Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Switch management with ClearPass as a RADIUS server

  • 1.  Switch management with ClearPass as a RADIUS server

    Posted Mar 25, 2023 10:48 AM

    Hello, I'm suddenly getting this message on the ClearPass:

    "EAP transaction did not complete" whenever an admin wants to log in to a switch; now no one can manage the switches through SSH or web.

    The only change that was done recently, I believe, was that the CA was the ClearPass before for the 802.1X users and now it is the Windows CA, so now the ClearPass has the 802.1X certificate that the Windows CA signed, but that's all.

    I actually did not configure the RADIUS server for the ClearPass and switches integration, but as far as I know you don't need a certificate for this, or do you? At least in the manuals I read I never saw that you needed one.

    It also has a really old SSL certificate, which I can replace with a self-signed cert I guess, but I don't think that's the issue, because it expired like 2 years ago.

    Any ideas?



  • 2.  RE: Switch management with ClearPass as a RADIUS server

    Posted Mar 25, 2023 12:03 PM
    Hi,

    So you mean you use RADIUS for admin logins?

    Because for TACACS authc I never see any alerts showing the "client did not complete EAP transaction" error message.

    So what type of EAP are you using here? EAP-PEAP, EAP-TLS, EAP-TTLS, or?





  • 3.  RE: Switch management with ClearPass as a RADIUS server

    Posted Mar 25, 2023 12:56 PM

    We want to change it to TACACS later, but for now it will be like this.

    On the switch I see this configured:

    aaa authentication ssh login peap-mschapv2 local
    aaa authentication ssh enable peap-mschapv2 local




  • 4.  RE: Switch management with ClearPass as a RADIUS server

    Posted Mar 25, 2023 01:29 PM
    Hi,

    If you Show Logs for one of the timed-out requests in Access Tracker, what do you see?
    You'd better truncate all the sensitive info.
    I want to see where it stops.

    I believe this is a timed-out request in the first place.






  • 5.  RE: Switch management with ClearPass as a RADIUS server

    Posted Mar 25, 2023 02:32 PM

    Here is some info: I changed all client info and also SessId info and other things, but I guess you will get the idea without that.

    2023-03-25 12:27:48,723    [Th 631 Req 1813531 Sess2eb-01-64 RadiusServer.Radius - rlm_service: Starting Service Categorization - 77:112:192.168.62.22
    2023-03-25 12:27:48,723    [Th 631 Req 1813531 SessId R000102eb-01 RadiusServer.Radius - The attribute 10.10.10.10 does not contain valid MAC Address
    2023-03-25 12:27:48,730    [RequestHandler-1-0x7f190f7fb700 r=psauto-167728h=223 r=R001-641f2f14] INFO Core.ServiceReqHandler - Service classification result =  Switches Management
    2023-03-25 12:27:48,732    [Th 631 Req 1813531 SessId R00-641f RadiusServer.Radius - Service Categorization time = 8 ms
    2023-03-25 12:27:48,732    [Th 631 Req 1813531 SessId 02eb-01-641f2f RadiusServer.Radius - rlm_service: The request has been categorized into service "Switches Management"
    2023-03-25 12:27:48,732    [Th 631 Req 1813531 SessId R000101-64 RadiusServer.Radius - rlm_ldap: searching for user user in AD:client.local
    2023-03-25 12:27:48,733    [Th 631 Req 1813531 SessId R000b-0141 RadiusServer.Radius - rlm_ldap: found user user in AD:client.local
    2023-03-25 12:27:48,733    [Th 631 Req 1813531 SessId R000102eb-01 RadiusServer.Radius - LDAP/AD User lookup time = 1 ms
    2023-03-25 12:27:48,734    [Th 631 Req 1813531 SessId R000102eb-01-642f1 RadiusServer.Radius - rlm_eap_peap: Initiate
    2023-03-25 12:27:48,734    [Th 631 Req 1813531 SessId R000102eb-01-641f2f14] RadiusServer.Radius - reqst_update_state: Access-Challenge 77:88:192.168.62.22:APcA7gBLAKcbrBsAOJGagtiGz8bCX
    2023-03-25 12:27:48,741    [Th 636 Req 1813532 SessId R00010eb-01-64f14]  RadiusServer.Radius - rlm_service: The request was categorized into service Switches  Management" - 78:321:192.168.62.22
    2023-03-25 12:27:48,744    [Th 636 Req 1813532 SessId R000102eb41f2f RadiusServer.Radius - TLS_accept:error in SSLv3 read client key exchange A
    2023-03-25 12:27:48,744    [Th 636 Req 1813532 SessId R000102eb-01 RadiusServer.Radius - TLS_accept:error in SSLv3 read client key exchange A
    2023-03-25 12:27:48,745    [Th 636 Req 1813532 SessId R000102eb-01- RadiusServer.Radius - reqst_update_state: Access-Challenge 78:1124:192.168.62.22:ACwAMAD8AJUcrBsAWeJtKUL/PA/JZZ4Q0G2rhg==
    2023-03-25 12:27:48,747    [Th 635 Req 1813533 SessId R000102eb-01-64O RadiusServer.Radius - rlm_service: The request was categorized into service " Switches  Management" - 79:148:10.10.10.10




  • 6.  RE: Switch management with ClearPass as a RADIUS server

    Posted Mar 25, 2023 02:35 PM

    And yes, it's a timeout:

    Alerts -
     Error Code: 9002
     Error Category: RADIUS protocol
     Error Message: Request timed out
     Alerts for this Request -
       RADIUS: Client did not complete EAP transaction




  • 7.  RE: Switch management with ClearPass as a RADIUS server

    EMPLOYEE
    Posted Mar 28, 2023 07:57 AM

    Is that an ArubaOS Switch? Or AOS-CX? Or other?

    For PEAP, the client, in this case the switch, would need to trust the RootCA that issued the EAP certificate for your ClearPass server.

    If you changed the RootCA for the ClearPass RADIUS EAP certificate, there are good chances that you would need to add that root as a Trusted CA or Trust Anchor (not sure which) to your switch. PEAP clients should abort the authentication if they don't trust the server certificate (through its root).

    I never tried peap-mschapv2 for switch admin, but I can imagine the result based on this.



    ------------------------------
    Herman Robers
    ------------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------
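As an added example (not from this thread, nor HPE/ClearPass code), a small Python triage script that groups Access Tracker lines like those in reply 5 by SessId and reports how far each PEAP login got; the sample log, session ids, addresses and state blobs are constructed. A session whose furthest marker is the "read client key exchange" line went quiet right after ClearPass sent its certificate, which is the pattern the reply above attributes to the switch not trusting the root CA of the EAP certificate.

```python
import re

# Constructed sample, modelled on the Access Tracker lines posted in reply 5;
# request ids, session ids, addresses and state blobs are made up.
SAMPLE_LOG = """\
2023-03-25 12:27:48,733 [Th 631 Req 1813531 SessId R000102eb-01-641f2f14] RadiusServer.Radius - rlm_ldap: found user user in AD:client.local
2023-03-25 12:27:48,734 [Th 631 Req 1813531 SessId R000102eb-01-641f2f14] RadiusServer.Radius - rlm_eap_peap: Initiate
2023-03-25 12:27:48,744 [Th 636 Req 1813532 SessId R000102eb-01-641f2f14] RadiusServer.Radius - TLS_accept:error in SSLv3 read client key exchange A
2023-03-25 12:27:48,745 [Th 636 Req 1813532 SessId R000102eb-01-641f2f14] RadiusServer.Radius - reqst_update_state: Access-Challenge 78:1124:192.168.62.22:BBBB
2023-03-25 12:30:01,100 [Th 640 Req 1813600 SessId R0001030a-01-641f2fa1] RadiusServer.Radius - rlm_eap_peap: Initiate
2023-03-25 12:30:01,401 [Th 641 Req 1813604 SessId R0001030a-01-641f2fa1] RadiusServer.Radius - reqst_update_state: Access-Accept 80:20:192.168.62.22
"""
LINE_RE = re.compile(r"^\S+ \S+\s+\[Th \d+ Req (\d+) SessId (\S+)\]\s+\S+ - (.*)$")

PHASES = [  # progress markers in the order a healthy PEAP login passes them
    ("rlm_ldap: found user", "user found in AD"),
    ("rlm_eap_peap: Initiate", "PEAP started"),
    ("TLS_accept:error in SSLv3 read client key exchange", "server cert sent, waiting for client"),
    ("Access-Accept", "accepted"),
]

def parse_sessions(text):
    """Group Access Tracker lines by SessId; one PEAP login spans several Req ids."""
    sessions = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # lines that do not match the request format are ignored
            req, sess, msg = m.groups()
            sessions.setdefault(sess, []).append((int(req), msg))
    return sessions

def triage(text):
    """Return {SessId: (furthest phase reached, verdict)} for every session."""
    report = {}
    for sess, entries in parse_sessions(text).items():
        reached = 0
        for _, msg in entries:
            for idx, (marker, _) in enumerate(PHASES, start=1):
                if marker in msg:
                    reached = max(reached, idx)
        last = PHASES[reached - 1][1] if reached else "unknown"
        if last == "accepted":
            verdict = "ok"
        elif last == "server cert sent, waiting for client":
            verdict = "client stopped after server certificate: check the switch trusts the EAP cert's root CA"
        else:
            verdict = "stalled at: " + last
        report[sess] = (last, verdict)
    return report
```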



  • 8.  RE: Switch management with ClearPass as a RADIUS server

    Posted Mar 28, 2023 09:14 AM

    It's an ArubaOS switch; they had a certificate from the CA of the ClearPass for the users, and it was changed to the CA of the AD.

    We did that change and they could still log in to the switches; the ClearPass did the request for the 802.1X cert to the Windows CA, it signed it, and that was it.

    After the change was done, the users could sign in to the network and the switches too.

    Now the root certificate of the ClearPass expired last week, so it could be that, but why didn't the switches start complaining the same day that I changed that cert in the ClearPass? That is what I don't understand.

    We changed that cert many weeks ago.