Security

Question - I am trying to get PEAP/MSCHAPv2 working in a wired 802.1x deployment. I work in a very locked down enviroment where NTML is NOT allowed. I believe the built in AD template in ClearPass doesn't support Kerberos. I noticed there is a Kerberos service profile but in my reading non-windows devices need a keytab file for Kerberos auth to work. My question is how do I get the keytab file installed inside of clearpass? Or is it required at all?

Any info would be great!

That would be great however our machines do not have domain certs. Unfortunately this is not an option for us. 

Well since MSCHAPv2 works with Kerberos in Windows NPS I guess I will advise my customers to not spend 30K on ClearPass.

There are two parts in this. In NPS, the connection to the domain from the NPS server is Kerberos authenticated, as is the same situation with ClearPass.

There is no way to run the actual MS-CHAPv2 authentication with Kerberos, as NTLM is the only defined authentication scheme in MS-CHAPv2.

Moving to NPS will not change that in any way as it cannot change the standards. As Tim said, if NTLM cannot be used by policy, you cannot deploy PEAP/MSCHAPv2, and should move to other authentication methods.

MS also introduced a registry key, to use NTLMv2 on MS-CHAPv2 on the server side.

https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/rras-vpn-connections-fail-ms-chapv2-authentication