Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

CPPM AD Auth Source - Server Timeout

  • 1.  CPPM AD Auth Source - Server Timeout

    Posted Jan 06, 2020 12:19 PM

    How does ClearPass behave when all backend AD Authentication Sources are down? Will it stop the RADIUS Server Service?

     

    I am planning for failure scenarios for Cisco Wired 802.1X. There are many options to place users into Critical VLANs when CPPM is marked as Dead. In a scenario where CPPM is UP but the backend servers are down, I am not certain the servers will ever be marked as Dead. Has anyone tested and confirmed the behavior?

     

    Thanks! 



  • 2.  RE: CPPM AD Auth Source - Server Timeout

    EMPLOYEE
    Posted Jan 07, 2020 06:25 AM

    If you have mapped AD as the authentication/authorization source in the service and all domain controllers are down or not reachable in your network, then RADIUS authentication will fail, and we can see these details in Access Tracker with the Alert error message "no logon servers".



  • 3.  RE: CPPM AD Auth Source - Server Timeout

    Posted Jan 07, 2020 08:50 PM

    Thanks Pavan. I was more specifically looking to see what state this puts the Cisco Dead Server detection mechanisms in. So I labbed it up. 

     

    The available options for authentication failures depend on IBNS 1.0 vs 2.0. Basically, it can mark the server as Down if it detects that ClearPass fails to respond to a RADIUS authentication. However, detection mechanisms such as the automated-tester functionality will not work. 

     

    There is no change in the CPPM RADIUS services if backend AD has become unreachable.