08-06-2014 01:52 PM
Can someone give me a method to troubleshoot dot1x connection problems?
I'm having problems with just one user. He can't login to any device. Other users can login to his devices, so it's not a device issue.
He can login to his wired computer, so it's not a credentials issue (Active Directory).
Going through the logs of the connection on Clearpass, I see this:
2014-08-06 16:22:55,256 [Th 10 Req 70098 SessId R0000341a-01-53e28e9b] ERROR RadiusServer.Radius - rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.
2014-08-06 16:22:55,257 [Th 10 Req 70098 SessId R0000341a-01-53e28e9b] ERROR RadiusServer.Radius - rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
But his password is correct. I even had him change his password, just to force a reset on all domain controllers, but still no luck.
I'm not seeing this issue with any other users.
Any ideas on how to proceed?
08-06-2014 04:38 PM - edited 08-06-2014 04:40 PM
What are the details for the rejection in access tracker?
Could potentially be a 'bad' character in his password.
08-06-2014 04:39 PM
What does your primary tab in your auth source for AD screen look like?
Consulting Systems Engineer - ACCX, ACDX, ACMX
08-07-2014 08:29 AM
I finally rebooted the Clearpass server (VM) and the problem for that user went away.
Before the reboot, there was a message in the Clearpass Event viewer about being low on memory.
Usage was about 3GB before the reboot, and dropped to about 1GB after.
Are there any known memory leak issues with 220.127.116.11924?
08-07-2014 09:26 PM
Could this have been a policy cache issue?
If the user was inadvertently blocked, Clearpass would cache the decision for a certain amount of time (you can clear this on the entry in access tracker).
08-08-2014 05:35 AM
I knew that a controller could blacklist a user, but I wasn't aware that Clearpass could do so.
Under what circumstances does Clearpass block a user?
And how can I find out who's blocked, and clear it?
08-09-2014 11:36 PM
I don't necessarily mean blacklisted - any action including access-rejects is policy cached for the period of time defined in your cluster-wide settings.