Security

Reply
Contributor II

6.6.10 upgrade seems to have caused timeouts for MSCHAPv2

This morning we upgraded two of our 5k clearpass boxes from 6.6.9 to 6.6.10.  When those boxes were rebooted, an error appeared in the event log: 'Failed to start cpass-domain-server_[institution name]'.  This was fixed by restarting the domain service.

 

Since the update, all AD auths using MSCHAPv2 on those boxes results in a timeout.  The error appears in the access tracker:

 

 

MSCHAP: AD status:{Device Timeout} The specified I/O operation on %hs was not completed before the time-out period expired. (0xc00000b5) 
MSCHAP: Authentication failed
EAP-MSCHAPv2: User authentication failure

The logs show a similar error, with the addition of this:

 

 

ERROR RadiusServer.Radius - rlm_mschap: FAILED: MS-CHAP2-Response is incorrect

The server that remains on 6.6.9 is unaffected by this behaviour, and the 6.6.10 servers can handle non-MSCHAPv2 authentications fine.

 

 

The release notes for 6.6.10 show a few small changes in AD auth behaviour: release notes.  Could this explain the problem?

 

 

 

MVP Guru

Re: 6.6.10 upgrade seems to have caused timeouts for MSCHAPv2

What was the previous version you were on ?


Sent from Mail for Windows 10
Thank you

Victor Fabian
Lead Mobility Architect @WEI
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Contributor II

Re: 6.6.10 upgrade seems to have caused timeouts for MSCHAPv2

6.6.9

Guru Elite

Re: 6.6.10 upgrade seems to have caused timeouts for MSCHAPv2

Always best to work with Aruba TAC for things like this.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
Highlighted
Frequent Contributor I

Re: 6.6.10 upgrade seems to have caused timeouts for MSCHAPv2

Does anyone have a fix on for this? 
After rebooting my machines (6.6.9) both of them show the same behaviour.

Error messsage:

MSCHAP: AD status:{Device Timeout} The specified I/O operation on %hs was not completed before the time-out period expired. (0xc00000b5)

Network Engineer
ACCX #931 | ACMP
Aruba

Re: 6.6.10 upgrade seems to have caused timeouts for MSCHAPv2

Like Tim stated above I would work with TAC. There might be an underlying cause that we can’t troubleshoot here in the forum.
Thank You,
Troy

--Give Kudos: found something helpful, important, or cool? Click Kudos Star in a post.

--Problem Solved? Click "Accepted Solution" in a post.
Frequent Contributor I

Re: 6.6.10 upgrade seems to have caused timeouts for MSCHAPv2

Thanks for your answer. I just opened a TAC case!

Network Engineer
ACCX #931 | ACMP
New Contributor

Re: 6.6.10 upgrade seems to have caused timeouts for MSCHAPv2

have you resolved.

Aruba

Re: 6.6.10 upgrade seems to have caused timeouts for MSCHAPv2

This is an old thread. CPPM is currently on 6.8.x versions.6.6 is a very old version and if you are having issues with it then you need to call TAC.
Thank You,
Troy

--Give Kudos: found something helpful, important, or cool? Click Kudos Star in a post.

--Problem Solved? Click "Accepted Solution" in a post.
Search Airheads
cancel
Showing results for 
Search instead for 
Did you mean: