Security

TLDR: it makes me reluctant to make further changes, which indeed i need to.

Happened again at my project when configuring services. This week 3 times because I have a green-field project; last year once because it was existing environment.

 Total number of times encountered: 4

1. Incoming RADIUS traffic in WLAN didn't hit WLAN service. Service order is WIRED on top of the WLAN, but this incoming traffic always hits the WIRED.
1. Attempt to fix: put the WLAN on top of WIRED, still it hits the WIRED.
2. Solution: delete the WLAN service, copy from other existing WLAN service, then reconfigure condition within it. Then it works, it can hit the WLAN which put below the WIRED.

1. RADIUS output is none. As we know, in the Output tab in access tracker, there are RADIUS output and possible Posture Evaluation result if we enable posturing. Issue: RADIUS output is none, only can see the Posture Evaluation result.
1. Attempt to fix:

1. Copy from other similar service, edit the rest.
2. Create new service, edit the rest

1. Solution: restore the config from a working backup file. Those above attempts did not work.

 
Yesterday it happens again, I just made a small service accepting any webauth. After that my other Services went haywire, the working dot1x became not-working anymore because the RADIUS response under Output tab is missing. The endpoint got Deny because of this. To "fix" this, i need to reconnect the endpoint several times to the network until the RADIUS response is there in the Output tab.

And also it affects the OnGuard agent behavior at the client side, it says Processing health authentication failed in black colored and I couldnt see any webauth in the Access Tracker. This happens 3-4 times, until the 5th attempt, it suddenly just works, i can see the webauth log in the access tracker.

I use Chrome to make all these config changes.

Anyone encountered this before ? Any fix in 6.10.x ?

This issue makes me feel reluctant to do changes, so everytime a scenario is working, I always take a server backup.

I can rule out it is a browser issue, because the result we are getting at the endpoint is not as expected as well.

Probably next time I change something I need to use Incognito browser.

I think it's best to work with your local Aruba services or TAC. We are running 6.9.9 with about 50 services including wired 802.1X, wired MAC auth, wireless 802.1X, wireless guest services (mac caching & login), various admin services for TACACS/RADIUS administration, etc. I haven't run into this issue at all.

From your 1st point, if a service is not being matched, that means the service rules are not matching the authentication request, I would verify those rules. If your output is empty, can you verify the authentication request from the device has the correct roles to assign the correct Enforcement Profile(s) that return the RADIUS response attributes?

------------------------------
Michael Haring
------------------------------

Original Message:
Sent: Apr 22, 2022 11:03 PM
From: BERNHARD HUSTOMO
Subject: Policy Evaluation Error in 6.8.9 and 6.9.9

TLDR: it makes me reluctant to make further changes, which indeed i need to.

Happened again at my project when configuring services. This week 3 times because I have a green-field project; last year once because it was existing environment.

 Total number of times encountered: 4

1. Incoming RADIUS traffic in WLAN didn't hit WLAN service. Service order is WIRED on top of the WLAN, but this incoming traffic always hits the WIRED.
1. Attempt to fix: put the WLAN on top of WIRED, still it hits the WIRED.
2. Solution: delete the WLAN service, copy from other existing WLAN service, then reconfigure condition within it. Then it works, it can hit the WLAN which put below the WIRED.

1. RADIUS output is none. As we know, in the Output tab in access tracker, there are RADIUS output and possible Posture Evaluation result if we enable posturing. Issue: RADIUS output is none, only can see the Posture Evaluation result.
1. Attempt to fix:

1. Copy from other similar service, edit the rest.
2. Create new service, edit the rest

1. Solution: restore the config from a working backup file. Those above attempts did not work.

 
Yesterday it happens again, I just made a small service accepting any webauth. After that my other Services went haywire, the working dot1x became not-working anymore because the RADIUS response under Output tab is missing. The endpoint got Deny because of this. To "fix" this, i need to reconnect the endpoint several times to the network until the RADIUS response is there in the Output tab.

And also it affects the OnGuard agent behavior at the client side, it says Processing health authentication failed in black colored and I couldnt see any webauth in the Access Tracker. This happens 3-4 times, until the 5th attempt, it suddenly just works, i can see the webauth log in the access tracker.

I use Chrome to make all these config changes.

Anyone encountered this before ? Any fix in 6.10.x ?

This issue makes me feel reluctant to do changes, so everytime a scenario is working, I always take a server backup.

I can rule out it is a browser issue, because the result we are getting at the endpoint is not as expected as well.

Probably next time I change something I need to use Incognito browser.