CPPM Fails some user auths due to not finding socket for the domain

One of my CPPM boxes, the subscriber in a two-server cluster, is failing a large number of authentications. The error in the log will look like the following.

 

2015-02-04 07:14:05,247[Th 311825 Req 127435050 SessId R0110286c-06-54d20d0c] INFO RadiusServer.Radius - rlm_service: The request was categorized into service "OCDSB Wireless Access Service" - 42:0:D022BEDBFE8A
2015-02-04 07:14:05,247[Th 311825 Req 127435050 SessId R0110286c-06-54d20d0c] INFO RadiusServer.Radius - rlm_eap_mschapv2: Received MSCHAPv2 Response from client
2015-02-04 07:14:05,247[Th 311825 Req 127435050 SessId R0110286c-06-54d20d0c] ERROR RadiusServer.Radius - Did not find socket directory for domain STAFF. Returning /var/avenda/tips/samba/samba_AD/winbindd_privileged
2015-02-04 07:14:05,247[Th 311825 Req 127435050 SessId R0110286c-06-54d20d0c] INFO RadiusServer.Radius - rlm_mschap: authenticating user C20120, domain STAFF
2015-02-04 07:14:05,250[Th 311825 Req 127435050 SessId R0110286c-06-54d20d0c] INFO RadiusServer.Radius - rlm_mschap: user C20120 authentication failed
2015-02-04 07:14:05,250[Th 311825 Req 127435050 SessId R0110286c-06-54d20d0c] ERROR RadiusServer.Radius - rlm_mschap: AD status:Logon failure (0xc000006d)
2015-02-04 07:14:05,250[Th 311825 Req 127435050 SessId R0110286c-06-54d20d0c] ERROR RadiusServer.Radius - Did not find socket directory for domain STAFF. Returning /var/avenda/tips/samba/samba_AD/winbindd_privileged
2015-02-04 07:14:05,250[Th 311825 Req 127435050 SessId R0110286c-06-54d20d0c] INFO RadiusServer.Radius - rlm_mschap: authenticating user C20120, domain STAFF
2015-02-04 07:14:05,254[Th 311825 Req 127435050 SessId R0110286c-06-54d20d0c] INFO RadiusServer.Radius - rlm_mschap: user C20120 authentication failed
2015-02-04 07:14:05,254[Th 311825 Req 127435050 SessId R0110286c-06-54d20d0c] ERROR RadiusServer.Radius - rlm_mschap: AD status:Logon failure (0xc000006d)
2015-02-04 07:14:05,254[Th 311825 Req 127435050 SessId R0110286c-06-54d20d0c] ERROR RadiusServer.Radius - rlm_mschap: FAILED: MS-CHAP2-Response is incorrect

 

The odd thing is that not all auths fail and those that do will eventually manage a successful authentication. The CPPMs have been joined to our active directory and are set to use any domain controller that replies to the request.

 

Anyone else had a problem like this?
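A triage script for the log format quoted in the post above, added here as an example (it is not part of the original thread and not Aruba's code). It groups lines by SessId and separates rejections that were preceded by the "Did not find socket directory" error from plain logon failures; the function names and the second sample session are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the excerpt above: the first session
# repeats lines from the post, the second (no socket error) is made up.
SAMPLE_LOG = """\
2015-02-04 07:14:05,247[Th 311825 Req 127435050 SessId R0110286c-06-54d20d0c] ERROR RadiusServer.Radius - Did not find socket directory for domain STAFF. Returning /var/avenda/tips/samba/samba_AD/winbindd_privileged
2015-02-04 07:14:05,247[Th 311825 Req 127435050 SessId R0110286c-06-54d20d0c] INFO RadiusServer.Radius - rlm_mschap: authenticating user C20120, domain STAFF
2015-02-04 07:14:05,250[Th 311825 Req 127435050 SessId R0110286c-06-54d20d0c] ERROR RadiusServer.Radius - rlm_mschap: AD status:Logon failure (0xc000006d)
2015-02-04 07:14:05,254[Th 311825 Req 127435050 SessId R0110286c-06-54d20d0c] ERROR RadiusServer.Radius - rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
2015-02-04 07:15:00,000[Th 1 Req 2 SessId R00000000-00-00000000] INFO RadiusServer.Radius - rlm_mschap: authenticating user EXAMPLE1, domain STAFF
2015-02-04 07:15:00,003[Th 1 Req 2 SessId R00000000-00-00000000] ERROR RadiusServer.Radius - rlm_mschap: AD status:Logon failure (0xc000006d)
2015-02-04 07:15:00,004[Th 1 Req 2 SessId R00000000-00-00000000] ERROR RadiusServer.Radius - rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
"""

LINE = re.compile(r"^\S+ \S+\[Th \d+ Req \d+ SessId (?P<sess>\S+)\] "
                  r"(?P<level>\w+) \S+ - (?P<msg>.*)$")
SOCKET = re.compile(r"Did not find socket directory for domain (\S+)\. Returning (\S+)")
USER = re.compile(r"rlm_mschap: authenticating user (\S+), domain (\S+)")
STATUS = re.compile(r"rlm_mschap: AD status:(.+) \((0x[0-9a-fA-F]+)\)")


def summarize(log_text):
    """Group log lines by SessId and record what happened in each session."""
    sessions = defaultdict(lambda: {"user": None, "domain": None, "socket_misses": 0,
                                    "fallback_path": None, "ad_status": set(),
                                    "rejected": False})
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip blank or unrecognised lines
        s, msg = sessions[m["sess"]], m["msg"]
        if (hit := SOCKET.search(msg)):
            s["socket_misses"] += 1
            s["domain"], s["fallback_path"] = hit.group(1), hit.group(2)
        elif (hit := USER.search(msg)):
            s["user"], s["domain"] = hit.group(1), hit.group(2)
        elif (hit := STATUS.search(msg)):
            s["ad_status"].add(hit.group(2).lower())
        elif "MS-CHAP2-Response is incorrect" in msg:
            s["rejected"] = True
    return dict(sessions)


def rejected_after_socket_miss(sessions):
    """SessIds rejected after a socket-directory miss (not plain logon failures)."""
    return sorted(k for k, s in sessions.items()
                  if s["rejected"] and s["socket_misses"] > 0)
```

Running `summarize()` over the publisher's and the subscriber's logs for the same time window and comparing the two counts shows whether the socket-directory error is confined to one node.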

Re: CPPM Fails some user auths due to not finding socket for the domain

For the Domain server you added CPPM can you query the rest of the servers through DNS?

 

Is there a trust relationship between domains?

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Aruba

Re: CPPM Fails some user auths due to not finding socket for the domain

What version of CPPM are you using? There was a bug in an older version that might cause that issue.
Thank You,
Troy


Re: CPPM Fails some user auths due to not finding socket for the domain

Thanks for your response Victor,

I am able to query all of our domain controllers through DNS and there is a trust between the domains.

 

The weird thing is the problem is intermittent and only seems to happen on my subscriber.

 

Cheers


Re: CPPM Fails some user auths due to not finding socket for the domain

Thanks tarnold,

 

My CPPM appliances are both running on 6.4.3.6 code. 

 

Cheers


Re: CPPM Fails some user auths due to not finding socket for the domain

Hello,

 

We're using ClearPass 6.4.5.71640 and have the same issue.

The ClearPass appliances are joined to the root of Active Directory domains with approbation relationships between them.

The LDAP search is working very well into each domain after binding with a single service account, using the approbation relationships, but then authentication of the computer object fails with a "not finding socket for the domain" error.

If we do a packet capture we can see that the ClearPass appliances never tried to connect to anything.

Do you have any idea about what causes this issue?

 

Kind regards,
