Wireless Access

Hi,

we have a aruba controller 3200 and we configured the tacacs authentication to aruba CPPM. We already properly configured the keys and the other parameters in both controller and CPPM but when I do aaa test-server pap [CPPM server name] [username] [password] this error will came up "Auth server did not reply in time or auth module is too busy using aruba" Can somebody has same exprience this kind of issue? We have a lot of controllers authentication tacacs to CPPM but this controller has an issue like this.

I would look in Monitoring>  Event Viewer on ClearPass to see if possibly CPPM is discarding it for some reason:

Hi,

Yes I already check the CPPM but it doestn't came up any logs from there.

Do you have a TACACS service configured on CPPM to service the TACACS request?

Yes, we already configured the Tacacs parameters in the CPPM side. But we cannot see any logs from this controller to the CPPM Access Tracker.

Is the controller already pointed to that CPPM server to do radius authentication?  Is the CPPM working for other services on that controller?  Is there a firewall between the controller and CPPM (TACACS uses port TCP 49).?

yes controller already pointed to CPPM server properly. CPPM work very well in other controller that we manage. Raduis authentication test from controller to CPPM radius is good. Yes there is a firewall between the controller and the CCPM server. But our firewall team says that they didn't block in the firewall side for the Tacacs traffic.

Okay.  Then the firewall team should be able to see the TACACS request coming through or being blocked.  Please work with them to see if they see it coming through or not.  If it is not coming through, we need to do a packet capture on the controller's port to see what is being sent.

ok thanks I will work in the firewall team for that. I will make update on this post once the firewall team will done checking their part.

is the tacacs key correct on the controller / clearpass device list?

yes tacacs key is correct in clearpass server and other parameter.

Okay.  Can the firewall team see hits from the controller on the TACACS port?  They should be able to show you the statement allowing traffic on port 49.

I've found the log-collection function on CPPM to be very helpful - specifically the fact that it will include a packet capture.

The collection gives you the incoming request (if it gets to CPPM) and the decision making process followed by the outgoing reply if you get the timing right.