Security


Clearpass doesn't allow GUEST-WIFI MAC-AUTH due to a strange SQL- Issue

  • 1.  Clearpass doesn't allow GUEST-WIFI MAC-AUTH due to a strange SQL- Issue

    Posted Mar 19, 2026 06:10 AM

    Hey and greets to y'all Airheads ,

    We have set up an open guest SSID located on an on-prem virtual mobility controller L2 Cluster. 

    The SSID's security settings include External Captive Portal (Clearpass), and the two authentication servers I already configured for RADIUS authentication (802.1x EAP-TLS WLAN users) are used. The SSID's AAA profile includes the setting for MAC authentication, as seen in Herman's tutorial on YouTube (straightforward).

    When any user connects their device to this SSID, I see an entry in the ClearPass Policy Manager (Access Tracker) with their MAC address. This indicates - so far - that the settings on the mobility controller seem to be correct. However, the settings in the ClearPass Policy Manager appear to be incorrect. The service being used is from the "Guest Authentication with MAC Caching" service template. No further manual settings have been added to this template. The Access Tracker displays the error code "206", which refers to an authentication issue. An SQL error message as seen below shows up as the DENY reason. After searching this forum, deleting two lines related to the guest user directory did not resolve the issue. I am baffled as to how this error occurs when the settings were all and only configured directly through templates on the Clearpass Policy Manager.

    Anyway, we cannot get the issue fixed, neither by manipulating the service, any policy or any role mapping, nor by configuring the settings anew and rolling out a new template.

    Guest users are connected to the SSID, but the redirection to the captive portal, and thus to the registration page on Clearpass, is missing. We are stuck in action...

    The error message is shown below. This is happening to ALL guest clients. The real MAC address was masqueraded with AABBCCDDEE ;-)


    Does anybody here know how to get further and can help?


    Error Code:
    206
    Error Category:
    Authentication failure
    Error Message:
    Access denied by policy
    Alerts for this Request:
    Policy server: Failed to construct filter=SELECT
    CASE WHEN expire_time is null or expire_time > now() THEN 'false'
    ELSE 'true'
    END AS is_expired,
    CASE WHEN enabled = true THEN 'true' ELSE 'false' END as is_enabled
    FROM tips_guest_users
    WHERE ((guest_type = 'USER') AND (user_id = '%{Endpoint:Username}') AND (app_name != 'Onboard')).
    Failed to get value for attributes=[AccountEnabled, AccountExpired]
    RADIUS[Endpoints Repository] - localhost: User not found.
    Applied 'Reject' profile


    INFO:
    IP Addresses (changed):
    CPPM Cluster: 10.255.0.123 (Publisher) 10.255.0.124 (Subscriber)
    WLAN Controller Interface IP: 10.255.1.11
    WLAN Controller VRRP IP: 10.255.1.111


    Authentication:ErrorCode                    0
    Authentication:Full-Username                aabbccddeeff
    Authentication:Full-Username-Normalized     aabbccddeeff
    Authentication:MacAuth                      UnknownClient
    Authentication:OuterMethod                  MAC-AUTH
    Authentication:Posture                      Unknown
    Authentication:Status                       MAB
    Authentication:Username                     aabbccddeeff
    Authorization:Sources                       [Guest User Repository], [Endpoints Repository], [Time Source]
    Connection:AP-Name                          Aruba-EUR-ACP-003
    Connection:Client-Mac-Address               AABBCCDDEEFF
    Connection:Client-Mac-Address-Colon         aa:bb:cc:dd:ee:ff
    Connection:Client-Mac-Address-Dot           aabb.ccdd.eeff
    Connection:Client-Mac-Address-Hyphen        aa-bb-cc-dd-ee-ff
    Connection:Client-Mac-Address-NoDelim       aabbccddeeff
    Connection:Client-Mac-Address-Upper-Hyphen  AA-BB-CC-DD-EE-FF
    Connection:Dest-IP-Address                  10.255.0.123
    Connection:Dest-Port                        1812
    Connection:NAD-IP-Address                   10.255.1.111
    Connection:Protocol                         RADIUS
    Connection:Src-IP-Address                   10.255.1.11
    Connection:Src-Port                         34878
    Connection:SSID                             GUEST-WIFI
    Date:Date-Time                              2026-03-18 14:58:57
    Device:Device Type                          Aruba WLC


    Relevant Logs:


    2026-03-18 14:58:57,852[Th 38 Req 633895 SessId R0001127a-01-69baafa1] INFO RadiusServer.Radius - rlm_service: Starting Service Categorization - 1:203:AABBCCDDEEFF
    2026-03-18 14:58:57,858[Th 38 Req 633895 SessId R0001127a-01-69baafa1] INFO RadiusServer.Radius - Service Categorization time = 6 ms
    2026-03-18 14:58:57,858[Th 38 Req 633895 SessId R0001127a-01-69baafa1] INFO RadiusServer.Radius - rlm_service: The request has been categorized into service "GUEST-WIFI MAC Authentication"
    2026-03-18 14:58:57,858[Th 38 Req 633895 SessId R0001127a-01-69baafa1] INFO RadiusServer.Radius - rlm_sql: searching for user aabbccddeeff in Local:localhost
    2026-03-18 14:58:57,858[RequestHandler-1-0x7fb8d29f7700 r=psauto-1770373248-143018 h=223 r=R0001127a-01-69baafa1] INFO Core.ServiceReqHandler - Service classification result = GUEST-WIFI MAC Authentication
    2026-03-18 14:58:57,859[Th 38 Req 633895 SessId R0001127a-01-69baafa1] INFO RadiusServer.Radius - rlm_policy: Starting Policy Evaluation.


    2026-03-18 14:58:57,865[AuthReqThreadPool-10-0x7fb9d63f7700 r=R0001127a-01-69baafa1 h=74] WARN Util.ParameterizedString - getReplacedStrings: Failed to replace parameString =SELECT
    2026-03-18 14:58:57,865[AuthReqThreadPool-10-0x7fb9d63f7700 r=R0001127a-01-69baafa1 h=74] ERROR ExtDB.DBQuery - execute: Failed to construct filter=SELECT
    2026-03-18 14:58:57,865[AuthReqThreadPool-10-0x7fb9d63f7700 r=R0001127a-01-69baafa1 h=74] ERROR ExtDB.DBQuery - Failed to get value for attributes=AccountEnabled, AccountExpired]


    2026-03-18 14:58:57,869[RequestHandler-1-0x7fb8d29f7700 r=R0001127a-01-69baafa1 h=1274361 c=R0001127a-01-69baafa1] WARN Core.PETaskPostAuthEnfProfileBuilder - handleHttpResponseEv: Fetching Radius attributes from battery failed, errMsg=
    2026-03-18 14:58:57,869[RequestHandler-1-0x7fb8d29f7700 r=R0001127a-01-69baafa1 h=1274361 c=R0001127a-01-69baafa1] INFO Core.PETaskPostAuthEnfProfileBuilder - getApplicableProfiles: No Post auth enforcement profiles applicable for this device
    2026-03-18 14:58:57,869[RequestHandler-1-0x7fb8d29f7700 r=R0001127a-01-69baafa1 h=1274358 c=R0001127a-01-69baafa1] WARN Core.PETaskRadiusCoAEnfProfileBuilder - handleHttpResponseEv: Fetching Radius attributes from battery failed, errMsg=


    2026-03-18 14:58:57,872[RequestHandler-1-0x7fb8d29f7700 h=1274365 c=R0001127a-01-69baafa1] WARN Core.RadiusEnfProfileHelper - getSessionTimeoutInSecs: SessionTimeout attribute missing in output


    2026-03-18 14:58:57,873[RequestHandler-1-0x7fb8d29f7700 r=R0001127a-01-69baafa1 h=1274368] ERROR Core.MacAuthSessionQueryEventHandler - Failed to get MacAuth session info for aabbccddeeff
    2026-03-18 14:58:57,873[RequestHandler-1-0x7fb8d29f7700 h=1274365 c=R0001127a-01-69baafa1] WARN Core.PETaskMacAuthResetHandler - handleMacAuthSessionResponseEv: Error reading MacAuth session info. Error=Failed to get MacAuth session info for aabbccddeeff 


    -------------------------------------------
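The log excerpt above is easier to reason about once the lines are grouped by request ID and the failing filter is checked for the `%{Namespace:Attribute}` substitutions it depends on. The following Python is an added example (it is not code from the thread, from HPE Aruba or from ClearPass); it parses the line layout shown in the post, flags the `Util.ParameterizedString` "Failed to replace" warning and the `ExtDB.DBQuery` errors, and lists the placeholders the filter needs resolved. The filter text and log lines embedded below are copied from the post (the MAC was already masked by the poster); the regular expressions for the log layout and the request ID format are assumptions derived from those lines.

```python
"""Group ClearPass policy-server log lines by request ID and report which
%{Namespace:Attribute} placeholders a failing query filter depends on.
Added example, not ClearPass code; log layout and ID format are assumed
from the lines quoted in the post."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass, field

# Layout seen in the post: "<timestamp>[<thread/request context>] <LEVEL> <Component> - <message>"
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})\[(?P<ctx>[^\]]*)\]\s+"
    r"(?P<level>[A-Z]+)\s+(?P<component>\S+)\s+-\s+(?P<msg>.*)$"
)
# Request/session identifier as it appears after "SessId ", "r=" or "c=" in the context
REQ_RE = re.compile(r"\bR[0-9a-f]{8}-\d{2}-[0-9a-f]{8}\b")
# ClearPass substitution syntax inside filters: %{Namespace:Attribute}
PLACEHOLDER_RE = re.compile(r"%\{([A-Za-z0-9_-]+):([A-Za-z0-9_ -]+)\}")


@dataclass
class Event:
    ts: str
    request_id: str | None
    level: str
    component: str
    msg: str


@dataclass
class Diagnosis:
    request_id: str
    placeholders: list[str] = field(default_factory=list)
    substitution_failed: bool = False
    db_errors: list[str] = field(default_factory=list)


def parse_line(line: str) -> Event | None:
    """Parse one log line; return None for lines that do not match the layout."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rid = REQ_RE.search(m["ctx"])
    return Event(m["ts"], rid.group(0) if rid else None, m["level"], m["component"], m["msg"])


def placeholders_in(sql: str) -> list[str]:
    """Return the %{...} references the filter needs resolved before it can run."""
    return [f"{ns}:{attr}" for ns, attr in PLACEHOLDER_RE.findall(sql)]


def diagnose(lines, sql_filter: str) -> dict[str, Diagnosis]:
    """One Diagnosis per request ID: did substitution fail, and which DB errors followed."""
    by_req: dict[str, list[Event]] = defaultdict(list)
    for ev in filter(None, map(parse_line, lines)):
        if ev.request_id:
            by_req[ev.request_id].append(ev)
    result = {}
    for rid, events in by_req.items():
        d = Diagnosis(rid, placeholders_in(sql_filter))
        for ev in events:
            if ev.component == "Util.ParameterizedString" and "Failed to replace" in ev.msg:
                d.substitution_failed = True
            if ev.component == "ExtDB.DBQuery" and ev.level == "ERROR":
                d.db_errors.append(ev.msg)
        result[rid] = d
    return result


def summarize(d: Diagnosis) -> str:
    lines = [f"request {d.request_id}: filter references {', '.join(d.placeholders) or 'nothing'}"]
    if d.substitution_failed:
        lines.append("  substitution of the filter failed; verify each referenced attribute "
                     "exists for this request (Access Tracker -> Input tab)")
    lines.extend(f"  db error: {m}" for m in d.db_errors)
    return "\n".join(lines)


# Copied from the post (MAC already masked by the poster).
FILTER_SQL = """SELECT
CASE WHEN expire_time is null or expire_time > now() THEN 'false'
ELSE 'true'
END AS is_expired,
CASE WHEN enabled = true THEN 'true' ELSE 'false' END as is_enabled
FROM tips_guest_users
WHERE ((guest_type = 'USER') AND (user_id = '%{Endpoint:Username}') AND (app_name != 'Onboard'))"""

SAMPLE_LOG = [
    "2026-03-18 14:58:57,858[Th 38 Req 633895 SessId R0001127a-01-69baafa1] INFO RadiusServer.Radius - rlm_sql: searching for user aabbccddeeff in Local:localhost",
    "2026-03-18 14:58:57,865[AuthReqThreadPool-10-0x7fb9d63f7700 r=R0001127a-01-69baafa1 h=74] WARN Util.ParameterizedString - getReplacedStrings: Failed to replace parameString =SELECT",
    "2026-03-18 14:58:57,865[AuthReqThreadPool-10-0x7fb9d63f7700 r=R0001127a-01-69baafa1 h=74] ERROR ExtDB.DBQuery - execute: Failed to construct filter=SELECT",
    "2026-03-18 14:58:57,865[AuthReqThreadPool-10-0x7fb9d63f7700 r=R0001127a-01-69baafa1 h=74] ERROR ExtDB.DBQuery - Failed to get value for attributes=AccountEnabled, AccountExpired]",
    "2026-03-18 14:58:57,873[RequestHandler-1-0x7fb8d29f7700 r=R0001127a-01-69baafa1 h=1274368] ERROR Core.MacAuthSessionQueryEventHandler - Failed to get MacAuth session info for aabbccddeeff",
]

if __name__ == "__main__":
    for d in diagnose(SAMPLE_LOG, FILTER_SQL).values():
        print(summarize(d))
```

Run as-is it prints one summary for request R0001127a-01-69baafa1 naming `Endpoint:Username` as the only placeholder; point `diagnose()` at lines exported from the policy server log to process a whole capture. The script only reports what the log states (substitution failed, followed by the two DBQuery errors); which attribute is missing for an unknown client is something to confirm in Access Tracker for that request.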


  • 2.  RE: Clearpass doesn't allow GUEST-WIFI MAC-AUTH due to a strange SQL- Issue

    Posted Mar 19, 2026 06:49 AM

    In the captive portal process a new device will get a reject by ClearPass the first time it connects to the SSID. It's by design.

    When the client is rejected by ClearPass the controller will put the client in the logon role. In this role you have to have logon control and captive portal policies.

    Also remember that the controllers must have an IP address on the same VLAN as the guests. Configure an IP for each controller if you don't have this already. Otherwise the redirect will not work.

    From the guest device, also make sure you get an IP address, and can access ClearPass by IP and by name to verify correct DNS function. DNS is essential for captive portal function.

    If you can't access ClearPass by IP, make sure to have opened port 443 from the guest VLAN to ClearPass in the logon role.

    For the posting of the credentials during login for the guest, the controller must have a captive portal certificate, and in the ClearPass guest registration page you must point to the same name as in the certificate. This name doesn't need to have a DNS record. The controller will handle this request.



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP Guru, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------
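The checks in the reply above (DNS resolution of ClearPass from the guest VLAN, tcp/443 reachable through the logon role, and the credential-post hostname matching the controller's captive portal certificate) can be scripted as a pre-flight run from a guest-VLAN host. The Python below is an added example, not code from the reply, from HPE Aruba or from ClearPass; the hostnames `cppm.example.test` and `securelogin.example.test` are placeholders, and the way the controller certificate names and the registration page's post URL are passed in is an assumption. The network calls are injectable so the logic can be exercised without a live network.

```python
"""Pre-flight checks for the captive portal prerequisites from the reply.
Added example with placeholder names; the resolver and connector are
injectable so the checks can be exercised offline."""
from __future__ import annotations

import socket
import sys
from dataclasses import dataclass
from typing import Callable, Iterable
from urllib.parse import urlsplit


@dataclass
class CheckResult:
    name: str
    ok: bool
    detail: str


def resolve(host: str) -> str:
    """Default resolver: first A record via the host's configured DNS."""
    return socket.gethostbyname(host)


def tcp_open(host: str, port: int, timeout: float = 3.0) -> bool:
    """Default connector: can we complete a TCP handshake to host:port?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_dns(cppm_fqdn: str, expected_ip: str,
              resolver: Callable[[str], str] = resolve) -> CheckResult:
    """ClearPass must resolve by name from the guest VLAN, and to the expected address."""
    try:
        ip = resolver(cppm_fqdn)
    except OSError as exc:  # socket.gaierror is an OSError
        return CheckResult("dns", False, f"{cppm_fqdn} did not resolve: {exc}")
    return CheckResult("dns", ip == expected_ip, f"{cppm_fqdn} -> {ip} (expected {expected_ip})")


def check_https(cppm_ip: str,
                connector: Callable[[str, int], bool] = tcp_open) -> CheckResult:
    """tcp/443 to ClearPass has to be permitted in the logon role."""
    ok = connector(cppm_ip, 443)
    state = "reachable" if ok else "blocked (check the logon role policy)"
    return CheckResult("https", ok, f"tcp/443 to {cppm_ip} {state}")


def check_portal_name(login_post_url: str, controller_cert_names: Iterable[str]) -> CheckResult:
    """The host the registration page posts credentials to must be a name on the
    controller's captive portal certificate (no DNS record needed for that name)."""
    host = urlsplit(login_post_url).hostname
    names = {n.lower() for n in controller_cert_names}
    ok = host is not None and host.lower() in names
    return CheckResult("portal-name", ok,
                       f"post host {host!r} vs certificate names {sorted(names)}")


def run_all(cppm_fqdn: str, cppm_ip: str, login_post_url: str,
            controller_cert_names: Iterable[str],
            resolver: Callable[[str], str] = resolve,
            connector: Callable[[str, int], bool] = tcp_open) -> list[CheckResult]:
    return [
        check_dns(cppm_fqdn, cppm_ip, resolver),
        check_https(cppm_ip, connector),
        check_portal_name(login_post_url, controller_cert_names),
    ]


def all_ok(results: Iterable[CheckResult]) -> bool:
    return all(r.ok for r in results)


if __name__ == "__main__":
    # Placeholder values; the publisher IP is the one given in the post.
    results = run_all("cppm.example.test", "10.255.0.123",
                      "https://securelogin.example.test/cgi-bin/login",
                      ["securelogin.example.test"])
    for r in results:
        print(f"[{'OK' if r.ok else 'FAIL'}] {r.name}: {r.detail}")
    sys.exit(0 if all_ok(results) else 1)
```

Run it from a client on the guest VLAN after it has picked up an address; a failing `dns` or `https` check points at the VLAN/DNS/logon-role items in the reply, while a failing `portal-name` check means the name the registration page posts to is not on the controller's captive portal certificate.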



  • 3.  RE: Clearpass doesn't allow GUEST-WIFI MAC-AUTH due to a strange SQL- Issue

    Posted Mar 24, 2026 06:00 AM

    Please check/verify the role that the client is in after the REJECT; it may need 'L2 fallback' enabled on the SSID.

    If you don't like the REJECTs in your logs, you may consider the [Allow All MAC Auth] and return a specific logon role with the redirect for unknown clients. While there is no functional difference, it looks better to see ACCEPTs.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your HPE Aruba Networking partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact HPE Aruba Networking TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or HPE Aruba Networking.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------