Security

I have a new implementation with User Authentication with MAC caching in a cluster that is working 90% of the time....  New guest user is captive portaled correctly, they fill out basic form and accept terms, then receipt page auto submits and the user is allowed on (MAC is then cached for future access).

Intermittently, when the user fills out the registration form and submits it, the controller authentication back to clearpass guest fails with: Error Code 201 - Authentication Failure

Alerts for this Request:

RADIUS [Guest User Repository] - localhost: User not found.

Cannot select appropriate authentication method

Without changing anything, the user can then typically submit the form again and this time they are logged in and everything is working. Sometimes they can submit multiple times and get the same error each time.  Access Tracker shows it as a Reject, but the "incoming" RADIUS data is identical to a working scenario....          

It works most of the time across the cluster so I've not found anything configuration related.....      Note: it is possible the registration may occur on node 2 while the radius request is sent to node 3.  I thought maybe it could be a local database replication delay issue or something but don't know where to begin there.... and sometimes I see it fail when the user account is clearly visible on the node in question....

Has anyone seen this before?   Any thoughts?  

Sounds indeed like a database synchronization delay between the nodes. Guest accounts are created on the publisher, then synced back to the subscribers.

What might help is adding a delay to the login action, or let the user press a login button.

On the Guest Selfregistration page, under Advanced Editor, there is an option: Automatic Login - Guest Delay, with a default setting of 0 seconds. You may try setting this to 2 or 3 seconds and see if that resolves your issue.

If this does not help, please work with your partner or Aruba TAC to get this resolved.