I am having a hard time explaining this in the subject so hopefully I can get the case across in the body.
Environment: Campus
Controllers: 2 - 7210 Controllers running in Master/Local
Version: 6.3.1.6
APs: 165 - AP225
ClearPass: HW-5K running 6.2.6.62196
SSID1: Corp users using CP as RADIUS authenticating against AD
SSID2: Guest Users using Guest Registration Portal
Total Devices on any given day: 700-1000
PROBLEM:
The problem is that about 90% of the connections work and about 10% of the attempted connections are failing. It is totally random as to who it is or what device. It happens on both SSIDs, either through RADIUS or guest registration. The Guest user connections make the handshake with the SSID and say they are connected but show a 169 local address. At this point you cannot find them on the controller when looking up by MAC address. The Corp SSID connections that fail don't even complete the handshake; they just fail to connect to the SSID. Again, there is no trace of the MAC address on the controller.
When attempting to connect to Guest, the users show up in ClearPass with this record:
Guest MAC Authentication REJECT
Failed to construct filter=SELECT FLOOR(EXTRACT(EPOCH FROM (NOW() - timestamp)))::integer AS seconds_since_auth, FLOOR((EXTRACT(EPOCH FROM (NOW() - timestamp)))/60)::integer AS minutes_since_auth, FLOOR((EXTRACT(EPOCH FROM (NOW() - timestamp)))/3600)::integer AS hours_since_auth, FLOOR((EXTRACT(EPOCH FROM (NOW() - timestamp)))/86400)::integer AS days_since_auth FROM auth WHERE auth.timestamp < NOW() AND auth.error_code = 0 AND auth.username = '%{Endpoint:Username}' AND auth.mac = '%{Connection:Client-Mac-Address-NoDelim}' ORDER BY timestamp DESC LIMIT 1.
Failed to get value for attributes=[Days-Since-Auth, Hours-Since-Auth, Minutes-Since-Auth, Seconds-Since-Auth].
Failed to construct filter=SELECT user_id as guest_device_user FROM tips_guest_users WHERE ((guest_type = 'USER') AND (user_id = '%{Endpoint:Username}') AND (app_name != 'Onboard') AND (enabled = 't') AND ((expire_time is null) OR (expire_time > CURRENT_TIMESTAMP))).
Failed to get value for attributes=[UserName].
Failed to construct filter=SELECT FLOOR(EXTRACT(EPOCH FROM (NOW() - timestamp)))::integer AS seconds_since_auth, FLOOR((EXTRACT(EPOCH FROM (NOW() - timestamp)))/60)::integer AS minutes_since_auth, FLOOR((EXTRACT(EPOCH FROM (NOW() - timestamp)))/3600)::integer AS hours_since_auth, FLOOR((EXTRACT(EPOCH FROM (NOW() - timestamp)))/86400)::integer AS days_since_auth FROM auth WHERE auth.timestamp < NOW() AND auth.error_code = 0 AND auth.username = '%{Endpoint:Username}' AND auth.mac = '%{Connection:Client-Mac-Address-NoDelim}' ORDER BY timestamp DESC LIMIT 1.
Failed to get value for attributes=[Days-Since-Auth]
When connecting to the Corp SSID, it fails to connect but never shows up in ClearPass or the controller. It is hard to troubleshoot when there is no trail left behind on either device.
DETAILS:
This is a new Aruba system installed about 1 1/2 months ago. We have been having this issue and other strange issues since it was installed. We have a TAC case open and they were unable to figure out why. We have replaced the Master Controller with another new controller; same issue.
We have had our config combed over numerous times and do not think the issue is with the configuration. We have been told that it is probably something to do with the firmware on the controllers we are running. We have fixed this issue over the last month or so by rebooting ClearPass and the controllers, or dropping one controller's priority back to local and promoting the other to master. It works great for a week, then if we simulate a power outage or run an update and then restart them, the problem comes back.
Any help would be appreciated. Please let me know if there is any other information I can provide.
#AP225#7210#3600