Frequent Contributor II
Posts: 143
Registered: ‎07-27-2012

Troubleshooting dot1x wireless connection problems

Hi:

Can someone give me a method to troubleshoot dot1x connection problems?

I'm having problems with just one user. He can't log in to any device. Other users can log in to his devices, so it's not a device issue.

He can log in to his wired computer, so it's not a credentials issue (Active Directory).

 

Going through the logs of the connection on Clearpass, I see this:

2014-08-06 16:22:55,256[Th 10 Req 70098 SessId R0000341a-01-53e28e9b] ERROR RadiusServer.Radius - rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.
2014-08-06 16:22:55,257[Th 10 Req 70098 SessId R0000341a-01-53e28e9b] ERROR RadiusServer.Radius - rlm_mschap: FAILED: MS-CHAP2-Response is incorrect

 

But his password is correct. I even had him change his password, just to force a reset on all domain controllers, but still no luck.

I'm not seeing this issue with any other users.

Any ideas on how to proceed?

 

Thanks,

Tony

 

Regular Contributor I
Posts: 178
Registered: ‎12-17-2008

Re: Troubleshooting dot1x wireless connection problems

What are the details for the rejection in access tracker?

 

Could potentially be a 'bad' character in his password.


--
ACMA ACMP
Aruba
Posts: 1,368
Registered: ‎12-12-2011

Re: Troubleshooting dot1x wireless connection problems

What does your primary tab in your auth source for AD screen look like?

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
-----
If you found my post helpful, please give kudos
Frequent Contributor II
Posts: 143
Registered: ‎07-27-2012

Re: Troubleshooting dot1x wireless connection problems

I finally rebooted the Clearpass server (VM) and the problem for that user went away.

 

Before the reboot, there was a message in the Clearpass Event viewer about being low on memory.

Usage was about 3GB before the reboot, and dropped to about 1GB after.

Are there any known memory leak issues with 6.3.4.64924?

 

Thanks,

Tony

Regular Contributor I
Posts: 178
Registered: ‎12-17-2008

Re: Troubleshooting dot1x wireless connection problems

Could this have been a policy cache issue?

If the user was inadvertently blocked, Clearpass would cache the decision for a certain amount of time (you can clear this on the entry in access tracker).


--
ACMA ACMP
Frequent Contributor II
Posts: 143
Registered: ‎07-27-2012

Re: Troubleshooting dot1x wireless connection problems

I knew that a controller could blacklist a user, but I wasn't aware that Clearpass could do so.

Under what circumstances does Clearpass block a user?

And how can I find out who's blocked, and clear it?

 

Thanks,

Tony

 

Regular Contributor I
Posts: 178
Registered: ‎12-17-2008

Re: Troubleshooting dot1x wireless connection problems

I don't necessarily mean blacklisted - any action including access-rejects is policy cached for the period of time defined in your cluster-wide settings.


--
ACMA ACMP