Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Timeouts on Reject only.

  • 1.  Timeouts on Reject only.

    Posted Jan 14, 2014 07:36 PM

    On my Clearpass 6.3 server

    I am getting timeouts: "RADIUS Client did not complete EAP transaction"

    when a user fails RADIUS auth with a wrong username/password. However, with the correct username/password he receives the ACCEPT message fine. Why would a REJECT time out and an ACCEPT make it?



  • 2.  RE: Timeouts on Reject only.

    EMPLOYEE
    Posted Jan 14, 2014 07:38 PM

    Timeouts generally occur when a user waits too long before entering their credentials or when a device has disassociated before authentication can complete.

    Sometimes when bad credentials are entered, the supplicant will bounce back and ask for credentials again. Many times this will timeout.

    I notice this behavior mostly on Mac OS X: when bad credentials are entered, the OS just spins its wheels sometimes and ClearPass shows a TIMEOUT.



  • 3.  RE: Timeouts on Reject only.

    EMPLOYEE
    Posted Jan 14, 2014 07:50 PM

    What version of cppm is this?


  • 4.  RE: Timeouts on Reject only.

    Posted Jan 15, 2014 11:43 AM

    I most often see timeouts when the client does not trust the certificate that CPPM sends. This may be the case if the cert chain is not present on the client.



  • 5.  RE: Timeouts on Reject only.

    Posted Jan 15, 2014 12:10 PM

    These are requests being proxied to our campus via Eduroam. Not sure what they use for the RADIUS server (FreeRADIUS is my guess). Let me know if there is any other info that would be helpful.



  • 6.  RE: Timeouts on Reject only.

    Posted Jan 15, 2014 12:49 PM

    NVM!  Wasn't thinking when I responded... :)



  • 7.  RE: Timeouts on Reject only.

    Posted Jan 15, 2014 01:02 PM

    Logs if this helps...

    Time Message

    2014-01-14 15:54:52,331[RequestHandler-1-0x7fe1ce7f3700 r=psauto-1389650139-80007 h=127 r=R006be078-05-52d5ce4c] INFO Core.ServiceReqHandler - Service classification result = EDUROAM ROAMING USERS
    2014-01-14 15:55:42,115[main SessId R006be078-05-52d5ce4c] ERROR RadiusServer.Radius - reqst_clean_list: Deleting request sessid - R006be078-05-52d5ce4c, state - 0x0046008b004b00dfdc45ad02b7232c88963502f8df832067c88ae3da
    2014-01-14 15:55:42,115[main SessId R006be078-05-52d5ce4c] ERROR RadiusServer.Radius - reqst_clean_list: Packet 213:139:110:70-6F-6C-69-73-68 recv 1389743692.312669 - resp 1389743693.505437
    2014-01-14 15:55:42,115[main SessId R006be078-05-52d5ce4c] ERROR RadiusServer.Radius - reqst_clean_list: Packet 214:156:76:70-6F-6C-69-73-68 recv 1389743693.625021 - resp 1389743694.794394
    2014-01-14 15:55:42,115[main SessId R006be078-05-52d5ce4c] ERROR RadiusServer.Radius - reqst_clean_list: Packet 215:251:1112:70-6F-6C-69-73-68 recv 1389743694.879621 - resp 1389743696.120393
    2014-01-14 15:55:42,115[main SessId R006be078-05-52d5ce4c] ERROR RadiusServer.Radius - reqst_clean_list: Packet 216:156:1108:70-6F-6C-69-73-68 recv 1389743696.205641 - resp 1389743697.443419
    2014-01-14 15:55:42,116[RequestHandler-1-0x7fe1ce7f3700 r=psauto-1389650139-80080 h=135 r=R006be078-05-52d5ce4c] INFO Common.EndpointTable - Returning NULL (EndpointPtr) for macAddr 706f6c697368
    2014-01-14 15:55:42,116[RequestHandler-1-0x7fe1ce7f3700 r=psauto-1389650139-80080 h=135 r=R006be078-05-52d5ce4c] INFO Common.TagDefinitionCacheTable - No TagDefCacheMap could be found for instance id = 1 entity id = 29
    2014-01-14 15:55:42,116[RequestHandler-1-0x7fe1ce7f3700 r=psauto-1389650139-80080 h=135 r=R006be078-05-52d5ce4c] INFO Common.TagDefinitionCacheTable - Building the TagDefMapTable for NAD instance=1
    2014-01-14 15:55:42,116[RequestHandler-1-0x7fe1ce7f3700 r=psauto-1389650139-80080 h=135 r=R006be078-05-52d5ce4c] INFO Common.TagDefinitionCacheTable - Built 0 tag(s) for NAD instanceId=1|entityId=29
    2014-01-14 15:55:42,116[RequestHandler-1-0x7fe1ce7f3700 r=psauto-1389650139-80080 h=135 r=R006be078-05-52d5ce4c] INFO TAT.TagAttrHolderBuilder - No tags built for instanceId=1|entity=Device
    2014-01-14 15:55:42,116[RequestHandler-1-0x7fe1ce7f3700 r=psauto-1389650139-80080 h=135 r=R006be078-05-52d5ce4c] INFO TAT.AluTagAttrHolderBuilder - buildAttrHolder: Tags cannot be built for instanceId=0 (NULL AuthLocalUser)
    2014-01-14 15:55:42,116[RequestHandler-1-0x7fe1ce7f3700 r=psauto-1389650139-80080 h=135 r=R006be078-05-52d5ce4c] INFO TAT.GuTagAttrHolderBuilder - buildAttrHolder: Tags cannot be built for instanceId=0 (NULL GuestUser)
    2014-01-14 15:55:42,116[RequestHandler-1-0x7fe1ce7f3700 r=psauto-1389650139-80080 h=135 r=R006be078-05-52d5ce4c] INFO TAT.EndpointTagAttrHolderBuilder - buildAttrHolder: Tags cannot be built for instanceId=0 (NULL Endpoint)
    2014-01-14 15:55:42,116[RequestHandler-1-0x7fe1ce7f3700 r=psauto-1389650139-80080 h=135 r=R006be078-05-52d5ce4c] INFO TAT.OnboardTagAttrHolderBuilder - buildAttrHolder: Tags cannot be built for instanceId=0 (NULL Onboard Device User)
    2014-01-14 15:55:42,117[RequestHandler-1-0x7fe1ce7f3700 h=726652 c=R006be078-05-52d5ce4c] INFO Core.PETaskScheduler - *** PE_TASK_SCHEDULE_RADIUS Started ***
    2014-01-14 15:55:42,117[RequestHandler-1-0x7fe1ce7f3700 h=726654 c=R006be078-05-52d5ce4c] INFO Core.PETaskRoleMapping - Roles:
    2014-01-14 15:55:42,117[RequestHandler-1-0x7fe1ce7f3700 h=726657 c=R006be078-05-52d5ce4c] INFO Core.PETaskEnforcement - EnfProfiles: Deny Access Profile]
    2014-01-14 15:55:42,118[RequestHandler-1-0x7fe1ce7f3700 h=726662 c=R006be078-05-52d5ce4c] INFO Core.PETaskGenericEnfProfileBuilder - getApplicableProfiles: No App enforcement (Generic) profiles applicable for this device
    2014-01-14 15:55:42,118[RequestHandler-1-0x7fe1ce7f3700 h=726658 c=R006be078-05-52d5ce4c] WARN Core.SessionInfoOperations - Skip SessionInfoOperations::persistSessionInfo because of NULL NAD or NAD IP matching localhost
    2014-01-14 15:55:42,118[RequestHandler-1-0x7fe1ce7f3700 h=726658 c=R006be078-05-52d5ce4c] INFO Core.PETaskRadiusEnfProfileBuilder - EnfProfileAction=DENY
    2014-01-14 15:55:42,118[RequestHandler-1-0x7fe1ce7f3700 h=726658 c=R006be078-05-52d5ce4c] INFO Core.PETaskRadiusEnfProfileBuilder - Radius enfProfiles used: Deny Access Profile]
    2014-01-14 15:55:42,118[RequestHandler-1-0x7fe1ce7f3700 h=726658 c=R006be078-05-52d5ce4c] INFO Core.EnfProfileComputer - getFinalSessionTimeout: sessionTimeout = 0
    2014-01-14 15:55:42,118[RequestHandler-1-0x7fe1ce7f3700 h=726663 c=R006be078-05-52d5ce4c] INFO Core.PETaskCliEnforcement - startHandler: Request rejected. Skip CLI enforcement
    2014-01-14 15:55:42,118[RequestHandler-1-0x7fe1ce7f3700 r=R006be078-05-52d5ce4c h=726661 c=R006be078-05-52d5ce4c] WARN Core.PETaskPostAuthEnfProfileBuilder - handleHttpResponseEv: Fetching Radius attributes from battery failed, errMsg=
    2014-01-14 15:55:42,118[RequestHandler-1-0x7fe1ce7f3700 r=R006be078-05-52d5ce4c h=726661 c=R006be078-05-52d5ce4c] INFO Core.PETaskPostAuthEnfProfileBuilder - getApplicableProfiles: No Post auth enforcement profiles applicable for this device
    2014-01-14 15:55:42,119[RequestHandler-1-0x7fe1ce7f3700 r=R006be078-05-52d5ce4c h=726659 c=R006be078-05-52d5ce4c] WARN Core.PETaskRadiusCoAEnfProfileBuilder - handleHttpResponseEv: Fetching Radius attributes from battery failed, errMsg=
    2014-01-14 15:55:42,121[RequestHandler-1-0x7fe1ce7f3700 h=726665 c=R006be078-05-52d5ce4c] INFO Core.XpipPolicyResHandler - populateResponseTlv: PETaskPostureOutput does not exist. Skip sending posture VAFs
    2014-01-14 15:55:42,121[RequestHandler-1-0x7fe1ce7f3700 h=726665 c=R006be078-05-52d5ce4c] INFO Core.PolicyResCollector - getSohr: Failed to generate Sohr
    2014-01-14 15:55:42,121[RequestHandler-1-0x7fe1ce7f3700 h=726664 c=R006be078-05-52d5ce4c] INFO Core.PolicyResCollector - getSohr: Failed to generate Sohr
    2014-01-14 15:55:42,121[RequestHandler-1-0x7fe1ce7f3700 r=R006be078-05-52d5ce4c h=726652 c=R006be078-05-52d5ce4c] INFO Core.PETaskScheduler - *** PE_TASK_SCHEDULE_RADIUS Completed ***
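A quick way to get timing out of a dump like the one above, as an added example (my own script, not ClearPass code and not something from this thread): it pulls the recv/resp epoch stamps out of the reqst_clean_list packet lines, works out the per-round-trip server latency and the span between the first and last log record, and decodes the dashed hex that follows the packet counters. The input is the packet, classification and completion lines copied from the post; the function names (parse_packets, summarize and so on) are mine, and I am assuming recv/resp are the server's receive and response stamps, as their names suggest.

```python
import re
from datetime import datetime

# Lines copied from the ClearPass log in the post above: the classification
# record, the reqst_clean_list records and the final completion record.
SAMPLE_LOG = """\
2014-01-14 15:54:52,331[RequestHandler-1-0x7fe1ce7f3700 r=psauto-1389650139-80007 h=127 r=R006be078-05-52d5ce4c] INFO Core.ServiceReqHandler - Service classification result = EDUROAM ROAMING USERS
2014-01-14 15:55:42,115[main SessId R006be078-05-52d5ce4c] ERROR RadiusServer.Radius - reqst_clean_list: Deleting request sessid - R006be078-05-52d5ce4c, state - 0x0046008b004b00dfdc45ad02b7232c88963502f8df832067c88ae3da
2014-01-14 15:55:42,115[main SessId R006be078-05-52d5ce4c] ERROR RadiusServer.Radius - reqst_clean_list: Packet 213:139:110:70-6F-6C-69-73-68 recv 1389743692.312669 - resp 1389743693.505437
2014-01-14 15:55:42,115[main SessId R006be078-05-52d5ce4c] ERROR RadiusServer.Radius - reqst_clean_list: Packet 214:156:76:70-6F-6C-69-73-68 recv 1389743693.625021 - resp 1389743694.794394
2014-01-14 15:55:42,115[main SessId R006be078-05-52d5ce4c] ERROR RadiusServer.Radius - reqst_clean_list: Packet 215:251:1112:70-6F-6C-69-73-68 recv 1389743694.879621 - resp 1389743696.120393
2014-01-14 15:55:42,115[main SessId R006be078-05-52d5ce4c] ERROR RadiusServer.Radius - reqst_clean_list: Packet 216:156:1108:70-6F-6C-69-73-68 recv 1389743696.205641 - resp 1389743697.443419
2014-01-14 15:55:42,121[RequestHandler-1-0x7fe1ce7f3700 r=R006be078-05-52d5ce4c h=726652 c=R006be078-05-52d5ce4c] INFO Core.PETaskScheduler - *** PE_TASK_SCHEDULE_RADIUS Completed ***
"""

# Leading "YYYY-MM-DD HH:MM:SS,mmm" stamp on every record (server local clock).
TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})")
# "Packet <id>:<n>:<n>:<dashed-hex> recv <epoch> - resp <epoch>"; the two
# middle counters are not documented in the thread, so they are skipped.
PKT_RE = re.compile(
    r"reqst_clean_list: Packet (\d+):\d+:\d+:([0-9A-Fa-f-]+) recv ([\d.]+) - resp ([\d.]+)"
)


def parse_packets(log_text):
    """Per-packet recv/resp epoch stamps from the cleanup dump, plus the
    server-side latency (resp - recv) of each RADIUS exchange."""
    packets = []
    for line in log_text.splitlines():
        m = PKT_RE.search(line)
        if not m:
            continue
        recv, resp = float(m.group(3)), float(m.group(4))
        packets.append({
            "id": int(m.group(1)),
            "station_id": m.group(2),
            "recv": recv,
            "resp": resp,
            "latency": resp - recv,
        })
    return packets


def log_span_seconds(log_text):
    """Wall-clock seconds between the first and last record, using the
    record stamps only (so no time-zone juggling against the epoch values)."""
    stamps = [
        datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S,%f")
        for m in (TS_RE.match(line) for line in log_text.splitlines()) if m
    ]
    return (max(stamps) - min(stamps)).total_seconds() if stamps else 0.0


def decode_station_id(hex_dashed):
    """The dashed hex looks like a MAC but is just bytes; render it as ASCII
    so a non-MAC Calling-Station-Id from a proxied request is obvious."""
    return bytes(int(h, 16) for h in hex_dashed.split("-")).decode("ascii", "replace")


def summarize(log_text):
    pk = parse_packets(log_text)
    return {
        "packets": len(pk),
        "max_latency": max(p["latency"] for p in pk) if pk else 0.0,
        "eap_rounds_elapsed": pk[-1]["resp"] - pk[0]["recv"] if pk else 0.0,
        "session_span": log_span_seconds(log_text),
        "station_id": decode_station_id(pk[0]["station_id"]) if pk else "",
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On these lines it reports four EAP round trips answered in about 1.2 s each, all within about 5 s of the first packet, and then nothing for roughly 45 s until ClearPass deletes the request at the 50 s mark, so the client (or the proxy in front of it) stopped answering rather than the server being slow. The dashed hex decodes to the string "polish", which matches the macAddr 706f6c697368 that the EndpointTable lookup returned NULL for: the proxied request did not carry a real MAC as its Calling-Station-Id.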


  • 8.  RE: Timeouts on Reject only.

    Posted Jan 16, 2014 07:30 PM

    So after further testing, we have narrowed the scope of the issue. The timeouts only occur when doing an LDAP lookup for a username that does not exist in Active Directory. Bad passwords are properly rejected; also, if the internal DB is used for user management, that will also properly reject users. So it is tied to the LDAP lookup. I noticed from the logs that even after receiving a "user not found" message it continued to retry the AD server 5 more times! I am not sure if there is a knob to turn this off, and if it is truly based on attempts OR just a countdown timer.



  • 9.  RE: Timeouts on Reject only.

    Posted Jan 16, 2014 07:45 PM

    Did you enable "fail through" in your server group for that AAA profile?



  • 10.  RE: Timeouts on Reject only.

    Posted Jan 17, 2014 11:46 AM

    This particular request does not come from a mobility controller; it comes directly from EDUROAM, which is proxying requests from other universities. So the only piece that is used is ClearPass 6.3 on our side. Is there an option for fail-through on ClearPass directly?

    Thanks

    Matt



  • 11.  RE: Timeouts on Reject only.

    Posted Jan 17, 2014 11:57 AM

    You can list multiple authentication sources in your service. If the authentication fails (bad password, expired account, etc.), it stops processing the request at that authentication source. If the user is not found, then the next authentication source is attempted, and so on.
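The fall-through rule just described, as an added example rather than anything from ClearPass or this thread: a small Python model of a service with an ordered list of authentication sources, where "user not found" moves on to the next source and any definitive answer (accept or reject) stops the chain. It also folds in the observation from post 8 by letting a source spend extra lookup attempts on a miss and comparing the accumulated time with the supplicant's EAP timeout, so the same request ends as REJECT or TIMEOUT depending on how long the chain takes. The AuthSource class, the user tables, the per-lookup costs and the retry counts are all constructed for the example; ClearPass's real timers and retry behaviour are not documented here.

```python
from dataclasses import dataclass
from enum import Enum


class Outcome(Enum):
    ACCEPT = "accept"
    REJECT = "reject"        # definitive failure: bad password, disabled account, ...
    NOT_FOUND = "not_found"  # this source does not know the user; try the next one
    TIMEOUT = "timeout"      # the client gave up before the chain produced an answer


@dataclass
class AuthSource:
    """Hypothetical stand-in for a ClearPass authentication source (AD/LDAP, local DB)."""
    name: str
    users: dict               # username -> password (constructed test data)
    lookup_cost: float = 0.0  # seconds per lookup attempt (constructed)
    retries_on_miss: int = 0  # extra attempts made when the user is not found (constructed)

    def authenticate(self, username, password):
        """Return (outcome, seconds_spent) for one source."""
        if username not in self.users:
            attempts = 1 + self.retries_on_miss
            return Outcome.NOT_FOUND, attempts * self.lookup_cost
        if self.users[username] != password:
            return Outcome.REJECT, self.lookup_cost
        return Outcome.ACCEPT, self.lookup_cost


def evaluate(sources, username, password, eap_timeout=30.0):
    """Walk the sources in order: NOT_FOUND falls through to the next source,
    ACCEPT or REJECT stops processing. If the accumulated lookup time passes the
    client's EAP timeout, the answer never reaches the client, so we record TIMEOUT.
    Returns (outcome, seconds_elapsed)."""
    elapsed = 0.0
    for src in sources:
        outcome, spent = src.authenticate(username, password)
        elapsed += spent
        if elapsed > eap_timeout:
            return Outcome.TIMEOUT, elapsed
        if outcome is not Outcome.NOT_FOUND:
            return outcome, elapsed
    # No source knows the user: modelled as a reject (assumption, not ClearPass documentation).
    return Outcome.REJECT, elapsed


# Constructed sources: a fast local DB first, then a slow AD that retries five
# more times on a miss, mirroring the "5 more times" seen in post 8.
LOCAL_DB = AuthSource("Local User Repository", {"guest1": "pw1"}, lookup_cost=0.01)
AD = AuthSource("Campus AD", {"alice": "s3cret"}, lookup_cost=6.0, retries_on_miss=5)
SOURCES = [LOCAL_DB, AD]


if __name__ == "__main__":
    for user, pw in [("guest1", "pw1"), ("alice", "s3cret"), ("alice", "wrong"), ("nobody", "x")]:
        outcome, secs = evaluate(SOURCES, user, pw)
        print(f"{user:8s} -> {outcome.name:9s} after {secs:.2f}s")
```

With these numbers a bad password for a known user comes back as REJECT after about 6 s, while an unknown user costs 36 s of AD retries and overruns a 30 s client timeout, which is the REJECT-versus-TIMEOUT split the original poster observed; raising the timeout to 60 s in the call turns that same case into a REJECT, and putting a fast source first means users it knows never touch the slow one.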