AAA, NAC, Guest Access & BYOD


Authentication error MSCHAP: AD status:Named pipe disconnected (0xc00000b0)

Jul 14, 2014 09:42 AM

Question : Why does authentication fail with the error "Named pipe disconnected", and how can I recover from it?

 

Environment Information : ClearPass Policy Manager server running version 6.1.4 or greater, joined to an AD server and performing EAP-PEAP-MSCHAPv2 authentication.

 

Symptoms : All EAP-PEAP-MSCHAPv2 authentications against a particular ClearPass server start failing with the error message "Named pipe disconnected". Authentication starts working again after restarting the domain service or rebooting the server.

 

Cause :

When ClearPass is joined to the AD domain, the Samba module creates a connection to the Netlogon service in AD. This connection is used to authenticate users performing EAP-PEAP-MSCHAPv2 against AD. If the Netlogon service is restarted or stopped on the domain controller for any reason, the communication between Samba and Netlogon is broken.
 
This results in the error message that the named pipe is disconnected.

 

Resolution :

 

The way to recover from this situation is to restart the winbind service so that it establishes a new connection with the Netlogon service. This can be done from the ClearPass GUI by restarting the service called cpass-domain-server_<your domain name> from Administration > Server Manager > Server Configuration > click the server having issues > Services Control.

From ClearPass 6.1.4 there is an option where ClearPass checks the number of authentication failures caused by the named pipe disconnected error and automatically restarts the domain service to re-establish the connection with the domain controller and resume authenticating users.

This option ensures that the number of failures is kept to a minimum and that the winbind service heals itself. Hence this functionality is also known as winbind "self-healing".

This configuration can be seen under Administration > Server Manager > Server Configuration > "Click on the server having the issue" > Service Parameters > RADIUS Server > AD Errors > Recovery Action.
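
The counting logic behind the self-healing option can also be applied to exported authentication logs for monitoring. The following Python code is an added example, not ClearPass code: it counts "Named pipe disconnected" failures per server in a sliding window and reports when a domain-service restart would be due. The log layout, server names, threshold, window and the reset on a successful authentication are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Error text as quoted on this page; the line layout around it is an assumption.
PIPE_ERROR = re.compile(r"Named pipe disconnected \(0xc00000b0\)", re.IGNORECASE)
LINE = re.compile(r"^(?P<ts>\S+) (?P<server>\S+) (?P<result>ACCEPT|REJECT) ?(?P<detail>.*)$")

def recovery_points(lines, threshold=3, window=timedelta(minutes=5)):
    """Return (server, timestamp) pairs at which a domain-service restart is due."""
    recent = defaultdict(deque)   # server -> timestamps of recent pipe errors
    due = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue              # ignore lines that do not parse
        ts = datetime.fromisoformat(m["ts"])
        q = recent[m["server"]]
        if m["result"] == "ACCEPT":
            q.clear()             # assumption: a success shows the connection works
            continue
        if not PIPE_ERROR.search(m["detail"]):
            continue              # other rejects (e.g. bad password) are not counted
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()           # drop errors that fell out of the window
        if len(q) >= threshold:
            due.append((m["server"], ts))
            q.clear()             # a restart re-establishes the connection

    return due

# Constructed sample log (hypothetical servers cppm-1 and cppm-2).
SAMPLE = """\
2014-07-14T09:30:00 cppm-1 ACCEPT
2014-07-14T09:31:10 cppm-1 REJECT MSCHAP: AD status:Named pipe disconnected (0xc00000b0)
2014-07-14T09:31:15 cppm-2 REJECT MSCHAP: Authentication failed
2014-07-14T09:31:40 cppm-1 REJECT MSCHAP: AD status:Named pipe disconnected (0xc00000b0)
2014-07-14T09:32:05 cppm-1 REJECT MSCHAP: AD status:Named pipe disconnected (0xc00000b0)
2014-07-14T09:33:00 cppm-1 ACCEPT
2014-07-14T09:50:00 cppm-2 REJECT MSCHAP: AD status:Named pipe disconnected (0xc00000b0)
""".splitlines()

if __name__ == "__main__":
    for server, ts in recovery_points(SAMPLE):
        print(f"{ts.isoformat()} {server}: restart cpass-domain-server service")
```

A single isolated error, such as the one on cppm-2, stays below the threshold and does not trigger a restart.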

 
