Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Authentication successful only from one IAP

  • 1.  Authentication successful only from one IAP

    Posted Jul 06, 2018 11:43 AM

    Hi guys,

     

    I am doing some testing of authentication against AD via ClearPass. I have a cluster of two IAPs; I have created the Instant cluster VC IP as a NAD in ClearPass, and created the ClearPass server as a RADIUS server in Instant. The problem is that authentication is successful only from one IAP, and I see the ACCEPT messages in Access Tracker, but from the other IAP I can't connect to the network, and I don't see any message in Access Tracker. I don't know where the problem is because, as I said, the NAD in ClearPass is the cluster VC IP, and I have also enabled the Dynamic Proxy RADIUS feature in the Instant cluster. Can you help me?

     

    Regards,

    Julián



  • 2.  RE: Authentication successful only from one IAP

    EMPLOYEE
    Posted Jul 06, 2018 12:01 PM

    On ClearPass, check the Event Viewer (not Access Tracker) to see if CPPM is receiving unauthorized RADIUS requests from the other IAP.



  • 3.  RE: Authentication successful only from one IAP

    Posted Jul 06, 2018 12:04 PM

    Nothing, in Event Viewer I see no messages about RADIUS requests and the other IAP.

     

    Regards,

    Julián



  • 4.  RE: Authentication successful only from one IAP

    EMPLOYEE
    Posted Jul 06, 2018 12:21 PM

    I would start with the CLI of the IAP that is not authenticating and work out from there. Does the IAP have the correct configuration? Does it see the user association attempted? Are there any error logs showing the authentication failure?



  • 5.  RE: Authentication successful only from one IAP

    Posted Jul 06, 2018 06:00 PM

    Hi Charlie,

     

    This is what I have got from CLI:

    instantcli.JPG

    I suppose the message "Client 78:0c:b8:f6:70:de authenticate fail because RADIUS server connection failure" refers to the ClearPass server. But you can see I can ping it successfully (it has IP 192.168.1.98). And I don't know if the output of the last two commands is useful. Can you think of anything else?

     

    Regards,

    Julián



  • 6.  RE: Authentication successful only from one IAP

    Posted Jul 06, 2018 07:02 PM

    Hi guys,

     

    I think I know what's going on. My Instant cluster fails to connect to ClearPass because my ClearPass RADIUS certificate has expired, and I think for the same reason the RADIUS server service has stopped, and I can't restart it. I think that's the root cause. What can I do to overcome this issue? Do I need to install a new certificate? Because this is a ClearPass with an eval license for testing purposes, is there any site to get free certificates? Sorry for these questions but I am a beginner in the certificates world.

     

    Regards,

    Julián



  • 7.  RE: Authentication successful only from one IAP

    EMPLOYEE
    Posted Jul 06, 2018 07:07 PM
    A valid EAP server certificate is required for the RADIUS service to start. Use your organization's preferred CA to acquire the appropriate certificate(s).


  • 8.  RE: Authentication successful only from one IAP

    Posted Jul 06, 2018 07:30 PM

    Hi Tim,

    Yes, I have read in another thread that the expiration of the RADIUS certificate stops the RADIUS service.

    The problem from the beginning was that I was doing tests with authentication from only one IAP when the RADIUS certificate was valid. Then the next day I kept doing tests from the other IAP, but what a coincidence that the RADIUS certificate expired at the end of the previous day.

    I will try to acquire new certificates and we'll see.

     

    Regards,

    Julián