Security

  • 1.  authentication error ... Clearpass Vs Active Directory

    Posted Jan 23, 2019 01:21 PM

    Hi...

    I am having an authentication error like the following:

    ERROR RadiusServer.Radius - rlm_mschap: AD status:Access denied (0xc0000022)

    [attachment: auth fails.jpg]

    I think the error is between the ClearPass and the Active Directory because:
    When I authenticate the user directly against the AD, the authentication succeeds, but when I authenticate the user against the ClearPass I get an authentication error.
    I already have the ClearPass linked to the AD, and it is properly joined to the domain.

    [attachment: domain well auth fails.jpg]

    Also, authentication works well when I create a local user in the ClearPass ...
    In summary:
      - user against ClearPass with local authentication ... ok
      - user against AD with domain authentication ... ok
      - when the ClearPass is linked to the AD and the user tries to authenticate against the ClearPass ... authentication fails

    Any help please?



  • 2.  RE: authentication error ... Clearpass Vs Active Directory

    Posted Jan 23, 2019 02:38 PM

    Did you check the strip username rules in your service authentication tab?

    [attachment: Capture.JPG]



  • 3.  RE: authentication error ... Clearpass Vs Active Directory

    Posted Jan 24, 2019 04:39 AM

    The error 0xc0000022 is very likely caused by the ClearPass not being joined to the Active Directory for MSCHAPv2 authentication, or by the domain join being broken/deleted from the AD.

    Have you joined your ClearPass to the domain?

    Also, whenever possible avoid the use of MSCHAPv2 and go for EAP-TLS instead. Only use MSCHAPv2 if you have full control over all of your clients, as the MSCHAPv2 protocol's security is broken.
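    An added example (not from the thread, not ClearPass code): a small Python triage over constructed rlm_mschap log lines that separates infrastructure-class NT status codes such as 0xc0000022 (the RADIUS server itself not being trusted by the DC) from per-user codes (wrong password, locked out), so that access-denied results across several different users point at the domain join rather than at the users. The timestamp and user= prefix on each line, and the min_users threshold, are assumptions made for the example.

```python
import re
from collections import Counter

# Constructed sample lines in the shape of the rlm_mschap error quoted in the
# thread; the timestamp and user= prefix are assumptions added for this example.
SAMPLE_LOG = """\
2019-01-23 13:05:01 user=jdoe ERROR RadiusServer.Radius - rlm_mschap: AD status:Access denied (0xc0000022)
2019-01-23 13:05:09 user=asmith ERROR RadiusServer.Radius - rlm_mschap: AD status:Access denied (0xc0000022)
2019-01-23 13:05:15 user=bnguyen ERROR RadiusServer.Radius - rlm_mschap: AD status:Wrong password (0xc000006a)
2019-01-23 13:05:22 user=clee ERROR RadiusServer.Radius - rlm_mschap: AD status:Access denied (0xc0000022)
"""

# NT status codes the domain controller returns during MSCHAPv2 validation, split
# by what they say about the cause: the RADIUS server's standing versus the user's.
INFRA_CODES = {
    0xC0000022: "STATUS_ACCESS_DENIED (server not allowed to validate: check domain join)",
    0xC000018B: "STATUS_NO_TRUST_SAM_ACCOUNT (machine account missing or broken)",
    0xC000018C: "STATUS_TRUSTED_DOMAIN_FAILURE",
}
USER_CODES = {
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC000006D: "STATUS_LOGON_FAILURE",
    0xC0000064: "STATUS_NO_SUCH_USER",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
    0xC0000072: "STATUS_ACCOUNT_DISABLED",
}
LINE_RE = re.compile(
    r"user=(?P<user>\S+).*rlm_mschap: AD status:[^(]*\((?P<code>0x[0-9a-fA-F]{8})\)"
)

def parse_mschap_failures(log_text):
    """Return (user, nt_status) pairs for every rlm_mschap failure line."""
    pairs = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            pairs.append((m.group("user"), int(m.group("code"), 16)))
    return pairs

def triage(log_text, min_users=2):
    """Count failures per code and flag a likely broken domain join when an
    infrastructure-class code hits at least min_users distinct users."""
    failures = parse_mschap_failures(log_text)
    by_code = Counter(code for _, code in failures)
    infra_users = sorted({u for u, c in failures if c in INFRA_CODES})
    labels = {hex(c): INFRA_CODES.get(c) or USER_CODES.get(c, "unknown") for c in by_code}
    return {"by_code": {hex(c): n for c, n in by_code.items()}, "labels": labels,
            "infra_users": infra_users, "suspect_domain_join": len(infra_users) >= min_users}

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```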



  • 4.  RE: authentication error ... Clearpass Vs Active Directory

    Posted Jan 24, 2019 11:20 AM

    @Herman Robers, @mkk:
    Thanks for your advice. I tried the troubleshooting tips that you gave me, but without positive results ...
    Even when I did this, the Access Tracker did not even acknowledge that the user was trying to connect to the ClearPass ...
    I do not think it is a domain problem, because when the user connects directly to the AD, the authentication is correct ...
    I have also verified that the ClearPass does consult the databases, because when I connect with credentials that do not exist in the database, the Access Tracker reports that as well ...
    For example...
    this user is in the AD database:

    [attachment: 01 user in database.jpg]

    and this other user is not in the AD database:

    [attachment: 02 user is not in database.jpg]

    The ClearPass does consult the AD database, but for some reason does not perform the authentication...

    Do you have any other idea of some other test that I could do?



  • 5.  RE: authentication error ... Clearpass Vs Active Directory

    Posted Jan 24, 2019 12:23 PM

    Have you joined ClearPass to the AD domain in the Administration » Server Manager » Server Configuration - <server name> page?

    When we are using EAP-PEAP with MSCHAPv2 as the inner method, we need to make sure ClearPass is added to the AD domain.

    From the CLI, manually test whether the connection to AD is OK:

    # ad testjoin <netbios>   -- to check the connection

    # ad auth -u <username> <netbios>   -- to test user auth with AD

    If CPPM is joined to AD but auth still fails from the CLI, try dropping and rejoining CPPM to AD.



  • 6.  RE: authentication error ... Clearpass Vs Active Directory

    Posted Jan 24, 2019 01:08 PM

    I agree with Herman and Pavan. When using MSCHAP, the ClearPass server needs to be joined to the AD. When it is not working correctly, try to re-join.

    Is your ClearPass server joined to the AD domain?

    Also take Herman's tip seriously: EAP-PEAP MSCHAP is not recommended these days, because it could be vulnerable. Better use EAP-TLS with certificate authentication. For EAP-TLS, ClearPass also does not need to be joined to the AD.

    [attachment: Capture5.JPG]

    Please let us know if it works, or if we can help you.



  • 7.  RE: authentication error ... Clearpass Vs Active Directory

    Posted Jan 24, 2019 01:34 PM

    First of all thank you for your help @Pavan Arshewar ...


    I did the tests that you recommended me and the result was the following:

    [attachment: 03 CLI clearpass.jpg]

    I do not understand why when I connect directly to the Active Directory the authentication does work, and then from the ClearPass authentication fails ...


    Offff.
    What could I do? ...



  • 8.  RE: authentication error ... Clearpass Vs Active Directory

    Posted Jan 24, 2019 02:17 PM

    Your account for the bind should not be an administrator account and must have its password set to never expire. Can you check that?

    Maybe this topic helps you out; please let us know.

    https://community.arubanetworks.com/t5/Security/EAP-Client-doesn-t-support-configured-EAP-methods-EAP-MSCHAP/td-p/396011/page/2



  • 9.  RE: authentication error ... Clearpass Vs Active Directory

    Posted Jan 28, 2019 07:43 AM

    Do you have the clocks synchronized on both ClearPass and Active Directory?

    Is the DNS server for ClearPass configured to use the AD?

    Are you on a recent (preferably the latest) version of ClearPass?

    What Windows Server AD version are you running?

    To get a quick solution, it's probably best to open an Aruba support case as that allows interactive troubleshooting for faster resolution.