07-29-2014 10:00 AM
Hello. I am trying to resurrect a once-working CPPM policy/service which responded to a user's login attempt on CPGuest and queries AD and the local guest db. When testing with a client, I am prompted with the WEB UI page from the policy, but fail authentication with 'Invalid Username or Password.' I try to check the attempt in Access Tracker, but no entries appear. Confused as to how I can attempt the authentication without tripping a tracker event. Any guidance is appreciated. Thank you!
04-30-2015 06:53 AM
CPPM Access Tracker No Entry for authentication attempt.
I am troubleshooting a similar problem.
While deploying Mac Caching we unveiled an anomaly in our test bed while changing services and deploying Student and Staff MAC Caching. We have 2 Mac Caching services for students and 2 for staff. Our issue doesn’t cause a problem but we are trying to understand why it’s happening. We make a change to a service named Student Access with MAC Caching. We authenticate using that service. We see authenticated on device but no entry in CPPM Access Tracker. The next service called Student Mac Caching Service will deny the request and an Access Tracker entry appears.
We really want to see an Access tracker entry for the changed service named Student Access with MAC Caching.
We reverse the change and of course we get an entry.
The change is as follows:
In our Student Access with MAC Caching service we change a service rule reading:
Radius:Aruba Aruba-Essid-Name Equals Student
Radius:Aruba Aruba-Essid-Name Equals Staff
I have pulled log files for the service prior to the change and see no entry in log files for anything initiating an entry for CPPM Access tracker. I have also looked at Event Viewer and do not see any instance of this or any other authentication event or entry event for Access Tracker.
05-01-2015 02:31 AM
jkeco, I would check the authentication server-group configuration to make sure the requests are definitely being sent to ClearPass. You can also run 'show aaa authentication-server radius statistics' to check the RADIUS packets are being sent and responded to.
KI, have you tried blacklisting and unblacklisting the user on the Aruba controller after the changes to the service have been made? If the user entry still exists in the user-table then they will not need to re-authenticate.
ACDX #98 | ACMP | ACCP