Hi
I've got a 3 node cluster, 1 publisher and 2 subscribers. I have 1 switch and 1 PC which is doing an 802.1x service off to 1 AD server. This is all in a single room. We have a test scenario which gets into a state that is unexplainable so I'm looking for a greater understanding of how ClearPass works.
We have a Cisco switch which is configured to point to a primary subscriber and if that is unreachable, it will auto redirect requests to the secondary subscriber. All works well when we shut down the primary subscriber's network port. All devices now authenticate against the secondary subscriber.
However! When we bring the primary subscriber back online by re-enabling the port, the switch reverts to trying the primary. All good so far! But all the authentication requests are rejected in Access Tracker. All have the error code 'MSCHAP: AD status:Pipe broken (0xc000014b)'.
It can be cleared by doing one or more of the following: clearing the cache on the source, shut/no shut on the device port, or just waiting! However, it is never the same and feels quite random! We have a repeatable scenario to get into the broken state but the fix appears to be completely accidental! I can't explain it.
We've got a bit circular with our TAC case so that hasn't helped. We have had an AD expert review the comms on the AD end and all looks fine. Although he has thrown in the observation that all comms into the AD are being seen as coming from the publisher, nothing from either of the subscribers. If there isn't a pipe between a subscriber and AD, how can it be broken?!
Any comments and observations helpful.