Hi All,
I'm wondering if someone could clarify / confirm the expected behaviour in ClearPass (6.3) when an AD authentication server fails.
I've got a couple of scenarios in mind:
1) LDAP connection failed / terminated during authentication - ClearPass appears to retry connecting to the original source and then, if this fails, goes to the Backup 1 server after the 10 second timeout? (See the edited log output below.)
2014-11-22 19:07:50,049 [Th 347 Req 2116838 SessId R00204ce6-18-54704456] INFO RadiusServer.Radius - rlm_service: Starting Service Categorization - 208:76:CID
2014-11-22 19:07:50,053 [Th 347 Req 2116838 SessId R00204ce6-18-54704456] INFO RadiusServer.Radius - rlm_service: The request has been categorized into service "AD-Auth-Service"
2014-11-22 19:07:50,054 [Th 347 Req 2116838 SessId R00204ce6-18-54704456] INFO RadiusServer.Radius - rlm_ldap: searching for user DOMAIN\User in AD:DC06.mycompany.com
2014-11-22 19:07:55,060 [Th 347 Req 2116838 SessId R00204ce6-18-54704456] ERROR RadiusServer.Radius - rlm_ldap: <SERVICE ACCOUNT> bind to DC06.mycompany.com:636 failed: Can't contact LDAP server
2014-11-22 19:07:55,060 [Th 347 Req 2116838 SessId R00204ce6-18-54704456] ERROR RadiusServer.Radius - rlm_ldap: (re)connection attempt failed
2014-11-22 19:07:55,060 [Th 347 Req 2116838 SessId R00204ce6-18-54704456] INFO RadiusServer.Radius - rlm_ldap: searching for user DOMAIN\User in AD:DC07.mycompany.com
2014-11-22 19:07:55,061 [Th 347 Req 2116838 SessId R00204ce6-18-54704456] INFO RadiusServer.Radius - rlm_ldap: found user DOMAIN\User in AD:DC07.mycompany.com
2014-11-22 19:07:55,061 [Th 347 Req 2116838 SessId R00204ce6-18-54704456] INFO RadiusServer.Radius - rlm_ldap: authenticating "DOMAIN\User"
2014-11-22 19:07:55,139 [Th 347 Req 2116838 SessId R00204ce6-18-54704456] INFO RadiusServer.Radius - rlm_ldap: user DOMAIN\User authenticated succesfully
2014-11-22 19:07:55,139 [Th 347 Req 2116838 SessId R00204ce6-18-54704456] INFO RadiusServer.Radius - rlm_policy: Starting Policy Evaluation.
2014-11-22 19:08:05,256 [Th 347 Req 2116838 SessId R00204ce6-18-54704456] INFO RadiusServer.Radius - rlm_policy: Received Accept Enforcement Profile
2014-11-22 19:08:05,256 [Th 347 Req 2116838 SessId R00204ce6-18-54704456] INFO RadiusServer.Radius - rlm_policy: Added Class attribute with value Class = 0x4062592904944b83b38ec2d2be05bb97180c0000000000005230303230346365362d31382d35343730343435360000000000000000000000
2014-11-22 19:08:05,256 [Th 347 Req 2116838 SessId R00204ce6-18-54704456] INFO RadiusServer.Radius - rlm_policy: Policy Server reply does not contain Posture-Validation-Response
In this instance, will all future authentication requests then be processed by the backup AD server immediately, or only after the 10 second server timeout? If so, what is the process for pre-emption or failback to the original server if it comes back into service?
2) The second scenario is a simple timeout (i.e. the primary server doesn't respond at all). I assume the 10 seconds applies and then the secondary backup server is selected for all future auth? When does it decide to try the original server again / fail back?
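As an added illustration (not from the original post and not ClearPass code), here is a small Python parser for the rlm_ldap lines quoted above that measures how long a request sat on the failed primary before ClearPass moved to the backup, so the observed delay can be compared against the timeout configured on the authentication source. The sample log is the post's own lines trimmed to the failover-relevant ones; the regular expressions are assumptions about the 6.3 log format and the 10 second figure is the one from the question.

```python
import re
from datetime import datetime

# Constructed sample: the rlm_ldap lines from the post above, trimmed to the failover-relevant ones.
SAMPLE_LOG = r"""
2014-11-22 19:07:50,054 [Th 347 Req 2116838 SessId R00204ce6-18-54704456] INFO RadiusServer.Radius - rlm_ldap: searching for user DOMAIN\User in AD:DC06.mycompany.com
2014-11-22 19:07:55,060 [Th 347 Req 2116838 SessId R00204ce6-18-54704456] ERROR RadiusServer.Radius - rlm_ldap: <SERVICE ACCOUNT> bind to DC06.mycompany.com:636 failed: Can't contact LDAP server
2014-11-22 19:07:55,060 [Th 347 Req 2116838 SessId R00204ce6-18-54704456] ERROR RadiusServer.Radius - rlm_ldap: (re)connection attempt failed
2014-11-22 19:07:55,060 [Th 347 Req 2116838 SessId R00204ce6-18-54704456] INFO RadiusServer.Radius - rlm_ldap: searching for user DOMAIN\User in AD:DC07.mycompany.com
2014-11-22 19:07:55,139 [Th 347 Req 2116838 SessId R00204ce6-18-54704456] INFO RadiusServer.Radius - rlm_ldap: user DOMAIN\User authenticated succesfully
"""

# Assumed layout of a ClearPass 6.3 RadiusServer log line (timestamp, thread/request id, level, module, message).
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) \[Th \d+ Req (?P<req>\d+) [^\]]*\] (?P<level>\w+) \S+ - rlm_ldap: (?P<msg>.*)$")
SEARCH_RE = re.compile(r"searching for user .* in AD:(?P<host>\S+)")
BIND_FAIL_RE = re.compile(r"bind to (?P<host>[^:\s]+)(?::\d+)? failed")

def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S,%f")

def find_failovers(log_text):
    """Return one (req_id, failed_host, backup_host, seconds_waited) tuple per request that
    moved to another AD server after a bind failure on the server it tried first."""
    events = []
    pending = {}  # req_id -> [host being searched, when that search started, bind failed?]
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        req, ts, msg = m["req"], parse_ts(m["ts"]), m["msg"]
        search = SEARCH_RE.search(msg)
        if search:
            prev = pending.get(req)
            if prev and prev[2]:
                # A new search after a failed bind is the failover itself; the gap between the two
                # searches is how long the supplicant waited before ClearPass gave up on the primary.
                events.append((req, prev[0], search["host"], round((ts - prev[1]).total_seconds(), 3)))
            pending[req] = [search["host"], ts, False]
            continue
        fail = BIND_FAIL_RE.search(msg)
        if fail and req in pending and pending[req][0] == fail["host"]:
            pending[req][2] = True
    return events

def slow_failovers(events, expected_timeout_s):
    """Flag failovers whose observed wait exceeds the timeout configured on the auth source,
    i.e. where a stalled primary is costing users more than the configuration intends."""
    return [e for e in events if e[3] > expected_timeout_s]
```

On the quoted log the primary (DC06) was abandoned after roughly 5 seconds, not 10, which is the kind of discrepancy this check is meant to surface.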