Frequent Contributor II
Posts: 120
Registered: ‎10-31-2012

Timeouts on Reject only.

On my ClearPass 6.3 server I am getting timeouts: "RADIUS Client did not complete EAP transaction" when a user fails RADIUS auth with the wrong username/pass. However, with the correct username/password he receives the ACCEPT message fine. Why would a REJECT time out and an ACCEPT make it?

Guru Elite
Posts: 8,638
Registered: ‎09-08-2010

Re: Timeouts on Reject only.

Timeouts generally occur when a user waits too long before entering their credentials or when a device has disassociated before authentication can complete.

Sometimes when bad credentials are entered, the supplicant will bounce back and ask for credentials again. Many times this will time out.

I notice this behavior mostly on Mac OS X: when bad credentials are entered, the OS just spins its wheels sometimes and ClearPass shows a TIMEOUT.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Aruba
Posts: 1,545
Registered: ‎06-12-2012

Re: Timeouts on Reject only.

What version of CPPM is this?
Thank You,
Troy

--Give Kudos: found something helpful, important, or cool? Click Kudos Star in a post.

--Problem Solved? Click "Accepted Solution" in a post.
MVP
Posts: 1,111
Registered: ‎10-11-2011

Re: Timeouts on Reject only.

I most often see timeouts when the client does not trust the certificate that CPPM sends.  This may be the case if the cert chain is not present on the client. 

=======================================
If a reply adequately addresses your issue, please click on the "Accept as Solution" and "Give Kudos" button so this information can benefit other users.
Frequent Contributor II
Posts: 120
Registered: ‎10-31-2012

Re: Timeouts on Reject only.

These are requests being proxied to our campus via Eduroam. Not sure what they use for the RADIUS server (FreeRADIUS is my guess). Let me know if there is any other info that would be helpful.

MVP
Posts: 1,111
Registered: ‎10-11-2011

Re: Timeouts on Reject only.

NVM!  Wasn't thinking when I responded... :)

Frequent Contributor II
Posts: 120
Registered: ‎10-31-2012

Re: Timeouts on Reject only.

Logs if this helps...

Time Message

2014-01-14 15:54:52,331[RequestHandler-1-0x7fe1ce7f3700 r=psauto-1389650139-80007 h=127 r=R006be078-05-52d5ce4c] INFO Core.ServiceReqHandler - Service classification result = EDUROAM ROAMING USERS
2014-01-14 15:55:42,115[main SessId R006be078-05-52d5ce4c] ERROR RadiusServer.Radius - reqst_clean_list: Deleting request sessid - R006be078-05-52d5ce4c, state - 0x0046008b004b00dfdc45ad02b7232c88963502f8df832067c88ae3da
2014-01-14 15:55:42,115[main SessId R006be078-05-52d5ce4c] ERROR RadiusServer.Radius - reqst_clean_list: Packet 213:139:110:70-6F-6C-69-73-68 recv 1389743692.312669 - resp 1389743693.505437
2014-01-14 15:55:42,115[main SessId R006be078-05-52d5ce4c] ERROR RadiusServer.Radius - reqst_clean_list: Packet 214:156:76:70-6F-6C-69-73-68 recv 1389743693.625021 - resp 1389743694.794394
2014-01-14 15:55:42,115[main SessId R006be078-05-52d5ce4c] ERROR RadiusServer.Radius - reqst_clean_list: Packet 215:251:1112:70-6F-6C-69-73-68 recv 1389743694.879621 - resp 1389743696.120393
2014-01-14 15:55:42,115[main SessId R006be078-05-52d5ce4c] ERROR RadiusServer.Radius - reqst_clean_list: Packet 216:156:1108:70-6F-6C-69-73-68 recv 1389743696.205641 - resp 1389743697.443419
2014-01-14 15:55:42,116[RequestHandler-1-0x7fe1ce7f3700 r=psauto-1389650139-80080 h=135 r=R006be078-05-52d5ce4c] INFO Common.EndpointTable - Returning NULL (EndpointPtr) for macAddr 706f6c697368
2014-01-14 15:55:42,116[RequestHandler-1-0x7fe1ce7f3700 r=psauto-1389650139-80080 h=135 r=R006be078-05-52d5ce4c] INFO Common.TagDefinitionCacheTable - No TagDefCacheMap could be found for instance id = 1 entity id = 29
2014-01-14 15:55:42,116[RequestHandler-1-0x7fe1ce7f3700 r=psauto-1389650139-80080 h=135 r=R006be078-05-52d5ce4c] INFO Common.TagDefinitionCacheTable - Building the TagDefMapTable for NAD instance=1
2014-01-14 15:55:42,116[RequestHandler-1-0x7fe1ce7f3700 r=psauto-1389650139-80080 h=135 r=R006be078-05-52d5ce4c] INFO Common.TagDefinitionCacheTable - Built 0 tag(s) for NAD instanceId=1|entityId=29
2014-01-14 15:55:42,116[RequestHandler-1-0x7fe1ce7f3700 r=psauto-1389650139-80080 h=135 r=R006be078-05-52d5ce4c] INFO TAT.TagAttrHolderBuilder - No tags built for instanceId=1|entity=Device
2014-01-14 15:55:42,116[RequestHandler-1-0x7fe1ce7f3700 r=psauto-1389650139-80080 h=135 r=R006be078-05-52d5ce4c] INFO TAT.AluTagAttrHolderBuilder - buildAttrHolder: Tags cannot be built for instanceId=0 (NULL AuthLocalUser)
2014-01-14 15:55:42,116[RequestHandler-1-0x7fe1ce7f3700 r=psauto-1389650139-80080 h=135 r=R006be078-05-52d5ce4c] INFO TAT.GuTagAttrHolderBuilder - buildAttrHolder: Tags cannot be built for instanceId=0 (NULL GuestUser)
2014-01-14 15:55:42,116[RequestHandler-1-0x7fe1ce7f3700 r=psauto-1389650139-80080 h=135 r=R006be078-05-52d5ce4c] INFO TAT.EndpointTagAttrHolderBuilder - buildAttrHolder: Tags cannot be built for instanceId=0 (NULL Endpoint)
2014-01-14 15:55:42,116[RequestHandler-1-0x7fe1ce7f3700 r=psauto-1389650139-80080 h=135 r=R006be078-05-52d5ce4c] INFO TAT.OnboardTagAttrHolderBuilder - buildAttrHolder: Tags cannot be built for instanceId=0 (NULL Onboard Device User)
2014-01-14 15:55:42,117[RequestHandler-1-0x7fe1ce7f3700 h=726652 c=R006be078-05-52d5ce4c] INFO Core.PETaskScheduler - *** PE_TASK_SCHEDULE_RADIUS Started ***
2014-01-14 15:55:42,117[RequestHandler-1-0x7fe1ce7f3700 h=726654 c=R006be078-05-52d5ce4c] INFO Core.PETaskRoleMapping - Roles:
2014-01-14 15:55:42,117[RequestHandler-1-0x7fe1ce7f3700 h=726657 c=R006be078-05-52d5ce4c] INFO Core.PETaskEnforcement - EnfProfiles: Deny Access Profile]
2014-01-14 15:55:42,118[RequestHandler-1-0x7fe1ce7f3700 h=726662 c=R006be078-05-52d5ce4c] INFO Core.PETaskGenericEnfProfileBuilder - getApplicableProfiles: No App enforcement (Generic) profiles applicable for this device
2014-01-14 15:55:42,118[RequestHandler-1-0x7fe1ce7f3700 h=726658 c=R006be078-05-52d5ce4c] WARN Core.SessionInfoOperations - Skip SessionInfoOperations::persistSessionInfo because of NULL NAD or NAD IP matching localhost
2014-01-14 15:55:42,118[RequestHandler-1-0x7fe1ce7f3700 h=726658 c=R006be078-05-52d5ce4c] INFO Core.PETaskRadiusEnfProfileBuilder - EnfProfileAction=DENY
2014-01-14 15:55:42,118[RequestHandler-1-0x7fe1ce7f3700 h=726658 c=R006be078-05-52d5ce4c] INFO Core.PETaskRadiusEnfProfileBuilder - Radius enfProfiles used: Deny Access Profile]
2014-01-14 15:55:42,118[RequestHandler-1-0x7fe1ce7f3700 h=726658 c=R006be078-05-52d5ce4c] INFO Core.EnfProfileComputer - getFinalSessionTimeout: sessionTimeout = 0
2014-01-14 15:55:42,118[RequestHandler-1-0x7fe1ce7f3700 h=726663 c=R006be078-05-52d5ce4c] INFO Core.PETaskCliEnforcement - startHandler: Request rejected. Skip CLI enforcement
2014-01-14 15:55:42,118[RequestHandler-1-0x7fe1ce7f3700 r=R006be078-05-52d5ce4c h=726661 c=R006be078-05-52d5ce4c] WARN Core.PETaskPostAuthEnfProfileBuilder - handleHttpResponseEv: Fetching Radius attributes from battery failed, errMsg=
2014-01-14 15:55:42,118[RequestHandler-1-0x7fe1ce7f3700 r=R006be078-05-52d5ce4c h=726661 c=R006be078-05-52d5ce4c] INFO Core.PETaskPostAuthEnfProfileBuilder - getApplicableProfiles: No Post auth enforcement profiles applicable for this device
2014-01-14 15:55:42,119[RequestHandler-1-0x7fe1ce7f3700 r=R006be078-05-52d5ce4c h=726659 c=R006be078-05-52d5ce4c] WARN Core.PETaskRadiusCoAEnfProfileBuilder - handleHttpResponseEv: Fetching Radius attributes from battery failed, errMsg=
2014-01-14 15:55:42,121[RequestHandler-1-0x7fe1ce7f3700 h=726665 c=R006be078-05-52d5ce4c] INFO Core.XpipPolicyResHandler - populateResponseTlv: PETaskPostureOutput does not exist. Skip sending posture VAFs
2014-01-14 15:55:42,121[RequestHandler-1-0x7fe1ce7f3700 h=726665 c=R006be078-05-52d5ce4c] INFO Core.PolicyResCollector - getSohr: Failed to generate Sohr
2014-01-14 15:55:42,121[RequestHandler-1-0x7fe1ce7f3700 h=726664 c=R006be078-05-52d5ce4c] INFO Core.PolicyResCollector - getSohr: Failed to generate Sohr
2014-01-14 15:55:42,121[RequestHandler-1-0x7fe1ce7f3700 r=R006be078-05-52d5ce4c h=726652 c=R006be078-05-52d5ce4c] INFO Core.PETaskScheduler - *** PE_TASK_SCHEDULE_RADIUS Completed ***
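Added example (not part of the original post or of ClearPass): a small parser for the `reqst_clean_list` lines above that reports how quickly the server answered each packet and how long the session then sat idle before cleanup. The function name is hypothetical, and two things are assumptions: the first number after `Packet` is taken as the packet identifier, and log timestamps are taken as UTC-8, which makes the 15:54:52 classification line agree with the first `recv` epoch.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: one INFO line and five reqst_clean_list lines copied from the excerpt above.
SAMPLE_LOG = """\
2014-01-14 15:54:52,331[RequestHandler-1-0x7fe1ce7f3700 r=psauto-1389650139-80007 h=127 r=R006be078-05-52d5ce4c] INFO Core.ServiceReqHandler - Service classification result = EDUROAM ROAMING USERS
2014-01-14 15:55:42,115[main SessId R006be078-05-52d5ce4c] ERROR RadiusServer.Radius - reqst_clean_list: Deleting request sessid - R006be078-05-52d5ce4c, state - 0x0046008b004b00dfdc45ad02b7232c88963502f8df832067c88ae3da
2014-01-14 15:55:42,115[main SessId R006be078-05-52d5ce4c] ERROR RadiusServer.Radius - reqst_clean_list: Packet 213:139:110:70-6F-6C-69-73-68 recv 1389743692.312669 - resp 1389743693.505437
2014-01-14 15:55:42,115[main SessId R006be078-05-52d5ce4c] ERROR RadiusServer.Radius - reqst_clean_list: Packet 214:156:76:70-6F-6C-69-73-68 recv 1389743693.625021 - resp 1389743694.794394
2014-01-14 15:55:42,115[main SessId R006be078-05-52d5ce4c] ERROR RadiusServer.Radius - reqst_clean_list: Packet 215:251:1112:70-6F-6C-69-73-68 recv 1389743694.879621 - resp 1389743696.120393
2014-01-14 15:55:42,115[main SessId R006be078-05-52d5ce4c] ERROR RadiusServer.Radius - reqst_clean_list: Packet 216:156:1108:70-6F-6C-69-73-68 recv 1389743696.205641 - resp 1389743697.443419
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3})\[main SessId (?P<sid>\S+)\] "
    r"ERROR RadiusServer\.Radius - reqst_clean_list: (?P<body>.*)$")
PACKET_RE = re.compile(r"^Packet (?P<id>\d+):\S+ recv (?P<recv>[\d.]+) - resp (?P<resp>[\d.]+)$")

def summarize_cleanups(log_text, utc_offset_hours):
    """Per session: packet count, slowest server reply, idle seconds before cleanup."""
    tz = timezone(timedelta(hours=utc_offset_hours))  # assumed offset of the log's local time
    sessions = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # anything that is not a reqst_clean_list line is ignored
        s = sessions.setdefault(m["sid"], {"deleted_at": None, "packets": []})
        if m["body"].startswith("Deleting request"):
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S,%f").replace(tzinfo=tz)
            s["deleted_at"] = ts.timestamp()
        elif (p := PACKET_RE.match(m["body"])):
            s["packets"].append((int(p["id"]), float(p["recv"]), float(p["resp"])))
    report = {}
    for sid, s in sessions.items():
        if not s["packets"] or s["deleted_at"] is None:
            continue  # need both the cleanup time and at least one packet
        last_resp = max(resp for _, _, resp in s["packets"])
        report[sid] = {
            "packets": len(s["packets"]),
            "max_server_latency": max(resp - recv for _, recv, resp in s["packets"]),
            "idle_before_cleanup": s["deleted_at"] - last_resp,
        }
    return report

if __name__ == "__main__":
    print(summarize_cleanups(SAMPLE_LOG, utc_offset_hours=-8))
```

On the sample, every packet was answered in about 1.2 seconds and the session was deleted roughly 44.7 seconds after the last response, which is consistent with the "did not complete EAP transaction" message.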
Frequent Contributor II
Posts: 120
Registered: ‎10-31-2012

Re: Timeouts on Reject only.

So after further testing, we have narrowed the scope of the issue. The timeouts only occur when doing an LDAP lookup for a username that does not exist in Active Directory. Bad passwords are properly rejected; also, if the internal DB is used for user management, that also will properly reject users. So it is tied to the LDAP lookup. I noticed from the logs that even after receiving a "user not found" message it continued to retry the AD server 5 more times! I am not sure if there is a knob to turn this off, and if it is truly based on attempts OR just a countdown timer.

MVP
Posts: 1,111
Registered: ‎10-11-2011

Re: Timeouts on Reject only.

Did you enable "fail through" in your server group for that AAA profile? 

Frequent Contributor II
Posts: 120
Registered: ‎10-31-2012

Re: Timeouts on Reject only.

This particular request does not come from a mobility controller; it comes directly from EDUROAM, which is proxying requests from other universities. So the only piece that is used is ClearPass 6.3 on our side. Is there an option for failthru on ClearPass directly?

Thanks

Matt
