.  RE: Trimming FQDN causes Windows devices to not connect

    MVP EXPERT
    Posted Feb 10, 2019 06:21 AM

    Hi Ryanfaith,

     

    Can you provide some screenshots of your service, authentication source and Access Tracker (request, reply and alert)? See my example in the attachment of how my lab config looks. I am pretty sure your issue must be in the client 802.1X config, or between ClearPass and the AD, not the controller; the controller just forwards the EAP traffic in a RADIUS packet to ClearPass.

     

    What error reason do you see in Access Tracker? Let's see if we can help you out here.

     

    Side note:

    My advice, if you still want to use the less secure PEAP-MSCHAP method, is not to use any AD accounts but separate local accounts just for Wi-Fi authentication. Certainly not in a school community where pupils are rather resourceful; before you know it they have the teachers' passwords in their hands. I don't say what you have to do, but just be aware of this. Excellent explanation by Herman Robers for reference if you want to go deeper: https://www.youtube.com/watch?v=50fO3j4NgyQ.

     

     

    Attachment(s): Untitled.pdf (197 KB)