Security

Hi,

 

I´ve set up clearpass in a test enviroment.

We´ve a 650 Controller with firmware 6.2.0.3.

CPPM  Version 6.0.2.24585.

 

When I make an AAA test from the Controller:

 

My CPPM shows thin in AccessTracker:

 

 

 

 

What is wrong?

 

Maybe anybody have an idea.

 

Thanks

 

Your services probably have something specific that a test authentication does not.  If your service has aruba-essid-name as an attribute, for example, a test does not have an ssid, so it will not be categorized.  Look in the details of the input tab of the failed message and compare it to existing services to see what you are missing.

 

 

 

 

I never seen this error but I am wondering if you have the ip source radius configured correctly on the controller .

 

(controller) #show ip radius source-interface

Global radius client source IP address = 10.10.10.1 ====> this should match the ip address you have configured in CCPM > Configuration > Network > Devices 

This is local configuration to each controller

 

Ok vfabian I checked it, there is the right ip address.

the problem is still there.

 

thanks

Just as Colin stated your service is not being classified by CPPM.

 

You need to check your settings in the service to catch your auth request otherwise CPPM will just send a reject no matter what. 

Leon123,

 

Let me be specific:  A service only classifies or handles an incoming authentication if the attributes of the incoming authentication contain elements in the service rules tab of that service:  In the service below, it is stipulating that the Aruba ESSID needs to be "Guest" for the incoming authentication.  I know for a fact that a test authentication does NOT have an SSID or WLAN component to it, so it will fail.  If you KNOW a service should be handing your test, take a look at the SERVICE TAB on the service and compare the INPUT tab of the failed authentication and make sure what the service requires is in the authentication.

 

My test authentication below just like yours does NOT hsave an Aruba-Essid-Name radius attribute in the radius request so it would not be processed by that rule above.  That is because it is not a real client associated to a real wireless network.  You can remove the service rule that makes it too restrictive to your test authentication or you can create a new service that has the attributes of your test so that it gets classified:

 

This 204 error occured for me when the source SSID name did not exactly match service rule value.  I learned that the value is case sensitive and must match source SSID name exactly.

 

Once case was matched, users were authenticating successfully.

I Have the the same problems but i don not get radius input:

 

 

Is that a real authentication request or are you using the aaa test option?

It was a real client. Solved it to include pre Auth radius settings in the authentication configuration. But got some other issues posted in other treads