Occasional Contributor I

NAS-IP-Address 0.0.0.0

I am trying to authenticate a new Meraki Z3 teleworker device to my ClearPass Policy Manager, but the request is failing. If I look at the event viewer, I see the access device IP/port as 0.0.0.0 and the NAS-IP-Address as 0.0.0.0. Is ClearPass making its decision based on the NAS-IP-Address, which is a clear violation of RFC 2865?

 

Guru Elite

Re: NAS-IP-Address 0.0.0.0

The NAD is not matched based on NAS-IP.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
Occasional Contributor I

Re: NAS-IP-Address 0.0.0.0

Where do you think the 0.0.0.0 is coming from?

 

Session Identifier: R00045ff4-07-5a31c4de
Date and Time: Dec 13, 2017 19:25:06 EST
End-Host Identifier: A4-E9-75-A9-66-24
Username: robinj06
Access Device IP/Port: 0.0.0.0:
System Posture Status: UNKNOWN (100)

Guru Elite

Re: NAS-IP-Address 0.0.0.0

NAD-IP is computed from NAS-IP and that is what is displayed as the ‘Access Device IP/Port’

In most environments, the NAS-IP and Source IP will be the same.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

Occasional Contributor I

Re: NAS-IP-Address 0.0.0.0

So is it failing cause the NAS-IP is 0.0.0.0?

Guru Elite

Re: NAS-IP-Address 0.0.0.0

No. What does the alerts tab show in access tracker?

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

Occasional Contributor I

Re: NAS-IP-Address 0.0.0.0

Error Code: 216
Error Category: Authentication failure
Error Message: User authentication failed

Alerts for this Request:
RADIUS[Local User Repository] - localhost: User not found.
MSCHAP: Authentication failed
EAP-MSCHAPv2: User authentication failure

Guru Elite

Re: NAS-IP-Address 0.0.0.0

The alert text explains the problem. The authenticating user was not found in the authentication source.

[Local User Repository] - localhost: User not found.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

Occasional Contributor I

Re: NAS-IP-Address 0.0.0.0

This is supposed to authenticate to AD; all of my other requests are successful.

Re: NAS-IP-Address 0.0.0.0

Have you included your Active Directory in the Authentication Sources for this service? The logs, as Tim indicates, appear to show that ClearPass is only checking the Local User Repository, not the AD.

 

The log for a wrong password in AD would look like a logon failure:

MSCHAP: AD status:Logon failure (0xc000006d) 
MSCHAP: Authentication failed
EAP-MSCHAPv2: User authentication failure

For wrong username it would say User not found, like in your case:

 

AD-arubalab.loc - dc01.arubalab.loc: User not found.
MSCHAP: Authentication failed
EAP-MSCHAPv2: User authentication failure

Please double-check your service, most specifically the Authentication Sources. I think it is very unlikely that the 0.0.0.0 in the NAS-IP-Address has something to do with your issue at this point in the process.

--
If you have urgent issues, please contact your Aruba partner or Aruba TAC (click for contact details).
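
The distinction drawn in the last reply (which authentication source was actually searched, and whether the failure was a missing user or an AD logon failure) can be checked mechanically. This is an added example, not code from the thread or from ClearPass: `triage` is a hypothetical helper, its patterns are derived only from the alert lines quoted above, and `AD-arubalab.loc` is the lab source name from the reply, used as a stand-in for the expected source.

```python
import re

# "<source> - <host>: User not found." with an optional leading "RADIUS" column
NOT_FOUND = re.compile(
    r"^(?:RADIUS\s*)?\[?(?P<source>[^\]]+?)\]?\s+-\s+(?P<host>\S+):\s*User not found\.?$")
# "MSCHAP: AD status:Logon failure (0xc000006d)"
AD_STATUS = re.compile(r"AD status:\s*(?P<status>.+?)\s*\((?P<code>0x[0-9a-fA-F]+)\)")


def triage(alerts, expected_source=None):
    """Classify Access Tracker alert lines (hypothetical helper).

    expected_source is the name of the authentication source the request
    should have reached, written as it appears in the alert text.
    """
    searched, ad_status = [], None
    for line in (a.strip() for a in alerts):
        m = NOT_FOUND.match(line)
        if m:
            searched.append(m.group("source"))
            continue
        m = AD_STATUS.search(line)
        if m:
            ad_status = (m.group("status"), m.group("code").lower())
    if ad_status:
        cause = "ad_logon_failure"              # AD was reached and rejected the logon
    elif not searched:
        cause = "unclassified"                  # no line names a source
    elif expected_source and expected_source.lower() not in (s.lower() for s in searched):
        cause = "expected_source_not_searched"  # check the service's Authentication Sources
    else:
        cause = "user_not_found"                # expected source searched, user missing
    return {"cause": cause, "searched": searched, "ad_status": ad_status}


# Alert lines as quoted in the thread
THREAD_CASE = ["RADIUS[Local User Repository] - localhost: User not found.",
               "MSCHAP: Authentication failed",
               "EAP-MSCHAPv2: User authentication failure"]
AD_WRONG_PASSWORD = ["MSCHAP: AD status:Logon failure (0xc000006d) ",
                     "MSCHAP: Authentication failed",
                     "EAP-MSCHAPv2: User authentication failure"]
AD_WRONG_USER = ["AD-arubalab.loc - dc01.arubalab.loc: User not found.",
                 "MSCHAP: Authentication failed",
                 "EAP-MSCHAPv2: User authentication failure"]

if __name__ == "__main__":
    for name, case in [("thread", THREAD_CASE), ("wrong password", AD_WRONG_PASSWORD),
                       ("wrong user", AD_WRONG_USER)]:
        print(name, triage(case, expected_source="AD-arubalab.loc"))
```

For the alerts posted in the thread, the result names only the Local User Repository as searched, which is the condition the reply asks the poster to check in the service configuration.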