Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass TACACS - Failed user login not showing up in Access Tracker

  • 1.  Clearpass TACACS - Failed user login not showing up in Access Tracker

    Posted Nov 21, 2022 05:34 PM

    I'm working on an odd problem with an F5 (virtual edition) where TACACS auths via the GUI fail, but I don't see the ID in Access Tracker. If I delete the default gateway on the F5 (I've tried a few for the attached VLANs), the management port is used as the gateway and auths work fine. Otherwise, they fail. I've taken Wireshark captures of working and non-working attempts and see where the TACACS server and the F5 chat just fine (TCP SYN, ACK, etc.) up until the F5 sends the TACACS+ request, upon which the TACACS server responds with a reset. Is there some other place I can look in ClearPass to see where the request came in and possibly why the reset was sent?



  • 2.  RE: Clearpass TACACS - Failed user login not showing up in Access Tracker

    EMPLOYEE
    Posted Nov 21, 2022 06:16 PM
    The only other place is "Event Viewer", where you could see if there are any errors.
    Also, if you have a ClearPass cluster, you need to select all the nodes in Access Tracker to see all the incoming auth requests.

    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba.
    ------------------------------



  • 3.  RE: Clearpass TACACS - Failed user login not showing up in Access Tracker

    EMPLOYEE
    Posted Nov 22, 2022 05:00 AM
    Management port... is that on the F5 or on ClearPass?

    I would not recommend using the data port on ClearPass. Single port ClearPass servers are much easier to deploy, maintain and troubleshoot. If the TACACS traffic is routed, you could check based on the sending MAC address on which port a request arrives on ClearPass, as that is the MAC of the router/L3 device.

    From the past, I know that you should configure management routing on F5 as well, but it's too long ago to remember the details.

    Your Aruba partner, or Aruba Support may be able to assist better with a network diagram and having access to the packet captures.

    ------------------------------
    Herman Robers
    ------------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------
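The two diagnostics raised in this thread, finding the TACACS+ sessions where the server answered the request with a TCP reset (post 1) and checking which L2 sender MAC each request arrived from so a routed path can be told apart from a direct one (post 3), can be scripted over the capture rather than read off by hand. The following is an added example, not code from the thread or from HPE Aruba; it works on per-packet summaries of the kind you can export from Wireshark or tshark fields (timestamp, source MAC, IPs, ports, TCP flags, payload length), and the sample packets below are constructed to mirror the working and failing attempts described above, not taken from a real capture.

```python
"""Triage a TACACS+ (TCP/49) capture: which sessions did the server reset
right after the client's first request, and from which L2 sender did each
request arrive. Pure Python over packet summaries (constructed sample)."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional

TACACS_PORT = 49  # TACACS+ listens on TCP port 49


@dataclass
class Pkt:
    ts: float
    src_mac: str
    src_ip: str
    dst_ip: str
    sport: int
    dport: int
    flags: str        # TCP flag letters, Wireshark style: S, SA, A, PA, FA, R, RA
    payload_len: int  # TCP payload bytes (0 for pure control segments)


@dataclass
class Flow:
    client: tuple                                   # (ip, port) that connected to 49
    server: tuple
    client_macs: set = field(default_factory=set)   # L2 senders seen on client side
    request_seen: bool = False                      # client sent TACACS+ payload
    reply_seen: bool = False                        # server sent payload back
    reset_by_server: bool = False
    reset_ts: Optional[float] = None

    def outcome(self) -> str:
        if self.reset_by_server and self.request_seen and not self.reply_seen:
            return "reset_after_request"
        if self.reset_by_server:
            return "reset_before_request"
        if self.reply_seen:
            return "server_replied"
        return "incomplete"


# Constructed sample (hypothetical MACs/IPs): one working attempt arriving
# directly from the client's own MAC, one failing attempt arriving via a
# router MAC and reset by the server right after the request payload.
SAMPLE = [
    Pkt(0.000, "00:11:22:33:44:55", "10.1.1.5", "10.2.2.10", 40001, 49, "S", 0),
    Pkt(0.001, "aa:bb:cc:dd:ee:01", "10.2.2.10", "10.1.1.5", 49, 40001, "SA", 0),
    Pkt(0.002, "00:11:22:33:44:55", "10.1.1.5", "10.2.2.10", 40001, 49, "A", 0),
    Pkt(0.003, "00:11:22:33:44:55", "10.1.1.5", "10.2.2.10", 40001, 49, "PA", 52),
    Pkt(0.005, "aa:bb:cc:dd:ee:01", "10.2.2.10", "10.1.1.5", 49, 40001, "PA", 28),
    Pkt(0.006, "00:11:22:33:44:55", "10.1.1.5", "10.2.2.10", 40001, 49, "FA", 0),
    Pkt(1.000, "de:ad:be:ef:00:01", "10.1.1.5", "10.2.2.10", 40002, 49, "S", 0),
    Pkt(1.001, "aa:bb:cc:dd:ee:01", "10.2.2.10", "10.1.1.5", 49, 40002, "SA", 0),
    Pkt(1.002, "de:ad:be:ef:00:01", "10.1.1.5", "10.2.2.10", 40002, 49, "A", 0),
    Pkt(1.003, "de:ad:be:ef:00:01", "10.1.1.5", "10.2.2.10", 40002, 49, "PA", 52),
    Pkt(1.004, "aa:bb:cc:dd:ee:01", "10.2.2.10", "10.1.1.5", 49, 40002, "R", 0),
]


def flow_key(p: Pkt):
    """Normalize a packet to (client_ip, client_port, server_ip, 49), or None."""
    if p.dport == TACACS_PORT:
        return (p.src_ip, p.sport, p.dst_ip, p.dport)
    if p.sport == TACACS_PORT:
        return (p.dst_ip, p.dport, p.src_ip, p.sport)
    return None


def analyze(packets):
    """Group packets into TACACS+ flows and record request/reply/reset state."""
    flows = {}
    for p in sorted(packets, key=lambda x: x.ts):
        key = flow_key(p)
        if key is None:
            continue
        f = flows.setdefault(key, Flow(client=key[:2], server=key[2:]))
        if p.dport == TACACS_PORT:              # client -> server
            f.client_macs.add(p.src_mac)
            if p.payload_len > 0:
                f.request_seen = True
        else:                                   # server -> client
            if p.payload_len > 0:
                f.reply_seen = True
            if "R" in p.flags and not f.reset_by_server:
                f.reset_by_server = True
                f.reset_ts = p.ts
    return flows


def resets_after_request(packets):
    """Flows the server reset after the first TACACS+ request with no reply,
    with the L2 sender MAC(s) the request arrived from."""
    return [
        {"client": f.client, "server": f.server,
         "client_macs": sorted(f.client_macs), "reset_ts": f.reset_ts}
        for f in analyze(packets).values()
        if f.outcome() == "reset_after_request"
    ]


def senders_per_client_ip(packets):
    """Map client IP -> set of source MACs; more than one MAC for the same IP
    means requests reach the server over different L2 paths (direct vs routed)."""
    seen = defaultdict(set)
    for p in packets:
        if p.dport == TACACS_PORT:
            seen[p.src_ip].add(p.src_mac)
    return dict(seen)


if __name__ == "__main__":
    for hit in resets_after_request(SAMPLE):
        print(f"{hit['client']} -> {hit['server']}: reset at {hit['reset_ts']}s, "
              f"request arrived from MAC(s) {hit['client_macs']}")
    print(senders_per_client_ip(SAMPLE))
```

A flow reported as `reset_after_request` is the symptom from post 1: the handshake completed, so it is not a plain reachability problem, and the request reached the listener before the reset. The `senders_per_client_ip` map is post 3's check: if the same client IP shows up behind two different source MACs, one of them is a router or L3 device, and comparing that against the interfaces on the ClearPass side tells you which port the failing requests are entering on.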