Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Kerberos in Clearpass

  • 1.  Kerberos in Clearpass

    Posted Mar 12, 2024 09:29 AM
    For our BYOD network we currently log in with EAP-PEAP based on an Active Directory LDAP source. We now want to authenticate via Kerberos, which does not work, and we receive the following message:
     
    MSCHAP: Authentication failed
    EAP-MSCHAPv2: User authentication or password change failed
     
    We have currently created a Kerberos source with our current LDAP server as authorization source. Are we missing any configuration here? Or does Kerberos not work in combination with EAP-PEAP?


  • 2.  RE: Kerberos in Clearpass

    EMPLOYEE
    Posted Mar 13, 2024 09:05 AM

    For PEAP-MSCHAPv2 you should join the ClearPass to the domain. There is an old video that demonstrates that step.

    Please note that MSCHAPv2 is deprecated, as the security behind it is broken. Except in the situation where you have full control over your clients and can make sure that clients will never connect to a rogue SSID, you should not use it and should use EAP-TLS or TEAP instead.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 3.  RE: Kerberos in Clearpass

    Posted Mar 13, 2024 09:27 AM

    Our ClearPass server has joined an AD domain. At this moment we can connect to MSCHAPv2 with our AD server as source. However, we now want to authenticate using Kerberos, but we cannot really find the correct manual for this, or what we should pay attention to.

     

    We have taken the following link as a reference https://www.arubanetworks.com/techdocs/ClearPass/6.7/PolicyManager/Content/CPPM_UserGuide/Auth/AuthSource_Kerberos.htm.

    Unfortunately we receive the message shown above.

  • 4.  RE: Kerberos in Clearpass

    EMPLOYEE
    Posted Mar 14, 2024 09:30 AM

    PEAP-MSCHAPv2 uses MSCHAPv2; I'm not aware of an EAP-Kerberos.

    As mentioned, you probably should move away from PEAP and start using EAP-TLS or TEAP with client certificates for 802.1X / WPAx Enterprise.



    ------------------------------
    Herman Robers
    ------------------------------
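
The replies above recommend moving from PEAP-MSCHAPv2 to EAP-TLS or TEAP and tie the remaining risk to clients joining a rogue SSID. As an added example (not from the thread or from Aruba), this Python script audits client supplicant profiles for that condition; it assumes clients are configured with wpa_supplicant-style network blocks, and the sample profiles, SSIDs and paths are constructed.

```python
import re
# Assumption: clients use wpa_supplicant. Constructed sample with made-up SSIDs and paths.
SAMPLE_CONF = '''
network={
    ssid="byod-legacy"
    eap=PEAP
    phase2="auth=MSCHAPV2"
}
network={
    ssid="byod-tls"
    eap=TLS
    ca_cert="/etc/ssl/example-radius-ca.pem"
    domain_suffix_match="radius.example.test"
    client_cert="/etc/ssl/alice.pem"
    private_key="/etc/ssl/alice.key"
}
'''

def parse_networks(conf_text):
    """Return one dict of key -> value per network={...} block."""
    networks = []
    for body in re.findall(r"network=\{(.*?)\n\}", conf_text, re.S):
        entry = {}
        for line in body.splitlines():
            line = line.strip()
            if line and not line.startswith("#") and "=" in line:
                key, value = line.split("=", 1)
                entry[key.strip()] = value.strip().strip('"')
        networks.append(entry)
    return networks

def audit(conf_text):
    """Map each SSID to a list of findings; an empty list means nothing was flagged."""
    report = {}
    for net in parse_networks(conf_text):
        findings = []
        methods = net.get("eap", "").upper().split()
        if "MSCHAPV2" in net.get("phase2", "").upper() or "MSCHAPV2" in methods:
            findings.append("uses MSCHAPv2; move to EAP-TLS or TEAP")
        if methods and not any(k in net for k in ("ca_cert", "ca_path")):
            findings.append("no ca_cert/ca_path: RADIUS server certificate is not validated")
        if methods and not any(k in net for k in ("domain_suffix_match", "domain_match")):
            findings.append("no domain match: any server certificate from the CA is accepted")
        report[net.get("ssid", "<no ssid>")] = findings
    return report

if __name__ == "__main__":
    for ssid, findings in audit(SAMPLE_CONF).items():
        print(ssid, "->", findings or "ok")
```

A profile with no findings validates the RADIUS server before sending credentials, which is the client-side control the rogue-SSID caveat depends on.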