Super Contributor I

Issues with CPPM 6.5 and accounting proxying

Just about to log this as a support call but thought I'd see if anyone else is seeing this.

I am experiencing an issue with proxying RADIUS accounting packets to a 3rd party RADIUS server (FreeRADIUS 2.2.5) from within a ClearPass 6.5 service.

While everything seems to work initially, eventually all auth requests fail as the policy server has become unresponsive. This is irrespective of the type of authentication.

Below is the log entry for a MAC auth that usually works. The only difference being that I've enabled the accounting proxy option in the service definition.

======
Request Details Summary -
 Session Identifier: R000015dd-01-550c09d4
 Date and Time: Mar 20, 2015 11:51:48 GMT
 Username: 00-1A-E8-54-7E-19
 End-Host Identifier: 00-1A-E8-54-7E-19
 Access Device IP/Port: 10.4.4.107:67116963
 Audit Posture Status:
 System Posture Status:
 Login Status: REJECT

Policies Used -
 Service:
 Authentication Method:
 Authentication Source: None
 Authorization Source:
 Roles:
 Enforcement Profiles:
 Service Monitor Mode:

Alerts -
 Error Code: 106
 Error Category: Internal error
 Error Message: Internal error in RADIUS server
 Alerts for this Request -
   RADIUS: Service Categorization failed\nCannot send request to Policy server


==========


In addition to this, a watchdog process seems to be trying to help because it's detected that the policy server has become unavailable and is restarting the policy server (see below). I'm guessing that each time a service is called that has accounting proxy enabled it "uses up" a policy-server thread and doesn't release it back into the pool. Eventually all the threads are used and subsequent auth requests cannot contact the policy manager.

 

[Attached image: accounting-proxy-error.png]

If you disable the accounting proxy feature, everything springs back into life.
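
Added example (not part of the original post and not Aruba code): one way to separate the policy-server failure shown in the log entry above from ordinary rejects is to look for Error Code 106 with the "Cannot send request to Policy server" alert hitting several different users in a short window. The text layout with ====== rulers, the function names, the 15-minute window and the two-user threshold are assumptions; only the first sample record uses values from the post.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the layout of the entry quoted in the post; only the
# first record's values come from the page, the other two are made up.
SAMPLE = r"""======
 Session Identifier: R000015dd-01-550c09d4
 Date and Time: Mar 20, 2015 11:51:48 GMT
 Username: 00-1A-E8-54-7E-19
 Login Status: REJECT
 Error Code: 106
   RADIUS: Service Categorization failed\nCannot send request to Policy server
======
 Date and Time: Mar 20, 2015 11:40:10 GMT
 Username: 00-00-5E-00-53-01
 Login Status: ACCEPT
======
 Date and Time: Mar 20, 2015 11:53:02 GMT
 Username: 00-00-5E-00-53-02
 Login Status: REJECT
 Error Code: 106
   RADIUS: Service Categorization failed\nCannot send request to Policy server
"""

MARKER = "Cannot send request to Policy server"
FMT = "%b %d, %Y %H:%M:%S GMT"

def parse_records(text):
    """One dict of 'Key: value' fields per block between ====== rulers."""
    records = []
    for block in re.split(r"^=+[ \t]*$", text, flags=re.M):
        rec = {k.strip(): v.strip() for k, _, v in
               (ln.partition(":") for ln in block.splitlines() if ":" in ln)}
        if rec:
            records.append(rec)
    return records

def policy_server_failures(records):
    """Rejects caused by the RADIUS front end failing to reach the policy server."""
    return [r for r in records
            if r.get("Login Status") == "REJECT" and r.get("Error Code") == "106"
            and MARKER in r.get("RADIUS", "")]

def outage_suspected(records, min_users=2, window=timedelta(minutes=15)):
    """True when min_users distinct users hit the failure within one window."""
    hits = sorted((datetime.strptime(r["Date and Time"], FMT), r["Username"])
                  for r in policy_server_failures(records))
    return any(len({u for t, u in hits[i:] if t - start <= window}) >= min_users
               for i, (start, _) in enumerate(hits))
```

A single Error Code 106 reject is not enough to call an outage; the same alert across different endpoints matches the "all auth requests fail" symptom described in the post.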



Re: Issues with CPPM 6.5 and accounting proxying

Aruba TAC will be your best option.

The only question I have for you, if this is a virtual environment, is whether the instance was built up to spec?

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Super Contributor I

Re: Issues with CPPM 6.5 and accounting proxying

Yes, it is a VM. No, it's not built up to spec. This is a dev server that only I use. At most there are 2 or 3 auth requests every 15 mins. Clients are 3 IP phones, 1 OS X machine, 1 Windows VM and 1 iPhone 6 Plus. Only other thing that's happening is processing of DHCP requests, as I'm UDP helping DHCP requests into it so I can populate the endpoints database.

There isn't a lot of traffic on the VM.

Rgds
Alex

Re: Issues with CPPM 6.5 and accounting proxying

The thing is that 6.5 has a lot of new features that require a lot of resources, so the first thing that TAC may ask you is to make sure that your server is up to spec.

Of course this may not necessarily be your issue, but it is something to keep in mind; I have seen weird stuff in my lab environment when it wasn't built up to spec.

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Contributor II

Re: Issues with CPPM 6.5 and accounting proxying

Had same error on 6.5 CPPM, and found that it was due to a Firewall block for an authorization source.

Once we allowed traffic from CPPM node to authorization source (external SQL db), we were able to avoid the error.

I've seen this anytime you enable an authorization source and the query fails. I'd like to make some authorization sources "optional" so that I can have other logic to handle when authorization sources are unavailable.

 

Guess it's time for an RFE....

Super Contributor I

Re: Issues with CPPM 6.5 and accounting proxying

Wow! That's good to know. FWIW I'm now running full spec VMs for my CPPM 5K VMs. If I enable accounting proxying on more than 2 services and go have a cup of tea, within 30-45 mins I'll be able to see my ClearPass servers fail one by one. Policy manager drops off on each one and they start sending rejects. To get to 2 services proxying accounting I had to increase the value of

Server Configuration/Service Parameters/Policy Server/Authentication Thread Pool Size

from default to 50.

 

Ah well, it's also nice to know that our Check Point firewall crashes when we send RADIUS accounting data to it if it's configured to try and use the info.... at least it's not just our end that fails!

 

A

 

 

Frequent Contributor II

Re: Issues with CPPM 6.5 and accounting proxying

I have the same issue, but the difference is I don't have any service that uses accounting proxy.

My policy service cannot run; every time I manually run it, it always goes to stop in seconds.

I am running 6.7.7.

Already opened a case but TAC isn't responding to me yet.

Can anyone give me a pointer on what I should check? I am trying to debug the policy service at the moment.

Ricky E. Lee
CWNA | ACMP | ACCP
Super Contributor I

Re: Issues with CPPM 6.5 and accounting proxying

There was a hiccup this morning where an automagic A/V update resulted in the Policy Server stopping. This was fixed with A/V version 1.48751.

Try doing a check for updates till you get that A/V version and restart the policy manager.

Rgds

A

Frequent Contributor II

Re: Issues with CPPM 6.5 and accounting proxying

I confirm updating AV/AS to 1.48.751 solves this issue.

This case caused me a headache for a few hours.

 

Ricky E. Lee
CWNA | ACMP | ACCP