Super Contributor I
Posts: 294
Registered: 02-07-2013

Issues with CPPM 6.5 and accounting proxying

Just about to log this as a support call, but thought I'd see if anyone else is seeing this.

 

I am experiencing an issue with proxying RADIUS accounting packets to a 3rd party RADIUS server (freeradius 2.2.5) from within a clearpass 6.5 service.

While everything seems to work initially, eventually all auth requests fail as the policy server has become unresponsive. This is irrespective of the type of authentication.

Below is the log entry for a MAC auth that usually works. The only difference being that I've enabled the accounting proxy option in the service definition.

======
Request Details Summary -
 Session Identifier: R000015dd-01-550c09d4
 Date and Time: Mar 20, 2015 11:51:48 GMT
 Username: 00-1A-E8-54-7E-19
 End-Host Identifier: 00-1A-E8-54-7E-19
 Access Device IP/Port: 10.4.4.107:67116963
 Audit Posture Status:
 System Posture Status:
 Login Status: REJECT

Policies Used -
 Service:
 Authentication Method:
 Authentication Source: None
 Authorization Source:
 Roles:
 Enforcement Profiles:
 Service Monitor Mode:

Alerts -
 Error Code: 106
 Error Category: Internal error
 Error Message: Internal error in RADIUS server
 Alerts for this Request -
   RADIUS: Service Categorization failed
   Cannot send request to Policy server


==========


In addition to this a watchdog process seems to be trying to help because it's detected that the policy server has become unavailable and is restarting the policy server (see below). I'm guessing that each time a service is called that has accounting proxy enabled it "uses up" a policy-server thread and doesn't release it back into the pool. Eventually all the threads are used and subsequent auth requests cannot contact the policy manager.

 

[attached image: accounting-proxy-error.png]

If you disable the accounting proxy feature, everything springs back into life.



MVP
Posts: 4,269
Registered: 07-20-2011

Re: Issues with CPPM 6.5 and accounting proxying

Aruba TAC will be your best option.

 

The only question I have for you, if this is a virtual environment, is whether the instance was built up to spec?

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Super Contributor I
Posts: 294
Registered: 02-07-2013

Re: Issues with CPPM 6.5 and accounting proxying

Yes, it is a VM. No, it's not built up to spec. This is a dev server that only I use. At most there are 2 or 3 auth requests every 15 mins. Clients are 3 IP phones, 1 OS X machine, 1 Windows VM and 1 iPhone 6 Plus. The only other thing that's happening is processing of DHCP requests, as I'm UDP helping DHCP requests into it so I can populate the endpoints database.

There isn't a lot of traffic on the VM

Rgds
Alex
MVP
Posts: 4,269
Registered: 07-20-2011

Re: Issues with CPPM 6.5 and accounting proxying

The thing is that 6.5 has a lot of new features that require a lot of resources, so the first thing that TAC may ask you is to make sure that your server is up to spec.

 

Of course this may not necessarily be your issue, but it is something to keep in mind; I have seen weird stuff in my lab environment when it wasn't built up to spec.

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Contributor II
Posts: 56
Registered: 04-22-2009

Re: Issues with CPPM 6.5 and accounting proxying

Had the same error on 6.5 CPPM, and found that it was due to a firewall block for an authorization source.

Once we allowed traffic from the CPPM node to the authorization source (external SQL db), we were able to avoid the error.

 

I've seen this any time you enable an authorization source and the query fails. I'd like to make some authorization sources "optional" so that I can have other logic to handle when authorization sources are unavailable.

 

Guess it's time for an RFE....

Super Contributor I
Posts: 294
Registered: 02-07-2013

Re: Issues with CPPM 6.5 and accounting proxying

Wow! That's good to know. FWIW I'm now running full spec VMs for my CPPM 5K VMs. If I enable accounting proxying on more than 2 services and go have a cup of tea, within 30-45 mins I'll be able to see my clearpass servers fail one by one. Policy manager drops off on each one and they start sending rejects. To get to 2 services proxying accounting I had to increase the value of

Server Configuration/Service Parameters/Policy Server/Authentication Thread Pool Size

from default to 50.

 

Ah well, it's also nice to know that our Checkpoint firewall crashes when we send RADIUS accounting data to it if it's configured to try and use the info... at least it's not just our end that fails!

 

A
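An added example, not code from the thread, ClearPass or FreeRADIUS: a small RFC 2866 accounting probe you can run from a host on the same network segment as the CPPM node to check whether the 3rd-party accounting target (or an authorization source behind a firewall, as in the reply above) actually answers. It builds one Accounting-Request with a proper Request Authenticator, waits for the Accounting-Response and verifies the Response Authenticator, so a firewall drop (timeout) is distinguished from a shared-secret mismatch (reply arrives but fails verification). The MAC address and NAS IP are taken from the log above; the target host, port 1813, the secret `testing123` and the session id are assumptions for illustration, and `simulate_server_response` is a constructed stand-in for the server used only for the offline self-test.

```python
"""Minimal RADIUS accounting probe (RFC 2866) for testing an accounting proxy target.

Added example, not from the forum thread or from ClearPass/FreeRADIUS. The target
host, the shared secret and the session id below are assumptions for illustration.
"""
import hashlib
import hmac
import os
import socket
import struct

ACCT_REQUEST = 4
ACCT_RESPONSE = 5

# RADIUS attribute types used here (RFC 2865 / RFC 2866)
USER_NAME = 1
NAS_IP_ADDRESS = 4
ACCT_STATUS_TYPE = 40
ACCT_SESSION_ID = 44
ACCT_STATUS_START = 1


def _attr(atype: int, value: bytes) -> bytes:
    """Encode one TLV attribute; the length byte covers type + length + value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_accounting_request(secret: bytes, ident: int, username: str,
                             nas_ip: str, session_id: str) -> bytes:
    """Build an Accounting-Request (Start).

    Request Authenticator = MD5(Code + ID + Length + 16 zero bytes + Attributes + Secret).
    """
    attrs = (_attr(ACCT_STATUS_TYPE, struct.pack("!I", ACCT_STATUS_START))
             + _attr(USER_NAME, username.encode())
             + _attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + _attr(ACCT_SESSION_ID, session_id.encode()))
    header = struct.pack("!BBH", ACCT_REQUEST, ident, 20 + len(attrs))
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def verify_accounting_response(request: bytes, response: bytes, secret: bytes) -> bool:
    """Check code, identifier, declared length and the Response Authenticator.

    Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    """
    if len(request) < 20 or len(response) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", response[:4])
    if code != ACCT_RESPONSE or ident != request[1] or length != len(response):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def simulate_server_response(request: bytes, secret: bytes) -> bytes:
    """Constructed stand-in for the accounting server; used only for the offline self-test."""
    header = struct.pack("!BBH", ACCT_RESPONSE, request[1], 20)
    return header + hashlib.md5(header + request[4:20] + secret).digest()


def probe(host: str, port: int, secret: bytes, timeout: float = 3.0) -> str:
    """Send one Accounting-Request and classify the outcome.

    'ok'       - a valid Accounting-Response came back
    'timeout'  - nothing came back (firewall drop, wrong port, server down)
    'bad-auth' - a reply arrived but its authenticator did not verify
                 (shared-secret mismatch or a tampered packet)
    """
    ident = os.urandom(1)[0]
    req = build_accounting_request(secret, ident, "00-1A-E8-54-7E-19",
                                   "10.4.4.107", "probe-%d" % ident)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(req, (host, port))
        try:
            resp, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "timeout"
    return "ok" if verify_accounting_response(req, resp, secret) else "bad-auth"


if __name__ == "__main__":
    import sys
    secret = b"testing123"  # assumed shared secret
    if len(sys.argv) >= 2:
        print(probe(sys.argv[1], 1813, secret))  # e.g. python probe.py 192.0.2.10
    else:
        req = build_accounting_request(secret, 7, "00-1A-E8-54-7E-19", "10.4.4.107", "self-test")
        ok = verify_accounting_response(req, simulate_server_response(req, secret), secret)
        print("offline self-test:", ok)
```

Run it with the target's address to get one of `ok`, `timeout` or `bad-auth`; a `timeout` from the same segment as the CPPM node is the firewall/reachability case described in the thread, while `bad-auth` means the server is reachable but the shared secret does not match. Note that a healthy target is a prerequisite, not a fix, for the thread-pool exhaustion described above.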
