
Authentication successful only from one IAP

Hi guys,

I am doing some testing of authentication against AD via ClearPass. I have a cluster of two IAPs, I have created the Instant cluster VC IP as NAD in ClearPass, and created ClearPass as a RADIUS server in Instant. The problem is that authentication is successful only from one IAP, and I see the ACCEPT messages in Access Tracker, but from the other IAP I can't connect to the network, and I don't see any message in Access Tracker. I don't know where the problem is because, as I said, the NAD in ClearPass is the cluster VC IP, and I have also enabled the Dynamic Proxy RADIUS feature in the Instant cluster. Can you help me?

Regards,

Julián

Aruba Employee

Re: Authentication successful only from one IAP

On ClearPass, check the Event Viewer (not Access Tracker) to see if CPPM is receiving unauthorized RADIUS requests from the other IAP.


Charlie Clemmer
Aruba Customer Engineering

Re: Authentication successful only from one IAP

Nothing, in Event Viewer I see no messages about RADIUS requests and the other IAP.

Regards,

Julián

Aruba Employee

Re: Authentication successful only from one IAP

I would start with the CLI of the IAP that is not authenticating and work out from there. Does the IAP have the correct configuration? Does it see the user association attempted? Any error logs showing the authentication fail?


Charlie Clemmer
Aruba Customer Engineering

Re: Authentication successful only from one IAP

Hi Charlie,

This is what I have got from CLI:

instantcli.JPG

I suppose the message "Client 78:0c:b8:f6:70:de authenticate fail because RADIUS server connection failure" refers to the ClearPass server. But you can see I can ping it successfully (it has IP 192.168.1.98). And I don't know if the output of the last two commands is useful. Can you think of anything else?

Regards,

Julián

Re: Authentication successful only from one IAP

Hi guys,

I think I know what's going on. My Instant cluster fails to connect to ClearPass because my ClearPass RADIUS certificate has expired, and I think for the same reason the RADIUS server service has stopped, and I can't restart it. I think that's the root cause. What can I do to overcome this issue? Do I need to install a new certificate? Because this is a ClearPass with an eval license for testing purposes, is there any site to get free certificates? Sorry for these questions but I am a beginner in the certificates world.

Regards,

Julián

Guru Elite

Re: Authentication successful only from one IAP

A valid EAP server certificate is required for the RADIUS service to start. Use your organization's preferred CA to acquire the appropriate certificate(s).

Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480

Re: Authentication successful only from one IAP

Hi Tim,

Yes, I have read in another thread that the expiration of the RADIUS certificate stops the RADIUS service.

The problem from the beginning was that I was doing tests with authentication from only one IAP when the RADIUS certificate was valid. Then the next day I kept doing tests from the other IAP, but what a coincidence that the RADIUS certificate expired at the end of the previous day.

I will try to acquire new certificates and we'll see.

Regards,

Julián
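
The root cause in this thread was an expired RADIUS/EAP server certificate, so the following is an added example (not part of the original posts and not Aruba's own tooling) of a check that flags a certificate before it expires. It assumes the server certificate has been exported to a PEM file and that `openssl` is installed; the function names, the 30-day default window and the `radius.example.test` subject are illustrative.

```bash
#!/usr/bin/env bash
# Added example: classify a PEM certificate by the time left before expiry.
# Prints OK / WARN / EXPIRED / ERROR and returns 0 / 1 / 2 / 3 so it can be
# called from cron or a monitoring agent.

cert_status() {
    local pem="$1" warn_days="${2:-30}"

    # A missing or unparsable file is its own state, not "expired".
    if ! openssl x509 -in "$pem" -noout >/dev/null 2>&1; then
        echo "ERROR"; return 3
    fi
    # -checkend N exits non-zero when the cert expires within N seconds;
    # N=0 therefore means "already expired".
    if ! openssl x509 -in "$pem" -noout -checkend 0 >/dev/null; then
        echo "EXPIRED"; return 2
    fi
    if ! openssl x509 -in "$pem" -noout \
            -checkend $((warn_days * 86400)) >/dev/null; then
        echo "WARN"; return 1
    fi
    echo "OK"; return 0
}

# Demo on a constructed, throwaway self-signed certificate valid for 20 days.
cert_status_demo() {
    local dir
    dir="$(mktemp -d)"
    openssl req -x509 -newkey rsa:2048 -nodes -days 20 \
        -subj "/CN=radius.example.test" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" >/dev/null 2>&1
    echo "14-day window: $(cert_status "$dir/cert.pem" 14)"
    echo "30-day window: $(cert_status "$dir/cert.pem" 30)"
    openssl x509 -in "$dir/cert.pem" -noout -enddate
    rm -rf "$dir"
}

if [ "${1:-}" = "--demo" ]; then
    cert_status_demo
fi
```

Run with `--demo` to see both outcomes on the generated certificate, or source the file and call `cert_status /path/to/exported-cert.pem 30` on a schedule.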
