We have a ClearPass cluster (4 boxes) on 6.9.7 and a 10 x AOS 8.7.1.5 controller cluster.
Guest is set up to allow social logins only (though Facebook appear to have scuttled this by withdrawing support for embedded browsers, but that's a whole different story).
We see occasional auth failures which we can't pin down the cause of. We are redirected to the social provider, we enter our credentials (or they are already saved), we see the ClearPass 'logging on' screen for a few seconds, then we end up back at the captive portal with an authentication failed message. Then if we select Twitter (or whichever provider we are testing) again, sometimes it will just succeed, sometimes it will take 2 or 3 of these attempts, but it eventually works.
Looking at a successful auth in Access Tracker shows [Endpoints Repository], [Time Source], [Social Login Repository] as authorization sources, but the failures are all missing [Social Login Repository] from that list and show as "Error 216 RADIUS PAP: CLEAR TEXT password check failed". And in Roles we see [User Authenticated], twitter for successful auths, but this is blank for the failures. The failures aren't confined to one particular service provider.
There doesn't seem to be an obvious pattern, but in a couple of old Airheads posts I read previously, ClearPass clusters were mentioned as possibly being problematic because of the time it takes for the boxes to be synced with the one-time password details. But I don't know where I would change timers to test this theory. In our AAA profile we have:
Logon wait minimum wait 5 sec
Logon wait maximum wait 10 sec
logon wait CPU utilization threshold 60 %
Should we be looking elsewhere? Does some sort of timeout sound likely here?
Thank you
Guy
------------------------------
Guy Goodrick
------------------------------