Security


Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).

AD Authentication source breaks reliably - hostname weirdness

  • 1.  AD Authentication source breaks reliably - hostname weirdness

    Posted Nov 19, 2019 02:57 PM

    We have 3 ClearPass 6.7.10 5k (or whatever they're called now) running in a publisher-subscriber setup. All of our infrastructure is in-house, running on VMware. We have 3 domain controllers that we're querying via the Primary, Backup 1, and Backup 2 tabs. Mysteriously, the Primary hostname keeps changing to 'localhost', using port 6432. We change it back, and a week or so later, it flips back again. The incorrect hostname shows up on all three ClearPass servers. That domain controller works fine for other uses, and before the hostname gets changed, we can tell that it is being queried successfully by ClearPass. After we correct the hostname, we can browse the domain via ClearPass. There's nothing in the logs that we can find which could explain the issue. TAC has been involved for quite some time, but they're stumped.



  • 2.  RE: AD Authentication source breaks reliably - hostname weirdness

    Posted Dec 12, 2019 01:38 PM

    OK, after some digging, we discovered that the hostname changes when we clear the cache for the auth source.  The audit viewer shows that the user who cleared the cache changed the hostname, which is untrue.  This looks like a bug to me. 

     

     




  • 3.  RE: AD Authentication source breaks reliably - hostname weirdness

    Posted Dec 18, 2019 03:50 PM

    Any resolution?  I'm seeing a similar behavior with one of my domain controllers.



  • 4.  RE: AD Authentication source breaks reliably - hostname weirdness

    Posted Dec 19, 2019 02:06 PM

    No, we have not found any resolution to this problem.  The workaround, which is to change the primary hostname every time you clear the cache, is not ideal.



  • 5.  RE: AD Authentication source breaks reliably - hostname weirdness

    MVP
    Posted Jan 28, 2020 09:47 AM

    Does this only happen to the primary? Have you tried putting the backup 1 or backup 2 as the primary to see if it still happens?



  • 6.  RE: AD Authentication source breaks reliably - hostname weirdness

    Posted Jan 29, 2020 04:43 PM

    It only happens to the primary.  Yes, we've shuffled them around, and it reliably happens to the primary.



  • 7.  RE: AD Authentication source breaks reliably - hostname weirdness

    Posted Sep 09, 2022 04:05 PM
    I wanted to provide an update to this: after several upgrades, and 3 years later, this issue was never solved. At some point, the username stopped changing, but the port keeps changing. Different administrators see different ports in the GUI; we have not identified a pattern.


  • 8.  RE: AD Authentication source breaks reliably - hostname weirdness

    EMPLOYEE
    Posted Sep 12, 2022 09:03 AM
    Please have your TAC case escalated if you still want to have this resolved. If there is a change in port and/or host name, TAC should be able to find out what's causing it.

    Have you tested if this is browser dependent (like Chrome/Firefox/Safari/Edge)?

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 9.  RE: AD Authentication source breaks reliably - hostname weirdness

    Posted Sep 16, 2022 01:36 PM
    Thanks Herman. TAC is stumped so far. We have found no pattern (browser or otherwise).


  • 10.  RE: AD Authentication source breaks reliably - hostname weirdness

    Posted Sep 15, 2022 10:30 PM
    I never use Backup 1, Backup 2, this kind of thing in the AD auth source, as I had unexpected behavior last time.
    So to create redundancy I just created another AD auth source and put all under one relevant Service.


  • 11.  RE: AD Authentication source breaks reliably - hostname weirdness

    Posted Sep 16, 2022 01:39 PM
    Hmmm - this is an interesting approach. Since we only ever have problems with our primary auth source (never the backups) I would be afraid to only use primary servers (even if there are multiples).