Security

Hi, we have two Clearpass 6.9.12.136929 servers and Mobility Conductor and Controllers on 8.6. We had an issue where a large number of users returned to site and seemingly overwhelmed our Clearpass servers with auth requests to the point that RADIUS stopped working completely and all incoming requests were timing out as seen in the access tracker. This occurred with requests per minute being at just under 1000 which would be approx 16 per second which from what I understand is way below the specs of our hardware. Once requests numbers died down the RADIUS service started responding again. We were previously using NPS and then FreeRADIUS in the past with two servers and never experienced any sort of issue with them being overwhelmed with requests with same number of clients. 

We were recommended to move from a VIP setup with single server handling requests to using the controller for load balancing which seems to have improved things but we still noticed some periods of time outs at peak hours which were impacting service. We are now almost back to normal but we still notice lots of chunks of time outs where we see approx 10-30 requests in the access tracker time out in a row then it goes back to normal. The requests are all for different clients at different locations so seemingly unconnected other than they all time out at the exact same time. Is this an issue or is it expected behaviour from Clearpass when timing out requests?

We have also noticed that there seem to be a lot of requests from the same clients over a short period of time and throughout the day even when the client is not roaming or moving and has successfully authenticated recently. Is there some misconfiguration on our Clearpass or controller that could be causing this?

Thanks.

If you can, please open a technical support case so that they can provide guidance.
Your other options would be to pilot turning on 802.11r so that clients do not have to do a full reauth for access points that they have visited in the past.
You should keep a note of specific clients that cause alot of authentications to see if they can update those client drivers or if the client was in an area with sparse coverage.
Lastly, the technical support case could uncover the reason behind the reauthentications and give you an idea of where you should be looking.

------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

HPE Design and Deploy Guides: https://community.arubanetworks.com/support/migrated-knowledge-base?attachments=&communitykey=dcc83c62-1a3a-4dd8-94dc-92968ea6fff1&pageindex=0&pagesize=12&search=&sort=most_recent&viewtype=card
------------------------------

Hi, thanks for the reply. We do have a case open through our vendor and an Aruba Clearpass engineer and a Controller engineer both looked and took logs and packet captures. The Clearpass engineer said the request load on the server was too high and that the controllers were the issue and reason for time outs. The controller engineer said Clearpass was the reason for the time outs and that it was not responding to the clients.

We were planning to enable the 802.11 roaming features including r.

Clients were a mixture of managed and unmanaged but even managed devices with up to date drivers were affected and these devices have been working fine with Clearpass for few months up until the increased request load happened. Coverage is fine as again it is in areas that have been used for years without this issue and without changes to the controller config or AP density.
Original Message:
Sent: Sep 29, 2022 07:57 AM
From: Colin Joseph
Subject: Clearpass Timeouts

If you can, please open a technical support case so that they can provide guidance.
Your other options would be to pilot turning on 802.11r so that clients do not have to do a full reauth for access points that they have visited in the past.
You should keep a note of specific clients that cause alot of authentications to see if they can update those client drivers or if the client was in an area with sparse coverage.
Lastly, the technical support case could uncover the reason behind the reauthentications and give you an idea of where you should be looking.

------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

HPE Design and Deploy Guides: https://community.arubanetworks.com/support/migrated-knowledge-base?attachments=&communitykey=dcc83c62-1a3a-4dd8-94dc-92968ea6fff1&pageindex=0&pagesize=12&search=&sort=most_recent&viewtype=card
------------------------------

When having timeout issues its a good moment to start packet capturing.

1. Start a packet-capture on the ClearPass Policy Manager under Administration > Servers > Collect logs
2. At the same time do a packet-capture on your  wlan-controller that handle the user.
3. Do an authentication.
4. Check the radius packet flow in both packet-captures with wireshark
5. Check the logging of the authentication in de access-tracker

All radius-challanges have an unique ID with can be matched in your captures and access-tracker log, and this way you will found "who" is not responder. 

Using load-balancing in the wlan-controller is a good thing. But also find out the reason why some clients have a high amount of authentications.

Did you read the ClearPass Scaling Guide before deployment?  https://support.hpe.com/hpesc/public/docDisplay?docId=a00100074en_us

How big is this network? how many APs and concurrent users?


------------------------------
Marcel Koedijk | MVP Expert 2022 | ACEP | ACMP | ACCP | ACDP | Ekahau ECSE | Not an HPE Employee | Opinions are my own
------------------------------

Original Message:
Sent: Sep 29, 2022 10:09 AM
From: Oliver Grear
Subject: Clearpass Timeouts

Hi, thanks for the reply. We do have a case open through our vendor and an Aruba Clearpass engineer and a Controller engineer both looked and took logs and packet captures. The Clearpass engineer said the request load on the server was too high and that the controllers were the issue and reason for time outs. The controller engineer said Clearpass was the reason for the time outs and that it was not responding to the clients.

We were planning to enable the 802.11 roaming features including r.

Clients were a mixture of managed and unmanaged but even managed devices with up to date drivers were affected and these devices have been working fine with Clearpass for few months up until the increased request load happened. Coverage is fine as again it is in areas that have been used for years without this issue and without changes to the controller config or AP density.

Original Message:
Sent: Sep 29, 2022 07:57 AM
From: Colin Joseph
Subject: Clearpass Timeouts

If you can, please open a technical support case so that they can provide guidance.
Your other options would be to pilot turning on 802.11r so that clients do not have to do a full reauth for access points that they have visited in the past.
You should keep a note of specific clients that cause alot of authentications to see if they can update those client drivers or if the client was in an area with sparse coverage.
Lastly, the technical support case could uncover the reason behind the reauthentications and give you an idea of where you should be looking.

------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

HPE Design and Deploy Guides: https://community.arubanetworks.com/support/migrated-knowledge-base?attachments=&communitykey=dcc83c62-1a3a-4dd8-94dc-92968ea6fff1&pageindex=0&pagesize=12&search=&sort=most_recent&viewtype=card

-------------------------------------------

This is a really old thread and the chance to get an answer from the original poster is quite low.

If you have a similar issue, please make a new post.

------------------------------
Best Regards
Jonas Hammarbäck
MVP Guru, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security
Aranya AB
If you find my answer useful, consider giving kudos and/or mark as solution
------------------------------

Original Message:
Sent: Apr 23, 2026 02:54 AM
From: Christian
Subject: Clearpass Timeouts

Hello @kuairhead. 

What was ultimately the cause of this incident, and how was it resolved?

Best regards,
Chris