Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Policy Server Failed:

  • 1.  Policy Server Failed:

    Posted Nov 07, 2019 02:37 AM

    Hi,

    I am getting the following error after I configured the Guest Captive Portal on Aruba ClearPass (Virtual) version 6.8.

    Alerts for this Request 

    Policy serverFailed to construct filter=SELECT
    CASE WHEN expire_time is null or expire_time > now() THEN 'false'
    ELSE 'true'
    END AS is_expired,
    CASE WHEN enabled = true THEN 'true' ELSE 'false' END as is_enabled
    FROM tips_guest_users
    WHERE ((guest_type = 'USER') AND (user_id = '%{Endpoint:Username}') AND (app_name != 'Onboard')).
    Failed to get value for attributes=[AccountEnabled, AccountExpired]
    RADIUS[Endpoints Repository] - localhost: User not found.
    Applied 'Reject' profile

    The network architecture has 2 master controllers and 2 local controllers. I used the master controller IP address in the service created for guests (to be specific, Guest User Authentication with MAC Caching), and I used the VRRP IP address of the master controller instead of securelogin.arubanetworks.com on the Login page of the Self-Registration page.

     

    When I provide the Guest Role ID, MAC-Auth Expiry, and Username on the endpoint attribute, it works correctly.

     

    Without the above attributes, the portal is not redirecting the user to register. It timed out, and below is the URL address displayed.

     

    https://10.90.104.4/guest/aau_guest.php?cmd=login&mac=e4:a7:a0:ef:19:b5&ip=10.6.240.9&essid=AAU%2DMain%2DGuest&apname=AAU-MC-CA-GF-CAP2&apgroup=AAU-Main-APG&url=http%3A%2F%2Fwww%2Emsftconnecttest%2Ecom%2Fredirect&_browser=1

     

    Any feedback will be appreciated!

     

     



  • 2.  RE: Policy Server Failed:
    Best Answer

    EMPLOYEE
    Posted Nov 08, 2019 09:48 AM

    First, make sure that you have a valid and trusted certificate on your controller and on ClearPass. A redirect to https://<private IP address>/xxx will give issues sooner rather than later. I have seen many places with similar weird issues, and when the proper certificates are installed it suddenly works without issue. Untrusted/self-signed certificates don't work (unfortunately).

     

    Then the scary-looking error under Policy Manager. That can probably be considered 'normal', as for unknown and new clients the fields you mention have not been set; the query is probably used in the role-mapping policy or the enforcement policy, and if there is such a failure, processing will continue. This assumption is confirmed by the '[Endpoints Repository] - localhost: User not found.' message. ClearPass then hit the end of your Enforcement policy and returned the default 'Reject'.

     

    Please make sure that you have the certificates fixed. If you still have issues after that, your service, role mapping, enforcement, and Access Tracker information need further investigation. Aruba Support can assist with that as well, and interactive troubleshooting will probably provide results much faster than a forum in this case.
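
The certificate advice in the answer above can be checked offline before touching the portal. This added example (not part of the thread and not Aruba code) audits a captive-portal redirect URL against the subject alternative names of the certificate the portal serves; the hostname `clearpass.example.com` and the SAN lists are constructed assumptions, and the URL is the one from the question with its query string shortened.

```python
import ipaddress
from urllib.parse import urlsplit


def dns_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style match: '*' may only stand for the whole leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def audit_redirect(url: str, san_dns: list[str], san_ip: list[str]) -> list[str]:
    """Return findings that would make a client distrust the portal page."""
    findings = []
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.scheme != "https":
        findings.append("not-https")
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None
    if addr is not None:
        findings.append("host-is-ip-literal")
        if addr.is_private:
            # Public CAs do not issue certificates for private/reserved addresses.
            findings.append("private-ip-not-issuable-by-public-ca")
        if addr not in {ipaddress.ip_address(i) for i in san_ip}:
            findings.append("no-matching-ip-san")
    elif not any(dns_matches(p, host) for p in san_dns):
        findings.append("no-matching-dns-san")
    return findings


# Constructed SAN list for a hypothetical publicly trusted ClearPass certificate.
SAN_DNS = ["clearpass.example.com"]
SAN_IP: list[str] = []

if __name__ == "__main__":
    for u in ("https://10.90.104.4/guest/aau_guest.php?cmd=login",
              "https://clearpass.example.com/guest/aau_guest.php?cmd=login"):
        print(u, "->", audit_redirect(u, SAN_DNS, SAN_IP) or "ok")
```

An empty result means the redirect host is a name the certificate covers; it does not verify the chain of trust, which still has to be checked on the controller and on ClearPass.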