Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass Guest social login occasional auth failures

  • 1.  ClearPass Guest social login occasional auth failures

    Posted Oct 12, 2021 05:14 PM
    We have a ClearPass cluster (4 boxes) on 6.9.7
    And 10 x AOS 8.7.1.5 controller cluster

    Guest is set up to allow social logins only (though Facebook appear to have scuttled this by withdrawing support for embedded browsers, but that's a whole different story).

    We see occasional auth failures which we can't pin down the cause of. We are redirected to the social provider, we enter our credentials (or they are already saved), we see the ClearPass 'logging on' screen for a few seconds, then we end up back at the Captive portal with an authentication failed message. Then if we select Twitter (or whichever provider we are testing) again then sometimes it will just succeed, sometimes it will take 2 or 3 of these attempts but eventually works.

    Looking at a successful auth in Access Tracker shows [Endpoints Repository], [Time Source], [Social Login Repository] as authorization sources, but the failures are all missing [Social Login Repository] from that list and show as "Error 216 RADIUS PAP: CLEAR TEXT password check failed". And in Roles we see [User Authenticated], twitter for successful auths, but this is blank for the failures. The failures aren't confined to one particular service provider.

    There doesn't seem to be an obvious pattern but having read a couple of old Airheads posts previously ClearPass clusters were mentioned as possibly being problematic because of the time it takes for the boxes to be synced with the one-time password details. But I don't know where I would change timers to test this theory. In our AAA profile we have:

    Logon wait minimum wait 5 sec
    Logon wait maximum wait 10 sec
    logon wait CPU utilization threshold 60 %

    Should we be looking elsewhere? Does some sort of timeout sound likely here?

    Thank you

    Guy

    ------------------------------
    Guy Goodrick
    ------------------------------


  • 2.  RE: ClearPass Guest social login occasional auth failures

    EMPLOYEE
    Posted Oct 13, 2021 06:31 AM
    What happens 'under the hood' is that on a successful social login, a temporary account is created in the Social Login Repository, which very likely needs to be synced from the publisher to the subscribers, and that has a delay of a few seconds. You can keep all your social logins on your publisher (both the HTTPS web login and the RADIUS) to avoid this issue, or create a login delay, which I think is a setting in the Guest page configuration in ClearPass Guest. That will delay the actual login, so the synchronization can be performed.

    Aruba Support can also assist in troubleshooting if you can't solve this. For such a problem, it really helps if you see the issue happening, rather than work from a description.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------
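
Added example, not part of the thread and not Aruba code: one way to test the sync-delay explanation is to export authentication records and look for the pattern from the first post, a failure with error 216 and no [Social Login Repository] source that is followed shortly by a success for the same client, then count which node handled the failures. The CSV column names, node names and rows below are constructed assumptions, not a ClearPass export format.

```python
import csv
import io
from collections import Counter
from datetime import datetime

SLR = "[Social Login Repository]"
FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample data; columns and node names are hypothetical.
SAMPLE = """timestamp,server,mac,status,auth_sources,error
2021-10-12 17:00:01,cppm-sub2,aa:bb:cc:00:00:01,REJECT,[Endpoints Repository];[Time Source],216
2021-10-12 17:00:09,cppm-pub,aa:bb:cc:00:00:01,ACCEPT,[Endpoints Repository];[Time Source];[Social Login Repository],
2021-10-12 17:03:10,cppm-pub,aa:bb:cc:00:00:02,ACCEPT,[Endpoints Repository];[Time Source];[Social Login Repository],
2021-10-12 17:05:00,cppm-sub1,aa:bb:cc:00:00:03,REJECT,[Endpoints Repository];[Time Source],216
2021-10-12 17:05:04,cppm-sub1,aa:bb:cc:00:00:03,REJECT,[Endpoints Repository];[Time Source],216
2021-10-12 17:05:20,cppm-sub3,aa:bb:cc:00:00:03,ACCEPT,[Endpoints Repository];[Time Source];[Social Login Repository],
2021-10-12 17:10:00,cppm-sub2,aa:bb:cc:00:00:04,REJECT,[Endpoints Repository];[Time Source],216
"""

def load(text):
    """Parse the CSV and return rows sorted by time."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["ts"] = datetime.strptime(r["timestamp"], FMT)
    return sorted(rows, key=lambda r: r["ts"])

def sync_race_candidates(text, window_s=60):
    """Failures lacking the social repository that succeed on retry within window_s."""
    rows = load(text)
    hits = []
    for i, fail in enumerate(rows):
        if (fail["status"] != "REJECT" or fail["error"] != "216"
                or SLR in fail["auth_sources"]):
            continue
        for later in rows[i + 1:]:
            gap = (later["ts"] - fail["ts"]).total_seconds()
            if gap > window_s:
                break  # rows are time-sorted, nothing later can match
            if (later["mac"] == fail["mac"] and later["status"] == "ACCEPT"
                    and SLR in later["auth_sources"]):
                hits.append((fail["mac"], fail["server"], gap))
                break
    return hits

def failures_by_server(hits):
    """Count candidate failures per node that handled the failed request."""
    return Counter(server for _, server, _ in hits)

if __name__ == "__main__":
    found = sync_race_candidates(SAMPLE)
    print(found, failures_by_server(found))
```

If the candidates cluster on subscriber nodes, that is consistent with the replication delay described above; failures that never recover on retry (the last sample row) are excluded and need a different explanation.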



  • 3.  RE: ClearPass Guest social login occasional auth failures

    Posted Oct 13, 2021 05:23 PM
    Thanks for the useful explanation Herman,

    I think you've probably hit the nail on the head (we had a couple of Aruba guys in the office today and they thought the same), we'll test the options and then decide which to use.

    Is that delay in the sync just inherent in the design? It seems a shame to have to work around something like that. Any idea if that's something that might be addressed in future releases?

    Guy

    ------------------------------
    Guy Goodrick
    ------------------------------



  • 4.  RE: ClearPass Guest social login occasional auth failures

    Posted Oct 13, 2021 10:33 PM
    I see this problem but only have one CPPM server (so no pub/sub sync at issue). It's most noticeable for a server-initiated (CoA) captive portal web authentication login. I couldn't find any options that would delay the authentication check by ClearPass Guest; it gets checked immediately on return from the IdP (Azure AD OAuth). Clicking the social login button again works instantly. Looking in Access Tracker, it seems the social attributes aren't in the endpoint repository yet (I discovered the social login repository is just a view on the endpoints repository) during the initial check; when I click again they are, and it matches the correct service. The first time it matches a service which has this condition:
    Endpoint social_method NOT_EQUALS azure
    When I click again it matches the service with this condition that is below the other service:
    Endpoint social_method EQUALS azure


    I haven't opened a TAC case yet.



    ------------------------------
    James Andrewartha
    ------------------------------



  • 5.  RE: ClearPass Guest social login occasional auth failures

    Posted Oct 14, 2021 02:24 AM

    Hi, 
    Try to increase the "Login Delay" parameter in the Guest Web Logins page configuration.

    Regards,



    ------------------------------
    Kestutis Virsilas
    ------------------------------



  • 6.  RE: ClearPass Guest social login occasional auth failures

    Posted Oct 14, 2021 02:58 AM
    I've increased it previously to no effect; I don't think it's relevant for cloud identity. Well, it is, but it only affects the delay after cloud login succeeds; the initial login attempt occurs (and fails) immediately. Also FWIW I'm using a self-registration form with cloud identity as an option. For Aruba Controllers, which do a POST login via the client, everything works fine with the various delays.

    ------------------------------
    James Andrewartha
    ------------------------------



  • 7.  RE: ClearPass Guest social login occasional auth failures

    Posted Oct 14, 2021 05:34 AM
    I don't want to muddy the waters (or spread info that might not be accurate) but our Aruba contact suggested (this morning) that we try using SSO as the auth method. We left just Social Repo as auth source, though I'm not sure that's relevant. We have changed our login delay back to the default 5 secs and we are now back to using the server group with all 4 boxes in. _Very_ early signs are good for this; it might be something to consider looking at, though I would be very interested to hear @Herman Robers' thoughts on it?

    I seem to remember reading something, possibly in some release notes, about SSO becoming the auth method for social logins.

    (I can't stress enough that this has had very little testing as yet)


    ------------------------------
    Guy Goodrick
    ------------------------------



  • 8.  RE: ClearPass Guest social login occasional auth failures

    Posted Oct 14, 2021 05:50 AM
    Yeah, for RADIUS I use SSO for social login and it works well, but SSO isn't an auth option available for WEBAUTH.





  • 9.  RE: ClearPass Guest social login occasional auth failures

    EMPLOYEE
    Posted Oct 14, 2021 05:55 AM
    I don't have thoughts on this. Would need to see it in a context and what has been configured before and after the change; hard to have a solid opinion based on many assumptions. I don't work on Social logins on a daily basis.

    ------------------------------
    Herman Robers
    ------------------------------



  • 10.  RE: ClearPass Guest social login occasional auth failures

    Posted Oct 14, 2021 06:20 AM
    Ok thanks Herman

    ------------------------------
    Guy Goodrick
    ------------------------------