Hi!
I'm having an issue with redundancy of AD-servers in an auth-source in ClearPass.
I have 2 AD-servers in the list.
For our main EAP-TLS service the failover works fine.
But we have another service for eduroam (PEAP). This service does not work if we turn off the 1st AD-server in the list.
It seems to be timing out. I did notice DNS lookups took quite a while since the 1st server is also the 1st DNS server of the ClearPass server.
And the AD-servers are added with dns-names for LDAP over SSL 636.
So maybe it's a timeout issue? I kept getting different errors in the access tracker log.
Here are some:
MSCHAP: AD status:{Device Timeout} The specified I/O operation on %hs was not completed before the time-out period expired. (0xc00000b5) .
RADIUS Client did not complete EAP transaction
RADIUS MSCHAP: AD status:Reading winbind reply failed! (0xc0000001)
MSCHAP: Authentication failed
EAP-MSCHAPv2: User authentication failure
RADIUS Client did not complete EAP transaction.
I did a switch for now, adding the primary DC as secondary DNS and the secondary DC as primary DNS.
How should this be set up for best results?
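The post describes an ordered list of AD servers where a dead first entry stalls PEAP/MSCHAPv2 authentication, with slow DNS on top because the first DC is also the first DNS server. As an added example (not from the poster, and not ClearPass or Aruba code), the script below walks such a list from an admin workstation the way a failover would: resolve each name with a bounded timeout, attempt the TCP handshake to LDAPS 636, and report which entries are dead ahead of the first usable one and roughly how long a client would wait through them. The hostnames are placeholders, and the timeout values and the "one full timeout per dead entry" delay model are this script's own assumptions, not ClearPass's internal retry behaviour.

```python
"""Walk an ordered AD auth-source list the way a failover does: resolve each
name, then open TCP to LDAPS (636). Dead or slow entries ahead of the first
usable one are latency the EAP client waits through."""
import socket
import time
from concurrent.futures import ThreadPoolExecutor, TimeoutError as FutureTimeout
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

LDAPS_PORT = 636
RESOLVE_TIMEOUT_S = 2.0   # assumed bound on one DNS lookup
CONNECT_TIMEOUT_S = 3.0   # assumed bound on one TCP handshake to 636
SLOW_DNS_MS = 500.0       # flag resolution slower than this even when it works

Resolver = Callable[[str], Optional[str]]   # hostname -> IP, or None on failure
Connector = Callable[[str, int], bool]      # (ip, port) -> True if handshake completes


def resolve_with_timeout(host: str, timeout_s: float = RESOLVE_TIMEOUT_S) -> Optional[str]:
    """getaddrinfo has no timeout of its own, so run it in a worker thread and
    stop waiting after timeout_s (the thread is left to finish on its own)."""
    pool = ThreadPoolExecutor(max_workers=1)
    future = pool.submit(socket.getaddrinfo, host, LDAPS_PORT,
                         socket.AF_UNSPEC, socket.SOCK_STREAM)
    try:
        return future.result(timeout=timeout_s)[0][4][0]
    except (FutureTimeout, socket.gaierror, IndexError):
        return None
    finally:
        pool.shutdown(wait=False)


def tcp_connect(ip: str, port: int, timeout_s: float = CONNECT_TIMEOUT_S) -> bool:
    """Only the TCP handshake is tested; no LDAP or TLS exchange is attempted."""
    try:
        with socket.create_connection((ip, port), timeout=timeout_s):
            return True
    except OSError:
        return False


@dataclass
class Probe:
    server: str
    ip: Optional[str]
    resolve_ms: float
    ldaps_ok: bool

    @property
    def verdict(self) -> str:
        if self.ip is None:
            return "unresolvable"
        if not self.ldaps_ok:
            return "ldaps-unreachable"
        if self.resolve_ms > SLOW_DNS_MS:
            return "slow-dns"
        return "ok"


def probe_server(server: str, resolver: Resolver = resolve_with_timeout,
                 connector: Connector = tcp_connect) -> Probe:
    started = time.monotonic()
    ip = resolver(server)
    resolve_ms = (time.monotonic() - started) * 1000.0
    reachable = connector(ip, LDAPS_PORT) if ip is not None else False
    return Probe(server, ip, resolve_ms, reachable)


def assess_failover(servers: List[str], resolver: Resolver = resolve_with_timeout,
                    connector: Connector = tcp_connect) -> Dict[str, object]:
    """Report the first usable server, the dead entries ahead of it, and a crude
    worst-case delay: one full timeout per dead entry (resolve timeout if the
    name failed, connect timeout if the port did). This is the probe's own
    model, not the RADIUS server's real retry logic."""
    probes = [probe_server(s, resolver, connector) for s in servers]
    first = next((i for i, p in enumerate(probes) if p.ip is not None and p.ldaps_ok), None)
    dead = probes if first is None else probes[:first]
    delay = sum(RESOLVE_TIMEOUT_S if p.ip is None else CONNECT_TIMEOUT_S for p in dead)
    return {
        "probes": probes,
        "first_usable": None if first is None else probes[first].server,
        "dead_before_usable": [p.server for p in dead],
        "worst_case_delay_s": delay,
    }


if __name__ == "__main__":
    # Constructed scenario standing in for the post: the first DC is off, the
    # second is healthy. Replace the two stubs with resolve_with_timeout and
    # tcp_connect (the defaults) to probe real hosts.
    addresses = {"dc1.example.test": "10.0.0.1", "dc2.example.test": "10.0.0.2"}
    report = assess_failover(["dc1.example.test", "dc2.example.test"],
                             resolver=addresses.get,
                             connector=lambda ip, port: ip == "10.0.0.2" and port == LDAPS_PORT)
    for p in report["probes"]:
        print(f"{p.server:20s} {p.verdict:18s} resolve={p.resolve_ms:.1f}ms")
    print("first usable:", report["first_usable"],
          "| worst-case delay before it:", report["worst_case_delay_s"], "s")
```

Running it against the real hostnames from the workstation that has the same DNS server order as the ClearPass node shows two things separately: whether a name resolves slowly (the "slow-dns" verdict, even when the server itself is fine) and whether the first entry is simply unreachable on 636, which is the case where every authentication pays the connect timeout before the list falls through to the second DC.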