  • 1.  ClearPass 802.1x WIRED timeouts + Windows 10

    Posted Feb 22, 2023 10:26 AM

    Hey folks:

    We've deployed NAC to a bunch of sites (Aruba switches) and there is one site that is having constant timeout issues, and the only way to fix it is to either unplug the ethernet cable, go on wireless and do a GPO update, or reboot the PC and VoIP phone.  The PCs' security settings are configured via GPO.  We get about 10 to 15 user timeouts.  This is the log from ClearPass.  

    2023-02-21 09:53:32,401    [Th 37614 Req 35390948 SessId R015cbb80-13-63f4daec] INFO RadiusServer.Radius - rlm_service: Starting Service Categorization - 105:459:b0-5c-da-25-43-a7
    2023-02-21 09:53:32,407    [Th 37614 Req 35390948 SessId R015cbb80-13-63f4daec] INFO RadiusServer.Radius - Service Categorization time = 6 ms
    2023-02-21 09:53:32,407    [Th 37614 Req 35390948 SessId R015cbb80-13-63f4daec] INFO RadiusServer.Radius - rlm_service: The request has been categorized into service "ENT-802.1X Wired-Aruba-HIGH"
    2023-02-21 09:53:32,407    [Th 37614 Req 35390948 SessId R015cbb80-13-63f4daec] INFO RadiusServer.Radius - rlm_ldap: searching for user host/FNFCORPTAXWK205.fnfglobal.local in AD:fnfglobal.local
    2023-02-21 09:53:32,452    [Th 37614 Req 35390948 SessId R015cbb80-13-63f4daec] INFO RadiusServer.Radius - rlm_ldap: found user PCNAME in AD:MYDOMAIN.local
    2023-02-21 09:53:32,452    [Th 37614 Req 35390948 SessId R015cbb80-13-63f4daec] INFO RadiusServer.Radius - LDAP/AD User lookup time = 45 ms
    2023-02-21 09:53:32,452    [Th 37614 Req 35390948 SessId R015cbb80-13-63f4daec] INFO RadiusServer.Radius - rlm_eap_tls: Initiate
    2023-02-21 09:53:32,452    [Th 37614 Req 35390948 SessId R015cbb80-13-63f4daec] INFO RadiusServer.Radius - reqst_update_state: Access-Challenge 105:88:b0-5c-da-25-43-a7:AGQA2QDhANfkBRwCyLV3WnvfTzkKcQ9fLBxV0w==
    2023-02-21 09:53:32,645    [Th 37605 Req 35390949 SessId R015cbb80-13-63f4daec] INFO RadiusServer.Radius - rlm_service: The request was categorized into service "ENT-802.1X Wired-Aruba-HIGH" - 106:630:b0-5c-da-25-43-a7
    2023-02-21 09:53:32,646    [Th 37605 Req 35390949 SessId R015cbb80-13-63f4daec] INFO RadiusServer.Radius - TLS_accept:error in SSLv3 read client certificate A
    2023-02-21 09:53:32,646    [Th 37605 Req 35390949 SessId R015cbb80-13-63f4daec] INFO RadiusServer.Radius - TLS_accept:error in SSLv3 read client certificate A
    2023-02-21 09:53:32,646    [Th 37605 Req 35390949 SessId R015cbb80-13-63f4daec] INFO RadiusServer.Radius - reqst_update_state: Access-Challenge 106:1124:b0-5c-da-25-43-a7:ACIAxwDGALzlBRwC7vwmxdtIx1ws8OU7lcJXcg==
    2023-02-21 09:53:32,684    [Th 37610 Req 35390950 SessId R015cbb80-13-63f4daec] INFO RadiusServer.Radius - rlm_service: The request was categorized into service "ENT-802.1X Wired-Aruba-HIGH" - 107:466:b0-5c-da-25-43-a7
    2023-02-21 09:53:32,684    [Th 37610 Req 35390950 SessId R015cbb80-13-63f4daec] INFO RadiusServer.Radius - reqst_update_state: Access-Challenge 107:1120:b0-5c-da-25-43-a7:ALsAVgCpAPfmBRwCHz8wBumYIdL4Ve5vUv5UJw==
    2023-02-21 09:53:32,702    [Th 37612 Req 35390951 SessId R015cbb80-13-63f4daec] INFO RadiusServer.Radius - rlm_service: The request was categorized into service "ENT-802.1X Wired-Aruba-HIGH" - 108:466:b0-5c-da-25-43-a7
    2023-02-21 09:53:32,702    [Th 37612 Req 35390951 SessId R015cbb80-13-63f4daec] INFO RadiusServer.Radius - reqst_update_state: Access-Challenge 108:1120:b0-5c-da-25-43-a7:AIcA1gDcAJPnBRwC/KKCZQc+tWSVgpjWtJgyTg==
    2023-02-21 09:53:32,726    [Th 37607 Req 35390952 SessId R015cbb80-13-63f4daec] INFO RadiusServer.Radius - rlm_service: The request was categorized into service "ENT-802.1X Wired-Aruba-HIGH" - 109:466:b0-5c-da-25-43-a7
    2023-02-21 09:53:32,727    [Th 37607 Req 35390952 SessId R015cbb80-13-63f4daec] INFO RadiusServer.Radius - reqst_update_state: Access-Challenge 109:1120:b0-5c-da-25-43-a7:AHYAcgBNAMDoBRwCyZFy+VzuOstEDCDmUcTThQ==
    2023-02-21 09:53:32,778    [Th 37611 Req 35390953 SessId R015cbb80-13-63f4daec] INFO RadiusServer.Radius - rlm_service: The request was categorized into service "ENT-802.1X Wired-Aruba-HIGH" - 110:466:b0-5c-da-25-43-a7
    2023-02-21 09:53:32,778    [Th 37611 Req 35390953 SessId R015cbb80-13-63f4daec] INFO RadiusServer.Radius - reqst_update_state: Access-Challenge 110:1120:b0-5c-da-25-43-a7:AMQArwCEAPPpBRwCXYzszPRLM5Q0x/koQjxhrQ==
    2023-02-21 09:53:32,800    [Th 37608 Req 35390954 SessId R015cbb80-13-63f4daec] INFO RadiusServer.Radius - rlm_service: The request was categorized into service "ENT-802.1X Wired-Aruba-HIGH" - 111:466:b0-5c-da-25-43-a7
    2023-02-21 09:53:32,800    [Th 37608 Req 35390954 SessId R015cbb80-13-63f4daec] INFO RadiusServer.Radius - reqst_update_state: Access-Challenge 111:292:b0-5c-da-25-43-a7:AO4ACwA1AK3qBRwCuNsj+U9EUlJVQnnVPcM7Ag==
    2023-02-21 09:54:19,054    [main SessId R015cbb80-13-63f4daec] ERROR RadiusServer.Radius - reqst_clean_list: Deleting request sessid - R015cbb80-13-63f4daec, state - AO4ACwA1AK3qBRwCuNsj+U9EUlJVQnnVPcM7Ag=
    2023-02-21 09:54:19,054    [main SessId R015cbb80-13-63f4daec] ERROR RadiusServer.Radius - reqst_clean_list: Packet 105:459:88:b0-5c-da-25-43-a7 recv 1676991212.401139 - resp 1676991212.452937
    2023-02-21 09:54:19,054    [main SessId R015cbb80-13-63f4daec] ERROR RadiusServer.Radius - reqst_clean_list: Packet 106:630:1124:b0-5c-da-25-43-a7 recv 1676991212.645265 - resp 1676991212.646969
    2023-02-21 09:54:19,054    [main SessId R015cbb80-13-63f4daec] ERROR RadiusServer.Radius - reqst_clean_list: Packet 107:466:1120:b0-5c-da-25-43-a7 recv 1676991212.683808 - resp 1676991212.684597
    2023-02-21 09:54:19,054    [main SessId R015cbb80-13-63f4daec] ERROR RadiusServer.Radius - reqst_clean_list: Packet 108:466:1120:b0-5c-da-25-43-a7 recv 1676991212.701986 - resp 1676991212.702442
    2023-02-21 09:54:19,054    [main SessId R015cbb80-13-63f4daec] ERROR RadiusServer.Radius - reqst_clean_list: Packet 109:466:1120:b0-5c-da-25-43-a7 recv 1676991212.726553 - resp 1676991212.727060
    2023-02-21 09:54:19,054    [main SessId R015cbb80-13-63f4daec] ERROR RadiusServer.Radius - reqst_clean_list: Packet 110:466:1120:b0-5c-da-25-43-a7 recv 1676991212.778252 - resp 1676991212.778817
    2023-02-21 09:54:19,054    [main SessId R015cbb80-13-63f4daec] ERROR RadiusServer.Radius - reqst_clean_list: Packet 111:466:292:b0-5c-da-25-43-a7 recv 1676991212.800267 - resp 1676991212.800728
    2023-02-21 09:54:19,054    [main SessId R015cbb80-13-63f4daec] INFO RadiusServer.Radius - rlm_policy: Starting Policy Evaluation.
    2023-02-21 09:54:19,069    [main SessId R015cbb80-13-63f4daec] INFO RadiusServer.Radius - Policy Evaluation time = 15 ms
    2023-02-21 09:54:19,069    [main SessId R015cbb80-13-63f4daec] INFO RadiusServer.Radius - rlm_policy: Received Deny Enforcement Profile
    2023-02-21 09:54:19,069    [main SessId R015cbb80-13-63f4daec] INFO RadiusServer.Radius - rlm_policy: Policy Server reply does not contain Posture-Validation-Response

    Any help would be greatly appreciated.  



  • 2.  RE: ClearPass 802.1x WIRED timeouts + Windows 10

    Posted Feb 23, 2023 03:21 AM

    What type of authentication method are you using?

    Have you tried to remove the VoIP device between the PC and the switch? Sometimes VoIP devices are snooping EAP packets.

    Please also check the Windows Event log. Sometimes there is useful information there. What error is displayed in the Access Tracker alert tab?



    ------------------------------
    William Bargeman
    Systems Engineer Aruba
    ------------------------------



  • 3.  RE: ClearPass 802.1x WIRED timeouts + Windows 10

    Posted Feb 27, 2023 07:56 AM

    We're using EAP-TLS and yes, we have tried removing the VoIP devices.  Windows Event Log is showing Event ID: 15514 "The network stopped answering", but looking at pcaps it is the client that stops responding.  From there it goes into a loop until the PC either gets power cycled or the ethernet cable is pulled out.  




  • 4.  RE: ClearPass 802.1x WIRED timeouts + Windows 10

    Posted Feb 27, 2023 08:10 AM

    Can you run a packet capture / port mirror on the client port and on the ClearPass server (collect logs)?

    If it is 'one site' I suspect that you have a small MTU somewhere in the path between your switch and ClearPass. If the certificates are sent, it can be that your RADIUS traffic is fragmented and dropped for that reason. With packet captures on both sides you can see if/where the fragmentation happens and resolve that.

    Is this 'all clients on a specific site'? Or some clients? Or even all sites?



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------
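
As a companion to the capture-on-both-sides advice above, this added example (not part of the original posts and not ClearPass tooling) parses the RADIUS log format from the first post and reports sessions that ClearPass deleted after its last Access-Challenge went unanswered. It assumes the `Access-Challenge` fields are RADIUS id, reply length, MAC and state, which is inferred from the log itself; the sample input is a subset of the lines posted above.

```python
import re
from datetime import datetime

# Sample input: a subset of the ClearPass log lines from the first post.
SAMPLE_LOG = """\
2023-02-21 09:53:32,452    [Th 37614 Req 35390948 SessId R015cbb80-13-63f4daec] INFO RadiusServer.Radius - reqst_update_state: Access-Challenge 105:88:b0-5c-da-25-43-a7:AGQA2QDhANfkBRwCyLV3WnvfTzkKcQ9fLBxV0w==
2023-02-21 09:53:32,646    [Th 37605 Req 35390949 SessId R015cbb80-13-63f4daec] INFO RadiusServer.Radius - reqst_update_state: Access-Challenge 106:1124:b0-5c-da-25-43-a7:ACIAxwDGALzlBRwC7vwmxdtIx1ws8OU7lcJXcg==
2023-02-21 09:53:32,778    [Th 37611 Req 35390953 SessId R015cbb80-13-63f4daec] INFO RadiusServer.Radius - reqst_update_state: Access-Challenge 110:1120:b0-5c-da-25-43-a7:AMQArwCEAPPpBRwCXYzszPRLM5Q0x/koQjxhrQ==
2023-02-21 09:53:32,800    [Th 37608 Req 35390954 SessId R015cbb80-13-63f4daec] INFO RadiusServer.Radius - reqst_update_state: Access-Challenge 111:292:b0-5c-da-25-43-a7:AO4ACwA1AK3qBRwCuNsj+U9EUlJVQnnVPcM7Ag==
2023-02-21 09:54:19,054    [main SessId R015cbb80-13-63f4daec] ERROR RadiusServer.Radius - reqst_clean_list: Deleting request sessid - R015cbb80-13-63f4daec, state - AO4ACwA1AK3qBRwCuNsj+U9EUlJVQnnVPcM7Ag=
"""

LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3})\s+\[.*?SessId (?P<sid>\S+)\]\s+"
    r"\w+ RadiusServer\.Radius - (?P<msg>.*)$")
# Assumption: the two numbers are the RADIUS packet id and the reply length in bytes.
CHALLENGE = re.compile(r"reqst_update_state: Access-Challenge (?P<id>\d+):(?P<len>\d+):")

def find_stalled_sessions(log_text, min_stall_s=10.0):
    """Return sessions deleted at least min_stall_s after their last Access-Challenge."""
    sessions, stalled = {}, []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip lines that are not in the RadiusServer log format
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S,%f")
        challenges = sessions.setdefault(m["sid"], [])
        c = CHALLENGE.search(m["msg"])
        if c:
            challenges.append((ts, int(c["id"]), int(c["len"])))
        elif "reqst_clean_list: Deleting request" in m["msg"] and challenges:
            last_ts, last_id, last_len = challenges[-1]
            stall = (ts - last_ts).total_seconds()
            if stall >= min_stall_s:
                stalled.append({
                    "session": m["sid"],
                    "last_radius_id": last_id,
                    "last_challenge_len": last_len,
                    "largest_challenge_len": max(n for _, _, n in challenges),
                    "stall_s": round(stall, 3),
                })
    return stalled

if __name__ == "__main__":
    for hit in find_stalled_sessions(SAMPLE_LOG):
        print(hit)
```

Each reported session is one where ClearPass logged no further request after the listed RADIUS id, so the matching client-port capture is the place to look for whether the client sent its next EAP message.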