Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass Fragmentation - Auth

  • 1.  ClearPass Fragmentation - Auth

    Posted Feb 05, 2024 12:12 PM

    Afternoon-

    We are experiencing timeouts with ClearPass authentication requests over our new AWS based network. We have isolated the issue itself to our Gateway Load Balancers in AWS, as when static VPN routes are set up to bypass the GWLB, authentication runs without issue. We believe we are experiencing issues related to fragmentation.

    Our ClearPass instance has been running on AWS EC2 for months now without issue, however we ran into issues when recently migrating to our new network topology.

    Error Code:
    9002
    Error Category:
    RADIUS protocol
    Error Message:
    Request timed out

    RADIUS Last EAP Packet Processing Time = 3 ms
    RADIUS Client did not complete EAP transaction

    2024-02-01 19:34:24,222 [Th 19 Req 56654 SessId R00002c7e-01-65bc46a0] INFO RadiusServer.Radius - rlm_eap_tls: Initiate
    2024-02-01 19:34:24,222 [Th 19 Req 56654 SessId R00002c7e-01-65bc46a0] INFO RadiusServer.Radius - reqst_update_state: Access-Challenge 48:88:C8-34-8E-22-49-36:AOkAHQBKAH9O3QAAacBgJ9UNwTEcvtUwOd+b7A==
    2024-02-01 19:35:19,527 [main SessId R00002c7e-01-65bc46a0] ERROR RadiusServer.Radius - reqst_clean_list: Deleting request sessid - R00002c7e-01-65bc46a0, state - AOkAHQBKAH9O3QAAacBgJ9UNwTEcvtUwOd+b7A=
    2024-02-01 19:35:19,527 [main SessId R00002c7e-01-65bc46a0] ERROR RadiusServer.Radius - reqst_clean_list: Packet 48:391:88:C8-34-8E-22-49-36 recv 1706837664.218780 - resp 1706837664.222118
    2024-02-01 19:35:19,527 [main SessId R00002c7e-01-65bc46a0] INFO RadiusServer.Radius - Last EAP Packet Processing Time = 3 ms

    We cannot adjust MTU values as, again, our instance is running on EC2 and the commands have been removed. Default MTU, I believe, is 9001, which I understand Amazon manages (jumbo frames). Auth leverages RADIUS and I am starting to explore RadSec as this should hopefully resolve the timeout issues we are seeing.

    I have an active support case that seems to be dragging a bit, hoping someone in the community has experienced this or has thoughts of a potential fix.

    -N
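The log excerpt above shows the pattern behind error 9002: ClearPass sends an Access-Challenge carrying the next EAP-TLS fragment, the client's reply never arrives, and about 55 seconds later the request is garbage-collected. The following is an added example, not code from the post or from ClearPass, that correlates lines of that format per session and flags sessions where a challenge was the last state update before cleanup. The sample lines are constructed and modelled on the post; the "Access-Accept" state line used for the healthy session is an assumed format, not copied from a real ClearPass log.

```python
import re
from datetime import datetime

# Constructed sample log, modelled on the ClearPass RADIUS log lines quoted in the post.
# Session ...a0 mirrors the post: a challenge goes out, nothing comes back, and ~55 s later
# the request is garbage-collected. Session ...a1 is a constructed healthy session; its
# "Access-Accept" state line is an assumed format, not copied from a real ClearPass log.
SAMPLE_LOG = """\
2024-02-01 19:34:24,222 [Th 19 Req 56654 SessId R00002c7e-01-65bc46a0] INFO RadiusServer.Radius - rlm_eap_tls: Initiate
2024-02-01 19:34:24,222 [Th 19 Req 56654 SessId R00002c7e-01-65bc46a0] INFO RadiusServer.Radius - reqst_update_state: Access-Challenge 48:88:C8-34-8E-22-49-36:AOkAHQ==
2024-02-01 19:34:25,001 [Th 20 Req 56655 SessId R00002c7f-01-65bc46a1] INFO RadiusServer.Radius - rlm_eap_tls: Initiate
2024-02-01 19:34:25,002 [Th 20 Req 56655 SessId R00002c7f-01-65bc46a1] INFO RadiusServer.Radius - reqst_update_state: Access-Challenge 49:88:C8-34-8E-22-49-37:BBBBAQ==
2024-02-01 19:34:25,140 [Th 21 Req 56656 SessId R00002c7f-01-65bc46a1] INFO RadiusServer.Radius - reqst_update_state: Access-Accept
2024-02-01 19:35:19,527 [main SessId R00002c7e-01-65bc46a0] ERROR RadiusServer.Radius - reqst_clean_list: Deleting request sessid - R00002c7e-01-65bc46a0, state - AOkAHQ==
2024-02-01 19:35:19,527 [main SessId R00002c7e-01-65bc46a0] INFO RadiusServer.Radius - Last EAP Packet Processing Time = 3 ms
"""

# Timestamp, the SessId inside the bracketed context, the level, and the free-text message.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"\[.*?SessId (?P<sess>\S+)\] "
    r"(?P<level>\w+) RadiusServer\.Radius - (?P<msg>.*)$"
)


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S,%f")


def find_stalled_eap_sessions(log_text, stall_seconds=30.0):
    """Return {session_id: seconds_waited} for sessions where ClearPass sent an
    Access-Challenge (an EAP fragment that needs the client's next Access-Request)
    and then deleted the request without any further state update.

    A long wait followed by reqst_clean_list means either the challenge never reached
    the NAD/client or the reply never reached ClearPass; with EAP-TLS over UDP the usual
    suspect is a large datagram that was fragmented and then dropped on the path."""
    last_challenge = {}   # session -> time the last Access-Challenge was sent
    last_event = {}       # session -> "challenge" | "other"
    stalled = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        sess, msg, ts = m["sess"], m["msg"], parse_ts(m["ts"])
        if msg.startswith("reqst_update_state: Access-Challenge"):
            last_challenge[sess] = ts
            last_event[sess] = "challenge"
        elif msg.startswith("reqst_update_state:"):
            # Any other state transition means the client did answer the challenge.
            last_event[sess] = "other"
        elif msg.startswith("reqst_clean_list: Deleting request"):
            if last_event.get(sess) == "challenge":
                waited = (ts - last_challenge[sess]).total_seconds()
                if waited >= stall_seconds:
                    stalled[sess] = waited
    return stalled


if __name__ == "__main__":
    for sess, waited in find_stalled_eap_sessions(SAMPLE_LOG).items():
        print(f"{sess}: Access-Challenge unanswered for {waited:.3f}s before cleanup")
```

Run it against a real `radius.log` export from ClearPass (Collect Logs) to list the stalled sessions; if they all share the same NAD subnet or path (here, the GWLB path versus the static VPN route), that is the fragmentation symptom the post describes, and the stall time should match the server's request timeout rather than vary with load.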



  • 2.  RE: ClearPass Fragmentation - Auth

    EMPLOYEE
    Posted Feb 13, 2024 09:08 AM

    RadSec may be the most reliable fix. But for EAP-TLS you can configure the EAP fragment size:

    And many network devices allow you to configure the eap fragment size as well. But when using load-balancers, using RadSec also resolves challenges around CoA. I think I heard issues before with the AWS load balancer.

    Did you get further already?



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 3.  RE: ClearPass Fragmentation - Auth

    Posted Feb 15, 2024 01:00 PM

    Herman! I appreciate the follow-up and support here. 

    I am currently building out RADSEC and will test in production over the next two weeks. I'll follow-up when I have more.




  • 4.  RE: ClearPass Fragmentation - Auth

    Posted Feb 20, 2024 04:22 PM

    I noticed there are no RADSEC specific attributes for related services in ClearPass. Is the idea here just to leverage RADIUS attributes and services, but make sure my APs have RADSEC enabled and are using a RADSEC enabled wireless network?

    I've already confirmed RADSEC services are running in CP.




  • 5.  RE: ClearPass Fragmentation - Auth

    EMPLOYEE
    Posted Feb 21, 2024 07:37 AM

    Not sure what you are looking for. RadSec is RADIUS encapsulated in a TLS/SSL tunnel, so there is no real difference in the protocol or attributes, just the transport is different. For clients or for your policy, it's all the same.

    If you want to block traditional RADIUS, set the RADIUS secret to some random/garbage value. Or block RADIUS traffic somewhere in a firewall or router in between the switch and ClearPass.



    ------------------------------
    Herman Robers
    ------------------------------
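To make the "same protocol, different transport" point above concrete: a RadSec connection carries ordinary RADIUS packets inside a TLS session on TCP port 2083 (RFC 6614), framed by the RADIUS Length field, and RFC 6614 fixes the shared secret to the string "radsec" because the TLS session, not the secret, provides confidentiality and peer authentication. The following is an added example, not from the post, from ClearPass or from any Aruba product, that builds Access-Requests with a valid Message-Authenticator under that fixed secret, frames them out of a byte stream the way a RadSec receiver must, and verifies them. The attribute values are constructed.

```python
import hashlib
import hmac
import os
import struct

RADSEC_PORT = 2083
RADSEC_SECRET = b"radsec"      # RFC 6614 s2.3: fixed secret for RADIUS over TLS
ACCESS_REQUEST = 1
MESSAGE_AUTHENTICATOR = 80     # attribute type (RFC 2869 / RFC 3579)
MAX_RADIUS_LEN = 4096          # RFC 2865 maximum packet length


def build_access_request(attrs, ident=1, secret=RADSEC_SECRET):
    """Build an Access-Request from (type, value) attribute pairs and append a correct
    Message-Authenticator: HMAC-MD5 keyed with the shared secret over the entire packet
    with the Message-Authenticator value zeroed. Attribute bytes are identical to
    RADIUS over UDP; only the transport and the secret differ under RadSec."""
    body = b""
    for attr_type, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value exceeds 253 octets; split it")
        body += bytes([attr_type, 2 + len(value)]) + value
    authenticator = os.urandom(16)                  # Request Authenticator
    placeholder = bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16)
    length = 20 + len(body) + 18
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident & 0xFF, length) + authenticator + body + placeholder
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:-16] + mac


def verify_message_authenticator(pkt, secret=RADSEC_SECRET):
    """Locate the Message-Authenticator attribute and recompute the HMAC with it zeroed.
    Returns False if the attribute is missing, malformed, or does not verify."""
    off = 20
    while off + 2 <= len(pkt):
        attr_type, attr_len = pkt[off], pkt[off + 1]
        if attr_len < 2 or off + attr_len > len(pkt):
            return False
        if attr_type == MESSAGE_AUTHENTICATOR and attr_len == 18:
            zeroed = pkt[:off + 2] + bytes(16) + pkt[off + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, pkt[off + 2:off + 18])
        off += attr_len
    return False


def split_radius_stream(buf):
    """Frame RADIUS packets out of a TCP/TLS byte stream (RFC 6613/6614): there are no
    datagram boundaries, so the Length field in octets 2-3 delimits each packet.
    Returns (complete_packets, leftover_bytes); the caller keeps the leftover and
    appends the next read to it."""
    pkts = []
    while len(buf) >= 4:
        length = struct.unpack("!H", buf[2:4])[0]
        if length < 20 or length > MAX_RADIUS_LEN:
            raise ValueError("invalid RADIUS length field; close the connection")
        if len(buf) < length:
            break                       # partial packet, wait for more bytes
        pkts.append(buf[:length])
        buf = buf[length:]
    return pkts, buf


if __name__ == "__main__":
    # Constructed identities; an EAP Response/Identity rides in EAP-Message (type 79).
    eap_identity = struct.pack("!BBH", 2, 1, 5 + len(b"alice")) + b"\x01" + b"alice"
    req = build_access_request([(1, b"alice@example.com"), (79, eap_identity)], ident=7)
    pkts, rest = split_radius_stream(req + req[:5])
    print(len(pkts), "complete packet(s),", len(rest), "leftover byte(s)")
    print("verifies:", verify_message_authenticator(pkts[0]))
```

In a deployment the byte stream is the TLS socket: a TCP connection to port 2083 wrapped with an `ssl.SSLContext` that presents the NAD's client certificate and trusts the ClearPass server certificate chain; the framing and the Message-Authenticator check are unchanged. Because TCP segments the stream to the path MTU, no EAP fragment size tuning is needed to avoid IP fragmentation, which is why RadSec sidesteps the problem discussed in this thread.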



  • 6.  RE: ClearPass Fragmentation - Auth

    Posted Feb 21, 2024 10:31 AM

    Thanks Herman. If I check 'Enable RadSec' for my Access Devices in CP (my APs) will it stop accepting RADIUS traffic and only accept RADSEC? I am looking to pilot this change before we move it to production.

    Right now I have all my APs defined by a Device Group via their subnet, so to pilot I planned to create a one-off Access Device entry for one AP using its /32 and enable RadSec here, ideally not affecting my other APs during testing. I would pilot off this AP then make the change for my entire Access Device subnet when we cut over.

    I am planning to have everything tested here by end-of-week.




  • 7.  RE: ClearPass Fragmentation - Auth

    EMPLOYEE
    Posted Feb 22, 2024 02:57 AM

    I just tested and indeed if you enable RadSec, the RADIUS entries seem to be disabled. Have not noticed before, but for testing creating a single device if you have a subnet defined already is probably the best approach.



    ------------------------------
    Herman Robers
    ------------------------------



  • 8.  RE: ClearPass Fragmentation - Auth

    Posted Feb 22, 2024 06:59 AM

    When you add the IP address for the testing, do not include /32. At least some older versions of ClearPass behaved a bit strange if a network device was added with the /32 notation instead of just the IP address.

    At the moment I do not remember exactly what happened, but I think ClearPass couldn't find the entry and instead utilized the larger subnet.



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 9.  RE: ClearPass Fragmentation - Auth

    Posted Feb 22, 2024 07:09 AM

    Had this kind of issue recently.
    We found out that the network provider which was responsible for the connections between the offices and datacenter disrupted the EAP-TLS fragments.
    The IPsec back-up line worked fine, so it must be the provider, and they couldn't solve it.
    Also wireless EAP-TLS did well (other fragment size). Only the switches had issues.

    We solved this by adjusting the switch EAP fragment size (which is now available) for Aruba AOS-S and AOS-CX switches.
    Command AOS-S: aaa port-access authenticator eap-tls-fragment towards-server <size>
    Command AOS-CX: aaa authentication port-access dot1x authenticator eap-tls-fragment towards-server <size>

    Perhaps helpful?



    ------------------------------
    Gerber van Beek
    ------------------------------
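Both the ClearPass-side EAP fragment size mentioned in reply 2 and the switch-side `eap-tls-fragment towards-server <size>` commands above do the same thing: they cap how much of a TLS flight goes into one EAP packet, and therefore how large the RADIUS datagram carrying it becomes. The following is an added example, not code from the post, from ClearPass or from any Aruba switch, that splits a TLS flight into EAP-TLS fragments per RFC 5216 (L flag with TLS length on the first, M flag on all but the last), reassembles them as a client would, and computes the size of the IPv4/UDP datagram each fragment produces once packed into 253-octet EAP-Message attributes with a Message-Authenticator and State. It assumes the fragment size counts the whole EAP packet (vendor knobs differ on whether they include the EAP header), and the State length and TLS flight are constructed.

```python
import struct

RADIUS_HDR = 20
ATTR_HDR = 2
EAP_MESSAGE_MAX_DATA = 253      # RFC 2869: an EAP-Message attribute carries at most 253 octets
MESSAGE_AUTHENTICATOR_LEN = 18  # type, length, 16-octet HMAC-MD5
UDP_HDR, IPV4_HDR = 8, 20
EAP_REQUEST, EAP_TYPE_TLS = 1, 13
FLAG_L, FLAG_M = 0x80, 0x40     # RFC 5216: Length included, More fragments


def eap_tls_fragments(tls_data, fragment_size, first_id=1):
    """Split one TLS flight (e.g. the server Certificate message) into EAP-Request/
    EAP-TLS packets. fragment_size is assumed to be the maximum total EAP packet
    length, header included."""
    if fragment_size < 64:
        raise ValueError("fragment_size too small to carry EAP-TLS headers")
    frags, pos, ident, first = [], 0, first_id, True
    while first or pos < len(tls_data):
        hdr_len = 6 + (4 if first else 0)           # code,id,len,type,flags (+ TLS length)
        chunk = tls_data[pos:pos + fragment_size - hdr_len]
        pos += len(chunk)
        flags = (FLAG_L if first else 0) | (FLAG_M if pos < len(tls_data) else 0)
        body = bytes([EAP_TYPE_TLS, flags])
        if first:
            body += struct.pack("!I", len(tls_data))  # total TLS message length
        body += chunk
        frags.append(struct.pack("!BBH", EAP_REQUEST, ident & 0xFF, 4 + len(body)) + body)
        ident, first = ident + 1, False
    return frags


def reassemble_eap_tls(frags):
    """Client-side view: concatenate fragment payloads honouring the L/M flags and
    check the advertised TLS length, so a dropped fragment is detected."""
    out, expected = bytearray(), None
    for i, pkt in enumerate(frags):
        code, ident, length = struct.unpack("!BBH", pkt[:4])
        if length != len(pkt) or pkt[4] != EAP_TYPE_TLS:
            raise ValueError("malformed EAP-TLS packet")
        flags, off = pkt[5], 6
        if flags & FLAG_L:
            expected, off = struct.unpack("!I", pkt[6:10])[0], 10
        out += pkt[off:length]
        if bool(flags & FLAG_M) != (i < len(frags) - 1):
            raise ValueError("M flag inconsistent with fragment count")
    if expected is not None and expected != len(out):
        raise ValueError("TLS length mismatch: a fragment was lost")
    return bytes(out)


def radius_datagram_size(eap_packet, state_len=24, other_attr_bytes=0):
    """IPv4/UDP datagram size of an Access-Challenge carrying one EAP packet:
    RADIUS header + EAP-Message attributes + Message-Authenticator + State + extras."""
    n_attrs = -(-len(eap_packet) // EAP_MESSAGE_MAX_DATA)      # ceil division
    radius_len = (RADIUS_HDR + len(eap_packet) + n_attrs * ATTR_HDR
                  + MESSAGE_AUTHENTICATOR_LEN + ATTR_HDR + state_len + other_attr_bytes)
    return radius_len + UDP_HDR + IPV4_HDR


def largest_datagram(tls_data, fragment_size, **kw):
    return max(radius_datagram_size(f, **kw) for f in eap_tls_fragments(tls_data, fragment_size))


def max_eap_fragment_size(mtu=1500, **kw):
    """Largest fragment size whose Access-Challenge still fits in one IP packet of
    the given MTU, i.e. never needs IP fragmentation on a hop of that MTU."""
    size = mtu
    while size > 64 and radius_datagram_size(bytes(size), **kw) > mtu:
        size -= 1
    return size


if __name__ == "__main__":
    flight = bytes(range(256)) * 16                   # constructed 4096-byte TLS flight
    for size in (9000, 1396, 1024):
        frags = eap_tls_fragments(flight, size)
        print(f"fragment size {size:5d}: {len(frags)} EAP packets, "
              f"largest datagram {largest_datagram(flight, size)} bytes")
    print("largest fragment size that fits a 1500-byte MTU:", max_eap_fragment_size(1500))
```

With the constructed 24-octet State and no other attributes, the 4096-byte flight goes out unfragmented as a 4232-byte datagram; on the 9001-byte EC2 MTU that is a single frame, but any 1500-byte hop on the path has to IP-fragment it, and a middlebox that drops or cannot reassemble IP fragments produces exactly the unanswered Access-Challenge seen in the thread. Capping the EAP fragment size at 1396 (the value the function reports for these assumptions) keeps every datagram at or under 1500 bytes; a server with a longer State or extra attributes in its challenges needs a smaller value, which is why the safe number is computed rather than guessed.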



  • 10.  RE: ClearPass Fragmentation - Auth

    Posted Feb 22, 2024 04:34 PM

    I have RADSEC working through ClearPass, I plan to test over our AWS Network some night next week. I'll follow-up when I have more, hopefully this puts an end to our fragmentation issues.

    Appreciate everyone's input here.




  • 11.  RE: ClearPass Fragmentation - Auth

    Posted Feb 28, 2024 11:21 AM

    I am happy to report that RADSEC resolved our issues here. We no longer experience fragmentation over our AWS network. 

    Appreciate everyone's input and support here. Great community that I will look to be more involved in as we do more with ClearPass.

    -N