Occasional Contributor I
Posts: 11
Registered: ‎12-01-2010

Error 206

Screen Shot 2014-09-09 at 10.12.53 AM.png

 

I would like to ask about this error 206. I already checked the user account and everything is fine. Can someone explain to me what the root cause of the problem is and how to solve it?

Guru Elite
Posts: 7,991
Registered: ‎09-08-2010

Re: Error 206

What type of service is this? 802.1X? MAC-auth?

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Occasional Contributor I
Posts: 11
Registered: ‎12-01-2010

Re: Error 206

802.1X auth.

 

We used AD to auth the user.

Guru Elite
Posts: 7,991
Registered: ‎09-08-2010

Re: Error 206

What is the default profile set to? It looks like it's falling through all your service rules.

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Occasional Contributor I
Posts: 11
Registered: ‎12-01-2010

Re: Error 206

We just set it as the user profile. Is there another profile? Or can we check the profile in AD or in ClearPass itself?

Aruba
Posts: 1,636
Registered: ‎04-13-2009

Re: Error 206

If you are able to export the log entry, it may help us with your solution (button on the bottom right of your Access Tracker event). As Tim stated, you are getting the reject because policy did not match (and the reject profile is likely the default profile action in that case). Despite passing authentication, the policy engine is going to evaluate the request through the Role Mapping Policy and the Enforcement Policy. By reviewing those two policies that are applied to your Service, you should be able to track why the user did not "match" anything in those policies and thus was given the reject profile instead.

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX

Aruba
Posts: 1,534
Registered: ‎06-12-2012

Re: Error 206

To do a quick test, change your default policy to accept and see if the client connects. If it does, then you know there is an error in your policy.

A common issue is that you have in your rules a role or enforcement condition that is EQUALS and most likely it needs to be CONTAINS, especially if it's an AD group membership.

If it's EQUALS then it needs to be the full AD group name.

If it's CONTAINS then it can be the simple name.

See example below.

Screen Shot 2014-09-08 at 10.49.07 PM.png

Thank You,
Troy

Contributor II
Posts: 41
Registered: ‎05-15-2014

Re: Error 206

Hi. Can you provide a bit more info about the service, role and enforcement policy this user is going down? Is this an 802.1x service? And are you backing off the decision making to Active Directory?
Contributor II
Posts: 41
Registered: ‎05-15-2014

Re: Error 206

Having now scrolled down I can see you've answered some of those! I agree with CONTAINS for group membership. I would also check the AND/OR logic plus the FIRST APPLICABLE/ALL logic, as this sometimes leads to unexpected results.
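
As an added illustration (not part of the original thread and not ClearPass code), this toy Python model reproduces the fall-through to the default profile discussed in the replies above, including EQUALS versus CONTAINS on a group DN, AND/OR conditions and first-applicable versus all-matching evaluation. The attribute name, group DNs and profile names are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed sample data: group DNs as an AD lookup might return them.
STAFF_DN = "CN=Staff,OU=Groups,DC=example,DC=com"
STAFF_USER = {"memberOf": [STAFF_DN]}
CONTRACTOR = {"memberOf": ["CN=Staff-Contractors,OU=Groups,DC=example,DC=com"]}

@dataclass
class Condition:
    attribute: str
    operator: str  # "EQUALS" or "CONTAINS"
    value: str

    def matches(self, request):
        values = request.get(self.attribute, [])
        if self.operator == "EQUALS":
            return self.value in values  # must equal one whole entry (the full DN)
        if self.operator == "CONTAINS":
            return any(self.value in v for v in values)  # substring of any entry
        raise ValueError(f"unknown operator {self.operator}")

@dataclass
class Rule:
    conditions: list
    profile: str
    match_all: bool = True  # True = AND of the conditions, False = OR

    def matches(self, request):
        combine = all if self.match_all else any
        return combine(c.matches(request) for c in self.conditions)

def evaluate(rules, request, default_profile, first_applicable=True):
    """Return the profiles applied; the default is used only when no rule matches."""
    hits = [r.profile for r in rules if r.matches(request)]
    if not hits:
        return [default_profile]
    return hits[:1] if first_applicable else hits

def staff_rule(operator, value):
    """Hypothetical single-condition rule granting 'Staff Access'."""
    return Rule([Condition("memberOf", operator, value)], "Staff Access")

if __name__ == "__main__":
    for op, value in [("EQUALS", "Staff"), ("EQUALS", STAFF_DN), ("CONTAINS", "Staff")]:
        for name, req in [("staff", STAFF_USER), ("contractor", CONTRACTOR)]:
            print(op, value, name, evaluate([staff_rule(op, value)], req, "Deny Access"))
```

In this model the short-name CONTAINS rule also matches the constructed `Staff-Contractors` group, so when testing a CONTAINS condition it is worth checking which other group names share the substring.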