Hi
How many domain controllers do you have?
Are they placed on different IP subnets?
As you are using MSCHAPv2, ClearPass will try to find the closest domain controller with a DNS request. For this to work, the subnet(s) where your ClearPass servers are placed must be added to a site in Active Directory Sites and Services.
Ports must also be opened to allow traffic from to the domain controllers on all the RPC ports.
I have seen a similar error where ClearPass tried to communicate with a remote domain controller where port openings were missing.
Also add the domain controllers under Password Servers setting under the domain join.
------------------------------
Best Regards
Jonas Hammarbäck
MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
Aranya AB
If you find my answer useful, consider giving kudos and/or mark as solution
------------------------------
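A reachability check for the points in the reply above, as an added example that is not part of the original post or of ClearPass: it builds the SRV names used to locate domain controllers (site-specific first) and probes each DC on the well-known AD ports, separating ports that time out (typically filtered) from ports that refuse. The domain, site name and DC host names are constructed placeholders, and it is assumed to run from a host in the same subnet as the ClearPass servers.

```python
import socket

# Standard AD service ports. The dynamic RPC range (49152-65535 by default on
# current Windows Server) must also be open but is not probed here.
AD_PORTS = {88: "kerberos", 135: "rpc-endpoint-mapper", 389: "ldap", 445: "smb"}

def srv_names(domain, site=None):
    """SRV names queried to locate DCs; the site-specific name comes first."""
    names = []
    if site:
        names.append(f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}")
    names.append(f"_ldap._tcp.dc._msdcs.{domain}")
    return names

def probe(host, port, timeout=2.0):
    """Return 'open', 'refused', 'timeout' or 'unreachable' for one TCP port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"          # host answered, nothing listening
    except (socket.timeout, TimeoutError):
        return "timeout"          # no answer at all: usually a filtered port
    except OSError:
        return "unreachable"      # DNS failure, no route, etc.

def check_dcs(dcs, ports=AD_PORTS, timeout=2.0):
    """Map each DC to {port: status} for every port that is not open."""
    report = {}
    for dc in dcs:
        results = {p: probe(dc, p, timeout) for p in ports}
        report[dc] = {p: s for p, s in results.items() if s != "open"}
    return report

if __name__ == "__main__":
    # Constructed placeholder values; replace with your own domain, site and DCs.
    for name in srv_names("corp.example", site="Branch-Site"):
        print("resolve with: nslookup -type=SRV", name)
    for dc, failed in check_dcs(["dc1.corp.example", "dc2.corp.example"]).items():
        if not failed:
            print(dc, "all probed ports open")
        for port, status in failed.items():
            print(dc, port, AD_PORTS[port], status)
```

A DC that shows `timeout` on these ports while another DC shows them open matches the remote-DC case described in the reply.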
Original Message:
Sent: May 28, 2024 10:00 PM
From: Georhem
Subject: MSCHAP: AD status:{Device Timeout} The specified I/O operation on %hs was not completed before the time-out period expired. (0xc00000b5)
Hi Herman,
What is this service? WLAN? Wired? Admin access? - this service is WLAN
What is the client? Configured security? Users Laptop
Does this happen for all of your clients? yes it happens to all the clients.
If you rejoin ClearPass to your domain does it work initially (you mention error is back after a few minutes)? Yes, after we rejoin the AD to ClearPass it works properly, but after a few minutes, when we try to reconnect the client, it gets a REJECT and the ALERTS show AD status {Device Timeout}.
So should I remove the PEAP-MSCHAPv2 then?
Kindly see screenshots below for reference.
connected time: 15:25
Disconnected time with the ALERTS AD status {Device Timeout}: 15:58
Original Message:
Sent: May 28, 2024 11:20 AM
From: Herman Robers
Subject: MSCHAP: AD status:{Device Timeout} The specified I/O operation on %hs was not completed before the time-out period expired. (0xc00000b5)
What is this service? WLAN? Wired? Admin access?
What is the client? Configured security?
Does this happen for all of your clients?
If you rejoin ClearPass to your domain does it work initially (you mention error is back after a few minutes)?
It may be from this information that you use PEAP-MSCHAPv2. Be informed that there are known security issues with MSCHAPv2 and the protocol should not be used anymore. Migration to EAP-TLS or TEAP would be recommended. This does not answer your question, but I think it's important that you are aware.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
Original Message:
Sent: May 27, 2024 04:24 AM
From: Georhem
Subject: MSCHAP: AD status:{Device Timeout} The specified I/O operation on %hs was not completed before the time-out period expired. (0xc00000b5)
Hi
We're facing an issue regarding our AD; it said that AD status {Device Timeout}
We tried to re-join the AD to our ClearPass and it works, but after several minutes the Error 216 is back.
Can someone explain to us why our AD is like this?
Thank you.