Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass reject

  • 1.  Clearpass reject

    Posted Mar 11, 2017 07:13 AM

    Hi everybody, I found a problem: when I send a RADIUS authentication request packet to ClearPass, it rejects the authentication. The log is as follows. When I do the authentication again, it accepts, but I'm sure I use the same username and password. It only rejects about 1 or 2 percent of the authentications. I didn't change our device's configuration. I do not know why. Is it a ClearPass issue? Or is the user's password actually wrong, or is the shared secret between the device and ClearPass sometimes wrong?

     

    2017-03-05 17:13:15,344 [Th 2953 Req 4154822 SessId R0008192e-01-58bc1cfb] ERROR RadiusServer.Radius - rlm_pap: User xxxx authentication failed
    2017-03-05 17:13:15,344 [Th 2953 Req 4154822 SessId R0008192e-01-58bc1cfb] ERROR RadiusServer.Radius - Unprintable characters in the password. Check the shared secret on the server and the NAS.
    ...

    2017-03-05 17:13:15,349 [AuthReqThreadPool-22-0x7fd5a5bed700 r=R0008192e-01-58bc1cfb h=74] ERROR ExtDB.DBQuery - ResultSet is empty
    2017-03-05 17:13:15,349 [AuthReqThreadPool-22-0x7fd5a5bed700 r=R0008192e-01-58bc1cfb h=74] WARN Util.ParameterizedString - getReplacedStrings: Failed to replace parameString =SELECT FLOOR(EXTRACT(EPOCH FROM (NOW() - timestamp)))::integer AS seconds_since_auth, FLOOR((EXTRACT(EPOCH FROM (NOW() - timestamp)))/60)::integer AS minutes_since_auth, FLOOR((EXTRACT(EPOCH FROM (NOW() - timestamp)))/3600)::integer AS hours_since_auth, FLOOR((EXTRACT(EPOCH FROM (NOW() - timestamp)))/86400)::integer AS days_since_auth FROM auth WHERE auth.timestamp < NOW() AND auth.error_code = 0 AND auth.username = '%{Endpoint:Username}' AND auth.mac = '%{Connection:Client-Mac-Address-NoDelim}' AND auth.auth_status != 'MAB' ORDER BY timestamp DESC LIMIT 1, error=No values for param=Endpoint:Username
    2017-03-05 17:13:15,349 [AuthReqThreadPool-22-0x7fd5a5bed700 r=R0008192e-01-58bc1cfb h=74] ERROR ExtDB.DBQuery - execute: Failed to construct filter=SELECT FLOOR(EXTRACT(EPOCH FROM (NOW() - timestamp)))::integer AS seconds_since_auth, FLOOR((EXTRACT(EPOCH FROM (NOW() - timestamp)))/60)::integer AS minutes_since_auth, FLOOR((EXTRACT(EPOCH FROM (NOW() - timestamp)))/3600)::integer AS hours_since_auth, FLOOR((EXTRACT(EPOCH FROM (NOW() - timestamp)))/86400)::integer AS days_since_auth FROM auth WHERE auth.timestamp < NOW() AND auth.error_code = 0 AND auth.username = '%{Endpoint:Username}' AND auth.mac = '%{Connection:Client-Mac-Address-NoDelim}' AND auth.auth_status != 'MAB' ORDER BY timestamp DESC LIMIT 1
    2017-03-05 17:13:15,350 [AuthReqThreadPool-22-0x7fd5a5bed700 r=R0008192e-01-58bc1cfb h=74] ERROR ExtDB.DBQuery - ResultSet is empty
    2017-03-05 17:13:15,351 [AuthReqThreadPool-22-0x7fd5a5bed700 r=R0008192e-01-58bc1cfb h=74] ERROR ExtDB.DBQuery - Failed to get value for attributes=RemainingTime, Seconds-Since-Auth, case]

     

    Error Code: 9001
    Error Category: RADIUS protocol
    Error Message: Wrong shared secret
    Alerts for this Request -
    Policy server: Failed to construct filter=SELECT FLOOR(EXTRACT(EPOCH FROM (NOW() - timestamp)))::integer AS seconds_since_auth, FLOOR((EXTRACT(EPOCH FROM (NOW() - timestamp)))/60)::integer AS minutes_since_auth, FLOOR((EXTRACT(EPOCH FROM (NOW() - timestamp)))/3600)::integer AS hours_since_auth, FLOOR((EXTRACT(EPOCH FROM (NOW() - timestamp)))/86400)::integer AS days_since_auth FROM auth WHERE auth.timestamp < NOW() AND auth.error_code = 0 AND auth.username = '%{Endpoint:Username}' AND auth.mac = '%{Connection:Client-Mac-Address-NoDelim}' AND auth.auth_status != 'MAB' ORDER BY timestamp DESC LIMIT 1.
    Failed to get value for attributes=[RemainingTime, Seconds-Since-Auth, case]
    RADIUS: PAP: CLEAR TEXT password check failed
    Unprintable characters in the password. Check the shared secret on the server and the NAS.

     

     

     



  • 2.  RE: Clearpass reject

    EMPLOYEE
    Posted Mar 12, 2017 04:16 AM

    Is the user using any special characters in the password to connect to the network?

    Could you try using simple characters and try to connect?

     

    Regards,

    Pavan

    If my post addresses your question, accept the solution and give kudos :)



  • 3.  RE: Clearpass reject

    Posted Mar 13, 2017 03:00 AM

    I am sure. I only use some numbers.



  • 4.  RE: Clearpass reject

    EMPLOYEE
    Posted Mar 13, 2017 04:38 AM

    May I know the CPPM version? Also, could you try logging in using simple characters and check the status?

    Are you using any special characters in the controller's shared secret key? If yes, could you try setting it to simple characters?

     

     



  • 5.  RE: Clearpass reject

    Posted Mar 13, 2017 07:25 AM

    Hi

    The version is 6.5.0.71095. I always use simple characters, like 1818 generated by the CPPM for the Guest user's password. It only rejects sometimes when I input the user's password.

    I just use some normal characters, like password123, as the shared secret key.



  • 6.  RE: Clearpass reject
    Best Answer

    EMPLOYEE
    Posted Mar 13, 2017 08:15 AM

    Could you please re-check the shared secret key on the controller and make sure it matches the CPPM one?

     

    Regards,

    Pavan

     

    If my post addresses your query, accept the solution and give kudos :)



  • 7.  RE: Clearpass reject

    Posted Mar 23, 2017 04:00 AM

    Thanks brother,

    The reason is that the shared secret is right, but we sometimes send the wrong user password.
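
Added example (not part of the thread and not ClearPass code): the RFC 2865 section 5.2 User-Password hiding used by PAP, showing why a server reports "Unprintable characters in the password" both when the shared secrets differ and when the NAS hides non-text bytes with the correct secret. The `diagnose` function is an assumed heuristic modelled on the log message above; the authenticator and the alternate secret and passwords are constructed sample values.

```python
import hashlib

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def hide_password(password, secret, authenticator):
    """NAS side: RFC 2865 section 5.2 User-Password hiding."""
    size = max(16, (len(password) + 15) // 16 * 16)
    padded = password.ljust(size, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, size, 16):
        prev = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += prev
    return out

def recover_password(hidden, secret, authenticator):
    """Server side: undo the hiding with the server's copy of the secret."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")

def diagnose(hidden, secret, authenticator, expected):
    """Assumed server logic: compare, then apply a printable-ASCII heuristic."""
    recovered = recover_password(hidden, secret, authenticator)
    if recovered == expected:
        return "accept"
    if not all(0x20 <= b <= 0x7E for b in recovered):
        return "reject: unprintable characters"
    return "reject: wrong password"

# Constructed sample values; "password123" and "1818" are the examples quoted in the thread.
SECRET = b"password123"
AUTH = bytes(range(16))          # Request Authenticator (constructed)
USER_PW = b"1818"

def demo():
    cases = {
        "matching secret": hide_password(USER_PW, SECRET, AUTH),
        "NAS has other secret": hide_password(USER_PW, b"password124", AUTH),
        "NAS sends wrong text": hide_password(b"1819", SECRET, AUTH),
        "NAS sends non-text bytes": hide_password(b"\x9f\x02\xc4\x11", SECRET, AUTH),
    }
    return {name: diagnose(h, SECRET, AUTH, USER_PW) for name, h in cases.items()}

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The second and fourth cases produce the same verdict, so the server-side message alone cannot separate a secret mismatch from a NAS that hides corrupted password bytes; a packet capture on the NAS side is needed to tell them apart.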