PEAP-MSCHAPv2 uses MSCHAPv2; I'm not aware of an EAP-Kerberos.
As mentioned, you probably should move away from PEAP and start using EAP-TLS or TEAP with client certificates for 802.1X / WPAx Enterprise.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------
Original Message:
Sent: Mar 13, 2024 09:27 AM
From: ahmetsarikaya
Subject: Kerberos in Clearpass
Original Message:
Sent: 3/13/2024 9:05:00 AM
From: Herman Robers
Subject: RE: Kerberos in Clearpass
For PEAP-MSCHAPv2 you should join the ClearPass to the domain. There is an old video that demonstrates that step.
Please note that MSCHAPv2 is deprecated as the security behind it is broken. Except in the situation where you have full control over your clients and can make sure that clients will never connect to a rogue SSID, you should not use it and should use EAP-TLS or TEAP instead.
Original Message:
Sent: Mar 12, 2024 09:29 AM
From: ahmetsarikaya
Subject: Kerberos in Clearpass
For our BYOD network we currently log in with EAP-PEAP based on an Active Directory LDAP source. We now want to authenticate via Kerberos, which does not work, and we receive the following message:
MSCHAP: Authentication failed
EAP-MSCHAPv2: User authentication or password change failed
We have currently created a Kerberos source with our current LDAP server as authorization source. Are we missing any configuration here? Or does Kerberos not work in combination with EAP-PEAP?