Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Authentication source Server Timeout and TACACS timeout

  • 1.  Authentication source Server Timeout and TACACS timeout

    Posted Jul 23, 2024 01:09 PM

    Have been working on a reported issue in this ClearPass (6.11 publisher / subscriber - L3) environment where the AD authentication source doesn't fail over correctly when the primary AD server is down for TACACS requests. This is a well-connected environment with 10ms max between the sites.

    Narrowed it down to the TACACS timeout on the switch (procurve / AOS-s) and the Server Timeout in the ClearPass authentication source.

    With for example 2 seconds timeout on the ClearPass AD authentication source and 6 seconds on the switch TACACS timeout it works fine. The switch waits long enough for ClearPass to attempt to reach the backup 1 server. Which it seems to attempt twice?

    Are these "normal" values? Or can you handle it with lower / higher in your environment?



  • 2.  RE: Authentication source Server Timeout and TACACS timeout
    Best Answer

    Posted Jul 24, 2024 06:20 AM

    I believe it's expected to see delays/timeouts when your primary AD server is unavailable. There are different timeouts (tcp-syn, server response, retry), and failover to a backup server may happen only after 10-15 seconds or so after an authentication source is not responding. If your authentication/authorization server is unavailable for a longer time, it's recommended to remove the server from your authentication source (list). Authentication and authorization sources are supposed to be highly available. Authorization sources have the 'benefit' that they cache data, so it's less visible.



    ------------------------------
    Herman Robers
    ------------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------
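A small model of the timing the two posts describe (an added example, not code from the thread or from ClearPass): every attempt against an unreachable server burns the ClearPass auth-source Server Timeout, and the switch TACACS timeout has to outlast the sum before a backup server answers. The server names, the two-attempts-per-server behaviour the original poster observed, and the 50 ms response time are constructed assumptions; the tcp-syn and retry timers Herman mentions are not modelled separately.

```python
# Added example: model how the ClearPass per-attempt "Server Timeout" and the
# switch TACACS timeout interact when the primary AD server is down.
# ASSUMPTIONS (not confirmed by the thread): ClearPass tries each server
# `attempts_per_server` times (the OP saw two) and only then moves on to the
# next server in the list; TCP SYN / retry timers are folded into one value.
from dataclasses import dataclass


@dataclass
class AuthServer:
    name: str
    reachable: bool
    response_time: float = 0.05   # seconds when the server answers (constructed)


@dataclass
class AuthSource:
    servers: list                 # ordered: primary first, then backups
    server_timeout: float         # ClearPass auth-source "Server Timeout" (s)
    attempts_per_server: int = 2  # assumption based on the OP's observation


def time_to_answer(source: AuthSource):
    """Return (seconds until ClearPass can answer, server used or None)."""
    elapsed = 0.0
    for srv in source.servers:
        for _ in range(source.attempts_per_server):
            if srv.reachable:
                return elapsed + srv.response_time, srv.name
            elapsed += source.server_timeout  # a dead server burns the full timeout
    return elapsed, None  # every server down: the request fails at ClearPass


def switch_budget_ok(source: AuthSource, tacacs_timeout: float) -> bool:
    """True if the switch is still waiting when ClearPass finally answers."""
    needed, server = time_to_answer(source)
    return server is not None and needed < tacacs_timeout


# The OP's scenario: primary AD down, backup up, 2 s ClearPass Server Timeout.
OP_SOURCE = AuthSource(
    servers=[AuthServer("ad-primary", reachable=False),
             AuthServer("ad-backup-1", reachable=True)],
    server_timeout=2.0,
)

if __name__ == "__main__":
    secs, used = time_to_answer(OP_SOURCE)
    print(f"ClearPass answers after {secs:.2f}s via {used}")
    for tacacs in (3.0, 6.0):
        print(f"switch TACACS timeout {tacacs}s sufficient: "
              f"{switch_budget_ok(OP_SOURCE, tacacs)}")
```

With the OP's values the model reaches the backup after about 4 s, which fits inside a 6 s switch timeout but not a 3 s one.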



  • 3.  RE: Authentication source Server Timeout and TACACS timeout

    Posted Jul 31, 2024 02:21 AM

    Thanks Herman, will keep that in mind.