Security

  • 1.  Clearpass Auth Active Directory failover

    Posted Feb 28, 2019 10:11 AM

    Hi!

     

    I'm having an issue with redundancy of AD-servers in an auth-source in ClearPass.

    I have 2 AD-servers in the list.

    For our main EAP-TLS service the failover works fine.


    But we have another service for eduroam (PEAP). This service does not work if we turn off the 1st AD-server in the list.


    It seems to be timing out. I did notice DNS lookups took quite a while, since the 1st server is also the 1st DNS server of the ClearPass server.

    And the AD-servers are added with DNS names for LDAP over SSL, port 636.

    So maybe it's a timeout issue? I kept getting different errors in the Access Tracker log.


    Here are some:


    MSCHAP: AD status:{Device Timeout} The specified I/O operation on %hs was not completed before the time-out period expired. (0xc00000b5) .


    RADIUS Client did not complete EAP transaction
    RADIUS MSCHAP: AD status:Reading winbind reply failed! (0xc0000001)
    MSCHAP: Authentication failed
    EAP-MSCHAPv2: User authentication failure
    RADIUS Client did not complete EAP transaction.


    I did a switch for now, adding the primary DC as secondary DNS and the secondary DC as primary DNS.


    How should this be set up for the best result?



  • 2.  RE: Clearpass Auth Active Directory failover

    Posted Feb 28, 2019 10:50 AM
    Do both AD servers reside on the same subnet and route out of the same interface on ClearPass?


  • 3.  RE: Clearpass Auth Active Directory failover

    Posted Feb 28, 2019 04:49 PM

    Yes on all those questions.



  • 4.  RE: Clearpass Auth Active Directory failover

    Posted Mar 05, 2019 02:44 AM

    No one has any suggestions ?



  • 5.  RE: Clearpass Auth Active Directory failover

    Posted Mar 05, 2019 02:56 AM
    First, I would suggest opening a TAC case. It could be a timeout issue, a config issue or just a bug. It would be easier for them to look at the logs.

    Second, how is your failover set up? Is it multiple ADs in the service, or are you using 1 with backup servers defined?


  • 6.  RE: Clearpass Auth Active Directory failover

    Posted Mar 05, 2019 03:37 AM
    Have you tried leaving then rejoining the domain?


  • 7.  RE: Clearpass Auth Active Directory failover

    Posted Mar 05, 2019 03:42 AM

    The service contains only one AD with one primary server and one backup.


    This setup should be able to fail over faster? It's the only service that doesn't work with the one AD server down.

    So it seems to have something to do with the binds lookup.


    Haven't tried rejoining the domain. Would I have to do something more except leaving then rejoining? (Remove AD computer accounts?)



  • 8.  RE: Clearpass Auth Active Directory failover

    Posted Feb 17, 2021 10:23 AM
    Hi, 

    Did you enable DNS caching in the server configuration? If not, please enable it during non-production hours, since it will restart all services upon the change.

    Go to Administration -> Server Manager -> Server Configuration -> click on the server and enable DNS caching in the DNS settings.

    If we do not have DNS caching enabled, every time ClearPass sends the request to the primary DNS first and then goes to the secondary DNS. If the primary DNS is not reachable, the authentication will time out.



    ------------------------------
    Naresh Gunasekharan
    ------------------------------
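The delay chain this answer describes (a DNS lookup for the DC name on every request, then the LDAPS bind), as an added diagnostic that is not part of the original thread and is not ClearPass's own tooling: it sends a raw A query to each resolver in list order, times a TCP connect to each DC's LDAPS port, and estimates whether the serial delay when the first resolver is dead still fits inside the EAP client's timeout. The resolver addresses, DC hostnames, 5 s probe timeout, 2 retries per dead resolver and 30 s EAP budget are constructed assumptions; the thread does not state ClearPass's actual resolver settings, so substitute your own before reading anything into the numbers.

```python
"""Added diagnostic for the DNS-then-LDAPS failover delay discussed in the thread.

Standard library only. All addresses, names and timeouts below are constructed
assumptions, not values from the original post.
"""
import socket
import struct
import time
from dataclasses import dataclass
from typing import List

RESOLVERS = ["192.0.2.10", "192.0.2.11"]            # assumed: the two DCs also serve DNS
AD_SERVERS = ["dc1.example.test", "dc2.example.test"]
LDAPS_PORT = 636
PROBE_TIMEOUT = 5.0      # seconds per probe; assumed, a common resolver default
RESOLVER_ATTEMPTS = 2    # assumed retries against a dead resolver before the next one
EAP_TIMEOUT = 30.0       # assumed NAS/supplicant budget for the whole EAP exchange


@dataclass
class Probe:
    kind: str        # "dns" or "ldaps"
    target: str
    ok: bool
    seconds: float
    detail: str = ""


def build_dns_query(name: str, txid: int = 0x1234) -> bytes:
    """Build a minimal recursion-desired A query for `name` (RFC 1035 wire format)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    question = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"
    return header + question + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN


def parse_dns_response(data: bytes, txid: int = 0x1234) -> tuple:
    """Return (rcode, answer_count); raise ValueError on a transaction id mismatch."""
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    return flags & 0x000F, an


def probe_dns(resolver: str, name: str, timeout: float = PROBE_TIMEOUT) -> Probe:
    """Time one A query for `name` against one specific resolver over UDP/53."""
    start = time.monotonic()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(build_dns_query(name), (resolver, 53))
            data, _ = sock.recvfrom(512)
            rcode, answers = parse_dns_response(data)
            ok, detail = rcode == 0 and answers > 0, f"rcode={rcode} answers={answers}"
        except (OSError, ValueError) as exc:
            ok, detail = False, f"{type(exc).__name__}: {exc}"
    return Probe("dns", f"{resolver} -> {name}", ok, time.monotonic() - start, detail)


def probe_ldaps(host: str, port: int = LDAPS_PORT, timeout: float = PROBE_TIMEOUT) -> Probe:
    """Time a TCP connect to the LDAPS port (uses the OS resolver; no TLS handshake)."""
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout):
            ok, detail = True, "tcp connect ok"
    except OSError as exc:
        ok, detail = False, f"{type(exc).__name__}: {exc}"
    return Probe("ldaps", f"{host}:{port}", ok, time.monotonic() - start, detail)


def assess(probes: List[Probe], eap_timeout: float = EAP_TIMEOUT,
           timeout: float = PROBE_TIMEOUT, attempts: int = RESOLVER_ATTEMPTS) -> dict:
    """Estimate the serial delay one request sees: resolvers are tried in list order
    until one answers, then LDAPS servers in list order until one connects. A dead
    resolver costs timeout * attempts; a dead LDAPS endpoint costs one connect timeout."""
    delay = 0.0
    for kind in ("dns", "ldaps"):
        for p in (x for x in probes if x.kind == kind):
            if p.ok:
                delay += p.seconds
                break
            delay += timeout * attempts if kind == "dns" else timeout
        else:  # loop finished without a working server of this kind
            return {"delay": delay, "fits": False, "reason": f"no working {kind} server"}
    return {"delay": delay, "fits": delay < eap_timeout, "reason": ""}


def main() -> None:
    probes = [probe_dns(r, AD_SERVERS[0]) for r in RESOLVERS]
    probes += [probe_ldaps(h) for h in AD_SERVERS]
    for p in probes:
        print(f"{p.kind:5} {p.target:35} {'OK  ' if p.ok else 'FAIL'} {p.seconds:6.2f}s {p.detail}")
    print(assess(probes))


if __name__ == "__main__":
    main()
```

Run it from the ClearPass subnet (or any host with the same resolver order) while the first DC is down: a dead first resolver shows up as a DNS probe that fails only after the full timeout, and `assess` turns that into the per-request delay the thread's PEAP service would pay without a DNS cache. `assess` is pure, so it can also be fed hand-built `Probe` results to reason about a planned resolver order before touching production.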