  • 1.  eduroam proxy timeouts from downstream failures

    Posted Dec 29, 2022 03:27 PM
    Edited by skbohrer Dec 29, 2022 03:33 PM
    Our ClearPass Event log shows fairly frequent timeouts from both eduroam.us proxy servers, and it responds by marking the proxy as down for a minimum of 60 seconds. The cause is that some random school somewhere doesn't reply, and ClearPass can't tell the difference between no response from the proxy (which is up, and is handling _lots_ of downstream schools) and the failure of a single downstream. Mostly one or the other proxy is up, but I think that is just luck -- is there a better way?

    Maybe I just have too short a timeout on these proxies? What is a recommended setting?

    If I establish a radsec connection to eduroam.us rather than our existing bare RADIUS, would that let clearpass tell that the proxy is up, even if a particular remote .edu is non-responsive? 

    Or, is there any way to have a shorter "down time" after a failed proxy than the 60 sec minimum the GUI allows?

    Here are the events I'm concerned about, which hit pretty frequently (though not so many now with all the students away for break):
    [Screenshot: CPPM Event viewer filtered on Description contains "Proxy"]
    And the details of one:
    Marking tlrs1.eduroam.us for service Eduroam - Proxy as DOWN, will re-activate based on config
    Following through with the event viewer at the specified time shows a "no response from home server", and that is enough for CPPM to shut down half of our connection to Eduroam.us !

    (Our campus is on the edge of Boston Common, so we get lots of walk-by eduroam traffic)


  • 2.  RE: eduroam proxy timeouts from downstream failures

    Posted Jan 02, 2023 07:57 AM
    I see the issue that with a RADIUS proxy it may not be useful to disable the upstream RADIUS server if one backend service does not respond. On the other hand, you would like ClearPass to respond if the server itself would go down.

    Have not tried, but would running your RADIUS proxy over RadSec help?

    If not, please work/report with Aruba Support so they can see if there is an option to find a better balance between error detection and not shutting down the service too fast. If these remote domains are (always) the same and persistently down, you may create a service before your eduroam service to 'catch' those domains and authenticate locally/deny access, to avoid them going to your eduroam.us servers.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 3.  RE: eduroam proxy timeouts from downstream failures

    Posted Jan 14, 2023 09:35 AM
    Thanks! I do have a case for this issue, and you're right, it is a shortcoming of the original RADIUS protocol. I guess I can try RadSec and see if that helps.


  • 4.  RE: eduroam proxy timeouts from downstream failures

    Posted Mar 26, 2023 01:10 PM

    Did you get further with this?

    We are looking at a similar situation with an eduroam-like setup. Marking the servers down seems not what we want, but the cause makes sense.




  • 5.  RE: eduroam proxy timeouts from downstream failures

    Posted Mar 29, 2023 11:35 AM

    Not really. I had a case, and it was suggested that RADSEC might maybe resolve the issue, though they weren't sure, and I haven't tried that out yet. They did confirm that I could not reduce the timeout after a no-response lower than 1 minute.  I also read some of the RADIUS RFCs, and found that this is indeed a known issue. The FreeRadius site has a handy list of RADIUS RFCs ( https://freeradius.org/rfc/ ), and RFC 5997 about server status packets talks about this issue.

    In the past, back when we were still on Aruba 6, we had this same issue between our local Mobility Controllers and our two ClearPass boxes. That time, the issue was that the MC would time out based on no reply from ClearPass, and mark the local ClearPass box as down. Our workaround then was to split our eduroam auths from our local ones, with a longer timeout on the eduroam ones. Eduroam says they should reply in 10 seconds, so our local controllers allow 12 seconds on RADIUS requests to ClearPass. (I don't know where the ClearPass timeout setting for RADIUS proxies is, though!) 



    ------------------------------
    Steve Bohrer
    IT Infrastructure, Emerson College
    ------------------------------
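The problem in the first post (a proxy marked down because one downstream realm stalled) and the RFC 5997 reference in post 5 both come down to the same mechanism: a Status-Server probe lets a client ask "are you alive?" independently of any proxied request. The Python below is an added illustration, not code from this thread, from ClearPass or from eduroam.us; it builds an RFC 5997 Status-Server packet with the required Message-Authenticator, simulates the upstream proxy's Access-Accept reply, and shows the decision a client could make after a proxied request times out. The shared secret, packet identifier and the simulated reply are constructed values, and nothing here reflects how ClearPass itself implements (or does not implement) Status-Server towards proxy targets.

```python
"""
Added example, not code from the thread, from ClearPass or from eduroam:
an RFC 5997 Status-Server probe in Python and the decision logic a proxy
client could use after a proxied request times out. The shared secret,
packet identifier and the simulated upstream answer are constructed values.
"""
import hashlib
import hmac
import os
import struct
from typing import Iterator, Optional, Tuple

STATUS_SERVER = 12          # RADIUS Code for Status-Server (RFC 5997)
ACCESS_ACCEPT = 2           # expected reply on the authentication port
MESSAGE_AUTHENTICATOR = 80  # attribute type (RFC 2869 s.5.14)
MA_ATTR_LEN = 18            # type(1) + length(1) + 16-byte HMAC-MD5
HEADER_LEN = 20             # code(1) + id(1) + length(2) + authenticator(16)


def build_status_server(identifier: int, secret: bytes,
                        request_auth: Optional[bytes] = None) -> bytes:
    """Build a Status-Server packet carrying only Message-Authenticator,
    which RFC 5997 requires so the probe cannot be spoofed."""
    request_auth = request_auth or os.urandom(16)
    zeroed_attr = bytes([MESSAGE_AUTHENTICATOR, MA_ATTR_LEN]) + b"\x00" * 16
    header = struct.pack("!BBH", STATUS_SERVER, identifier,
                         HEADER_LEN + len(zeroed_attr)) + request_auth
    # HMAC-MD5 over the whole packet with the attribute value zeroed
    mac = hmac.new(secret, header + zeroed_attr, hashlib.md5).digest()
    return header + bytes([MESSAGE_AUTHENTICATOR, MA_ATTR_LEN]) + mac


def _attributes(packet: bytes) -> Iterator[Tuple[int, bytes, int]]:
    """Yield (type, value, offset_of_value) for each TLV after the header."""
    i = HEADER_LEN
    while i < len(packet):
        a_type, a_len = packet[i], packet[i + 1]
        if a_len < 2 or i + a_len > len(packet):
            raise ValueError("malformed RADIUS attribute")
        yield a_type, packet[i + 2:i + a_len], i + 2
        i += a_len


def verify_message_authenticator(packet: bytes, secret: bytes,
                                 request_auth: Optional[bytes] = None) -> bool:
    """Recompute the Message-Authenticator. For a reply, request_auth is the
    authenticator of the request being answered (RFC 2869 s.5.14); a packet
    without the attribute fails, as RFC 5997 demands for Status-Server."""
    for a_type, value, off in _attributes(packet):
        if a_type == MESSAGE_AUTHENTICATOR and len(value) == 16:
            auth_field = request_auth if request_auth is not None else packet[4:20]
            zeroed = (packet[:4] + auth_field + packet[HEADER_LEN:off]
                      + b"\x00" * 16 + packet[off + 16:])
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, value)
    return False


def answer_status_server(request: bytes, secret: bytes) -> Optional[bytes]:
    """Simulated upstream proxy: answer a valid Status-Server with Access-Accept
    and silently discard anything that does not verify (RFC 5997 s.4)."""
    code, identifier, length = struct.unpack("!BBH", request[:4])
    if (code != STATUS_SERVER or length != len(request)
            or not verify_message_authenticator(request, secret)):
        return None
    request_auth = request[4:HEADER_LEN]
    zeroed_attr = bytes([MESSAGE_AUTHENTICATOR, MA_ATTR_LEN]) + b"\x00" * 16
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier,
                         HEADER_LEN + len(zeroed_attr))
    mac = hmac.new(secret, header + request_auth + zeroed_attr, hashlib.md5).digest()
    attrs = bytes([MESSAGE_AUTHENTICATOR, MA_ATTR_LEN]) + mac
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    response_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + response_auth + attrs


def classify_timeout(probe_reply: Optional[bytes], secret: bytes,
                     request_auth: bytes) -> str:
    """Called after a proxied Access-Request got no answer: a verified reply to
    the Status-Server probe means the proxy is alive and only that one
    downstream realm stalled; no reply (or a forged one) means the proxy is down."""
    if probe_reply is None or probe_reply[0] != ACCESS_ACCEPT:
        return "proxy-down"
    expected_resp_auth = hashlib.md5(probe_reply[:4] + request_auth
                                     + probe_reply[HEADER_LEN:] + secret).digest()
    if not hmac.compare_digest(expected_resp_auth, probe_reply[4:HEADER_LEN]):
        return "proxy-down"
    if not verify_message_authenticator(probe_reply, secret, request_auth):
        return "proxy-down"
    return "downstream-timeout"


if __name__ == "__main__":
    secret = b"constructed-shared-secret"          # constructed value
    probe = build_status_server(7, secret)
    reply = answer_status_server(probe, secret)    # proxy is reachable
    print(classify_timeout(reply, secret, probe[4:20]))  # downstream-timeout
    print(classify_timeout(None, secret, probe[4:20]))   # proxy-down
```

In a real deployment the probe goes out over the same UDP (or RadSec) transport as the proxied traffic, and the point of the decision function is that a missing answer to a single forwarded Access-Request is not by itself evidence that the proxy is dead; only a missing or unverifiable answer to the probe is. Both authenticators are checked on the reply so that a spoofed Access-Accept from a third party cannot keep a genuinely dead proxy marked as alive.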



  • 6.  RE: eduroam proxy timeouts from downstream failures

    Posted Feb 09, 2024 10:53 AM

    At the risk of necro-ing this again, did you come to a solution you ended up liking? I'm running into this myself at my org.