Security

I am seeing some errors in access tracker that I cant make sense of. I have a ClearPass publisher that is only used for guest self-provisioning. The guest connect through an Aruba controller running 6.3.1.5 with the policy manager running 6.3. once signed up the guest click on login there is a webauth event in access tracker with virtually no information in it which has a ServiceClassification failure and it looks like no NAD IP address exists in the request. There is then an event, sometimes up to 25 seconds later where the access tracker event is the properly formatted RADIUS request which is successful. Any ideas whats happening here - the events are worryingly often, perhaps one in twenty requests.

sounds like you have Pre-Auth Check enabled on your web login, but no service for it defined, is that possible?

via templates both were created in the past, currently it seems you have to use two, for the pre-auth part you can use "Guest Access - Web Login". you can also turn the pre-auth part off on the guest side.

I'm not aware of any pre-auth check, where would i look to verify this?. The service was originally build from the template and its working in most cases however not for some. Its about to be rolled out to a wider audience soon and I'm worried this may cause issues when it is.

look in your clearpass guest section,  Home » Configuration » Web Logins  and then the web login used in this case. there look for Pre-Auth Check in the Login Form section. it is probably set to App Auth - check using Aruba Application Authentication.

i believe it does little harm to disable it if you are also doing the further auth on ClearPass. from an earlier thread i recall it is mainly useful to show extended errors, something which is dificult after the final auth.

if you dont want to disable it you should use the template i mentioned before to make sure the auth request are classified correctly and picked up by the CPPM.

There are no we logins defined in this section.

web login you mean?

the page on which the guest enters their credentials, where is it hosted? on the clearpass or on the controller or somewhere else? if it is on that clearpass then there should be a web login i believe.

[EDIT] oh you use self provisioning, then the page is at:  Home » Configuration » Guest Self-Registration, when you use advanced edit you can find at Login Form  the pre-auth check. disable it to get rid of this or add the service.

I will keep that in mind - we've applied the latest patch yesterday morning and it hasn't happened again since so fingers crossed.

just wondering, did the patch clear it up fully?

It seems to have done, there have been no more of these events.