Wireless Access

POC of Server fail through in lab..

AAA Fastconnect / EAP Termination enabled on the MCs.

Created NPS server with bogus rules and receive the failure.

Logs show the failure from the MC but it never makes the next step on moving it to Clearpass..no access trackers logs. 

If I move Clearpass to the top of the list in the Server group authentication happens successfully.

Any gotchas I'm not aware about when configuring Fail-Through other than EAP-Termination? 

MC logs

Oct 8 06:02:37 authmgr[5595]: <124003> <5595> <INFO> |authmgr| Authentication result=Authentication failed(1), method=802.1x, server=fail, user=e8:4e:06:6d:a7:c7
Oct 8 06:02:37 authmgr[5595]: <124004> <5595> <DBUG> |authmgr| In aal_authenticate
Oct 8 06:02:37 authmgr[5595]: <124004> <5595> <DBUG> |authmgr| Select server for method=802.1x, user=hrtest, essid=ACMX-dot1x, server-group=ACMX-8021x, last_srv <>
Oct 8 06:02:37 authmgr[5595]: <124004> <5595> <DBUG> |authmgr| aal_authenticate (1250)(INC) : os_reqs 1, s fail type 2 inservice 1 markedD 0
Oct 8 06:02:37 authmgr[5595]: <124004> <5595> <DBUG> |authmgr| aal_authenticate (1260)(INC) : os_auths 1, s fail type 2 inservice 1 markedD 0 sg_name ACMX-8021x
Oct 8 06:02:37 authmgr[5595]: <124004> <5595> <DBUG> |authmgr| server_cbh (257)(DEC) : os_reqs 0, s fail type 2 inservice 1 markedD 0
Oct 8 06:02:37 authmgr[5595]: <124004> <5595> <DBUG> |authmgr| server_cbh (638)(DEC) : os_auths 0, s fail type 2 inservice 1 markedD 0 sg_name ACMX-8021x
Oct 8 06:02:37 authmgr[5595]: <124004> <5595> <DBUG> |authmgr| unknown user=0.0.0.0, method=802.1x
Oct 8 06:02:37 authmgr[5595]: <124038> <5595> <INFO> |authmgr| Reused server fail for method=802.1x; user=hrtest, essid=ACMX-dot1x, domain=<>, server-group=ACMX-8021x
Oct 8 06:02:37 authmgr[5595]: <124097> <5595> <DBUG> |authmgr| Setting authserver 'fail' for user 0.0.0.0, client 802.1x.
Oct 8 06:02:37 authmgr[5595]: <124546> <5595> <DBUG> |authmgr| aal_authenticate user:hrtest vpnflags:0.
Oct 8 06:02:37 authmgr[5595]: <124547> <5595> <DBUG> |authmgr| aal_authenticate server_group:default.
Oct 8 06:02:37 authmgr[5595]: <124607> <5595> <DBUG> |authmgr| server_cbh(): response=1 from Auth server 'fail for client:4 proto:4 eap-type:0'.
Oct 8 06:02:37 authmgr[5595]: <124612> <5595> <DBUG> |authmgr| AuthSurv_onAuthFailed(authsurv:0): Entered, proto:4 eap-type:0x0 for username:'hrtest' auth-server:'fail' server-group:'ACMX-8021x' AnyRadLdapInOOS:'DontCare'.
Oct 8 06:02:44 authmgr[5595]: <121031> <5595> <DBUG> |authmgr| |aaa| [rc_sequence.c:117] seq_num_timeout_handler: Freed 0 entries

Looking at my own logs...

server-group=ACMX-8021x, last_srv <>

I'm going to create a new server group for testing.  "last_srv" makes it sound like its not going through the list

Yep making a new server group fixed it..can I give myself kudos? :D

Oct 8 06:11:47 authmgr[5595]: <124004> <5595> <DBUG> |authmgr| server_cbh (957)(INC) : os_reqs 1, s Clearpass type 2 inservice 1 markedD 0
Oct 8 06:11:47 authmgr[5595]: <124004> <5595> <DBUG> |authmgr| sta_add_l3: mac e8:4e:06:6d:a7:c7 ip 10.60.10.205
Oct 8 06:11:47 authmgr[5595]: <124004> <5595> <DBUG> |authmgr| unknown user=0.0.0.0, method=802.1x
Oct 8 06:11:47 authmgr[5595]: <124004> <5595> <DBUG> |authmgr| user_download: User 10.60.10.205 Router Acl(0)
Oct 8 06:11:47 authmgr[5595]: <124004> <5595> <DBUG> |authmgr| user_download: User N/A Router Acl(0)
Oct 8 06:11:47 authmgr[5595]: <124038> <5595> <INFO> |authmgr| Selected server Clearpass for method=802.1x; user=hrtest, essid=ACMX-dot1x, domain=<>, server-group=AAA-FAIL-THROUGH
Oct 8 06:11:47 authmgr[5595]: <124038> <5595> <INFO> |authmgr| Selected server fail for method=802.1x; user=hrtest, essid=ACMX-dot1x, domain=<>, server-group=AAA-FAIL-THROUGH
Oct 8 06:11:47 authmgr[5595]: <124097> <5595> <DBUG> |authmgr| Setting authserver 'Clearpass' for user 0.0.0.0, client 802.1x.
Oct 8 06:11:47 authmgr[5595]: <124105> <5595> <DBUG> |authmgr| MM: mac=e8:4e:06:6d:a7:c7, state=1, name=hrtest, role=authenticated, dev_type=Win 10, ip=10.60.10.205, new_rec=1.