Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Can't reach RADIUS

  • 1.  Can't reach RADIUS

    Posted Aug 22, 2024 08:50 AM

    Hi All,

    It's my first post here. Sorry if this is not the best place to put this topic.

    We implemented dot1X (using TEAP) on LAN over a year ago at all our branches.

    From time to time single "can't reach RADIUS" messages were visible in logs on switches, but this didn't impact users at all.

    After about 2 months, in one branch we had an issue that no one using LAN could log in to the company network. Multiple "can't reach RADIUS" logs were visible on all switches in that branch.

    Any attempts to solve the issue didn't work, so we disabled dot1x in this branch.

    The next day was the next try, and then all worked as before.

    Until the next time the same issue came back in the same branch.

    During the issue, sometimes there were no Access Tracker logs from LAN users in ClearPass from the affected switches. Other times there were, with Timeouts.

    We opened a TAC ticket to see if they could help us resolve this, but they didn't help. The problem came back a few times, then we decided to disable dot1X on LAN in that branch. Only a few ports were left with dot1x for testing purposes.

    Since then we jumped from ClearPass 6.10.6 to 6.12.2, but this changed nothing.

    After updating ClearPass a new ticket was opened. We collected as many logs as we could (from CP, switches). We had live sessions with TAC (ClearPass and switch support) but still without luck.

    Hosts are managed by GPO (WIN10) and Intune (WIN11). Settings are similar to those in all other branches.

    We are using 5400R ZL2, 2930F, 2530 switches in the affected branch. For the last TAC ticket, tests were done only on the 5400.

    The issue was never visible on Wi-Fi; the current authentication setup is similar to the LAN authentication setup (TEAP, same ClearPass).

    We also have configured AAA access to switches using the same ClearPass. There were no problems logging in to switches in that branch during the "issue time".

    Maybe you have some ideas what we can check/change?

    Best regards!



    ------------------------------
    MZimny
    ------------------------------



  • 2.  RE: Can't reach RADIUS

    EMPLOYEE
    Posted Aug 22, 2024 10:01 AM

    What kind of WAN connection is in place? What's the MTU of that connection?

    Does the switch configuration have at least two RADIUS servers configured as targets for 802.1X?



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 3.  RE: Can't reach RADIUS

    Posted Aug 23, 2024 03:53 AM

    Timeouts typically are because of reachability issues somewhere between the client and ClearPass, and limited MTU or firewalls in between are a common root-cause.

    Can you easily change/test if the issues are resolved by changing to RadSec (maybe on one switch to test first)?



    ------------------------------
    Herman Robers
    ------------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 4.  RE: Can't reach RADIUS

    Posted Aug 23, 2024 04:00 AM

    Hi @hemmersbach

    Check the MTU size on your WAN links. By default ClearPass has a TLS MTU fragment size of 1024 bytes. Maybe you need to adjust it according to your WAN MTU size.

    Here are some docs for ArubaOS-S switches regarding EAP-TLS fragmentation.

    https://www.arubanetworks.com/techdocs/AOS-S/16.11/ASG/YC/content/common%20files/ove-eap-tls-fra.htm

    Best, Gorazd



    ------------------------------
    Gorazd Kikelj
    MVP Guru 2024
    ------------------------------
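An added worked example (not code from this thread, from HPE Aruba, or from any poster) for the MTU point raised in replies 2 to 4: it computes how large the RADIUS Access-Challenge carrying one EAP-TLS fragment gets on the wire, so you can check whether the 1024-byte ClearPass default (or any value you pick) crosses your WAN path MTU without IP fragmentation, which firewalls and tunnels in between often drop silently. Header sizes follow RFC 2865, RFC 3748 and RFC 5216; the State attribute length and the MTU values are assumed, not taken from the thread.

```python
import math

# Fixed on-the-wire overheads (IPv4, UDP, RADIUS header per RFC 2865).
IPV4_HDR = 20
UDP_HDR = 8
RADIUS_HDR = 20            # code, identifier, length, authenticator
AVP_HDR = 2                # type + length byte of every RADIUS attribute
AVP_MAX_VALUE = 253        # 255-byte attribute minus its 2-byte header
EAP_HDR = 4                # code, identifier, length (RFC 3748)
EAP_TLS_TYPE_FLAGS = 2     # EAP type byte + EAP-TLS flags byte (RFC 5216)
EAP_TLS_LEN_FIELD = 4      # TLS message length, present when the L bit is set
MSG_AUTHENTICATOR = AVP_HDR + 16


def eap_payload_len(tls_fragment: int, first_fragment: bool = True) -> int:
    """Length of the EAP packet that carries one EAP-TLS fragment."""
    length_field = EAP_TLS_LEN_FIELD if first_fragment else 0
    return EAP_HDR + EAP_TLS_TYPE_FLAGS + length_field + tls_fragment


def radius_ip_packet_len(tls_fragment: int, state_len: int = 16,
                         first_fragment: bool = True) -> int:
    """IPv4 datagram size of an Access-Challenge carrying one EAP-TLS fragment.

    state_len is the value length of the State attribute; 16 is an assumed
    value, real servers vary. The EAP packet is split across EAP-Message
    attributes of at most 253 bytes each, so each slice adds a 2-byte header.
    """
    eap_len = eap_payload_len(tls_fragment, first_fragment)
    eap_message_avps = math.ceil(eap_len / AVP_MAX_VALUE)
    radius_len = (RADIUS_HDR + eap_len + eap_message_avps * AVP_HDR
                  + MSG_AUTHENTICATOR + AVP_HDR + state_len)
    return IPV4_HDR + UDP_HDR + radius_len


def fits_path_mtu(tls_fragment: int, path_mtu: int, state_len: int = 16) -> bool:
    """True when the Access-Challenge needs no IP fragmentation on that path."""
    return radius_ip_packet_len(tls_fragment, state_len) <= path_mtu


def max_tls_fragment_for_mtu(path_mtu: int, state_len: int = 16) -> int:
    """Largest EAP-TLS fragment size that still fits the path MTU unfragmented."""
    best = 0
    for candidate in range(1, path_mtu):
        if not fits_path_mtu(candidate, path_mtu, state_len):
            break          # packet size grows monotonically with the fragment
        best = candidate
    return best


if __name__ == "__main__":
    for mtu in (1500, 1400, 1100):   # assumed WAN path MTUs, not from the thread
        print(f"MTU {mtu}: 1024-byte fragment fits={fits_path_mtu(1024, mtu)}, "
              f"largest safe fragment={max_tls_fragment_for_mtu(mtu)}")
```

Measure the real path MTU first (for example with don't-fragment pings across the WAN link) and feed that value in; the fragment size ClearPass uses is the configurable setting the reply above refers to.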