RADIUS requests not reaching server through second access switch

  • 1.  RADIUS requests not reaching server through second access switch

    Posted Jul 27, 2022 09:58 AM
    Hi there.  I'm deploying ClearPass across our large Aruba campus network and I've found a snag in a particular setting.  In a couple of locations I have a small 8-port 2530 switch hanging off the normal 2930M access switches feeding temporary offices.  Access switches in each area go back to a layer 3 capable 8320x acting as the distribution layer, by the way.  There is a trunk between the 8-port and the main access switch with all the VLANs and everything runs fine until I try to run ClearPass on the 8-port.

    When I put my normal ClearPass configuration on the 24-port 2930M it works just fine.  When I add the configuration to the 8-port, however, I have an issue.  The 8-port switches refuse to work as they cannot reach the RADIUS server.  I get an error saying either the RADIUS server cannot be reached (error 00421) or cannot authenticate (00428 802.1x Auth Failures).

    There are no issues with reaching the RADIUS server with pings from the switches but for some reason the RADIUS traffic doesn't seem to be making it.  I assume it's not making it across the 24-port access switch to reach anywhere beyond.  I'm rather new at this and nothing I've tried has made any difference.  I'm guessing it's something simple that I'm not taking into account but it's got me stumped.  Does anyone have any idea why the RADIUS traffic isn't getting to the server in this scenario?


  • 2.  RE: RADIUS requests not reaching server through second access switch
    Best Answer

    EMPLOYEE
    Posted Jul 27, 2022 10:02 AM
    Look in ClearPass under Monitoring > Event Viewer to see if there are any messages.

    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    HPE Design and Deploy Guides: https://community.arubanetworks.com/support/migrated-knowledge-base?attachments=&communitykey=dcc83c62-1a3a-4dd8-94dc-92968ea6fff1&pageindex=0&pagesize=12&search=&sort=most_recent&viewtype=card
    ------------------------------



  • 3.  RE: RADIUS requests not reaching server through second access switch

    Posted Jul 27, 2022 10:23 AM
    Thanks for that.  Event viewer showed a lot of errors stating requests were coming from an unknown NAD.  I assumed this meant a device and when I checked the device groups it turns out the vendor has missed those 2 switches when he was building the ClearPass servers.  I think they may have been installed just after he finished his job.  I've added them to the various device groups and we're back in business.  Thank you for the advice.


  • 4.  RE: RADIUS requests not reaching server through second access switch

    MVP GURU
    Posted Jul 27, 2022 10:10 AM
    Yea, to tag on with cjoseph here. You may have a mismatch on your RADIUS key between the switch and ClearPass. Double check this under your network devices in ClearPass.

    ------------------------------
    Dustin Burns

    Lead Mobility Engineer @Worldcom Exchange, Inc.

    ACCX 1271| ACMX 509| ACSP | ACDA | MVP Guru 2022
    If my post was useful accept solution and/or give kudos
    ------------------------------



  • 5.  RE: RADIUS requests not reaching server through second access switch

    Posted Jul 27, 2022 10:59 AM
    Did you check Event Viewer in ClearPass?
    Confirm the RADIUS shared key in ClearPass and the switch match.
    Also, in Access Tracker, can you filter using the IP address of the switch?
    What's the RADIUS source interface on the switch?

    ------------------------------
    Victor Fabian, ACEX#8
    Mobility Architect @ WEI
    ------------------------------
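
The root cause in this thread (switches missing from the RADIUS server's network device list, reported as "unknown NAD") can be caught before rollout by comparing each switch's RADIUS source IP against the configured NAD entries. The following is an added example, not part of the original thread and not ClearPass tooling; the hostnames, addresses and the two input structures are constructed assumptions standing in for your own inventory and NAD export.

```python
import ipaddress

# Constructed sample data (not from the thread): NAD entries as they might be
# exported from the RADIUS server, each a name plus a single IP or a subnet.
NAD_ENTRIES = [
    ("access-2930m-bldg1", "10.10.1.11"),
    ("access-2930m-bldg2", "10.10.1.12"),
    ("distribution-8320", "10.10.0.0/28"),
]

# Constructed switch inventory: hostname -> IP the switch uses as the source
# of its RADIUS requests (the RADIUS source interface, which may differ from
# the address you ping or manage it on).
SWITCH_RADIUS_SOURCES = {
    "access-2930m-bldg1": "10.10.1.11",
    "access-2930m-bldg2": "10.10.1.12",
    "temp-2530-office-a": "10.10.1.21",
    "temp-2530-office-b": "10.10.1.22",
    "dist-8320-a": "10.10.0.2",
}


def parse_nads(entries):
    """Turn (name, address) pairs into (name, ip_network) pairs."""
    parsed = []
    for name, addr in entries:
        # strict=False accepts a bare host address (becomes /32) or a subnet
        parsed.append((name, ipaddress.ip_network(addr, strict=False)))
    return parsed


def find_unknown_nads(switch_sources, nad_entries):
    """Return {hostname: source_ip} for switches matching no NAD entry."""
    nads = parse_nads(nad_entries)
    unknown = {}
    for host, src in switch_sources.items():
        ip = ipaddress.ip_address(src)
        if not any(ip in net for _, net in nads):
            unknown[host] = src
    return unknown


if __name__ == "__main__":
    missing = find_unknown_nads(SWITCH_RADIUS_SOURCES, NAD_ENTRIES)
    for host, src in sorted(missing.items()):
        print(f"{host} ({src}): no NAD entry, requests would show as unknown NAD")
```

A switch that answers pings but sources RADIUS from an address outside every NAD entry shows up here, which is the symptom described in the first post.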