Hi All,
Apologies for opening an old discussion, however this describes our current issue perfectly. We are currently experiencing the exact same symptoms in a cluster of 2x 7210 running 8.7.1.1 code.
I have a TAC case open working on this, but also wondering if anyone else has seen similar?
The controllers will process MSCHAP, MAC, Guest, etc. RADIUS via ClearPass no problem, but any EAP-TLS traffic will fail with timeouts until the controller is rebooted. The error logs are flooded with auth server timeouts and eventually the ClearPass source goes into an uptime of 0. Similar to the original poster, the ClearPass tracking logs are filled with TIMEOUTS or TLS failures.
Thanks all
------------------------------
Brent Buckley
------------------------------
Original Message:
Sent: Feb 07, 2020 12:09 PM
From: Fred Flippo
Subject: EAP-TLS WiFi clients stop to authenticate on Aruba 7010/7210/7240 on AOS 8.2.1.1 and 8.5.0.3
We have an enterprise network with approximately 445 sites that all have local Aruba Mobility controllers.
These are either 7010, 7210 or 7240 controllers, single or in a cluster configuration of two.
The controllers run 8.2.1.1 and some run 8.5.0.3 as we are in an upgrade process to this version. The Mobility Master runs the latest version.
We finished installing this environment in Q2 of 2019.
Since October 2019 we experience the following problem:
Sometimes (happened on seven sites up until now) in a cluster of two or more controllers, WiFi clients on our EAP-TLS based SSIDs stop being able to authenticate.
The problem is fixed when we reload the controller.
We see Authentication failed messages in the logs of the Mobility Controllers:
Feb 5 10:10:05 dot1x-proc:1[4414]: <522275> <4414> <WARN> |dot1x-proc:1| User Authentication failed. username=host/username.eu.company.com userip=0.0.0.0 usermac=f0:d5:bf:94:21:3b authmethod=802.1x servername=clearpass serverip=10.20.30.1 apname=AP-RW01-a8bd27c52 158 bssid=a8:bd:27:d2:15:91
The ClearPass server does not have any problem as authentication takes place successfully on all (445) other sites in our enterprise.
In ClearPass, the failed authentication attempts on the affected sites arrive in the Access Tracker. All affected clients show up as "TIMEOUT".
Has anyone experienced this and wants to share thoughts and possibly how you solved it?