
Clear Pass Authentication rejected for some users- Help

  • 1.  Clear Pass Authentication rejected for some users- Help

    Posted Oct 04, 2019 03:28 PM

    Hi, 

    I am new to the community and have an issue.

    We have multiple remote sites and all of them are using an Aruba wireless network to connect to different SSIDs. These users are being authenticated via ClearPass and AD. We have upgraded a Domain Controller at one of the sites. After the upgrade, the users at the specific site are not being authenticated, but for the rest of the sites it works fine.

    On ClearPass the status is Timeout and Reject, but few of the users are able to authenticate successfully.

     

    Alerts -
    Error Code: 206
    Error Category: Authentication failure
    Error Message: Access denied by policy
    Alerts for this Request -
    RADIUS: Applied 'Reject' profile

     

    Attached the logs for analysis. 

     

    Regards

    Pankaj 

    Attachment(s)

    zip
    Wireless_Logs.zip   9 KB 1 version


  • 2.  RE: Clear Pass Authentication rejected for some users- Help

    Posted Oct 05, 2019 03:34 AM
    Please check if ClearPass is able to browse the OU and that you can get to the folder where the user accounts are stored.


  • 3.  RE: Clear Pass Authentication rejected for some users- Help

    Posted Oct 05, 2019 12:38 PM
    Yes, ClearPass is able to browse all the accounts.


  • 4.  RE: Clear Pass Authentication rejected for some users- Help

    Posted Oct 05, 2019 01:36 PM

    By upgrade, do you mean the code version or the model? Could you give some more info on this?

     

    Have any configuration changes been made to the interfaces? 

     

    What happens when you do an aaa test server from the controller diagnostics page with a user's credentials?

     

     




  • 5.  RE: Clear Pass Authentication rejected for some users- Help

    Posted Oct 06, 2019 02:35 AM
    By upgrade do you mean the code version or the model? Could you give some more info on this. - We have upgraded the Windows server active directory services on server side.

    Have any configuration changes been made to the interfaces? - No changes have been made.

    What happens when you do a aaa test server from the controller diagnostics page with a user's credentials? - It's an instant AP.


  • 6.  RE: Clear Pass Authentication rejected for some users- Help

    Posted Oct 06, 2019 04:38 AM

    Are the users set up to receive downloadable roles? What is the FQDN in the RADIUS server in the IAP configuration?

     

     



  • 7.  RE: Clear Pass Authentication rejected for some users- Help

    Posted Oct 07, 2019 09:09 AM

    Thanks for the reply. Can you please let me know how to validate if roles are downloadable?

    The RADIUS server is configured statically on the IAP.

    Name- abcd

    IP Address- 1.2.3.4

    Auth Port- 1812

    Acc Port- 1813

    Shared Secret- xxxx

     

    The IAP Model and AOS are as below.

    Name: Aruba Operating System Software
    Type: 115
    Build Time: 2015-08-05 00:40:30 PDT
    Version: 6.4.3.1-4.2.0.0_51112


  • 8.  RE: Clear Pass Authentication rejected for some users- Help

    EMPLOYEE
    Posted Oct 05, 2019 02:42 PM

    If ClearPass is being rejected by "Policy" you should look into the Attributes on the "Input" TAB of the Access Tracker of the rejected devices and compare that to the rules on the "Enforcement" TAB of the service that it is hitting to see why your user does not satisfy any of those rules.  It may or may not have anything to do with what you last did, but you need to compare them.  There is no easy way to figure this out.



  • 9.  RE: Clear Pass Authentication rejected for some users- Help

    EMPLOYEE
    Posted Oct 07, 2019 09:29 AM

    Based on your original post, if you are using 802.1x to authenticate users and you upgraded a domain controller, and you are having timeouts, it is possible that ClearPass is sending authentications to domain controllers that are far away, creating latency and possible timeout issues.  The solution is to define "password servers" so that you can be sure ClearPass uses a domain controller that is close to your ClearPass servers:  https://www.arubanetworks.com/techdocs/ClearPass/6.7/PolicyManager/index.htm#CPPM_UserGuide/Admin/ServerConfig_addpwdserver.htm?Highlight=password%20server

     

    With regards to the "reject", you need to look at what parameters on the authentication that is rejected do not satisfy your enforcement policy rules.
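
An added example, not part of the thread and not ClearPass code: the comparison the last two replies describe (request attributes from the Access Tracker "Input" tab against the service's enforcement rules), automated so that each non-matching rule reports which condition failed and whether the attribute was missing or simply had a different value. The rule format, attribute names and values are constructed for illustration, and first-match evaluation with a default 'Reject' profile is an assumption.

```python
# Added illustration; rule format and all values are constructed, not a ClearPass export.
OPS = {
    "EQUALS": lambda actual, want: actual == want,
    "CONTAINS": lambda actual, want: want.lower() in actual.lower(),
}


def explain_rule(rule, attrs):
    """Return the reasons a rule did not match (empty list means it matched)."""
    reasons = []
    for name, op, want in rule["conditions"]:
        if name not in attrs:
            reasons.append(f"{name}: missing from request")
        elif not OPS[op](attrs[name], want):
            reasons.append(f"{name}: {attrs[name]!r} fails {op} {want!r}")
    return reasons


def evaluate(rules, attrs, default="Reject"):
    """First matching rule wins; otherwise the default profile is applied."""
    misses = {}
    for rule in rules:
        reasons = explain_rule(rule, attrs)
        if not reasons:
            return rule["profile"], misses
        misses[rule["name"]] = reasons
    return default, misses


RULES = [  # hypothetical enforcement rules
    {"name": "staff", "profile": "Staff-Access", "conditions": [
        ("Authorization:AD:memberOf", "CONTAINS", "CN=Wifi-Staff"),
        ("Radius:IETF:NAS-Port-Type", "EQUALS", "Wireless-802.11")]},
    {"name": "contractor", "profile": "Contractor-Access", "conditions": [
        ("Authorization:AD:memberOf", "CONTAINS", "CN=Wifi-Contractors")]},
]
REQUESTS = {  # constructed Input-tab attribute sets
    "no_authz": {"Radius:IETF:NAS-Port-Type": "Wireless-802.11"},
    "wrong_group": {"Radius:IETF:NAS-Port-Type": "Wireless-802.11",
                    "Authorization:AD:memberOf": "CN=Domain Users,DC=example,DC=com"},
    "staff_ok": {"Radius:IETF:NAS-Port-Type": "Wireless-802.11",
                 "Authorization:AD:memberOf": "CN=Wifi-Staff,OU=Groups,DC=example,DC=com"},
}

if __name__ == "__main__":
    for label, attrs in REQUESTS.items():
        profile, misses = evaluate(RULES, attrs)
        print(f"{label}: {profile}")
        for rule, reasons in misses.items():
            print(f"  {rule}: " + "; ".join(reasons))
```

A rejected request whose reasons all read "missing from request" points at attributes that never arrived, while "fails CONTAINS" points at a value that arrived but no rule accepts.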