errorlog "Authentication server request Timeout": Client, or Clearpass timeout?

  • 1.  errorlog "Authentication server request Timeout": Client, or Clearpass timeout?

    Posted May 16, 2019 11:32 PM

    For Mobility Controller error log messages like: 

    "May 16 22:53:48 <authmgr 520002>  <4100> <ERRS> |authmgr|  Authentication server request Timeout, username=..."

     

    So, did the "Auth Server" reply with "Request Timeout"?

     

    Or, did our "Auth Server Request", "Timeout" with no reply?

     

     

    That is, does this error mean that the RADIUS controller (Clearpass in our case) did not reply to the mobility controller?

     

    Or, did Clearpass merely report that this particular user authentication did not succeed, for the reason that the client device didn't complete their auth process?

     

    I was thinking it was the first case, which seems Bad. But, tech support suggests that client timeouts happen all the time, which is true, and not really a problem. 

     

    (FWIW, I looked up this error message in the manual, and the description of the error text, "Authentication server request Timeout" is exactly, "Description: This shows request timeout for authentication server."  I guessed that, I just need to know what it means.) 

     



  • 2.  RE: errorlog "Authentication server request Timeout": Client, or Clearpass timeout?
    Best Answer

    Posted May 18, 2019 06:10 AM

    timeout means the server did not respond, e.g.

    (7008-core) [mynode] (config) #aaa authentication-server radius does_not_exist
    (7008-core) ^[mynode] (RADIUS Server "does_not_exist") #host 10.1.1.1
    (7008-core) ^[mynode] (RADIUS Server "does_not_exist") #key blah
    (7008-core) ^[mynode] (RADIUS Server "does_not_exist") #!
    (7008-core) ^[mynode] (config) #write mem

    now test it

    (7008-core) [mynode] #aaa test-server pap does_not_exist no_such_user aaaaaaa
    
    AAA server timeout
    (7008-core) [mynode] #

    resulting log

    (7008-core) [mynode] #show log errorlog 20
    May 18 17:54:50 <authmgr 520002>  <3806> <ERRS> |authmgr|  Authentication server request Timeout, username=no_such_user userip=0.0.0.0 usermac=00:00:00:00:00:00 servername= does_not_exist server-group= serverip= 10.1.1.1 bssid=00:00:00:00:00:00 apname=
    May 18 17:54:55 <authmgr 520002>  <3806> <ERRS> |authmgr|  Authentication server request Timeout, username=no_such_user userip=0.0.0.0 usermac=00:00:00:00:00:00 servername= does_not_exist server-group= serverip= 10.1.1.1 bssid=00:00:00:00:00:00 apname=
    May 18 17:55:00 <authmgr 520002>  <3806> <ERRS> |authmgr|  Authentication server request Timeout, username=no_such_user userip=0.0.0.0 usermac=00:00:00:00:00:00 servername= does_not_exist server-group= serverip= 10.1.1.1 bssid=00:00:00:00:00:00 apname=
    May 18 17:55:05 <authmgr 520002>  <3806> <ERRS> |authmgr|  Authentication server request Timeout, username=no_such_user userip=0.0.0.0 usermac=00:00:00:00:00:00 servername= does_not_exist server-group= serverip= 10.1.1.1 bssid=00:00:00:00:00:00 apname=
    

    You can see 4 messages 5 seconds apart, which corresponds to 3 rexmt at 5 seconds (the default for a new RADIUS server)

    show aaa authentication-server radius does_not_exist 
    
    RADIUS Server "does_not_exist"
    ------------------------------
    Parameter                              Value
    ---------                              -----
    Enable IPv6                            Disabled
    Host                                   10.1.1.1
    Key                                    ********
    <snip>
    Retransmits                            3
    Timeout                                5 sec
    NAS ID                                 N/A
    

     

    check stats

    (7008-core) [mynode] #show aaa authentication-server radius statistics 
    
    RADIUS Server Statistics
    ------------------------
    Server          Acct Rq  Raw Rq  PAP Rq  CHAP Rq  MSCHAP Rq  MSCHAPv2 Rq  Mismatch Rsp  Bad Auth  Acc  Rej  Acct Rsp  Chal  Ukn Rsp  Tmout  AvgRspTm  Tot Rq  Tot Rsp  Rd Err  Outstanding Auths  Outstanding Requests  Acc-RTTS Rq  Acc-RTTS Rsp  ExpAuthTm  Uptime  SEQ
    ------          -------  ------  ------  -------  ---------  -----------  ------------  --------  ---  ---  --------  ----  -------  -----  --------  ------  -------  ------  -----------------  --------------------  -----------  ------------  ---------  ------  ---
    does_not_exist  0        0       1       0        0          0            0             0         0    0    0         0     0        4      0         1       0        0       0                  0                     0            0             5022       0:0:1   255/254
    
    

    items of note in the above

    PAP Rq = 1
    Tmout = 4
    Tot Rq = 1

    as to why your server is timing out - that could be any number of things.

     

    I presume that your CPPM is in a healthy state and not under any duress (what does the CPPM monitoring say?). When there is a timeout, what does the access tracker say? Is it rejecting/ignoring an auth attempt?

     

    As you note it's happening all of the time, perhaps you can set up a packet capture for udp 1812/1813 and let it run for a while until you know there is at least one timeout according to the controller CLI. Now, go through the capture and try to ascertain what device may be at fault; this will also tell you the mac/user involved and you can go check in access tracker what happened at the CPPM side.

     

    hth.
    -jeff
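
The retry arithmetic from the answer above (one request plus 3 retransmits at 5 seconds gives 4 errorlog entries), as an added example that is not part of the original post or of any Aruba tooling: it groups 520002 timeout lines per user and server into retry bursts and flags the bursts where every try went unanswered. The function name `timeout_bursts`, the one-second slack, the `year` default and the `alice` sample rows are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE = re.compile(r"\s*(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) <authmgr 520002>.*?"
                  r"Authentication server request Timeout, (?P<kv>.*)")
# "key=value" or "key= value"; an empty value ("server-group= ") must not
# swallow the next key, so values may not contain "=".
FIELD = re.compile(r"([\w-]+)=\s*([^\s=]*)(?=\s|$)")

# Constructed sample in the format of the errorlog lines quoted above.
_T = ("May 18 {t} <authmgr 520002>  <3806> <ERRS> |authmgr|  Authentication "
      "server request Timeout, username={u} userip=0.0.0.0 "
      "usermac=00:00:00:00:00:00 servername= does_not_exist server-group= "
      "serverip= 10.1.1.1 bssid=00:00:00:00:00:00 apname=")
SAMPLE = "\n".join(_T.format(t=t, u=u) for t, u in [
    ("17:54:50", "no_such_user"), ("17:54:55", "no_such_user"),
    ("17:55:00", "no_such_user"), ("17:55:05", "no_such_user"),
    ("18:10:00", "alice"), ("18:20:00", "alice")])

def timeout_bursts(log_text, timeout_s=5, retransmits=3, year=2019):
    """Group 520002 timeouts per (username, serverip) into retry bursts.

    A burst with retransmits+1 entries means every try went unanswered.
    timeout_s/retransmits mirror the server settings; year is an assumed
    value because the log timestamp carries none.
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        f = dict(FIELD.findall(m.group("kv")))
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        events[(f.get("username", ""), f.get("serverip", ""))].append(ts)
    gap = timedelta(seconds=timeout_s + 1)  # 1 s slack for log jitter
    bursts = []
    for (user, server), stamps in events.items():
        stamps.sort()
        burst = [stamps[0]]
        for ts in stamps[1:] + [None]:  # None flushes the last burst
            if ts is not None and ts - burst[-1] <= gap:
                burst.append(ts)
                continue
            bursts.append({"username": user, "serverip": server,
                           "first": burst[0], "count": len(burst),
                           "exhausted": len(burst) >= retransmits + 1})
            burst = [ts]
    return bursts
```

Pass the `Timeout` and `Retransmits` values shown by `show aaa authentication-server radius <name>` if they differ from the defaults used here.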