NAS-IP-Address 0.0.0.0

  • 1.  NAS-IP-Address 0.0.0.0

    Posted Dec 13, 2017 08:11 PM

    I am trying to authenticate a new Meraki Z3 teleworker device to my ClearPass Policy Manager, but the request is failing. If I look at event viewer I see the access device IP/port as 0.0.0.0 and the NAS-IP-Address as 0.0.0.0. Is ClearPass making its decision based on the NAS-IP-Address, which is a clear violation of RFC 2865?

     



  • 2.  RE: NAS-IP-Address 0.0.0.0

    EMPLOYEE
    Posted Dec 13, 2017 08:17 PM
    The NAD is not matched based on NAS-IP.


  • 3.  RE: NAS-IP-Address 0.0.0.0

    Posted Dec 13, 2017 08:23 PM

    Where do you think the 0.0.0.0 is coming from?

     

    Session Identifier: R00045ff4-07-5a31c4de
    Date and Time: Dec 13, 2017 19:25:06 EST
    End-Host Identifier: A4-E9-75-A9-66-24
    Username: robinj06
    Access Device IP/Port: 0.0.0.0:
    System Posture Status: UNKNOWN (100)


  • 4.  RE: NAS-IP-Address 0.0.0.0

    EMPLOYEE
    Posted Dec 13, 2017 08:36 PM
    NAD-IP is computed from NAS-IP and that is what is displayed as the ‘Access Device IP/Port’

    In most environments, the NAS-IP and Source IP will be the same.


  • 5.  RE: NAS-IP-Address 0.0.0.0

    Posted Dec 13, 2017 08:53 PM

    So is it failing because the NAS-IP is 0.0.0.0?



  • 6.  RE: NAS-IP-Address 0.0.0.0

    EMPLOYEE
    Posted Dec 13, 2017 09:07 PM
    No. What does the alerts tab show in access tracker?


  • 7.  RE: NAS-IP-Address 0.0.0.0

    Posted Dec 13, 2017 09:16 PM
    Error Code: 216
    Error Category: Authentication failure
    Error Message: User authentication failed

    Alerts for this Request:
    RADIUS[Local User Repository] - localhost: User not found.
    MSCHAP: Authentication failed
    EAP-MSCHAPv2: User authentication failure


  • 8.  RE: NAS-IP-Address 0.0.0.0

    EMPLOYEE
    Posted Dec 13, 2017 09:19 PM
    The alert text explains the problem. The authenticating user was not found in the authentication source.

    [Local User Repository] - localhost: User not found.


  • 9.  RE: NAS-IP-Address 0.0.0.0

    Posted Dec 13, 2017 09:38 PM

    This is supposed to authenticate to AD; all of my other requests are successful.



  • 10.  RE: NAS-IP-Address 0.0.0.0

    EMPLOYEE
    Posted Dec 14, 2017 07:41 AM

    Have you included your Active Directory in the Authentication Sources for this service? The logs, as Tim indicates, appear to show that ClearPass is only checking the Local User Repository, not the AD.

     

    The log for a wrong password in AD would look like Logon failure:

    MSCHAP: AD status:Logon failure (0xc000006d) 
    MSCHAP: Authentication failed
    EAP-MSCHAPv2: User authentication failure

    For wrong username it would say User not found, like in your case:

     

    AD-arubalab.loc - dc01.arubalab.loc: User not found.
    MSCHAP: Authentication failed
    EAP-MSCHAPv2: User authentication failure

    Please double-check your service, most specifically the Authentication Sources. I think it is very unlikely that the 0.0.0.0 in the NAS-IP-Address has something to do with your issue at this point in the process.
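
Added example, not part of the thread and not ClearPass code: a small triage script that reads an Access Tracker alert block in the shapes quoted above and reports which authentication source was actually consulted, separating "the expected source was never checked" from a wrong username or wrong password. The function name, verdict strings and the `expected_source` parameter are hypothetical; the sample alert blocks are copied from the posts.

```python
import re

# Line shapes are the ones quoted in the thread; other alert formats are not
# handled (assumption: one alert per line).
NOT_FOUND = re.compile(
    r"^(?:RADIUS)?\[?(?P<source>[^\]]+?)\]?\s+-\s+(?P<host>\S+):\s*User not found\.?$")
AD_STATUS = re.compile(
    r"^MSCHAP:\s*AD status:\s*(?P<text>.+?)\s*\((?P<code>0x[0-9a-fA-F]+)\)$")


def triage_alerts(alert_text, expected_source):
    # expected_source: name of the authentication source the service is
    # supposed to use (hypothetical parameter, supplied by the operator).
    sources, ad_status = [], None
    for raw in alert_text.splitlines():
        line = raw.strip()
        m = NOT_FOUND.match(line)
        if m:
            sources.append(m.group("source"))
            continue
        m = AD_STATUS.match(line)
        if m:
            ad_status = (m.group("text"), m.group("code").lower())
    if ad_status:
        verdict = "directory_rejected_credentials"    # AD was reached
    elif sources and expected_source not in sources:
        verdict = "expected_source_not_consulted"     # check the service config
    elif sources:
        verdict = "user_not_found_in_expected_source"
    else:
        verdict = "unclassified"
    return {"sources_checked": sources, "ad_status": ad_status, "verdict": verdict}


# Alert blocks copied from the thread.
THREAD_CASE = """RADIUS[Local User Repository] - localhost: User not found.
MSCHAP: Authentication failed
EAP-MSCHAPv2: User authentication failure"""
WRONG_PASSWORD = """MSCHAP: AD status:Logon failure (0xc000006d)
MSCHAP: Authentication failed
EAP-MSCHAPv2: User authentication failure"""
WRONG_USERNAME = """AD-arubalab.loc - dc01.arubalab.loc: User not found.
MSCHAP: Authentication failed
EAP-MSCHAPv2: User authentication failure"""

if __name__ == "__main__":
    for name, block in [("thread", THREAD_CASE), ("bad password", WRONG_PASSWORD),
                        ("bad username", WRONG_USERNAME)]:
        print(name, triage_alerts(block, "AD-arubalab.loc"))
```

The source name `AD-arubalab.loc` is the lab name from the last reply; substitute the name of the AD authentication source configured on your own service.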