Security

 View Only
last person joined: yesterday 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

Clearpass - Authentication Server Timeout / Pre-emption

This thread has been viewed 10 times
  • 1.  Clearpass - Authentication Server Timeout / Pre-emption

    Posted Nov 23, 2014 05:02 PM

    Hi All,

     

    i'm wondering if someone could clarify / confirm the expected behaviour in ClearPass (6.3) when an AD authentication server fails. 

     

    i've got a couple of scenarios in mind:

     

    1) LDAP Connection failed / terminated during authentication  - ClearPass appears to retry to connect to original source and then if this fails goes to the Backup 1 server after the 10 second timeout? (see below edited log output.)

     

    Time Message
    2014-11-22 19:07:50,049 [Th 347 Req 2116838 SessId R00204ce6-18-54704456] INFO RadiusServer.Radius - rlm_service: Starting Service Categorization - 208:76:CID
    2014-11-22 19:07:50,053 [Th 347 Req 2116838 SessId R00204ce6-18-54704456] INFO RadiusServer.Radius - rlm_service: The request has been categorized into service "AD-Auth-Service"
    2014-11-22 19:07:50,054 [Th 347 Req 2116838 SessId R00204ce6-18-54704456] INFO RadiusServer.Radius - rlm_ldap: searching for user DOMAIN\User in AD:DC06.mycompany.com
    2014-11-22 19:07:55,060 [Th 347 Req 2116838 SessId R00204ce6-18-54704456] ERROR RadiusServer.Radius - rlm_ldap: <SERVICE ACCOUNT> bind to DC06.mycompany.com:636 failed: Can't contact LDAP server
    2014-11-22 19:07:55,060 [Th 347 Req 2116838 SessId R00204ce6-18-54704456] ERROR RadiusServer.Radius - rlm_ldap: (re)connection attempt failed
    2014-11-22 19:07:55,060 [Th 347 Req 2116838 SessId R00204ce6-18-54704456] INFO RadiusServer.Radius - rlm_ldap: searching for user DOMAIN\User in AD:DC07.mycompany.com
    2014-11-22 19:07:55,061 [Th 347 Req 2116838 SessId R00204ce6-18-54704456] INFO RadiusServer.Radius - rlm_ldap: found user DOMAIN\User in AD:DC07.mycompany.com
    2014-11-22 19:07:55,061 [Th 347 Req 2116838 SessId R00204ce6-18-54704456] INFO RadiusServer.Radius - rlm_ldap: authenticating "DOMAIN\User"
    2014-11-22 19:07:55,139 [Th 347 Req 2116838 SessId R00204ce6-18-54704456] INFO RadiusServer.Radius - rlm_ldap: user DOMAIN\User authenticated succesfully
    2014-11-22 19:07:55,139 [Th 347 Req 2116838 SessId R00204ce6-18-54704456] INFO RadiusServer.Radius - rlm_policy: Starting Policy Evaluation.
    2014-11-22 19:08:05,256 [Th 347 Req 2116838 SessId R00204ce6-18-54704456] INFO RadiusServer.Radius - rlm_policy: Received Accept Enforcement Profile
    2014-11-22 19:08:05,256 [Th 347 Req 2116838 SessId R00204ce6-18-54704456] INFO RadiusServer.Radius - rlm_policy: Added Class attribute with value Class = 0x4062592904944b83b38ec2d2be05bb97180c0000000000005230303230346365362d31382d35343730343435360000000000000000000000
    2014-11-22 19:08:05,256 [Th 347 Req 2116838 SessId R00204ce6-18-54704456] INFO RadiusServer.Radius - rlm_policy: Policy Server reply does not contain Posture-Validation-Response

     

     

    In this instance, will all future authentication requests be then processed by the backup AD server immediately or after the 10 second server timeout? if so what is the process for pre-emption or failback to the original server if it comes back into service.

     

    2) Second scenario is simple timeout (i.e. Primary server doesn't respond at all), i assume the 10 seconds applies and then the secondary backup server is selected for all future auth? When does it deviced to try the original server again / fail back?



  • 2.  RE: Clearpass - Authentication Server Timeout / Pre-emption

    Posted Nov 28, 2022 04:04 PM
    This is a very old question, but I found myself wondering exactly what was asked in this post. Could someone explain the Authentication Server timeout?