
what the error code 215 on clearpass means..

  • 1.  what the error code 215 on clearpass means..

    Posted Jan 28, 2014 02:04 PM

    One of the clients got rejected on ClearPass with error code 215. Under Access Tracker > Alerts we were able to see the information below:

     

    error code: 215

    error category: Authentication failure

    Error Message: TLS session error

    Alerts for this Request

    Radius: EAP-PEAP: fatal alert by server - decryption_failed

     

     

     



  • 2.  RE: what the error code 215 on clearpass means..

    Posted Jan 28, 2014 02:26 PM

     

    It looks like the device is having issues bringing the MSCHAPv2 authentication process? Is this happening with every device or just a particular one?

     

    Can you please share your service config?



  • 3.  RE: what the error code 215 on clearpass means..

    EMPLOYEE
    Posted Jan 28, 2014 02:55 PM

    Sounds like an issue with the PEAP TLS negotiation. Usually this is because of some type of packet corruption in the process. We see this occasionally.

     

    Is there another request immediately after it that succeeds?


    Are you using a RADIUS proxy or load balancer?

     

    If you only see these messages occasionally, it may be nothing to worry about.



  • 4.  RE: what the error code 215 on clearpass means..
    Best Answer

    EMPLOYEE
    Posted Jan 28, 2014 05:43 PM

    This is in the help section of CPPM  Error Codes

    The following table shows the CPPM error codes.

     

    Table 1: CPPM Error Codes

    | Code | Description | Type |
    |------|-------------|------|
    | 0 | Success | Success |
    | 101 | Failed to perform service classification | Internal Error |
    | 102 | Failed to perform policy evaluation | Internal Error |
    | 103 | Failed to perform posture notification | Internal Error |
    | 104 | Failed to query authstatus | Internal Error |
    | 105 | Internal error in performing authentication | Internal Error |
    | 106 | Internal error in RADIUS server | Internal Error |
    | 201 | User not found | Authentication failure |
    | 202 | Password mismatch | Authentication failure |
    | 203 | Failed to contact AuthSource | Authentication failure |
    | 204 | Failed to classify request to service | Authentication failure |
    | 205 | AuthSource not configured for service | Authentication failure |
    | 206 | Access denied by policy | Authentication failure |
    | 207 | Failed to get client macAddress to perform webauth | Authentication failure |
    | 208 | No response from home server | Authentication failure |
    | 209 | No password in request | Authentication failure |
    | 210 | Unknown CA in client certificate | Authentication failure |
    | 211 | Client certificate not valid | Authentication failure |
    | 212 | Client certificate has expired | Authentication failure |
    | 213 | Certificate comparison failed | Authentication failure |
    | 214 | No certificate in authentication source | Authentication failure |
    | 215 | TLS session error | Authentication failure |
    | 216 | User authentication failed | Authentication failure |
    | 217 | Search failed due to insufficient permissions | Authentication failure |
    | 218 | Authentication source timed out | Authentication failure |
    | 219 | Bad search filter | Authentication failure |
    | 220 | Search failed | Authentication failure |
    | 221 | Authentication source error | Authentication failure |
    | 222 | Password change error | Authentication failure |
    | 223 | Username not available in request | Authentication failure |
    | 224 | CallingStationID not available in request | Authentication failure |
    | 225 | User account disabled | Authentication failure |
    | 226 | User account expired or not active yet | Authentication failure |
    | 227 | User account needs approval | Authentication failure |
    | 5001 | Internal Error | Command and Control |
    | 5002 | Invalid MAC Address | Command and Control |
    | 5003 | Invalid request received | Command and Control |
    | 5004 | Insufficient parameters received | Command and Control |
    | 5005 | Query - No MAC address record found | Command and Control |
    | 5006 | Query - No supported actions | Command and Control |
    | 5007 | Query - Cannot fetch MAC address details | Command and Control |
    | 5008 | Request - MAC address not online | Command and Control |
    | 5009 | Request - No MAC address record found | Command and Control |
    | 6001 | Unsupported TACACS parameter in request | TACACS Protocol |
    | 6002 | Invalid sequence number | TACACS Protocol |
    | 6003 | Sequence number overflow | TACACS Protocol |

     



  • 5.  RE: what the error code 215 on clearpass means..

    EMPLOYEE
    Posted Jan 28, 2014 05:45 PM

    Table 1: CPPM Error Codes

    | Code | Description | Type |
    |------|-------------|------|
    | 6101 | Not enough inputs to perform authentication | TACACS Authentication |
    | 6102 | Authentication privilege level mismatch | TACACS Authentication |
    | 6103 | No enforcement profiles matched to perform authentication | TACACS Authentication |
    | 6201 | Authorization failed as session is not authenticated | TACACS Authorization |
    | 6202 | Authorization privilege level mismatch | TACACS Authorization |
    | 6203 | Command not allowed | TACACS Authorization |
    | 6204 | No enforcement profiles matched to perform command authorization | TACACS Authorization |
    | 6301 | New password entered does not match | TACACS Change Password |
    | 6302 | Empty password | TACACS Change Password |
    | 6303 | Change password allowed only for local users | TACACS Change Password |
    | 6304 | Internal error in performing change password | TACACS Change Password |
    | 9001 | Wrong shared secret | RADIUS Protocol |
    | 9002 | Request timed out | RADIUS Protocol |
    | 9003 | Phase2 PAC failure | RADIUS Protocol |
    | 9004 | Client rejected after PAC provisioning | RADIUS Protocol |
    | 9005 | Client does not support posture request | RADIUS Protocol |
    | 9006 | Received error TLV from client | RADIUS Protocol |
    | 9007 | Received failure TLV from client | RADIUS Protocol |
    | 9008 | Phase2 PAC not found | RADIUS Protocol |
    | 9009 | Unknown Phase2 PAC | RADIUS Protocol |
    | 9010 | Invalid Phase2 PAC | RADIUS Protocol |
    | 9011 | PAC verification failed | RADIUS Protocol |
    | 9012 | PAC binding failed | RADIUS Protocol |
    | 9013 | Session resumption failed | RADIUS Protocol |
    | 9014 | Cached session data error | RADIUS Protocol |
    | 9015 | Client does not support configured EAP methods | RADIUS Protocol |
    | 9016 | Client did not send Cryptobinding TLV | RADIUS Protocol |
    | 9017 | Failed to contact OCSP Server | RADIUS Protocol |



  • 6.  RE: what the error code 215 on clearpass means..

    Posted Jul 22, 2015 05:42 AM

    Hi All,

     

    What does the message say:

     

    Error: TLS session error

    RADIUS: EAP-PEAP: fatal alert by client - access_denied 

    TLS session reuse error

     

    It appears during the onboarding process for private Windows clients of employees with an AD account. Windows stops the onboarding process into the SSID.



  • 7.  RE: what the error code 215 on clearpass means..

    Posted Jul 22, 2015 06:54 AM

    Can you please provide more info related to the client: client OS, CPPM version?



  • 8.  RE: what the error code 215 on clearpass means..

    Posted Jul 22, 2015 09:07 AM

    Hi,

    It is a problem with the server certificate.

    If the device is a Windows device, the problem is that the ClearPass certificate is not trusted by the client. The client rejects the server and disconnects.

    Tried to solve the problem by adding the ClearPass server certificate on the laptop, but it won't work.

    The first question is: Which ClearPass server certificate should I use (for RADIUS or HTTPS)?

    Second: Where to implement it on Windows? Tried to install the cert automatically - won't work. Imported it manually to Trusted Root - won't work. Tried to import the cert everywhere - won't work.

    If I use other OSs like Ubuntu or Mac OS, it works.



  • 9.  RE: what the error code 215 on clearpass means..

    EMPLOYEE
    Posted Jul 22, 2015 09:09 AM
    Which CA signed your RADIUS server certificate?


  • 10.  RE: what the error code 215 on clearpass means..

    Posted Jul 22, 2015 09:13 AM

    It is Thawte as Root CA



  • 11.  RE: what the error code 215 on clearpass means..

    EMPLOYEE
    Posted Jul 22, 2015 09:16 AM

    OK, so on the client you will only have to check the Thawte Root CA certificate in the 802.1X configuration and put the common name of the certificate in the server name box.



  • 12.  RE: what the error code 215 on clearpass means..

    Posted Jul 22, 2015 09:24 AM

    Sorry, I don't know where to click and what to do.

    Please provide me with detailed information, I am new to Aruba and certificates on Windows.



  • 13.  RE: what the error code 215 on clearpass means..

    EMPLOYEE
    Posted Jul 22, 2015 09:29 AM

    Here's an example. You'll want to change the values according to your environment.

     

    [Attached image: eap-peap-win.png]

     

     

    Side note. If everything is configured properly on the ClearPass side, the clients should be able to connect without manually configuring anything since you're using a public certificate.

    Also, you'll want to push down a GPO to your AD-joined Windows machines with an 802.1X configuration.



  • 14.  RE: what the error code 215 on clearpass means..

    Posted Jul 22, 2015 10:06 AM

    thx

     

    it works for windows 10

    but not for windows 7

     

    and the workaround is too complicated and not acceptable for us.

     

    For internal devices we use GPO, but in this case there are non-corporate devices from employees.

    Our wish was to work with certificates; are there other recommendations? A solution that is user friendly and easy to use and configure.



  • 15.  RE: what the error code 215 on clearpass means..

    EMPLOYEE
    Posted Jul 22, 2015 10:07 AM

    Have you tried multiple Windows 7 devices? This is not expected behavior.

     

    Also please post some screenshot of the access tracker request where the user is getting denied.



  • 16.  RE: what the error code 215 on clearpass means..

    Posted Jul 22, 2015 10:11 AM

    Yes, multiple devices, many laptops, and private and corporate devices from IT staff. From Mac over Linux to Windows, iPhones, tablets, Androids, ...

     

    Is it time for a ticket? Do I have to go to our distributor?



  • 17.  RE: what the error code 215 on clearpass means..

    EMPLOYEE
    Posted Jul 22, 2015 10:13 AM

    Yes, you may want to work with your Aruba Partner if you haven't set up 802.1X before.



  • 18.  RE: what the error code 215 on clearpass means..

    Posted Jan 04, 2017 04:08 PM

    I am receiving Error Code 215 for a Google Pixel for one of the users in ClearPass.

     

    Can anyone help?



  • 19.  RE: what the error code 215 on clearpass means..

    EMPLOYEE
    Posted Jan 04, 2017 04:10 PM

    We need more details about your environment and configuration. Please start a new thread or open a TAC case.



  • 20.  RE: what the error code 215 on clearpass means..

    Posted Jul 22, 2015 10:14 AM

    Ok, thank you ;-)
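
The alert lines quoted in posts 1 and 6 name the side that sent the fatal TLS alert, which decides where to look next. The following Python is an added example, not code from any poster or from ClearPass: it parses that alert format and groups failures by sender and alert across clients. The follow-up hints restate the replies in this thread; the record layout (client MAC, alert line) and the MAC addresses are constructed assumptions.

```python
import re
from collections import defaultdict

# TLS alert names and numbers (RFC 2246 / RFC 5246, section 7.2).
TLS_ALERTS = {"bad_record_mac": 20, "decryption_failed": 21, "handshake_failure": 40,
              "bad_certificate": 42, "certificate_expired": 45, "certificate_unknown": 46,
              "unknown_ca": 48, "access_denied": 49, "decrypt_error": 51}

# Alert format as quoted in the thread: "Radius: EAP-PEAP: fatal alert by server - <name>"
ALERT_RE = re.compile(
    r"^radius:\s*(?P<method>EAP-[\w-]+):\s*fatal alert by "
    r"(?P<sender>client|server)\s*-\s*(?P<alert>\w+)$",
    re.IGNORECASE)

# Follow-up checks suggested in the replies above, keyed by the alert's sender.
NEXT_CHECK = {
    "client": "client rejected the server: check trusted root CA and server name in its 802.1X settings",
    "server": "server ended the session: look for a later success and a RADIUS proxy or load balancer",
}

def parse_alert(line):
    """Return method, sender, alert name and TLS alert number, or None if no match."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    alert = m["alert"].lower()
    return {"method": m["method"].upper(), "sender": m["sender"].lower(),
            "alert": alert, "tls_code": TLS_ALERTS.get(alert)}

def summarize(records):
    """Group (client_mac, alert_line) records by (sender, alert) with the affected clients."""
    clients = defaultdict(set)
    for mac, line in records:
        parsed = parse_alert(line)
        if parsed:
            clients[(parsed["sender"], parsed["alert"])].add(mac.lower())
    return {key: {"clients": sorted(macs), "next_check": NEXT_CHECK[key[0]]}
            for key, macs in clients.items()}

# Constructed sample: alert text as quoted in the thread, MAC addresses invented.
SAMPLE = [
    ("AA:BB:CC:00:00:01", "Radius: EAP-PEAP: fatal alert by server - decryption_failed"),
    ("AA:BB:CC:00:00:02", "RADIUS: EAP-PEAP: fatal alert by client - access_denied "),
    ("AA:BB:CC:00:00:03", "RADIUS: EAP-PEAP: fatal alert by client - access_denied"),
    ("AA:BB:CC:00:00:03", "TLS session reuse error"),
]

if __name__ == "__main__":
    for (sender, alert), info in summarize(SAMPLE).items():
        print(f"{alert} (by {sender}), {len(info['clients'])} client(s): {info['next_check']}")
```

The number of distinct clients per group answers the question asked in post 2: one client points at that device, many clients with the same client-side alert point at the server certificate or the supplicant configuration being rolled out.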