Security

  • 1.  Nested Group filter stopped working after a year

    Posted Jun 25, 2025 01:57 AM

    Hello,

    A year ago we implemented new attributes in the authentication sources to filter for nested groups, as ClearPass can't do this by default. It worked for the last year without problems, but recently I get the following error:

    ERROR AuthSource.AuthAttributesInfo - Can't get ordered filters for attributes;  error in getting filter for attribute SubGroupMember

    We haven't changed anything regarding the sources or filters and the last update to CPPM 6.12.4 happened a few months ago.

    There haven't been any changes to the group structures according to our AD admin, and now I am a little lost as to why it suddenly stopped working.

    Source attributes we added:

    What confuses me the most is that in the Access Tracker under Input -> Authorization Attributes every Attribute is shown, including all of the nested groups.

    I am getting some mixed signals here and don't know where to look for the root of the problem.

    I would be thankful for a little nudge in the right direction.



  • 2.  RE: Nested Group filter stopped working after a year

    Posted Jul 01, 2025 08:10 AM

    Hello Fohdsnischdel,

    This kind of issue can occur after a ClearPass upgrade due to changes in how LDAP queries or nested group attributes are processed, even if your configuration hasn't changed. It's possible a backend update or increased strictness on LDAP filters is causing the error you're seeing.

    To troubleshoot:

    • First, restart the ClearPass Policy Manager and flush the authentication source cache. This often resolves attribute sync issues after upgrades.

    • Next, double-check your LDAP authentication source and test the group filter using the "Search Base DN" feature in ClearPass under the authentication source settings.

    • If the nested group queries are timing out or failing, you may need to simplify the filter or work with your AD team to check for recent changes or issues with group memberships.

    If you continue to see the error, I recommend opening a case with Aruba TAC, as they can review backend logs and advise if any specific hotfix or patch is required for your ClearPass version.

    Best regards,

    Vigan




  • 3.  RE: Nested Group filter stopped working after a year

    Posted Jul 09, 2025 03:20 AM

    You may have a look at this post/video, which describes a different method for retrieving nested groups.

    There may be a 'race condition' in that the MainGroup filter is executed before the Group filter, in which case the SubGroupMember attribute is not available yet; but it is strange that this worked for a year and then broke. It may also be something with an update on the AD side, but as I have not seen your method of getting subgroups for nested accounts, the other approach may work for you.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your HPE Aruba Networking partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact HPE Aruba Networking TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or HPE Aruba Networking.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------
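    Added worked example (my own illustration, not code from the thread and not ClearPass's implementation): a small model of how a chain of authorization-attribute filters has to be ordered by their `%{attribute}` dependencies, which is the ordering problem Herman describes and the situation behind an "ordered filters" error like the one in the first post. The filter names (Authentication, Group, MainGroup), the attribute names, the `produces` lists and the built-in attribute set are constructed assumptions; the model also shows why a filter that references an attribute no earlier filter produces cannot be ordered at all, and escapes substituted values per RFC 4515 so a DN containing parentheses or `*` cannot break the filter syntax.

```python
import re
from typing import Dict, List, Set

# Matches %{AttrName} substitutions in a filter template (the %{...} syntax is
# what the thread shows; everything else in this model is an assumption).
PLACEHOLDER = re.compile(r"%\{([^}]+)\}")

# Attributes available before any filter runs (assumption for this model).
BUILTIN_ATTRS = {"Authentication:Username"}


class FilterOrderError(Exception):
    """Raised when the filters cannot be put into a dependency-satisfying order."""


def rfc4515_escape(value: str) -> str:
    """Escape a value for substitution into an LDAP search filter (RFC 4515)."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def referenced_attrs(template: str) -> Set[str]:
    """Attribute names a filter template needs before it can run."""
    return set(PLACEHOLDER.findall(template))


def order_filters(filters: Dict[str, dict]) -> List[str]:
    """Return filter names so that every %{attr} is produced by an earlier filter.

    filters: name -> {"filter": template, "produces": [attr, ...]}
    Raises FilterOrderError if an attribute has no producer or filters form a cycle.
    """
    producer = {}
    for name, spec in filters.items():
        for attr in spec["produces"]:
            producer[attr] = name

    deps: Dict[str, Set[str]] = {}
    for name, spec in filters.items():
        deps[name] = set()
        for attr in referenced_attrs(spec["filter"]):
            if attr in BUILTIN_ATTRS:
                continue
            if attr not in producer:
                # Mirrors the thread's symptom: a filter depends on an attribute
                # that no other filter in the source produces.
                raise FilterOrderError(
                    f"error in getting filter for attribute {attr}: no filter produces it")
            deps[name].add(producer[attr])

    # Kahn-style topological sort: run a filter once all its producers have run.
    ordered: List[str] = []
    remaining = dict(deps)
    while remaining:
        ready = sorted(n for n, d in remaining.items() if d <= set(ordered))
        if not ready:
            raise FilterOrderError(
                "cyclic dependency among filters: " + ", ".join(sorted(remaining)))
        ordered.extend(ready)
        for n in ready:
            del remaining[n]
    return ordered


def render(template: str, attrs: Dict[str, str]) -> str:
    """Substitute already-collected attribute values into a filter, escaped."""
    def sub(m: re.Match) -> str:
        name = m.group(1)
        if name not in attrs:
            raise FilterOrderError(f"attribute {name} not available when filter ran")
        return rfc4515_escape(str(attrs[name]))
    return PLACEHOLDER.sub(sub, template)


# Constructed sample configuration: three filters chained through UserDN and
# SubGroupMember, in the spirit of the MainGroup/Group filters from the thread.
SAMPLE_FILTERS = {
    "Authentication": {
        "filter": "(&(sAMAccountName=%{Authentication:Username})(objectClass=user))",
        "produces": ["UserDN", "memberOf"],
    },
    "Group": {
        "filter": "(&(objectClass=group)(member=%{UserDN}))",
        "produces": ["SubGroupMember"],
    },
    "MainGroup": {
        "filter": "(&(objectClass=group)(member=%{SubGroupMember}))",
        "produces": ["Groups"],
    },
}

if __name__ == "__main__":
    print(order_filters(SAMPLE_FILTERS))
    # Same config with the Group filter removed: MainGroup can no longer be ordered.
    try:
        order_filters({k: v for k, v in SAMPLE_FILTERS.items() if k != "Group"})
    except FilterOrderError as exc:
        print("ordering failed:", exc)
```

    The point for a troubleshooter: an "ordered filters" failure is about the dependency graph between filters, not about whether the attributes show up in Access Tracker, so the first thing to compare is which attribute each filter references against which filter is supposed to produce it.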



  • 4.  RE: Nested Group filter stopped working after a year

    Posted Aug 27, 2025 03:26 AM

    Hello,

    Sorry for the late response.

    I have tried both methods from your video, but neither works.

    The method using the tokenGroups filter breaks the whole AD connection with the following error for every query:

    Session failed for Host="DC.domain.tld", Reason=[, (error=34) Invalid DN syntax ServerMsg=0000208F: LdapErr: DSID-0C090CD0, comment: Error processing name, data 0, v4563]

    The other method results in a query taking longer than 10 seconds, resulting in the errors:

    Policy server Session failed for Host="DC.domain.tld", Reason=[bind, (error=-1) Can't contact LDAP server]
    RADIUS 254_DSS_Auth - "DC":636: svc_clearpass@domain.tld bind failed - Can't contact LDAP server

    When I check the Base DN via "Search Base DN" in the Authentication Source, it works.
