No, we were having problems with the old DC as well. We reinstalled our DCs from scratch, thinking the DCs were faulty. But our problem continues.
-------------------------------------------
Original Message:
Sent: Sep 02, 2025 09:51 AM
From: chulcher
Subject: Clearpass - Active Directory Issue
Wired vs wireless is how your services appear to be separated, that's not the auth method. The auth method is as shown in your screenshots.
Did your problem start after you added the new DC? Was that the only change in the environment before things started not working? If so, you probably have something configured differently on that one DC vs the others and ClearPass isn't able to communicate with that DC consistently.
------------------------------
Carson Hulcher, ACEX#110
Original Message:
Sent: Sep 02, 2025 09:44 AM
From: dogukan35
Subject: Clearpass - Active Directory Issue
Which method should I choose, wired or wireless?
A new ADC was added to the existing domain. No new domain was created. We are using Windows Server 2022.
Original Message:
Sent: Sep 02, 2025 09:35 AM
From: chulcher
Subject: Clearpass - Active Directory Issue
You should probably figure out which auth method you are using and only enable that one or two methods rather than everything. If you aren't running a Cisco supplicant then you probably don't need EAP-FAST. Chances that you need 7 methods enabled on a wired service are low.
New DC added to existing domain? Or created new? What version of Windows?
------------------------------
Carson Hulcher, ACEX#110
Original Message:
Sent: Sep 02, 2025 03:01 AM
From: dogukan35
Subject: Clearpass - Active Directory Issue


When I look at the event logs on AD, I don't see any error messages. I only left the connection types in the photo as the connection types.
Additionally, when ClearPass was running in the old version, it had a connection to the old DC. We set up a DC from scratch with a new network and new IP addresses. Everything was re-installed from scratch.
Original Message:
Sent: Sep 02, 2025 02:45 AM
From: Herman Robers
Subject: Clearpass - Active Directory Issue
First of all, you probably should not use MSCHAPv2 as the security of it has been broken for years.
It looks like your Active Directory has been modified/hardened in some way; it may be that the computer account that is created is locked/removed/has a mandatory password change. The message tells that ClearPass no longer has access to the Active Directory and it's a setting in AD (Access Denied), not a network problem.
If you understand and accept the risks of using MSCHAPv2, including possible leak of AD credentials, you may check with TAC if there are additional logs on the AD Domain connection, or even increase logging to better find out what happens. You may also have a look at your AD server, what the status is for the ClearPass server's Computer account when all works fine and when you see these Access Denied messages; and/or check the Event Log on your AD servers related to the ClearPass Computer Account.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your HPE Aruba Networking partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact HPE Aruba Networking TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or HPE Aruba Networking.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
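The two checks Herman suggests above (the state of the ClearPass server's computer account in AD, and the domain controller's event log entries that mention that account) can be run from a DC in one go. The script below is an added example and is not part of the thread or of any HPE Aruba tooling. It assumes the RSAT ActiveDirectory module is installed, that it runs on a DC with rights to read the Security log, and that the ClearPass computer object is named CLEARPASS01, which is a placeholder to replace with the real object name.

```powershell
# Added example, not from the thread. Inspect the ClearPass computer account on a DC.
# Assumptions: RSAT ActiveDirectory module present; run on a DC with Security-log read
# rights; $ClearPassName is a placeholder for the real computer object name.
param(
    [string]$ClearPassName = 'CLEARPASS01',   # placeholder, replace with your object name
    [int]$LookbackHours    = 72               # how far back to search the Security log
)

Import-Module ActiveDirectory

# 1. Account state: enabled? locked out? when did its password last rotate?
$props = @('Enabled', 'LockedOut', 'PasswordLastSet', 'PasswordExpired',
           'whenChanged', 'LastLogonDate')
$acct  = Get-ADComputer -Identity $ClearPassName -Properties $props

[pscustomobject]@{
    Name            = $acct.Name
    Enabled         = $acct.Enabled
    LockedOut       = $acct.LockedOut
    PasswordLastSet = $acct.PasswordLastSet
    PasswordAgeDays = $(if ($acct.PasswordLastSet) {
                          [int]((Get-Date) - $acct.PasswordLastSet).TotalDays
                      } else { $null })
    LastLogonDate   = $acct.LastLogonDate
    WhenChanged     = $acct.whenChanged
} | Format-List

# 2. Netlogon machine-account password settings on this DC. MaximumPasswordAge is the
#    rotation interval in days (default 30); RefusePasswordChange=1 on a DC makes it
#    reject machine password changes, which is worth knowing when a join goes
#    "Access Denied" after a fixed number of hours.
$nl = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
Get-ItemProperty -Path $nl |
    Select-Object MaximumPasswordAge, DisablePasswordChange, RefusePasswordChange |
    Format-List

# 3. Security-log events that mention the ClearPass host in the lookback window.
#    4741 account created, 4742 changed, 4743 deleted, 4740 locked out, 4725 disabled,
#    4776 NTLM credential validation (the pass-through path MSCHAPv2 uses, where the
#    ClearPass host appears as Source Workstation), 4624/4625 logon success/failure.
$since = (Get-Date).AddHours(-$LookbackHours)
$ids   = 4741, 4742, 4743, 4740, 4725, 4776, 4624, 4625

Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $ids; StartTime = $since } `
             -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match [regex]::Escape($ClearPassName) } |
    Select-Object TimeCreated, Id,
        @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } } |
    Sort-Object TimeCreated |
    Format-Table -AutoSize
```

Run it once while authentication works and again right after the Access Denied messages appear; a changed PasswordLastSet, a LockedOut flag, or a 4742/4743 event around the time of the failure points at the account rather than the network. The name match is deliberately loose (with or without the trailing `$`) so that both computer-account logons and 4776 entries naming the host as the source workstation are caught.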
Original Message:
Sent: Sep 02, 2025 01:27 AM
From: dogukan35
Subject: Clearpass - Active Directory Issue
Hello everyone, we're having a problem with ClearPass, and no matter what we tried, we couldn't find a solution. Here are the methods we tried to resolve the issue. We created a local certificate instead of a wildcard certificate. We updated ClearPass to the latest version. The problem is that after a certain number of hours, AD users can't connect to the SSID with the 802.1x setting. The solution is to remove and re-add our domain from the ClearPass interface under Administrator > Server Manager > Server Configuration > AD Domains. This fixes the problem. However, since ClearPass doesn't always crash, I have to wake up and restart my computer during the night and reconfigure the settings whenever it crashes, even during the weekend. Any suggestions would be appreciated.
To elaborate, we use the mac-auth method for devices that can't be joined to the domain. We haven't experienced any issues with this method.


-------------------------------------------