Occasional Contributor I

Clearpass reject with Error Code: 9001 Error Message: Wrong shared secret

Hi everybody, I found a problem: when I send a RADIUS authentication request packet to CLEARPASS, it rejects the authentication. The log is as follows. When I do the authentication again, it accepts. But I'm sure I use the same username and password. It only rejects the authentication about 1 or 2 percent of the time. I didn't change our device's configuration. I do not know why. Is it CLEARPASS's issue? Or is the user's password actually wrong, or is the shared secret between the device and CLEARPASS sometimes wrong?

 

2017-03-05 17:13:15,344 [Th 2953 Req 4154822 SessId R0008192e-01-58bc1cfb] ERROR RadiusServer.Radius - rlm_pap: User xxxx authentication failed
2017-03-05 17:13:15,344 [Th 2953 Req 4154822 SessId R0008192e-01-58bc1cfb] ERROR RadiusServer.Radius - Unprintable characters in the password. Check the shared secret on the server and the NAS.
...

2017-03-05 17:13:15,349 [AuthReqThreadPool-22-0x7fd5a5bed700 r=R0008192e-01-58bc1cfb h=74] ERROR ExtDB.DBQuery - ResultSet is empty
2017-03-05 17:13:15,349 [AuthReqThreadPool-22-0x7fd5a5bed700 r=R0008192e-01-58bc1cfb h=74] WARN Util.ParameterizedString - getReplacedStrings: Failed to replace parameString =SELECT FLOOR(EXTRACT(EPOCH FROM (NOW() - timestamp)))::integer AS seconds_since_auth, FLOOR((EXTRACT(EPOCH FROM (NOW() - timestamp)))/60)::integer AS minutes_since_auth, FLOOR((EXTRACT(EPOCH FROM (NOW() - timestamp)))/3600)::integer AS hours_since_auth, FLOOR((EXTRACT(EPOCH FROM (NOW() - timestamp)))/86400)::integer AS days_since_auth FROM auth WHERE auth.timestamp < NOW() AND auth.error_code = 0 AND auth.username = '%{Endpoint:Username}' AND auth.mac = '%{Connection:Client-Mac-Address-NoDelim}' AND auth.auth_status != 'MAB' ORDER BY timestamp DESC LIMIT 1, error=No values for param=Endpoint:Username
2017-03-05 17:13:15,349 [AuthReqThreadPool-22-0x7fd5a5bed700 r=R0008192e-01-58bc1cfb h=74] ERROR ExtDB.DBQuery - execute: Failed to construct filter=SELECT FLOOR(EXTRACT(EPOCH FROM (NOW() - timestamp)))::integer AS seconds_since_auth, FLOOR((EXTRACT(EPOCH FROM (NOW() - timestamp)))/60)::integer AS minutes_since_auth, FLOOR((EXTRACT(EPOCH FROM (NOW() - timestamp)))/3600)::integer AS hours_since_auth, FLOOR((EXTRACT(EPOCH FROM (NOW() - timestamp)))/86400)::integer AS days_since_auth FROM auth WHERE auth.timestamp < NOW() AND auth.error_code = 0 AND auth.username = '%{Endpoint:Username}' AND auth.mac = '%{Connection:Client-Mac-Address-NoDelim}' AND auth.auth_status != 'MAB' ORDER BY timestamp DESC LIMIT 1
2017-03-05 17:13:15,350 [AuthReqThreadPool-22-0x7fd5a5bed700 r=R0008192e-01-58bc1cfb h=74] ERROR ExtDB.DBQuery - ResultSet is empty
2017-03-05 17:13:15,351 [AuthReqThreadPool-22-0x7fd5a5bed700 r=R0008192e-01-58bc1cfb h=74] ERROR ExtDB.DBQuery - Failed to get value for attributes=RemainingTime, Seconds-Since-Auth, case]

 

Error Code: 9001
Error Category: RADIUS protocol
Error Message: Wrong shared secret
Alerts for this Request -
Policy server: Failed to construct filter=SELECT FLOOR(EXTRACT(EPOCH FROM (NOW() - timestamp)))::integer AS seconds_since_auth, FLOOR((EXTRACT(EPOCH FROM (NOW() - timestamp)))/60)::integer AS minutes_since_auth, FLOOR((EXTRACT(EPOCH FROM (NOW() - timestamp)))/3600)::integer AS hours_since_auth, FLOOR((EXTRACT(EPOCH FROM (NOW() - timestamp)))/86400)::integer AS days_since_auth FROM auth WHERE auth.timestamp < NOW() AND auth.error_code = 0 AND auth.username = '%{Endpoint:Username}' AND auth.mac = '%{Connection:Client-Mac-Address-NoDelim}' AND auth.auth_status != 'MAB' ORDER BY timestamp DESC LIMIT 1.\nFailed to get value for attributes=[RemainingTime, Seconds-Since-Auth, case]
RADIUS: PAP: CLEAR TEXT password check failed\nUnprintable characters in the password. Check the shared secret on the server and the NAS.

Re: Clearpass reject with Error Code: 9001 Error Message: Wrong shared secret

Any unusual characters in the RADIUS secret?

 

Cheers
James

-------------------------------------------------------
-------------------@whereisjrw-------------------
------------------------blog-------------------------
ACCX #540 | ACMX #353 | ACDX #216
-----------Mobility First Expert #11----------
-------------------------------------------------------

Occasional Contributor I

Re: Clearpass reject with Error Code: 9001 Error Message: Wrong shared secret

No, only some numbers.

It works fine almost all the time. It only rejects with very low probability.

Contributor I

Re: Clearpass reject with Error Code: 9001 Error Message: Wrong shared secret

Sometimes the RADIUS packet can get corrupted in transit if the connection between the NAD and CPPM is unstable; a Wireshark trace will show you the corrupt packets.

 

Occasional Contributor I

Re: Clearpass reject with Error Code: 9001 Error Message: Wrong shared secret

Thanks brother,

The reason is that the shared secret is right, but we sometimes send the wrong password for the user.
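
Why the server logs "Unprintable characters in the password" and points at the shared secret, shown as an added example that is not part of the thread: the PAP User-Password hiding from RFC 2865 section 5.2, run with a matching secret, a mismatched secret, and a hidden password that was altered by one bit. The secret, password and authenticator values are constructed, and the printable-ASCII check is an assumption about the kind of test behind the logged message.

```python
import hashlib

def _keystream_xor(data: bytes, secret: bytes, prev: bytes) -> bytes:
    # One 16-byte block: data XOR MD5(secret + previous block or authenticator)
    return bytes(d ^ k for d, k in zip(data, hashlib.md5(secret + prev).digest()))

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """NAS side: RFC 2865 section 5.2 hiding of the User-Password attribute."""
    size = max(16, -(-len(password) // 16) * 16)   # pad with NULs to a 16-byte multiple
    padded = password.ljust(size, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, size, 16):
        prev = _keystream_xor(padded[i:i + 16], secret, prev)
        out += prev
    return out

def recover_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: undo the hiding with the server's copy of the secret."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _keystream_xor(block, secret, prev)
        prev = block
    return out.rstrip(b"\x00")

def looks_printable(password: bytes) -> bool:
    # Assumed printable-ASCII test, standing in for the server's own check
    return all(0x20 <= b < 0x7F for b in password)

# Constructed sample values, not taken from the thread
SECRET = b"12345678"
AUTHENTICATOR = bytes(range(16))
PASSWORD = b"Summer2017!"

def scenarios() -> dict:
    hidden = hide_password(PASSWORD, SECRET, AUTHENTICATOR)
    damaged = bytes([hidden[0] ^ 0x80]) + hidden[1:]   # one bit altered on the NAS or in transit
    return {
        "matching secret": recover_password(hidden, SECRET, AUTHENTICATOR),
        "mismatched secret": recover_password(hidden, b"12345679", AUTHENTICATOR),
        "damaged attribute": recover_password(damaged, SECRET, AUTHENTICATOR),
    }

if __name__ == "__main__":
    for name, recovered in scenarios().items():
        print(f"{name:18} printable={looks_printable(recovered)} {recovered!r}")
```

The second and third cases both leave the server with non-printable bytes, so the 9001 message on its own does not tell a mismatched secret apart from a password that reached the server already altered.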
