Security

last person joined: 2 hours ago 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

Clear Pass Authentication rejected for some users- Help

  • 1.  Clear Pass Authentication rejected for some users- Help

    Posted Oct 04, 2019 03:28 PM
      |   view attached

    Hi, 

    I am new to the community and has an issue. 

    we have multiple remote sites and all of them are using Aruba wireless network to connect different SSIDs. These users are being authenticated via ClearPass and AD. We have upgraded a Domain Controller at one of the site. After upgrade the users at specific site are not being authenticated but for rest of the sites it works fine. 

     

    On clear pass the status is Timeout and Reject but few of the users are able to authenticate successfully. 

     

    Alerts -
    Error Code: 206
    Error Category: Authentication failure
    Error Message: Access denied by policy
    Alerts for this Request -
    RADIUS: Applied 'Reject' profile

     

    Attached the logs for analysis. 

     

    Regards

    Pankaj 

    Attachment(s)

    zip
    Wireless_Logs.zip   9K 1 version


  • 2.  RE: Clear Pass Authentication rejected for some users- Help

    Posted Oct 05, 2019 03:34 AM
    Please check if clearpass is able to browse the ou and that you can get to the folder where the user accounts are stored.


  • 3.  RE: Clear Pass Authentication rejected for some users- Help

    Posted Oct 05, 2019 12:38 PM
    Yes Clear Pass is able to browse all the accounts.


  • 4.  RE: Clear Pass Authentication rejected for some users- Help

    Posted Oct 05, 2019 01:36 PM

    By upgrade do you mean the code version or the model? Could you give some more info on this

     

    Have any configuration changes been made to the interfaces? 

     

    What happens when you do a aaa test server from the controller diagnostics page with a user's credentials?

     

     

    --Give Kudos: found something helpful, important, or cool? Click Kudos Star in a post.
    --Problem Solved? Click "Accepted Solution" in a post.



  • 5.  RE: Clear Pass Authentication rejected for some users- Help

    Posted Oct 06, 2019 02:35 AM
    By upgrade do you mean the code version or the model? Could you give some more info on this. - We have upgraded the Windows server active directory services on server side. Have any configuration changes been made to the interfaces? No changes have been made. What happens when you do a aaa test server from the controller diagnostics page with a user's credentials? It's an instant AP.


  • 6.  RE: Clear Pass Authentication rejected for some users- Help

    Posted Oct 06, 2019 04:38 AM

    @pmbisht333 wrote:
    By upgrade do you mean the code version or the model? Could you give some more info on this. - We have upgraded the Windows server active directory services on server side. Have any configuration changes been made to the interfaces? No changes have been made. What happens when you do a aaa test server from the controller diagnostics page with a user's credentials? It's an instant AP.

    Are the users setup to receive downloadable roles? what is FQDN in the RADIUS server in IAP configuration?

     

     



  • 7.  RE: Clear Pass Authentication rejected for some users- Help

    Posted Oct 07, 2019 09:09 AM

    Thanks for the reply. Can you please let me know how to validate if roles are downloadable.

     

    RADIUS server is configured atatically on IAP.

    Name- abcd

    IP Address- 1.2.3.4

    Auth Port- 1812

    Acc Port- 1813

    Shared Secret- xxxx

     

    The IAP Model and AOS are as below.

    Name:
    Aruba Operating System Software
    Type:
    115
    Build Time:
    2015-08-05 00:40:30 PDT
    Version:
    6.4.3.1-4.2.0.0_51112


  • 8.  RE: Clear Pass Authentication rejected for some users- Help

    Posted Oct 05, 2019 02:42 PM

    @pmbisht333 wrote:

    Hi, 

    I am new to the community and has an issue. 

    we have multiple remote sites and all of them are using Aruba wireless network to connect different SSIDs. These users are being authenticated via ClearPass and AD. We have upgraded a Domain Controller at one of the site. After upgrade the users at specific site are not being authenticated but for rest of the sites it works fine. 

     

    On clear pass the status is Timeout and Reject but few of the users are able to authenticate successfully. 

     

    Alerts -
    Error Code: 206
    Error Category: Authentication failure
    Error Message: Access denied by policy
    Alerts for this Request -
    RADIUS: Applied 'Reject' profile

     

    Attached the logs for analysis. 

     

    Regards

    Pankaj 


    If ClearPass is being rejected by "Policy" you should look into the Attributes on the "Input" TAB of the Access Tracker of the rejected devices and compare that to the rules on the "Enforcement" TAB of the service that it is hitting to see why your user does not satisfy any of those rules.  It may or may not have anything to do with what you last did, but you need to compare them.  There is no easy way to figure this out.



  • 9.  RE: Clear Pass Authentication rejected for some users- Help

    Posted Oct 07, 2019 09:29 AM

    @pmbisht333 wrote:

    Hi, 

    I am new to the community and has an issue. 

    we have multiple remote sites and all of them are using Aruba wireless network to connect different SSIDs. These users are being authenticated via ClearPass and AD. We have upgraded a Domain Controller at one of the site. After upgrade the users at specific site are not being authenticated but for rest of the sites it works fine. 

     

    On clear pass the status is Timeout and Reject but few of the users are able to authenticate successfully. 

     

    Alerts -
    Error Code: 206
    Error Category: Authentication failure
    Error Message: Access denied by policy
    Alerts for this Request -
    RADIUS: Applied 'Reject' profile

     

    Attached the logs for analysis. 

     

    Regards

    Pankaj 


    Based on your original post, if you are using 802.1x to authenticate users and you upgraded a domain controller, and you are having timeouts, it is possible that ClearPass is sending authentications to domain controllers that are far away, creating latency and possible timeout issues.  The solution is to define "password servers" so that you can be sure ClearPass uses a domain controller that is close to your ClearPass servers:  https://www.arubanetworks.com/techdocs/ClearPass/6.7/PolicyManager/index.htm#CPPM_UserGuide/Admin/ServerConfig_addpwdserver.htm?Highlight=password%20server

     

    With regards to the "reject", you need to look at what parameters on the authentication that is rejected do not satisfy your enforcement policy rules.