If you have used Microsoft NPS or IAS for radius service and looked at Event Viewer to troubleshoot user denied access, it was probably a pain because Event Viewer lacks crucial information to identify the problem. On the other hand, CPPM Access Tracker is overwhelming with the amount of information it gives. But if you have a better understanding of this information, it will help to identify the problem quickly.
In this troubleshooting guide, I will show you what I have seen in my enviroment and point out the meaning of the message in Access Tracker Request Details.
CASE #1: Fail, account not present in Authentication Sources
I am using CPPM to authenticate all logins to controllers, CPPM and AirWave, thus the service name ARUBA_LOGIN_ SVC. “clearpass” is the generic logon domain account for AirWave to logon to controllers who were denied.
Figure 1: Start with Access Tracker Summary. By looking at Authentication Source and Roles you can tell this user was denied by DC1.boystown.org
Figure 2: Move to the next tab Input/RADIUS Request. This tab shows the request sent from the controller to CPPM. Called-Station-Id is the mac address of the client, which is my computer trying to ssh to the controller; Calling-Station-Id and Framed-IP-Address are the IP address of the client; NAS-IP-Address is the controller ip address
Figure 3: Scroll down to Input/Computed Attributes: Dest-IP-Address is the CPPM doing the authentication; not useful information for this case.
Figure 4: not much information here, we already know the user was denied in Summary tab
Figure 5: My authentication sources include two domains and Local User Repository; CPPM could not find this user in all three sources.
Conclusion: CPPM performed LDAP query two ADs and Admin User Repository for this user account. It found no user “clearpass” in any of them, so the authentication failed. User received default Deny Access Role.
Tips: If user was not found in AD, CPPM moved to the next Authentication Sources, but if user found and failed authentication, CPPM stopped and denied access immediately after the first Authentication Source.CASE #2: User did not update password in smart devices
Our AD requires that users change their passwords every three months. We support user’s smart devices for syncing with Outlook, but when they change passwords on their desktops, they forget to update password in their phones.
Figure 6: This Summary tells me user JOEDOE was denied by DC1. I am using certificate, so the Authentication Method EAP-PEAP, EAP-MSCHAPv2 indicates this is NOT a domain computer. If it is a domain computer, the Authentication Method is EAP-TLS
Figure 7: This Input/RADIUS Request has many useful information about this JOEDOE user:
Tips: This tab lays out very nicely the authentication processes from user device to AP to local controller and finally to master controller. You can configure local controller to bypass master controller and send authenticate directly to CPPM by configure “ip radius source-interface” and “ip radius nas-ip” at the local controller.
Figure 8: CPPM shows User authentication failure.
CASE #3: The “Time-Out” Failure
In Access Tracker you want to see a lot of black (ACCEPT). It is usually not a good sign if you see a lot of red (REJECT) or orange (TIME-OUT). The reason for REJECT is usually easy to find, but the TIME-OUT is not clear. The CPPM alert for TIME-OUT is “Client did not complete EAP transaction”, it could be anything!!!
Figure 9: The Summary, Input and Output tabs are the same as the other cases, the only difference is in Alerts tab where CPPM indicates the client did not complete EAP transaction.
By default, each transaction has 10 seconds to complete or the client will time-out. The complication is where did the time go? Client took too long? Server is too busy? CPPM has bad configuration (it is never the problem with CPPM right?)?
Conclusion:CPPM is a wonderful product; if you have used it you probably agree it is the best NAC for wireless. But it is a monster. If you take some time to work with it, you will find it is useful to help you with your daily task as a network engineer, either for its quick and secured configuration for wireless access or troubleshooting the issues with authentication.
At Aruba, we believe that the most dynamic customer experiences happen at the Edge. Our mission is to deliver innovative solutions that harness data at the Edge to drive powerful business outcomes.
© Copyright 2020 Hewlett Packard Enterprise Development LPAll Rights Reserved.