Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

MSCHAP: AD status:{Device Timeout} The specified I/O operation on %hs was not completed before the time-out period expired. (0xc00000b5)

  • 1.  MSCHAP: AD status:{Device Timeout} The specified I/O operation on %hs was not completed before the time-out period expired. (0xc00000b5)

    Posted May 28, 2024 06:56 AM

    Hi 

    We're facing an issue regarding our AD; it says AD status {Device Timeout}.

    We tried to re-join the AD to our ClearPass and it works, but after several minutes the Error 216 is back.

    Can someone explain to us why our AD is like this? 

    Thank you.



  • 2.  RE: MSCHAP: AD status:{Device Timeout} The specified I/O operation on %hs was not completed before the time-out period expired. (0xc00000b5)

    Posted May 28, 2024 11:20 AM

    What is this service? WLAN? Wired? Admin access?

    What is the client? Configured security?

    Does this happen for all of your clients?

    If you rejoin ClearPass to your domain does it work initially (you mention error is back after a few minutes)?

    It may be from this information that you use PEAP-MSCHAPv2. Be informed that there are known security issues with MSCHAPv2 and the protocol should not be used anymore. Migration to EAP-TLS or TEAP would be recommended. This does not answer your question, but I think it's important that you are aware.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 3.  RE: MSCHAP: AD status:{Device Timeout} The specified I/O operation on %hs was not completed before the time-out period expired. (0xc00000b5)

    Posted May 28, 2024 10:00 PM

    Hi Herman,

    What is this service? WLAN? Wired? Admin access? - this service is WLAN 

    What is the client? Configured security? Users Laptop

    Does this happen for all of your clients? yes it happens to all the clients.

    If you rejoin ClearPass to your domain does it work initially (you mention error is back after a few minutes)? Yes, after we rejoin the AD to ClearPass it works properly, but after a few minutes, when we try to reconnect the client, it gets a REJECT and the ALERTS show AD status {Device Timeout}.

    So should I remove the PEAP-MSCHAPv2 then?

    Kindly see screenshots below for reference.

    connected time: 15:25


    Disconnected Time with the ALERTS AD status {Device Timeout}:15:58




  • 4.  RE: MSCHAP: AD status:{Device Timeout} The specified I/O operation on %hs was not completed before the time-out period expired. (0xc00000b5)

    Posted May 29, 2024 02:04 AM

    Hi

    How many domain controllers do you have?

    Are they placed on different IP subnets?

    As you are using MSchapv2 ClearPass will try to find the closest domain controller with a DNS request, for this to work the subnet(s) where your ClearPass servers are placed must be added to a site in Active Directory Sites and Services.

    Ports must also be opened to allow traffic from to the domain controllers on all the RPC ports.

    I have seen a similar error where ClearPass tried to communicate with a remote domain controller where port openings were missing.

    Also add the domain controllers under Password Servers setting under the domain join.



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 5.  RE: MSCHAP: AD status:{Device Timeout} The specified I/O operation on %hs was not completed before the time-out period expired. (0xc00000b5)

    Posted Sep 10, 2024 05:29 AM

    Hi all, I have the same errors with PEAP authentication. After a few tcpdumps, it seems ClearPass re-uses an "existing" RPCDCE TCP session (dynamic port) to send an MS-NETLOGON request (screenshot below), BUT this session was previously closed by our infrastructure (FW ... LB ...).

    I haven't yet captured the three-way handshake of this session to know how long ClearPass could re-use or maintain an RPCDCE session, as ClearPass is limited to 1000s ...
    We know anyway that the session exceeds 360s and is closed by our LB (idle time-out).
    Without wanting to conclude too quickly: we migrated from ISE to ClearPass on the same network infrastructure and no issues were observed on the ISE side.
    I will open a ticket for more investigation.
    Regards
    netlogon request


    ------------------------------
    Berni
    ------------------------------
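
The idle time-out hypothesis in post 5 can be checked against a capture by looking for flows that carry data again after sitting silent for longer than the middlebox time-out. This is an added example, not code from any poster or from ClearPass; it assumes packets exported as CSV rows, and the addresses, ports and timestamps are constructed (10.0.0.10 stands in for ClearPass, 10.0.1.5 for a domain controller). Only the 360 s threshold comes from the thread.

```python
import csv
import io
from collections import defaultdict

IDLE_TIMEOUT_S = 360  # LB idle time-out reported in the thread

# Constructed sample rows (not from the thread): seconds, endpoints, TCP flags.
SAMPLE = """\
ts,src,sport,dst,dport,flags
1000.0,10.0.0.10,41000,10.0.1.5,49670,S
1000.1,10.0.1.5,49670,10.0.0.10,41000,SA
1005.0,10.0.0.10,41000,10.0.1.5,49670,PA
1005.1,10.0.1.5,49670,10.0.0.10,41000,PA
1500.0,10.0.0.10,41000,10.0.1.5,49670,PA
1500.3,10.0.0.10,41000,10.0.1.5,49670,PA
1000.0,10.0.0.10,41002,10.0.1.5,49670,S
1000.1,10.0.1.5,49670,10.0.0.10,41002,SA
1300.0,10.0.0.10,41002,10.0.1.5,49670,PA
1300.1,10.0.1.5,49670,10.0.0.10,41002,PA
"""

def flow_key(row):
    """Direction-independent key so both halves of a TCP session group together."""
    a = (row["src"], int(row["sport"]))
    b = (row["dst"], int(row["dport"]))
    return tuple(sorted((a, b)))

def find_stale_reuse(capture_text, idle_timeout=IDLE_TIMEOUT_S):
    """Return flows where data is sent after the flow idled past idle_timeout."""
    flows = defaultdict(list)
    for row in csv.DictReader(io.StringIO(capture_text)):
        flows[flow_key(row)].append((float(row["ts"]), row["src"], row["flags"]))
    findings = []
    for key, pkts in flows.items():
        pkts.sort()
        for i in range(1, len(pkts)):
            ts, src, flags = pkts[i]
            gap = ts - pkts[i - 1][0]
            if gap <= idle_timeout or "S" in flags:
                continue  # still within the time-out, or a fresh handshake
            # A real (non-RST) packet from the peer afterwards means the path was still open.
            answered = any(s != src and "R" not in f for _, s, f in pkts[i + 1:])
            findings.append({"flow": key, "idle_s": round(gap, 1),
                             "sender": src, "answered": answered})
    return findings

if __name__ == "__main__":
    for finding in find_stale_reuse(SAMPLE):
        print(finding)
```

A finding with `answered` false on a flow to a domain controller's dynamic RPC port matches the behaviour described in post 5; capturing on both sides of the load balancer shows which device dropped the session.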