Occasional Contributor II

ARUBA-Cisco switch - Monday morning authentication issue

Calling all ARUBA gurus.

 

Hello.

 

I have had this issue with the ClearPass NAC system for the last 3 years.

Aruba TAC has confirmed this is not an Aruba system issue.

 

May I request anyone with experience in an Aruba-Cisco environment to shed some light on this, please.

 

We have Aruba ClearPass 6.6.8. In 2015 we had 400+ PCs with the ClearPass OnGuard agent on. Every Monday (after 2 days of holiday in the UK) random PCs would not let the user log on, saying "logon server could not be found" - the same scenario as when you lose network connection. It only happened on Monday mornings. We had Aruba TAC look at this issue and they increased the machine authentication cache time to 72 hours instead of 24. But we still had some issues - like I mentioned, it was random, on random PCs in random VLANs. To get the user working we then had to remove the .1x config from the Cisco switch port. Once authenticated, we could then place the config back and the PCs would be fine until the next Monday morning.

 

Anyone else had this issue? TAC said they are not aware of anyone having this issue but us.

 

Now, we had to deactivate NAC due to some issues last year. We have now started deploying the OnGuard agent again. And like last time, we did not have any issue until a couple of weeks ago, and one PC came up with the exact same error. We have 3500 PCs, and having this issue on Monday morning will not look very good for us IT guys. We have 350+ laptops on wireless and they are fine.

 

Any ideas, people?

 

 

Contributor II

Re: ARUBA-Cisco switch - Monday morning authentication issue

Are you running EAP-TLS or EAP-PEAP?

 


Sven
ACMX #754, ACCX #726, ACSA
Occasional Contributor II

Re: ARUBA-Cisco switch - Monday morning authentication issue

We are using EAP-PEAP MSCHAPv2.

 

We do machine authentication and user authentication.

 

Thanks torelo.

Contributor II

Re: ARUBA-Cisco switch - Monday morning authentication issue

So I assume the CPPM is joined to the Domain and has some Backup-Servers in the list?

 

Try to unjoin and rejoin the domain.


Sven
ACMX #754, ACCX #726, ACSA
Occasional Contributor II

Re: ARUBA-Cisco switch - Monday morning authentication issue

Yes, we have 2 HA pair in 2 sites.

 

We have had the server leave and join the domain when we were upgrading to 6.6.8.

 

Any more ideas?

 

 

Contributor II

Re: ARUBA-Cisco switch - Monday morning authentication issue

Could you share the Access-Tracker Output and the Service Configuration?

 


Sven
ACMX #754, ACCX #726, ACSA
Occasional Contributor II

Re: ARUBA-Cisco switch - Monday morning authentication issue

Hi Sven,

 

Which ones do you want to see - the one happening at the time when the user had a failed login?

 

Which service config do you want to see - the one wired users use?

Regards,

Sheikh

Contributor II

Re: ARUBA-Cisco switch - Monday morning authentication issue

The problematic Service and AccessTracker log

Sven


Sven
ACMX #754, ACCX #726, ACSA