Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

MSCHAP: AD status:{Device Timeout} The specified I/O operation on %hs was not completed before the time-out period expired. (0xc00000b5)

  • 1.  MSCHAP: AD status:{Device Timeout} The specified I/O operation on %hs was not completed before the time-out period expired. (0xc00000b5)

    Posted 19 days ago

    Hi 

    We're facing an issue regarding our AD; it says AD status {Device Timeout}.

    We tried to re-join the AD to our ClearPass and it works, but after several minutes the Error 216 is back.

    Can someone explain to us why our AD is like this? 

    Thank you.



  • 2.  RE: MSCHAP: AD status:{Device Timeout} The specified I/O operation on %hs was not completed before the time-out period expired. (0xc00000b5)

    EMPLOYEE
    Posted 18 days ago

    What is this service? WLAN? Wired? Admin access?

    What is the client? Configured security?

    Does this happen for all of your clients?

    If you rejoin ClearPass to your domain does it work initially (you mention error is back after a few minutes)?

    It may be from this information that you use PEAP-MSCHAPv2. Be informed that there are known security issues with MSCHAPv2 and the protocol should not be used anymore. Migration to EAP-TLS or TEAP would be recommended. This does not answer your question, but I think it's important that you are aware.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 3.  RE: MSCHAP: AD status:{Device Timeout} The specified I/O operation on %hs was not completed before the time-out period expired. (0xc00000b5)

    Posted 18 days ago

    Hi Herman,

    What is this service? WLAN? Wired? Admin access? - this service is WLAN 

    What is the client? Configured security? Users Laptop

    Does this happen for all of your clients? yes it happens to all the clients.

    If you rejoin ClearPass to your domain does it work initially (you mention error is back after a few minutes)? Yes, after we rejoin the AD to ClearPass it is working properly, but after a few minutes, when we try to reconnect the client, it gets a REJECT and the ALERTS show AD status {Device Timeout}.

    So should I remove the PEAP-MSCHAPv2 then?

    Kindly see screenshots below for reference.

    connected time: 15:25


    Disconnected time with the ALERTS AD status {Device Timeout}: 15:58




  • 4.  RE: MSCHAP: AD status:{Device Timeout} The specified I/O operation on %hs was not completed before the time-out period expired. (0xc00000b5)

    Posted 18 days ago

    Hi

    How many domain controllers do you have?

    Are they placed on different IP subnets?

    As you are using MSCHAPv2, ClearPass will try to find the closest domain controller with a DNS request. For this to work, the subnet(s) where your ClearPass servers are placed must be added to a site in Active Directory Sites and Services.

    Ports must also be opened to allow traffic to the domain controllers on all the RPC ports.

    I have seen a similar error where ClearPass tried to communicate with a remote domain controller where port openings were missing.

    Also add the domain controllers under Password Servers setting under the domain join.



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------
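
A connectivity check for the missing-port-opening case described in the reply above, as an added example that is not part of the thread or of ClearPass itself. It assumes you run it from a host in the same subnet as the ClearPass servers; the DC host names are constructed placeholders and the port list is the standard set of TCP ports an AD domain member uses, not something quoted in the thread.

```python
import socket

# Well-known TCP ports a domain member uses toward a domain controller
# (assumed list, not taken from the thread). RPC services additionally use
# a dynamic high range (49152-65535 by default on current Windows Server)
# handed out by the endpoint mapper on port 135.
DC_TCP_PORTS = {
    88: "Kerberos",
    135: "RPC endpoint mapper",
    389: "LDAP",
    445: "SMB",
    464: "Kerberos password change",
}

def probe(host, port, timeout=3.0):
    """Return 'open', 'refused' (host answered, nothing listening) or
    'timeout' (no answer at all, typical of a firewall dropping packets)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    except OSError as exc:  # DNS failure, no route, and similar
        return f"error: {exc.strerror or exc}"

def check_dcs(dcs, ports=DC_TCP_PORTS, timeout=3.0):
    """Probe every port on every DC; return {(dc, port): state}."""
    return {(dc, p): probe(dc, p, timeout) for dc in dcs for p in ports}

def unreachable(results):
    """DC/port pairs that did not accept a connection."""
    return sorted(k for k, v in results.items() if v != "open")

if __name__ == "__main__":
    # Constructed placeholder names; replace with the domain controllers
    # listed under Password Servers in the domain join.
    dcs = ["dc1.example.test", "dc2.example.test"]
    results = check_dcs(dcs)
    for (dc, port), state in sorted(results.items()):
        print(f"{dc:20} {port:>5}  {DC_TCP_PORTS[port]:26} {state}")
    print("not reachable:", unreachable(results))
```

A `timeout` result against a remote-site domain controller points at a firewall between the subnets, while `refused` means the host answered but no service is listening on that port.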