Hello dear Aruba community, we're having pretty big problems with our ClearPass. Every now and then, computers fail to authenticate and generate error 216, but after a few minutes to hours it works again without changing anything. We authenticate according to the criteria of whether a computer exists in the AD and is in a special AD group. Basically, the authentication also works; ClearPass would know which enforcement profile has to be drawn.
I have attached screenshots of the access tracker and the alert. If further data are required, I will be happy to provide them.
Thanks in advance!
Is the client also trying to pass the user credentials as well instead of just machine authentication? What else does the failed access tracker entry have?
Could you provide additional details/observations, like when you see such failures and accepts for machine authentication?
Was it an active client and suddenly ended up with such alert?
Attach the Access Tracker export of one of the failures to check further details.
Note: The machine/computer account also uses a password for authentication. Windows computers generally maintain the current/new password and the previous password in the local registry. The computer would start with the new password for authentication and fall back to the previous password if any failure occurs.
The alert you have attached could mean that AD did not accept the user credentials for those failures.
Thanks for your answers.
I have attached the export of the AccessTracker.
Yes, clients are connected and sometimes this error occurs after being asked to reauthenticate. Before and after, the clients work perfectly.
The error occurs with all machines in the company, very rarely with around 2 machines per week.
We have only specified the computer object as the authentication mode in the 802.1X authentication of the network card via group policy (see appendix "8021X"). The local user on the PC is a standard user and not employee-specific. Strangely enough, it can read out the AD groups and assigns the correct VLAN to the PC, so the AD should in principle recognize the PC as valid.
Yea from the logs it looks like an authentication failure to DE51977X.VW-GROUP.COM. Do you have a successful access tracker record for this machine to compare?
Yes, it is in the appendix.
Yea I would guess something on the AD server side. Does this happen to the same computer accounts, or is it random? Also is this happening when the user plugs into the wired port, or during a re-auth?
One thing you could try is to remove the CP server from the domain, and then re-add it. I've seen this be the case in some implementations. Maybe see if this is happening only on one CP server, and try it there?
It's random and happens at re-auth.
Yeah, the user/computer lookup is fine; the error is an MSCHAPv2 authentication failure and is returned by the Active Directory. You may need to debug this further from the Active Directory end.
You could search for the event 4776 in the Windows Server/AD.
Ref - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776
Generic logon failure.
Some of the potential causes for this:
An invalid username and/or password was used
You may also open a TAC case to debug this further.
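One way to do the event 4776 search suggested above from a defender's console, as an added example that is not from this thread or from Aruba: it pulls 4776 entries from each domain controller, keeps only failed validations, and narrows them to computer accounts (names ending in "$"), which is what a machine-authentication failure like the one in the Access Tracker would produce on the AD side. The DC names and the time window are placeholders to adapt; the script assumes rights to read the Security log on each DC.

```powershell
# Added example (not from the thread): find failed NTLM/MSCHAPv2 credential
# validations (event 4776) for computer accounts on the domain controllers.
# Placeholders: the DC hostnames and the look-back window.
$DomainControllers = @('DC01', 'DC02')      # placeholder DC hostnames
$Since = (Get-Date).AddDays(-7)             # look back one week

$failures = foreach ($dc in $DomainControllers) {
    $events = Get-WinEvent -ComputerName $dc -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4776
        StartTime = $Since
    } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Event 4776 carries PackageName, TargetUserName, Workstation and
        # Status in its EventData; read them from the event XML.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # Status 0x0 is success; anything else is a failure code
        # (0xC000006D is the generic "bad user name or password" status
        # referenced in the Microsoft documentation linked above).
        if ($data['Status'] -ne '0x0' -and $data['TargetUserName'] -like '*$') {
            [pscustomobject]@{
                Time        = $e.TimeCreated
                DC          = $dc
                Account     = $data['TargetUserName']
                Workstation = $data['Workstation']   # the ClearPass server name is expected here
                Status      = $data['Status']
            }
        }
    }
}

$failures | Sort-Object Time | Format-Table -AutoSize
```

If the list stays empty while ClearPass keeps logging MSCHAPv2 failures, confirm that "Audit Credential Validation" is enabled on the DCs, since 4776 is only written when that subcategory is audited.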
Dear Saravanan, I will now answer on behalf of Nicolai on this issue. We have now checked the AD logs on the DCs and can't find such a log with the 0xC000006D error. What do you mean by a TAC case?
© Copyright 2020 Hewlett Packard Enterprise Development LP. All Rights Reserved.