Security

  • 1.  Clearpass failing to write updated MAC cache values to endpoint (intermittent)

    Posted May 22, 2023 01:52 PM

    Hello guys,

    I have a bit of a doozy here that I'm trying to solve. This is for a guest network. Pertinent details below:

    - Guest wireless system using captive portal + MAC caching
    - Server-initiated setup
    - Interfaces with Cisco WLCs
    - Clients initiate with L2 MAC authentication. This service looks to see if Authorization:[Time Source]:Now LESS_THAN %{Endpoint:MAC-Address-Expiration}. If this is true, it sends back an allow access. If not, it sends back a captive portal enforcement policy that returns url-redirect and url-redirect-acl
    - Portal accept button triggers a WEBAUTH that processes the request and updates two Endpoint values. Allow-Guest-Internet (boolean) and MAC-Address-Expiration (epoch)
    - Allow-Guest-Internet set to TRUE
    - MAC-Address-Expiration set to %{Authorization:[Time Source]:Now Plus 1day} (not a custom Time Source filter)
    - Client is sent a CoA (below)


    - The client reauthenticates via L2 with the export anchor still active on the WLC anchor side
    - At this point, the client should satisfy Authorization:[Time Source]:Now LESS_THAN %{Endpoint:MAC-Address-Expiration}, so it will be given an allow access profile.
    - Login delay on page is set to 8 seconds
    - CoA delay on clearpass servers is set to 8 seconds

    The problem:

    Intermittently, clearpass is FAILING to write the output values of the WEBAUTH request into the endpoint database so the subsequent MAC auth triggers the portal again instead of an allow access. Clients on iPhones will get the hotspot login page error. Other devices will loop around the portal again. It depends on the device.

    Visual evidence:

    Here is a client exhibiting the problem.

    MAC Auth #1 Client has a previous value that is now expired of 1684682572. Time Source Now = 1684758610


    WEBAUTH Request Output. New expiration value = 1684848708


    MAC Auth #2. Shows MAC-Auth-Expiration value of 1684682572 which was the ORIGINAL value, not the updated one. 


    Client then went through the portal again, and on the second go around, it updated.

    I'm at a loss here and can't understand why the DB is failing to write these values intermittently. System stats are not showing anything taxed, however I do see events in the event viewer showing long running queries, so that's evidence to suggest the disk is not keeping up with these random I/O reads and writes. Another thing I'm looking at is our maximum number of DB connections is set to the default of 400. Would increasing this to 700 (or more) per Airheads Community be helpful?

    Any thoughts? I would be extremely grateful for any help with this. I do have a TAC case open but I wanted to get y'all's opinion on this as well.

    Thanks,
    Max Turpin



  • 2.  RE: Clearpass failing to write updated MAC cache values to endpoint (intermittent)

    Posted Jun 26, 2023 04:45 AM

    If you are increasing the number of database connections, you probably have a very high load on your system.

    What you describe is expected in a publisher-subscriber setup, where the client is authenticated on the subscriber. Updates are always run through the publisher, then synchronized back to the subscribers, which introduces a delay. Normally a 5-10 second replication delay would be considered acceptable. You should check if updates are really not performed, or whether the replication delay is (sometimes) higher than 8 seconds. Increasing the CoA delay (if you are using CoA), or the Login Delay (if you are using controller initiated), and seeing if issues disappear or become less frequent may be worth trying. If you find the issue, please post the resolution here to help others.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------
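    As an added illustration (not code from this thread or from ClearPass), a small Python model of the MAC-caching flow in post 1 together with the publisher-to-subscriber replication race described in the reply above. Function names, the constant-delay replication model and the MAC address are assumptions; the epoch values are the ones quoted in post 1.

```python
# Added example, not from the thread: models the ClearPass MAC-caching flow.
# Names and the fixed-delay replication model are illustrative assumptions.
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

DAY = 86400  # "Now Plus 1day" in seconds


def mac_auth_decision(now: int, mac_address_expiration: Optional[int]) -> str:
    """L2 MAC auth service: Now LESS_THAN Endpoint:MAC-Address-Expiration -> allow."""
    if mac_address_expiration is not None and now < mac_address_expiration:
        return "allow-access"
    # Otherwise the captive portal enforcement (url-redirect + url-redirect-acl)
    return "captive-portal"


@dataclass
class EndpointDb:
    """Publisher holds the authoritative copy; a subscriber sees a write only
    after replication_delay seconds (constructed model of the replication lag)."""
    replication_delay: int
    published: Dict[str, Tuple[int, int]] = field(default_factory=dict)  # mac -> (expiration, written_at)

    def webauth_accept(self, mac: str, now: int) -> int:
        # Portal accept: MAC-Address-Expiration = Now Plus 1day, written on the publisher
        expiration = now + DAY
        self.published[mac] = (expiration, now)
        return expiration

    def subscriber_read(self, mac: str, now: int, previous: Optional[int]) -> Optional[int]:
        # The subscriber still returns the old endpoint value until replication catches up
        if mac in self.published:
            expiration, written_at = self.published[mac]
            if now - written_at >= self.replication_delay:
                return expiration
        return previous


def second_mac_auth(replication_delay: int, coa_delay: int, now: int = 1684758610,
                    previous: int = 1684682572, mac: str = "aa:bb:cc:dd:ee:ff") -> str:
    """Replay the thread's sequence: MAC auth #1 -> WEBAUTH -> CoA after coa_delay -> MAC auth #2.
    Defaults are the epoch values from post 1 plus a constructed MAC address."""
    db = EndpointDb(replication_delay)
    first = mac_auth_decision(now, previous)          # expired cache value -> portal
    if first != "captive-portal":
        raise RuntimeError("unexpected first decision: " + first)
    db.webauth_accept(mac, now)                       # portal accept writes the new expiration
    reauth_time = now + coa_delay                     # client re-does L2 MAC auth after the CoA
    seen = db.subscriber_read(mac, reauth_time, previous)
    return mac_auth_decision(reauth_time, seen)       # stale read reproduces the portal loop
```

    Running second_mac_auth(5, 8) gives allow-access, while second_mac_auth(12, 8) reproduces the loop because the 8 second CoA delay is shorter than the replication delay.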



  • 3.  RE: Clearpass failing to write updated MAC cache values to endpoint (intermittent)

    Posted Oct 17, 2024 08:58 PM

    I would love to know what you found out on this. We are having the exact same issue. Intermittent. Seems the attribute just isn't getting written in time for the re-login after the CoA delay. Not every time, but enough times that it's causing issues.


    Thanks,

    David




  • 4.  RE: Clearpass failing to write updated MAC cache values to endpoint (intermittent)

    Posted Oct 17, 2024 10:13 PM

    We ditched CWA and went to controller initiated. Set virtual IP to 192.0.2.1, generated self signed certs on foreign and publicly signed wifi-remote.xyz.com cert for the anchors. NAS FQDN Hostname is wifi-remote.xyz. Change the ACL back to the right direction and make that return of your MAC auth. I wrote about it on my blog

    https://wiflymax.wordpress.com/2023/07/25/cisco-wlc-guest-wifi-with-mac-caching-and-anchor-wlc-clearpass-controller-initiated/




  • 5.  RE: Clearpass failing to write updated MAC cache values to endpoint (intermittent)

    Posted Oct 21, 2024 09:06 AM

    Thanks for the reply!

    We actually are having the attributes being slow to write issue without it being involved with anchoring or publisher/subscriber. It's just... slow to write the attribute. :)

    Thank you for your write up though. I think a lot of people are going to find that useful.

    David




  • 6.  RE: Clearpass failing to write updated MAC cache values to endpoint (intermittent)

    Posted Oct 21, 2024 10:00 AM

    I haven't blogged in a bit, but there are some other posts as well detailing a few different guest setups. Glad you got use out of it. And yes, you can have this issue even without a multi-node cppm setup. As much as I love clearpass, it's just not built right to process CWA, at least when using the endpoint DB to maintain state. You may have better luck with user accounts, but that wasn't something we considered as we do a straight passthrough portal.

    Again, I do not recommend CWA for any use case. I especially don't recommend it for any sort of high capacity guest. For us, we do around 30k users a day and CWA was a disaster for us almost from the start. You can do things like login delays and the like described above, but it's just curtains on the Titanic.

    LWA is the way to go.

    Max