2021-11-29

ClearPass, Read-only Domain Controller (RODC) and PEAP-MSCHAPv2

Today we're having a look at how to use a ClearPass Subscriber with a Read-Only Domain Controller.
This setup is typical for branch offices where the Active Directory and NAC services should be hosted locally so that authentication keeps working during a WAN failure.


This post will primarily cover the "AD status:No trusted SAM account (0xc000018b)" error, when using PEAP-MSCHAPv2.


Topology:

Headquarter

2x ClearPass VMs in Zone/Active Directory Site named 'Lab'
2x Active Directory Domain Controller (writable) in Site 'Lab'


Branch

1x ClearPass VM in Zone/Active Directory Site named 'DMZ'
1x Active Directory Read-Only Domain Controller in Site 'DMZ'

When using MSCHAPv2 you need to join the ClearPass servers to the Active Directory domain. This needs to be done for every ClearPass instance that you expect to process MSCHAPv2 authentications.
To do this you first have to select one of the servers from the menu 'Administration' - 'Server Manager' - 'Server Configuration'.
Once you click on one of the server names you can scroll down on the next page and find a 'Join AD domain' button at the bottom.

If you just enter your domain name and not the FQDN of a specific domain controller, ClearPass will use the first DC returned by the DNS query for your domain name.
If this is a DC in another Active Directory Site, ClearPass will advise you to use a DC in the same Site.

Domainjoin with DC from another site


If we try to join the domain via the local RODC, this operation will of course fail, because an RODC is read-only.
So we need to ignore the ClearPass warning and join the AD with any writable DC.

After the domain join was successful, we can add the RODC as 'Password Server' and thereby force ClearPass to use this specific DC.
You can do so as shown in this screenshot:
Edit AD password servers




After the change go to the 'Services Control' tab and restart the domain service for your domain.

As we successfully joined the AD we now should be able to use MSCHAPv2, right?
Well, in the Access Tracker you may see failed authentications due to the error
AD status:No trusted SAM account (0xc000018b)

To fix this, we need to make sure that the computer account object of our ClearPass instance is synced to the RODC. To verify this, and also to force the AD to sync this object to the RODC, you have to look at the RODC object in 'Active Directory Users and Computers'.

There you find a tab 'Password Replication Policy'. This determines which passwords the RODC is allowed to cache. With 'Advanced...' you can view the currently cached passwords.
In our case this list is fairly empty:

RODC synced passwords before the change

To fix the error we need to add the ClearPass AD object as 'Allowed' in the 'Password Replication Policy'. After that we can go to the 'Advanced' view and prepopulate the password on the RODC.
It should look like this:

RODC synced passwords after the change

Now the error during authentication should be gone!
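The same Password Replication Policy change can be scripted with the ActiveDirectory PowerShell module, which is handy when you have many branches. This is an added example and not part of the original post; the host and account names are placeholders for this lab (the computer account name ClearPass creates on join is assumed to match its host name).

```powershell
# Added example (not from the original post): allow the ClearPass computer
# account on the RODC, prepopulate its password, then verify it is cached.
# Run on a writable DC or an admin workstation with RSAT installed.
Import-Module ActiveDirectory

$Rodc        = 'RODC-DMZ'   # placeholder: branch RODC host name
$WritableDc  = 'DC1-LAB'    # placeholder: writable DC in the HQ site
$CppmAccount = 'CPPM-DMZ'   # placeholder: computer account created by the ClearPass domain join

# 1. Add the ClearPass computer account to the RODC's 'Allowed' list.
$computer = Get-ADComputer -Identity $CppmAccount -Server $WritableDc
Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -AllowedList $computer -Server $WritableDc

# 2. Prepopulate the password on the RODC instead of waiting for the first
#    authentication to trigger caching. -PasswordOnly replicates only the secret.
Sync-ADObject -Object $computer -Source $WritableDc -Destination $Rodc -PasswordOnly

# 3. Verify: the account must now appear in the RODC's revealed (cached) list,
#    which is what the 'Advanced...' view in the GUI shows.
$revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts -Server $WritableDc
if ($revealed.SamAccountName -contains $computer.SamAccountName) {
    Write-Output "Password of $($computer.SamAccountName) is cached on $Rodc"
} else {
    Write-Warning "Password of $($computer.SamAccountName) is NOT cached on $Rodc; expect 0xc000018b to persist"
}
```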

You can verify MSCHAPv2 via the ClearPass CLI as 'appadmin' user with the commands:

ad auth -u <USER> -n NETBIOS-DOMAINNAME
krb auth <USER>@domain

Please be aware that if you use the AD as 'Authentication Source' via LDAP you also need to think about which primary DCs and which backup DCs to use.
With many branches you probably want to create one Authentication Source per branch and use different ClearPass services per branch.

Also you should try to get rid of EAP-PEAP and work towards EAP-TLS :-)