  • 1.  clearpass tacacs login error

    Posted Mar 31, 2014 10:05 AM

    Installed the cumulative patch 1 for 6.3 today and since then the TACACS for login to the clearpass is showing the error below. Nothing else has changed as far as I know. Does the "Internal error in performing authentication" point to an issue with policy manager?


    Request Details Summary -
     Session ID: T0000000a-04-53396f5c
     Date and Time: Mar 31, 2014 14:36:28 BST
     Username: username
     Status: AUTHEN_STATUS_FAIL
     Request Type: TACACS_AUTHENTICATION
     Authorizations: 0
     Client IP Address/Port: 127.0.0.1:
     Remote IP Address: 10.10.10.10

    Policies Used -
     Service: Policy Manager
     Authentication Source:
     Roles:
     Enforcement Profiles:

    Authentication Request Messages -
     Error Category: Internal error
     Error Code: Internal error in performing authentication
     Alerts for this Request -
       Tacacs server: Failed to authenticate user=username



  • 2.  RE: clearpass tacacs login error

    Posted Mar 31, 2014 04:28 PM

    I have not seen that issue.

    You can try restarting the services and see if the issue continues.

    Please open a TAC case.



  • 3.  RE: clearpass tacacs login error
    Best Answer

    Posted Apr 01, 2014 03:13 AM

    It appears that restarting the "System auxiliary services" is the fix for this. Can't take credit for finding this solution - it was passed on to me by an Aruba employee.



  • 4.  RE: clearpass tacacs login error

    Posted Mar 03, 2026 10:47 PM

    Hi team,

    I have noticed a similar error on the ClearPass.

    TACACS authentication is set up with two Active Directory (AD) servers configured as separate IP-based authentication sources: Primary and Secondary. When the Primary AD server is powered down, TACACS authentication fails for all tested devices, including Palo Alto Firewalls, Cisco switches, and F5 Load Balancers. Authentication resumes immediately once the Primary AD server is brought back online.

    Current version is 6.11.11

    Cluster of 4 nodes


    Request Details Summary -
     Session ID: T0004669f-29-697e240a
     Date and Time: Jan 31, 2026 23:X:52 
     Username: username
     Status: AUTHEN_STATUS_FAIL
     Request Type: TACACS_AUTHENTICATION
     Authorizations: 0
     Client IP Address/Port: 10.X.X.X:unknown
     Remote IP Address: 

    Policies Used -
     Service: TACACS F5 Login services
     Authentication Source: 
     Roles: 
     Enforcement Profiles: 

    Authentication Request Messages -
     Error Category: Internal error
     Error Code: Internal error in performing authentication
     Alerts for this Request -
       Tacacs server: Session failed for Host=http://127.0.0.1:8080/networkservices/webauthservice/BasicAuthentication, Reason=[post::<easy_perform>, (error=28) Timeout was reached].\nFailed to authenticate user="username"

    Authorization Request Messages -

    Authorizations -

    Could you please confirm whether restarting the service "System auxiliary services" will fix the issue?

    Do we need to do it during downtime, and will there be any impact?

    Regards

    Aravind

    -------------------------------------------



  • 5.  RE: clearpass tacacs login error

    Posted Mar 06, 2026 07:54 AM

    As you responded to a decade-old conversation, what you see is probably something else.

    In my opinion, restarting the System Auxiliary Servers would create a short interruption, if any. You could also consider rebooting the appliances and letting the redundancy that you hopefully have in your cluster take care of the availability.

    If I see this error, my first guess would be that one of the authorization sources (or the authentication source) in your service is not responding and causing a timeout. Unless you find the root cause yourself, it may be good to work with TAC on this for further analysis.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your HPE Aruba Networking partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact HPE Aruba Networking TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or HPE Aruba Networking.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------
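
Added example, not part of any post in this thread and not ClearPass tooling: a small triage helper for request details pasted in the layout shown above, separating a backend timeout (the `error=28` alert in post 4) from a bare internal error (post 1). The names `parse_details` and `triage` are hypothetical, the sample text is constructed, and reading `error=28` as libcurl's timeout code is an assumption based on `easy_perform` in the alert.

```python
import re

# Constructed sample in the layout of the request details quoted in this thread;
# the address and service name are placeholders.
SAMPLE = """\
Request Details Summary -
 Status: AUTHEN_STATUS_FAIL
 Client IP Address/Port: 192.0.2.10:unknown
Policies Used -
 Service: Example TACACS service
 Authentication Source:
Authentication Request Messages -
 Error Category: Internal error
 Alerts for this Request -
   Tacacs server: Session failed for Host=http://127.0.0.1:8080/networkservices/webauthservice/BasicAuthentication, Reason=[post::<easy_perform>, (error=28) Timeout was reached].\\nFailed to authenticate user="username"
"""

ALERT_RE = re.compile(r"Host=(?P<host>[^,\s]+), Reason=\[.*?\(error=(?P<code>\d+)\)\s*(?P<reason>[^\]]*)\]")


def parse_details(text):
    """Return {section: {field: value}} from a pasted request-details dump."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(" -"):                  # section header, e.g. "Policies Used -"
            current = sections.setdefault(line[:-2], {})
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")  # split on the first colon only
            current[key.strip()] = value.strip()
    return sections


def triage(sections):
    """Classify a failed request using only fields present in the dump."""
    flat = {k: v for fields in sections.values() for k, v in fields.items()}
    result = {
        "failed": flat.get("Status") == "AUTHEN_STATUS_FAIL",
        "auth_source_recorded": bool(flat.get("Authentication Source")),
        "cause": "internal_error" if flat.get("Error Category") == "Internal error" else "other",
    }
    for value in flat.values():
        m = ALERT_RE.search(value)
        if m:
            result.update(host=m["host"], error=int(m["code"]), reason=m["reason"].strip())
            if result["error"] == 28:  # libcurl CURLE_OPERATION_TIMEDOUT (libcurl assumed)
                result["cause"] = "backend_timeout"
    return result
```

A `backend_timeout` result with no authentication source recorded points the investigation at reachability of the configured sources rather than at credentials or policy.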