Occasional Contributor I
Posts: 9
Registered: ‎03-11-2017

Clearpass reject

Hi everybody, I found a problem: when I send a RADIUS authentication request packet to ClearPass, it rejects the authentication. The log is as follows. When I do the authentication again, it accepts. But I'm sure I use the same username and password. It only rejects about 1 or 2 percent of the authentications. I didn't change our device's configuration. I do not know why. Is it ClearPass's issue? Or is the user's password actually wrong, or is the shared secret between the device and ClearPass sometimes wrong?

 

2017-03-05 17:13:15,344 [Th 2953 Req 4154822 SessId R0008192e-01-58bc1cfb] ERROR RadiusServer.Radius - rlm_pap: User xxxx authentication failed
2017-03-05 17:13:15,344 [Th 2953 Req 4154822 SessId R0008192e-01-58bc1cfb] ERROR RadiusServer.Radius - Unprintable characters in the password. Check the shared secret on the server and the NAS.
...

2017-03-05 17:13:15,349 [AuthReqThreadPool-22-0x7fd5a5bed700 r=R0008192e-01-58bc1cfb h=74] ERROR ExtDB.DBQuery - ResultSet is empty
2017-03-05 17:13:15,349 [AuthReqThreadPool-22-0x7fd5a5bed700 r=R0008192e-01-58bc1cfb h=74] WARN Util.ParameterizedString - getReplacedStrings: Failed to replace parameString =SELECT FLOOR(EXTRACT(EPOCH FROM (NOW() - timestamp)))::integer AS seconds_since_auth, FLOOR((EXTRACT(EPOCH FROM (NOW() - timestamp)))/60)::integer AS minutes_since_auth, FLOOR((EXTRACT(EPOCH FROM (NOW() - timestamp)))/3600)::integer AS hours_since_auth, FLOOR((EXTRACT(EPOCH FROM (NOW() - timestamp)))/86400)::integer AS days_since_auth FROM auth WHERE auth.timestamp < NOW() AND auth.error_code = 0 AND auth.username = '%{Endpoint:Username}' AND auth.mac = '%{Connection:Client-Mac-Address-NoDelim}' AND auth.auth_status != 'MAB' ORDER BY timestamp DESC LIMIT 1, error=No values for param=Endpoint:Username
2017-03-05 17:13:15,349 [AuthReqThreadPool-22-0x7fd5a5bed700 r=R0008192e-01-58bc1cfb h=74] ERROR ExtDB.DBQuery - execute: Failed to construct filter=SELECT FLOOR(EXTRACT(EPOCH FROM (NOW() - timestamp)))::integer AS seconds_since_auth, FLOOR((EXTRACT(EPOCH FROM (NOW() - timestamp)))/60)::integer AS minutes_since_auth, FLOOR((EXTRACT(EPOCH FROM (NOW() - timestamp)))/3600)::integer AS hours_since_auth, FLOOR((EXTRACT(EPOCH FROM (NOW() - timestamp)))/86400)::integer AS days_since_auth FROM auth WHERE auth.timestamp < NOW() AND auth.error_code = 0 AND auth.username = '%{Endpoint:Username}' AND auth.mac = '%{Connection:Client-Mac-Address-NoDelim}' AND auth.auth_status != 'MAB' ORDER BY timestamp DESC LIMIT 1
2017-03-05 17:13:15,350 [AuthReqThreadPool-22-0x7fd5a5bed700 r=R0008192e-01-58bc1cfb h=74] ERROR ExtDB.DBQuery - ResultSet is empty
2017-03-05 17:13:15,351 [AuthReqThreadPool-22-0x7fd5a5bed700 r=R0008192e-01-58bc1cfb h=74] ERROR ExtDB.DBQuery - Failed to get value for attributes=RemainingTime, Seconds-Since-Auth, case]

 

Error Code: 9001
Error Category: RADIUS protocol
Error Message: Wrong shared secret
Alerts for this Request -
Policy server: Failed to construct filter=SELECT FLOOR(EXTRACT(EPOCH FROM (NOW() - timestamp)))::integer AS seconds_since_auth, FLOOR((EXTRACT(EPOCH FROM (NOW() - timestamp)))/60)::integer AS minutes_since_auth, FLOOR((EXTRACT(EPOCH FROM (NOW() - timestamp)))/3600)::integer AS hours_since_auth, FLOOR((EXTRACT(EPOCH FROM (NOW() - timestamp)))/86400)::integer AS days_since_auth FROM auth WHERE auth.timestamp < NOW() AND auth.error_code = 0 AND auth.username = '%{Endpoint:Username}' AND auth.mac = '%{Connection:Client-Mac-Address-NoDelim}' AND auth.auth_status != 'MAB' ORDER BY timestamp DESC LIMIT 1.\nFailed to get value for attributes=[RemainingTime, Seconds-Since-Auth, case]
RADIUS: PAP: CLEAR TEXT password check failed\nUnprintable characters in the password. Check the shared secret on the server and the NAS.

 

 

 

Aruba Employee
Posts: 186
Registered: ‎02-19-2015

Re: Clearpass reject

Is the user using any special characters in the password to connect to the network?

Could you try using simple characters and try to connect?

 

Regards,

Pavan

If my post addresses your question, accept the solution and give kudos :)

Occasional Contributor I
Posts: 9
Registered: ‎03-11-2017

Re: Clearpass reject

I am sure. I only use some numbers.

Aruba Employee
Posts: 186
Registered: ‎02-19-2015

Re: Clearpass reject

May I know the CPPM version, and could you also try logging in using simple characters and check the status?

Are you using any special characters in the controller shared secret key? If yes, could you try setting it to simple characters?

 

 

Occasional Contributor I
Posts: 9
Registered: ‎03-11-2017

Re: Clearpass reject

Hi

The version is 6.5.0.71095. I always use simple characters, like 1818 generated by the CPPM for the Guest user's password. It only rejects sometimes when I input the user's password.

I just use some normal characters, like password123 as the shared secret key.

Aruba Employee
Posts: 186
Registered: ‎02-19-2015

Re: Clearpass reject

Could you please re-check the shared secret key on the controller and make sure it matches the CPPM one?

 

Regards,

Pavan

 

If my post addresses your query, accept the solution and give kudos :)

Occasional Contributor I
Posts: 9
Registered: ‎03-11-2017

Re: Clearpass reject

Thanks brother,

The reason is that the shared secret is right, but we sometimes send the wrong password for the user.
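
Added example, not part of the thread and not ClearPass code: a Python sketch of the RFC 2865 User-Password hiding that PAP uses, showing why a server that decodes the field with a non-matching secret, or receives a field the NAS encoded incorrectly, ends up with unprintable bytes and reports a shared-secret problem. The secret and password are the sample values quoted in the thread; the authenticators, the `diagnose` helper and its messages are constructed for illustration.

```python
import hashlib

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def pap_encode(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous)."""
    size = max(1, -(-len(password) // 16)) * 16
    padded = password.ljust(size, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, size, 16):
        prev = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += prev  # each hidden block keys the next one
    return out

def pap_decode(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: same keystream, driven by the received hidden blocks."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")

def diagnose(hidden: bytes, secret: bytes, authenticator: bytes,
             expected: bytes) -> str:
    """Hypothetical helper: classify a PAP attempt the way the log lines hint."""
    password = pap_decode(hidden, secret, authenticator)
    if not all(0x20 <= b <= 0x7E for b in password):
        # Garbage after decoding: the secret differs, or the NAS built the
        # User-Password field incorrectly. The server cannot tell which.
        return "unprintable: check shared secret and NAS encoding"
    return "accept" if password == expected else "reject: wrong password"

# Constructed sample values (authenticators are not from the thread).
AUTH = bytes(range(16))            # Request Authenticator in the packet
STALE_AUTH = bytes(range(16, 32))  # a different authenticator, assumed NAS bug
SECRET = b"password123"
PASSWORD = b"1818"

if __name__ == "__main__":
    good = pap_encode(PASSWORD, SECRET, AUTH)
    print(diagnose(good, SECRET, AUTH, PASSWORD))          # secrets match
    print(diagnose(good, b"password124", AUTH, PASSWORD))  # secret mismatch
    bad = pap_encode(PASSWORD, SECRET, STALE_AUTH)
    print(diagnose(bad, SECRET, AUTH, PASSWORD))           # NAS encoded wrongly
```

The third case has the correct secret on both sides yet still decodes to garbage, which is why an intermittent "wrong shared secret" alert can point at how the NAS builds the request rather than at the configured secret.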
