AAA, NAC, Guest Access & BYOD

 View Only
last person joined: one year ago 

Solutions for legacy and existing products and solutions, including Clearpass, CPPM, OnBoard, OnGuard, Guest, QuickConnect, AirGroup, and Introspect
Back to Library

Unable to join CPPM to the domain. Getting error - KRB5KRB_ERR_RESPONSE_TOO_BIG in the packet capture. 

Aug 06, 2014 04:43 PM

Environment : When trying to join CPPM to the domain, we are getting the following error:

 

Adding host to AD domain...
INFO - Fetched REALM 'AD.DOMAIN.COM' from domain FQDN 'AD.DOMAIN.COM'
INFO - Fetched the NETBIOS name 'AD'
INFO - Creating domain directories for 'AD'
Enter admin's password:
[2014/01/23 11:38:00, 0] libads/sasl.c:819(ads_sasl_spnego_bind)
kinit succeeded but ads_sasl_spnego_krb5_bind failed: Unspecified GSS failure.
Minor code may provide more information : Cannot contact any KDC for realm 'AD.DOMAIN.COM'
Failed to join domain: failed to connect to AD: Unspecified GSS failure. Minor 
code may provide more information : Cannot contact any KDC for realm 'AD.DOMAIN.COM'
INFO - Restoring smb configuration
INFO - Restoring krb5 configuration file
INFO - Deleting domain directories for 'AD'
ERROR - gtclearpass01 failed to join the domain AD.DOMAIN.COM with
domain controller as AD.DOMAIN.COM
Join domain failed

The AD and the ClearPass servers are on the same L2 network.

 

 

The packet capture between the AD and CPPM shows that AD is returning the error - KRB5KRB_ERR_RESPONSE_TOO_BIG

Customer's L2 infrastructure (switch and other networking gears where CPPM and AD are connected) has a lower MTU setting than that of CPPM.

CPPM has an MTU of 1500 and not exposed to alter this value administratively. When the L2 infrastructure has a lesser MTU than that of CPPM (we suspect this could be 1400 or even less), then some of the packets in the domain join process are not transmitted to CPPM or AD. This is resulting in the failure (which is confirmed in our lab).

Involve network administrator to higher the MTU in the customer's L2 infrastructure to 1500 or above. 
OR
Understand what is the network MTU setting and alter the CPPM's MTU to a value lesser than this (eg: if the L2 MTU is 1400, set CPPM's MTU to 1300).

You need to change the following configuration file in CPPM to alter its MTU.

Modify /etc/sysconfig/network-scripts/ifcfg-eth0 as arubasupport user in CLI, to add the MTU value (less than that of L2 MTU. In this case, 1300 has been defined just to as an example only)

Statistics
0 Favorited
0 Views
0 Files
0 Shares
0 Downloads

Related Entries and Links

No Related Resource entered.