Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass Make Subscriber Error

  • 1.  Clearpass Make Subscriber Error

    Posted Sep 28, 2021 12:25 PM
    Scenario:

    Primary ClearPass server at HQ.  Just built a subscriber node at a different office with the plan to join it (different subnet).

    I have upgraded both servers to 6.9.7.  Created certs for the new server (local for database).  When I try to make it a subscriber it immediately says wrong IP/password.

    When I do it from command line I get the "echo GET failed, will retry..." error.

    I've cracked open the logs and see the following.



    HTTPError: HTTP Error 401: basic auth failed
    2021-09-28 08:15:00,021 WARNING OUT ClusterControlAPI 10.211.8.20: echo GET failed. Will retry...
    2021-09-28 08:15:02,628 DEBUG Tips.Db pgq_monitoring Num subscribers 0
    2021-09-28 08:15:02,628 DEBUG Tips.Db pgq_monitoring Pgq checks not applicable on stand alone publisher
    2021-09-28 08:15:02,658 INFO Tips.Db DbSubscriberStatusCheck Skip checks since this node is the publisher
    2021-09-28 08:15:02,740 DEBUG Tips.Db DbClusterDiagnostics Skip node=NodeId=1 ServerIp=None ServerIpv6= ManagementIp=10.220.0.22 ManagementIpv6= Uuid=627a4a5d-3887-4c11-8ece-0c8f71d0802e ProviderUuid=627a4a5d-3887-4c11-8ece-0c8f71d0802e ProviderNodeId=1 isMaster=True replicationStatus=ENABLED
    2021-09-28 08:15:30,052 DEBUG Tips.Util certhttp https_open(https://10.211.8.20/tipsapi/cluster/echo)
    2021-09-28 08:15:30,052 DEBUG Tips.Util certhttp htts_class_wrapper({'timeout': None})
    2021-09-28 08:15:30,052 DEBUG Tips.Util certhttp CertHTTPConnection(10.211.8.20 None None None None None {'timeout': None})
    2021-09-28 08:15:30,053 DEBUG Tips.Util certhttp connect()
    2021-09-28 08:15:30,090 DEBUG Tips.Util ClusterControlAPI _handle_exception( 10.211.8.20, echo GET, HTTP Error 401: basic auth failed)
    2021-09-28 08:15:30,091 ERROR Tips.Util ClusterControlAPI 10.211.8.20 echo GET: cluster-control action failed
    Traceback (most recent call last):
    File "/usr/local/avenda/tips/lib64/python2.4/ClusterControlAPI.py", line 88, in _GET
    resp = urllib2.urlopen(req, timeout=timeout)
    File "/usr/lib64/python2.7/urllib2.py", line 154, in urlopen
    return opener.open(url, data, timeout)
    File "/usr/lib64/python2.7/urllib2.py", line 437, in open
    response = meth(req, response)
    File "/usr/lib64/python2.7/urllib2.py", line 550, in http_response
    'http', request, response, code, msg, hdrs)
    File "/usr/lib64/python2.7/urllib2.py", line 469, in error
    result = self._call_chain(*args)
    File "/usr/lib64/python2.7/urllib2.py", line 409, in _call_chain
    result = func(*args)
    File "/usr/lib64/python2.7/urllib2.py", line 926, in http_error_401
    url, req, headers)
    File "/usr/lib64/python2.7/urllib2.py", line 889, in http_error_auth_reqed
    headers, None)



    When I navigate to the URL listed in the error I get presented with an authentication window.  I enter in the known admin/appadmin account and get "HTTP ERROR 401"

    Is there a different password that I should be using?  Is the publisher cluster password desynced from the admin/appadmin account?

    Can anyone point me in a better direction on troubleshooting this?


    ------------------------------
    Mike Traylor
    ------------------------------


  • 2.  RE: Clearpass Make Subscriber Error

    EMPLOYEE
    Posted Sep 29, 2021 03:06 AM
    Hi,

    The error points to an issue with the credential. Would you try updating the cluster password from Publisher UI > Administration > Server Manager > Server Configuration > Change cluster password and then use the new password to join the node to the cluster?

    ------------------------------
    Nimal Varampetran
    ------------------------------



  • 3.  RE: Clearpass Make Subscriber Error

    Posted Sep 29, 2021 04:00 PM
    Nimal,

    I have a cluster in my lab environment where I went to test the credentials for the https://applianceip/tipsapi/cluster/echo with known working credentials and the admin/appadmin account does not authenticate with that.  Is there a different account that should be used?

    FYI, my lab environment is on 6.10.1 and production is 6.9.7


    ------------------------------
    Mike Traylor
    ------------------------------



  • 4.  RE: Clearpass Make Subscriber Error

    EMPLOYEE
    Posted Sep 30, 2021 01:51 AM
    Hi Mike,

    Try using the username as 'clusteradmin' and the cluster password.

    ------------------------------
    Nimal Varampetran
    ------------------------------



  • 5.  RE: Clearpass Make Subscriber Error

    EMPLOYEE
    Posted Sep 30, 2021 04:09 AM
    Just for all clarity, the password that you need to join as a subscriber to a publisher is the password that is configured for the appadmin account that you can use to login to the CLI (ssh/console).

    Try to ssh to your publisher with appadmin as username, and that password to validate it. If you don't know the appadmin password anymore, change the cluster password under Administration -> Server manager, and it will tell you that on all nodes (currently) in the cluster the appadmin password will be reset to your new password as well.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 6.  RE: Clearpass Make Subscriber Error

    Posted Oct 01, 2021 03:53 PM
    Herman and Nimal,

    For security reasons, SSH to the appliance is blocked by firewall.

    I am able to log in with the documented password with admin.  I'm trying to use the same password.

    As the logs only point to not being able to authenticate with that GET echo URL I don't know how to troubleshoot this further.

    In my lab environment I'm also unable to authenticate with that URL with the known password but I was able to join the subscriber without an issue.

    (In the lab) I've tried admin, appadmin, clusteradmin, and the password that appadmin works with in SSH and it can't authenticate.

    Any recommendations on where to look in logs or elsewhere to actually determine why this is failing?

    Thanks

    ------------------------------
    Mike Traylor
    ------------------------------



  • 7.  RE: Clearpass Make Subscriber Error

    EMPLOYEE
    Posted Oct 02, 2021 10:10 AM
    Is your firewall that blocks SSH allowing the cluster traffic? Please open a TAC case, as with direct and interactive access to the environment it is much easier to solve this.

    ------------------------------
    Herman Robers
    ------------------------------



  • 8.  RE: Clearpass Make Subscriber Error

    Posted Oct 04, 2021 01:56 PM
    Do you have the HTTPS server trust set up correctly?

    Make sure you're following the instructions in the clustering guide and have the correct certificate trust settings for the HTTPS cert.

    https://community.arubanetworks.com/HigherLogic/System/DownloadDocumentFile.ashx?DocumentFileKey=951498fd-b130-48de-8649-2e208bce0f28
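
Added example, not part of the original thread and not ClearPass code: a small Python triage of the ClusterControlAPI `_handle_exception` lines quoted in the first post, mapping each failed cluster call to the three causes raised in the replies (credentials, firewall path, HTTPS trust). Only the 401 text comes from the page; the other error substrings and the 192.0.2.x sample lines are constructed assumptions.

```python
import re

# Line layout taken from the _handle_exception entry in the first post.
HANDLE_EXC = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d{3} \w+ \S+ ClusterControlAPI "
    r"_handle_exception\(\s*(?P<peer>[^,\s]+),\s*(?P<action>[^,]+),\s*(?P<err>.*)\)\s*$")

# Error text -> the question from the thread it answers.
# Only the 401 text appears on the page; the other substrings are standard
# Python/OS error messages and are ASSUMED to be logged in the same position.
CAUSES = [
    ("credentials", re.compile(r"HTTP Error 401")),
    ("tls-trust", re.compile(r"certificate verify failed|SSL", re.I)),
    ("network", re.compile(r"timed out|Connection refused|No route to host", re.I)),
]

def classify(err):
    """Map one error string to a cause label, or 'other' if nothing matches."""
    for cause, pattern in CAUSES:
        if pattern.search(err):
            return cause
    return "other"

def triage(lines):
    """Return one (timestamp, peer, action, cause) tuple per failed cluster call."""
    findings = []
    for line in lines:
        m = HANDLE_EXC.match(line.strip())
        if m:
            findings.append((m["ts"], m["peer"], m["action"].strip(),
                             classify(m["err"])))
    return findings

SAMPLE = [
    # Copied from the log in the first post:
    "2021-09-28 08:15:30,052 DEBUG Tips.Util certhttp connect()",
    "2021-09-28 08:15:30,090 DEBUG Tips.Util ClusterControlAPI _handle_exception( 10.211.8.20, echo GET, HTTP Error 401: basic auth failed)",
    # Constructed lines (not from the thread) to exercise the other causes:
    "2021-09-28 08:16:00,000 DEBUG Tips.Util ClusterControlAPI _handle_exception( 192.0.2.10, echo GET, <urlopen error timed out>)",
    "2021-09-28 08:16:30,000 DEBUG Tips.Util ClusterControlAPI _handle_exception( 192.0.2.11, echo GET, <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed>)",
]

if __name__ == "__main__":
    for ts, peer, action, cause in triage(SAMPLE):
        print(ts, peer, action, cause)
```

An HTTP 401 is a response sent by the peer, so for the line from the thread the TCP connection and TLS handshake to 10.211.8.20 completed and only the credential was rejected.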