
CPPM timeout received instead of ACCESS-REJECT

  • 1.  CPPM timeout received instead of ACCESS-REJECT

    Posted Mar 29, 2016 02:08 PM


    I deployed a CPPM solution for 802.1X and MAB auth. Everything works but I have one issue - CPPM doesn't respond to requests with a bad password / unknown MAC.


    My service & Policies configuration:

    Authentication Method Allow All MAC AUTH
    Authentication Source Endpoint Repository
    Enforcement Type RADIUS
    Enforcement Policy (Authentication:MacAuth EQUALS KnownClient) => Enforcement Profile Allow Access Profile
    Default Profile Deny Access Profile


    1) The above service 'TEST MAC' is configured and my RADIUS MAC-Auth request matches that SERVICE rule, which I see in syslog from CPPM and in Access-Tracker:

    Syslog returns: Service classification result = TEST MAC

    Access-Tracker returns (Output tab):

        Enforcement Profiles: [Deny Access Profile]
        System Posture Status: UNKNOWN (100)
        Audit Posture Status: UNKNOWN (100)

        Error Code: 206
        Error Category: Authentication failure
        Error Message: Access denied by policy

        Alerts for this Request
        RADIUS [Endpoints Repository] - localhost: User not found.
        Applied 'Reject' profile


    2) The request doesn't match the Enforcement Policy, as the MAC is not known, so the Enforcement Profile Deny Access Profile is used.


    And my RADIUS client doesn't receive any response. Just a RADIUS timeout. I adjusted the timeout to even 30 seconds, but no response at all. I tested the same scenario with FreeRADIUS, which responds with Access-Reject to an unknown user/MAC, and I'm expecting the same behavior from CPPM. What should I change to achieve this?


    I'm using ClearPass Policy Manager




  • 2.  RE: CPPM timeout received instead of ACCESS-REJECT

    Posted Mar 29, 2016 03:00 PM

    Just want to add that earlier I used below radius-server settings on client/network devices requesting auth with CPPM:


    radius-server retransmit 1
    radius-server timeout 10


    And 10 seconds was too short a time to wait for the CPPM/RADIUS response. I increased the timeout to two minutes (120 seconds) and finally got an ACCESS-REJECT response, but AFTER 31 seconds of waiting!


    Can I adjust these timeouts somewhere within CPPM or tell CPPM to respond more quickly?




  • 3.  RE: CPPM timeout received instead of ACCESS-REJECT

    Posted Mar 29, 2016 04:15 PM

    I was digging and found the source of the problem. There is a variable 'Reject Packet Delay' (in the Security section) under Administration » Server Manager » Server Configuration - CPPM -> Service Parameters -> Radius Server.

    The default value of this variable is '1' second. If I set it to 0 seconds then the CPPM RADIUS server sends ACCESS-REJECT asap. If it's set to >0 then CPPM replies after 'Maximum Request Time' + 'Reject Packet Delay' seconds, which means 30 + 1 = 31 seconds. But why is it taking 'Maximum Request Time' into account? Is it a bug or expected behavior?
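The posts above boil down to one measurement: how long after a MAB Access-Request the RADIUS server actually returns its Access-Reject, compared with the NAS's `radius-server timeout`. The script below is an added example, not code from this thread or from Aruba/ClearPass. It builds a MAB-style Access-Request (MAC as User-Name and User-Password, Service-Type Call-Check) with the standard library only, sends it once and waits once (the equivalent of `radius-server retransmit 1` / `timeout N`), verifies the Response Authenticator on whatever comes back, and reports "reject after 31.0s" or "timeout after 10.0s". The server address, shared secret, NAS IP and MAC in the `__main__` block are placeholders; `build_reply` exists only so the packet handling can be exercised offline against a constructed reply.

```python
# Added example (not from the thread or from ClearPass): a one-shot RADIUS MAB
# probe that times the server's Accept/Reject against a NAS-style timeout.
import hashlib
import hmac
import os
import socket
import struct
import time

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS, ATTR_SERVICE_TYPE = 1, 2, 4, 6
SERVICE_TYPE_CALL_CHECK = 10  # RFC 2865 Service-Type value switches use for MAB


def encode_user_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Hide User-Password per RFC 2865 s5.2: each 16-byte block is XORed with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def decode_user_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Inverse of encode_user_password; the keystream chains on the hidden blocks."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")


def _attr(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute: Type(1) Length(1, includes header) Value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def build_mab_request(mac: str, secret: bytes, nas_ip: str, identifier: int = 0,
                      req_auth: bytes = None) -> tuple:
    """Build the Access-Request a switch doing MAB sends: the normalised MAC is
    both User-Name and User-Password. Returns (packet, request_authenticator)."""
    username = mac.lower().replace(":", "").replace("-", "").encode()
    req_auth = req_auth or os.urandom(16)  # random per RFC 2865 (fixed only in tests)
    attrs = (_attr(ATTR_USER_NAME, username)
             + _attr(ATTR_USER_PASSWORD, encode_user_password(username, secret, req_auth))
             + _attr(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + _attr(ATTR_SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_CALL_CHECK)))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + req_auth + attrs, req_auth


def build_reply(code: int, request: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """Server-side reply construction, used here only to build a sample reply offline.
    Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    resp_auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + resp_auth + attrs


def parse_response(packet: bytes, secret: bytes, req_auth: bytes) -> tuple:
    """Check the Response Authenticator, then return (code, identifier, raw attrs).
    A mismatch means a wrong shared secret or a reply not produced by the server."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    attrs = packet[20:length]
    expected = hashlib.md5(packet[:4] + req_auth + attrs + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("Response Authenticator mismatch")
    return code, identifier, attrs


def classify(code: int) -> str:
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(code, "other")


def probe(server: str, secret: bytes, mac: str, nas_ip: str,
          timeout: float = 10.0, port: int = 1812) -> tuple:
    """Send once and wait once, like 'radius-server retransmit 1 / timeout N'.
    Returns (verdict, seconds) with verdict in accept / reject / other / timeout."""
    request, req_auth = build_mab_request(mac, secret, nas_ip, identifier=1)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    started = time.monotonic()
    try:
        sock.sendto(request, (server, port))
        data, _ = sock.recvfrom(4096)
    except socket.timeout:
        return "timeout", time.monotonic() - started
    finally:
        sock.close()
    code, _, _ = parse_response(data, secret, req_auth)
    return classify(code), time.monotonic() - started


if __name__ == "__main__":
    # Placeholders: replace with your CPPM address, shared secret, NAS IP and a test MAC.
    verdict, seconds = probe("192.0.2.1", b"changeme", "00:11:22:33:44:55", "192.0.2.10", timeout=10.0)
    print(f"{verdict} after {seconds:.1f}s")
```

Run it with `timeout` set to the switch's configured value and an unknown MAC: a result of `timeout after 10.0s` with a reject-delayed server reproduces the symptom in post 1, and after the 'Reject Packet Delay' change the same call should report `reject` within a fraction of a second. The authenticator check in `parse_response` matters for the measurement too, since a reply that fails it would be discarded by a real NAS and still counted as a timeout.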




  • 4.  RE: CPPM timeout received instead of ACCESS-REJECT

    Posted May 13, 2016 03:15 PM

    Thank you so much for posting your follow-ups!  This was driving me crazy, and if it hadn't been for your post, I very probably would have lost my mind.


    I actually logged into this site for the first time just to give kudos to this post, your replies, and to post here to say THANK YOU!