Security

last person joined: 3 days ago 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

Clearpass not getting request

This thread has been viewed 22 times
  • 1.  Clearpass not getting request

    Posted Oct 01, 2021 10:47 AM
    Hi Folks - 

    I'm having these weird connectivity problems on my K-12 campus.  Hoping you can give me some troubleshooting tips on where to source the problem.

    (2) 7210 Controllers (v 8.5)
    (1) Mobility Master (v 8.5)
    ~ (125) Access Points (mix of 315/515 a few remaining 205 waiting on inventory to be changed to 515)

    Clearpass is handling the authentication ---> looking at my active directory for user lookups 

    What's happening is - let's say (16) students are in a classroom.  13 of them connect fine - 3 of them do not.  What i've noticed is the (3) that aren't connecting, ClearPass doesn't even show the computers request to connect.  

    The odd part - if I take that computer and physically move it to another area/access point - the computer will connect - ill see the request in ClearPass and it's fine.  

    It's like - whatever is happening in that specific moment - the request is not getting to ClearPass and the client is just sitting there not connecting and waiting for authentication.

    (2) changes to my network :

    500 series AP's 
    A big influx of macbooks 

    Also note - i'm on a very old version of ClearPass, and in the process of updating 

    Any troubleshooting tips ?

    Thx

    ------------------------------
    Mike Robertson
    ------------------------------


  • 2.  RE: Clearpass not getting request

    Posted Oct 01, 2021 10:59 AM

    Wireless is the most congested layer in this picture, because it is shared.  ClearPass cannot respond to requests if they are not making it across the wireless. 
    To see if ClearPass is experiencing timeouts, type this command on the commandline of your 7210s:  "show aaa authentication-server radius statistics".  The tmout column will tell if ClearPass is not responding in general as a percentage of raw requests.  If the tmout column is low, it is not ClearPass.

    Let's hear about your wireless and your clients:
    How many SSIDs do you have?
    What is your channel Width on the 5ghz band?
    Do you have broadcast filtering enabled on all of your SSIDs?
    What is the transmit power range of your access points?

    All of these play a part in congestion handling and should be considered.

    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    ------------------------------



  • 3.  RE: Clearpass not getting request

    Posted Oct 01, 2021 12:41 PM
    Controller #1 Timeout​ shows 503 
    Controller #2 Timeout shows 419

    I am broadcasting (2) SSID's
    1 - Guest (WEP encryption with password - isolated vlan)
    2 - "Secure" (802.1x)

    5ghz Band
    20 mhz min channel
    40 mhz max channel 

    Broadcast filtering - i'm not sure how to enable/disable 

    Transmit power range :
    2.4 Ghz
    Min 6
    Max 9 

    5 Ghz
    Min 12
    Max 18 


    ------------------------------
    Mike Robertson
    ------------------------------



  • 4.  RE: Clearpass not getting request

    Posted Oct 01, 2021 01:25 PM
    Timeouts are transient.  If as a percentage of Raw rq (raw requests), it is small, it is nothing to worry about (maintenance, occasional small outages?).

    WEP, unfortunately limits transmissions to 54 megs and hurts performance.  That means guests will take longer to transmit and receive, which will make your guests also occupy more shared bandwidth that your 802.1x clients need.  I would consider upgrading to WPA2-PSK so that your guest clients can get on and off the network more quickly and allow your 802.1x more transmission time.

    Broadcast Filtering is configured on the Virtual AP profile.  It is mandatory for high performance networks.  Enable "Broadcast filter all" for both virtual APs for a performance boost.  Broadcasts can destroy wireless networks and their random nature could generate calls that are hard to troubleshoot.

    For now, your transmit power looks good.  I guess another question is, are you using DFS channels?  If not, at 40mhz you only have 4 non-overlapping channels which would be an issue in high density environments.









    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    ------------------------------



  • 5.  RE: Clearpass not getting request

    Posted Oct 01, 2021 01:47 PM
    I do not have DFS channels enabled - and I've been wondering if this is the root cause because like i said in the above, a client that isn't connecting in room A --> move to room B (which is empty) and it connects fine.  

    Re : Broadcast Filtering 

    The only setting i see in my version of Aruba OS is "DROP BROADCAST AND MULTICAST" - on the virtual AP profile?

    Question - if i check that box - would i then need to utilize airgroup so that my clients can wirelessly connect to network projectors?

    ------------------------------
    Mike Robertson
    ------------------------------



  • 6.  RE: Clearpass not getting request

    Posted Oct 01, 2021 02:04 PM
    I do not have DFS channels enabled - and I've been wondering if this is the root cause because like i said in the above, a client that isn't connecting in room A --> move to room B (which is empty) and it connects fine.  

    It is possible, or it is contributing to your issue.  You could either add DFS channels or limit your channel width to 20mhz.

    Re : Broadcast Filtering 

    The only setting i see in my version of Aruba OS is "DROP BROADCAST AND MULTICAST" - on the virtual AP profile?  Correct.

    Question - if i check that box - would i then need to utilize airgroup so that my clients can wirelessly connect to network projectors?  Yes, if your wireless projectors rely on broadcasts for discovery.    Also, see if your wireless projectors have a more centralized way to advertise their presence that does not rely on broadcast traffic.  Many projector manufacturers understand that relying on broadcasts reduces performance and they might have an alternative method.

    It is possible that neither of these are the main issue, but configuring them correctly could significantly reduce the issue or make the real issue more apparent.


    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    ------------------------------