Security

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).

Request Timeout before 7AM

  • 1.  Request Timeout before 7AM

    Posted Aug 03, 2022 03:06 AM
    Hello Everyone

    Multiple users experience the following problem:
    We have a corp WPA2-Enterprise SSID that auths with our AD.
    Before 7AM users are not able to connect to said SSID.
    I looked at all our settings and firewall rules, but there is no time-defined rule or anything else.
    The only error we find is in our ClearPass, where we see that the request ended in the following RADIUS error:
    Client did not complete EAP transaction
    MSCHAP: AD status:Reading winbind reply failed! (0xc0000001)
    MSCHAP: Authentication failed
    EAP-MSCHAPv2: User authentication or password change failed

    I looked at previous posts but didn't find anything similar, because everything works fine after 7AM.

    Does anyone have an idea what could cause this?


  • 2.  RE: Request Timeout before 7AM

    EMPLOYEE
    Posted Aug 03, 2022 03:28 AM
    "Reading winbind reply failed" generally indicates that the ClearPass node is not properly joined to the AD.
    How many ClearPass nodes do you have?

    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba.
    ------------------------------



  • 3.  RE: Request Timeout before 7AM

    Posted Aug 03, 2022 03:52 AM
    We currently have 2 nodes


  • 4.  RE: Request Timeout before 7AM

    EMPLOYEE
    Posted Aug 03, 2022 04:03 AM
    So both of them have joined the AD domain, right?




  • 5.  RE: Request Timeout before 7AM

    Posted Aug 03, 2022 04:08 AM
    Yes, both of them


  • 6.  RE: Request Timeout before 7AM

    Posted Aug 03, 2022 07:40 AM
    ClearPass version?


  • 7.  RE: Request Timeout before 7AM

    Posted Aug 03, 2022 07:58 AM
    Version: 6.9.7.131609


  • 8.  RE: Request Timeout before 7AM

    Posted Aug 03, 2022 08:07 AM
    You could try installing Patch 11 but I don't think this is your issue. I agree with @ariyap that something has happened to your AD join.


  • 9.  RE: Request Timeout before 7AM

    Posted Aug 03, 2022 08:38 AM
    @ahollifield This issue only appears before a certain time; wouldn't it appear for every request if it is an AD join issue?


  • 10.  RE: Request Timeout before 7AM

    Posted Aug 03, 2022 12:50 PM
    Have you asked your AD team?  Does anything happen on the server side during that time?


  • 11.  RE: Request Timeout before 7AM

    Posted Aug 04, 2022 02:15 AM
    Nothing besides some backups


  • 12.  RE: Request Timeout before 7AM

    EMPLOYEE
    Posted Aug 04, 2022 05:54 AM
    'winbind reply failed' suggests to me that the AD servers are not responding. Maybe the backups are putting so much load on the AD servers that they can't respond in a timely way; or if the backups are running over the same network, it may be that the network is simply overloaded and drops traffic.

    Or, if you have ClearPass as a VM, and are creating a live snapshot or so, it may be that ClearPass itself is not responding fast enough. Everything points to a resource issue (on ClearPass, AD or the path in between).

    Please note that winbind suggests that you implemented EAP-PEAP with MS-CHAPv2. This is deprecated because there are known vulnerabilities in the MS-CHAPv2 protocol. Only if you can't change to EAP-TLS, and you have full client control and strictly configured server certificate validation, you might get this risk signed off by your security department.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------
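
Added example, not part of the thread and not ClearPass code: one way to test the resource-window hypothesis from the last reply is to bucket the winbind failures by hour of day and check whether the affected hours fall inside the backup window. The record layout, the sample rows and the 04:00-07:00 window are constructed assumptions; only the error text comes from the first post.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample records (timestamp, outcome, error text); the layout is
# an assumption, not ClearPass's export format. Error text is from the thread.
WINBIND_ERR = "Reading winbind reply failed"
SAMPLE = """\
2022-08-02 05:12:41,REJECT,MSCHAP: AD status:Reading winbind reply failed! (0xc0000001)
2022-08-02 05:48:03,REJECT,MSCHAP: AD status:Reading winbind reply failed! (0xc0000001)
2022-08-02 06:15:27,REJECT,MSCHAP: AD status:Reading winbind reply failed! (0xc0000001)
2022-08-02 06:40:10,ACCEPT,
2022-08-02 06:55:59,REJECT,MSCHAP: AD status:Reading winbind reply failed! (0xc0000001)
2022-08-02 07:05:12,ACCEPT,
2022-08-02 07:31:44,ACCEPT,
2022-08-02 08:02:09,REJECT,MSCHAP: Authentication failed
2022-08-02 08:20:30,ACCEPT,
2022-08-03 05:30:18,REJECT,MSCHAP: AD status:Reading winbind reply failed! (0xc0000001)
2022-08-03 06:22:50,REJECT,MSCHAP: AD status:Reading winbind reply failed! (0xc0000001)
2022-08-03 07:10:05,ACCEPT,
"""

def winbind_rate_by_hour(text):
    """Return {hour: (winbind_failures, total_requests)} across all days."""
    stats = defaultdict(lambda: [0, 0])
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, _outcome, error = line.split(",", 2)
        hour = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").hour
        stats[hour][1] += 1
        if WINBIND_ERR in error:
            stats[hour][0] += 1
    return {h: tuple(v) for h, v in sorted(stats.items())}

def affected_hours(stats, threshold=0.5, min_requests=2):
    """Hours where at least `threshold` of requests hit the winbind error."""
    return [h for h, (bad, total) in stats.items()
            if total >= min_requests and bad / total >= threshold]

def overlaps(hours, window_start, window_end):
    """True if every affected hour lies in [window_start, window_end)."""
    return bool(hours) and all(window_start <= h < window_end for h in hours)

if __name__ == "__main__":
    stats = winbind_rate_by_hour(SAMPLE)
    hours = affected_hours(stats)
    print("winbind failures/total by hour:", stats)
    print("affected hours:", hours, "inside 04-07 window:", overlaps(hours, 4, 7))
```

Running the same bucketing per ClearPass node separates a problem on one node from a problem on the AD side or the path in between.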