Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Insight DB issue

  • 1.  Insight DB issue

    Posted Dec 21, 2022 11:42 AM
    Customer has 2 ClearPass servers in a cluster and tried to set up an enforcement policy that uses the Insight database as an authorisation source. The Insight database is running on the subscriber. The lookup to Insight appears as if it is failing as I see this alert in all authentications that are using this service:

    Session failed for Host=10.24.0.24, Reason=[Failed to connect to datasource: [unixODBC]FATAL: password authentication failed for user "appexternal"
    FATAL: no pg_hba.conf entry for host "10.26.0.23", user "appexternal", database "insightdb", SSL off
    SQLState=08001 ErrorCode=101].
    Session failed for Host=10.26.0.23, Reason=[Failed to connect to datasource: [unixODBC]FATAL: password authentication failed for user "appexternal"
    FATAL: no pg_hba.conf entry for host "10.26.0.23", user "appexternal", database "insightdb", SSL off
    SQLState=08001 ErrorCode=101]

    I have changed the real IP addresses but in this case 10.24.0.24 is the subscriber running Insight. 10.26.0.23 is the publisher.
    I understand that there is an 'appexternal' database account but I thought this was for databases that are external to the cluster so I should not need to change this.
    Additionally, in the event viewer, starting about 1 week ago I see this warning every minute:
    Unable to communicate with database 10.24.0.24 
    and
    Unable to communicate with database 10.26.0.23

    Is there anything I can do before calling TAC?

    Thanks

    ------------------------------
    --------------------
    Stewart Smith
    ACMX, ACDX, ACCP, ACSA
    --------------------
    ------------------------------
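
Added example, not part of the original post and not ClearPass tooling: a small Python parser that splits the alert quoted above into one record per target host and separates the two PostgreSQL FATAL causes. The function names are hypothetical; in the `no pg_hba.conf entry` message the quoted host is the address of the connecting client as PostgreSQL saw it.

```python
import re

# Alert text as posted in the thread (the poster had already changed the real IPs).
ALERT = """Session failed for Host=10.24.0.24, Reason=[Failed to connect to datasource: [unixODBC]FATAL: password authentication failed for user "appexternal"
FATAL: no pg_hba.conf entry for host "10.26.0.23", user "appexternal", database "insightdb", SSL off
SQLState=08001 ErrorCode=101].
Session failed for Host=10.26.0.23, Reason=[Failed to connect to datasource: [unixODBC]FATAL: password authentication failed for user "appexternal"
FATAL: no pg_hba.conf entry for host "10.26.0.23", user "appexternal", database "insightdb", SSL off
SQLState=08001 ErrorCode=101]"""

SESSION = re.compile(
    r'Session failed for Host=(?P<target>[\d.]+), Reason=\[(?P<reason>.*?)'
    r'SQLState=(?P<sqlstate>\w+) ErrorCode=(?P<code>\d+)\]', re.S)
BAD_PW = re.compile(r'FATAL: password authentication failed for user "(?P<user>[^"]+)"')
NO_HBA = re.compile(
    r'FATAL: no pg_hba\.conf entry for host "(?P<client>[^"]+)", '
    r'user "(?P<user>[^"]+)", database "(?P<db>[^"]+)", SSL (?P<ssl>on|off)')

def parse_alert(text):
    """Return one dict per 'Session failed' block with its PostgreSQL causes split out."""
    entries = []
    for m in SESSION.finditer(text):
        entry = {"target": m["target"], "sqlstate": m["sqlstate"], "causes": []}
        pw = BAD_PW.search(m["reason"])
        if pw:  # the server rejected the supplied password for this account
            entry["causes"].append({"kind": "bad_password", "user": pw["user"]})
        hba = NO_HBA.search(m["reason"])
        if hba:  # no pg_hba.conf rule matched this client/user/db/SSL combination
            entry["causes"].append({"kind": "pg_hba_reject", **hba.groupdict()})
        entries.append(entry)
    return entries

def summarize(entries):
    """Collapse parsed entries into the facts worth checking first."""
    causes = [c for e in entries for c in e["causes"]]
    return {
        "targets": sorted({e["target"] for e in entries}),
        "clients_rejected": sorted({c["client"] for c in causes if c["kind"] == "pg_hba_reject"}),
        "accounts": sorted({c["user"] for c in causes}),
        "password_failures": sum(c["kind"] == "bad_password" for c in causes),
    }

if __name__ == "__main__":
    print(summarize(parse_alert(ALERT)))
```

On the alert from the post, the summary shows both target hosts failing for the same account, with the same client address named in both `pg_hba.conf` rejections.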


  • 2.  RE: Insight DB issue

    EMPLOYEE
    Posted Dec 22, 2022 04:29 AM
    You may try to set the appexternal database password and see if that resolves the issue. If you use appexternal, you probably can just set it to what it already is. The appexternal password is set under the Server Managers, Cluster Wide Options, Database.

    As well, under Authentication Sources -> Insight Repository, you should set the password (to my surprise it's also configured there, and it does use the appexternal account).

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 3.  RE: Insight DB issue

    Posted Jan 05, 2023 05:42 AM
    Sorry for the delay in coming back on this.
    We exported the configuration from the Auth source for the Insight DB which included the password. We then applied this same password under the server manager, cluster wide config. When saving, the config reported no changes made so the passwords already match.

    ------------------------------
    --------------------
    Stewart Smith
    ACMX, ACDX, ACCP, ACSA
    --------------------
    ------------------------------



  • 4.  RE: Insight DB issue

    Posted Jan 06, 2023 03:54 AM
    Ok so we fixed this. The password set for 'appexternal' contained special characters. After checking here: https://www.arubanetworks.com/techdocs/ClearPass/6.10/PolicyManager/Content/CPPM_UserGuide/Insight/Overview.htm - There is a section that shows allowed special characters for passwords used in all ClearPass modules. We could see that two of the characters were not allowed so we changed them to ones that are shown as allowed - a '?' and a '+' but this still did not work. We removed all special characters and the connectivity now works.
    It should be noted that we have never previously set or changed this password. We are running version 6.10.7.

    ------------------------------
    --------------------
    Stewart Smith
    ACMX, ACDX, ACCP, ACSA
    --------------------
    ------------------------------



  • 5.  RE: Insight DB issue

    Posted 6 hours ago

    Thread is a little old but we just migrated from 6.10 to 6.11. It seems the insightdb is no longer on the new platform. Or is just located within the tipsdb now. Only issue is appexternal no longer has access.

    Our "FleetMGMT" software integrated with this to show where devices are in the district.

    Used to connect to

    DB: insightdb

    Table: public.endpoints

    Is there any way to query to get
    User, MAC, AP, timestamp?