Wireless Access

We have syslog logging for our clearpass server.
Recently we noticed that there is alot of errors from clearpass
how do i check who/what devices are causing this?
Our AP are now under Aruba Central, there is no on-premise controller.

Did you checked the access tracker on clearpass side?

It seem's this is an message related to GUI logon on ClearPass itself.

------------------------------
Best regards, mom
------------------------------

Original Message:
Sent: Jan 18, 2023 01:06 AM
From: yeowkm
Subject: Clearpass authentication logs

We have syslog logging for our clearpass server.
Recently we noticed that there is alot of errors from clearpass
how do i check who/what devices are causing this?
Our AP are now under Aruba Central, there is no on-premise controller.

That is the computer account that is created during the 'join domain' of your ClearPass server.
It may be that someone disabled or deleted the account, and if you don't do PEAP authentication, you can leave the ClearPass from the domain

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------

Original Message:
Sent: Jan 18, 2023 01:06 AM
From: yeowkm
Subject: Clearpass authentication logs

We have syslog logging for our clearpass server.
Recently we noticed that there is alot of errors from clearpass
how do i check who/what devices are causing this?
Our AP are now under Aruba Central, there is no on-premise controller.

the username and remote device actually refers to my clearpass server hostname.
it is currently not in my AD, either as username or computer name.
i can only see the hostname in my DNS server.
the logging has since stopped since i power down the clearpass server for 12 hrs last thursday.
Original Message:
Sent: Jan 26, 2023 11:06 AM
From: Herman Robers
Subject: Clearpass authentication logs

That is the computer account that is created during the 'join domain' of your ClearPass server.
It may be that someone disabled or deleted the account, and if you don't do PEAP authentication, you can leave the ClearPass from the domain

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Jan 18, 2023 01:06 AM
From: yeowkm
Subject: Clearpass authentication logs

We have syslog logging for our clearpass server.
Recently we noticed that there is alot of errors from clearpass
how do i check who/what devices are causing this?
Our AP are now under Aruba Central, there is no on-premise controller.

The ClearPass is likely joined to the domain, and if you don't see it in AD, your AD admin probably deleted the computer account and that results in the logs you shared.

Then also it's logical that if you power off the ClearPass server that the messages disappear. If you want to use the ClearPass server, go in Administration -> Server Configuration -> select your appliance -> Use the Leave Domain button to remove the domain membership of ClearPass:

If you use PEAP authentication against your AD, that is likely to fail, but it's supposed to be failing already if the account in AD has been removed.

Please work with your local Aruba partner as they may be able to explain all better than I can; they probably know your deployment as well.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------

Original Message:
Sent: Jan 26, 2023 08:58 PM
From: yeowkm
Subject: Clearpass authentication logs

the username and remote device actually refers to my clearpass server hostname.
it is currently not in my AD, either as username or computer name.
i can only see the hostname in my DNS server.
the logging has since stopped since i power down the clearpass server for 12 hrs last thursday.
Original Message:
Sent: Jan 26, 2023 11:06 AM
From: Herman Robers
Subject: Clearpass authentication logs

That is the computer account that is created during the 'join domain' of your ClearPass server.
It may be that someone disabled or deleted the account, and if you don't do PEAP authentication, you can leave the ClearPass from the domain

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Jan 18, 2023 01:06 AM
From: yeowkm
Subject: Clearpass authentication logs

We have syslog logging for our clearpass server.
Recently we noticed that there is alot of errors from clearpass
how do i check who/what devices are causing this?
Our AP are now under Aruba Central, there is no on-premise controller.