Security

For PEAP-MSCHAPv2 you should join the ClearPass to the domain. There is an old video that demonstrates that step.

Please note that MSCHAPv2 is deprecated as the security behind it is broken, except in the situation where you have full control over your clients and can make sure that clients will never connect to a rogue SSID, you should not use it and use EAP-TLS or TEAP instead.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------

Original Message:
Sent: 3/13/2024 9:05:00 AM
From: Herman Robers
Subject: RE: Kerberos in Clearpass

For PEAP-MSCHAPv2 you should join the ClearPass to the domain. There is an old video that demonstrates that step.

Please note that MSCHAPv2 is deprecated as the security behind it is broken, except in the situation where you have full control over your clients and can make sure that clients will never connect to a rogue SSID, you should not use it and use EAP-TLS or TEAP instead.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------

PEAP-MSCHAPv2 uses MSCHAPv2, I'm not aware of an EAP-Kerberos.

As mentioned, you probably should move away from PEAP and start using EAP-TLS or TEAP with client certificates for 802.1X / WPAx Enterprise.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------

Original Message:
Sent: Mar 13, 2024 09:27 AM
From: ahmetsarikaya
Subject: Kerberos in Clearpass

Our clearpass server has joined an ad domain. At this moment we can connect to mschapv2 with our ad server as source. However, we now want to authenticate using Kerberos, but we cannot really find the correct manual for this. or what we should pay attention to.

 

We have taken the following link as a reference https://www.arubanetworks.com/techdocs/ClearPass/6.7/PolicyManager/Content/CPPM_UserGuide/Auth/AuthSource_Kerberos.htm.

Unfortunately we receive the message shown above

 

 

Original Message:
Sent: 3/13/2024 9:05:00 AM
From: Herman Robers
Subject: RE: Kerberos in Clearpass

For PEAP-MSCHAPv2 you should join the ClearPass to the domain. There is an old video that demonstrates that step.

Please note that MSCHAPv2 is deprecated as the security behind it is broken, except in the situation where you have full control over your clients and can make sure that clients will never connect to a rogue SSID, you should not use it and use EAP-TLS or TEAP instead.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------