Troubleshooting ClearPass

  • 1. Troubleshooting ClearPass

    Posted Oct 18, 2022 11:26 AM

    This page highlights common ClearPass issues and how to troubleshoot them step by step.

    1): Aruba ClearPass Workshop video series

    Check out the YouTube video series that demonstrates how to troubleshoot common ClearPass issues.

    https://www.youtube.com/playlist?list=PLsYGHuNuBZcb0xD05v9zdwv7NlUG_8oJS

    2): Basic RADIUS troubleshooting 

    A common ClearPass issue is RADIUS authentication failure. The following examples show common RADIUS authentication alerts and why they occur.

    i): Failure condition: The NAD device is not added to ClearPass. The PAP request does not show up in Access Tracker:

    Aruba ClearPass Error – NAD devices not added

     

    ii): Failure condition: The NAD device is added with the wrong RADIUS shared secret:

    Aruba ClearPass Error – NAD device added with wrong RADIUS shared secret


    iii): Failure condition: Authentication passed but was denied by policy conditions:

    Aruba ClearPass Error – Authentication failure due to policy conditions


    iv): Failure condition: Machine account for ClearPass was deleted from the domain controller:

    Aruba ClearPass Error – Authentication failure due to machine account being deleted



    v): Failure condition: ClearPass is unable to establish a connection with LDAP. The following message is logged in the event viewer:

    Aruba ClearPass Error – Unable to establish connection with LDAP


    vi): Failure condition: The connection to AD is fine, but the user entered incorrect credentials:

    Aruba ClearPass Error – Authentication failure due to incorrect credentials


    vii): Failure condition: ClearPass cannot connect to the domain controller to authenticate the user:

    Aruba ClearPass Error – Authentication failure due to no connection with domain controller


    viii): Failure condition: TLS alert sent by the server. The server does not trust the CA that signed the client certificate:

    Aruba ClearPass Error – Authentication failure due to server not trusting the CA


    ix): Failure condition: TLS alert sent by the client. The client does not trust the CA that signed the server certificate:

    Aruba ClearPass Error – Authentication failure due to client not trusting the CA


    x): Failure condition: The OCSP server returned the certificate status as UNKNOWN:

    Aruba ClearPass Error – Authentication failure due to OCSP server


    xi): Failure condition: Invalid response from the OCSP server:

    Aruba ClearPass Error – Authentication failure due to OCSP server error

    3): Common issues with AD over SSL connections

    Another common class of ClearPass errors is SSL connection failures to Active Directory. The following table describes typical SSL connection issues, the matching RADIUS debug log lines, and the fix.

    Error: Hostname mismatch with certificate

    Error message: Access Tracker alert "Bind failed – Can't contact LDAP server"

    RADIUS debug log:

    2020-12-31 00:42:36,684 [Th 27 Req 18 SessId R00000012-11-5fecd124] ERROR RadiusServer.Radius - rlm_ldap: (re)connection attempt failed

    2020-12-31 00:42:36,684 [Th 27 Req 18 SessId R00000012-11-5fecd124] ERROR RadiusServer.Radius - rlm_ldap: TLS: hostname does not match CN in peer certificate

    Solution: The hostname configured in the LDAP authentication source must match the CN of the Active Directory/LDAP server certificate, or the hostname/FQDN must appear in the certificate's SAN (Subject Alternative Name) DNS field.

    Error: AD/LDAP certificate is not present in the ClearPass Trust List

    Error message: The error message indicates that the required certificates are not included in the Trust List.

    RADIUS debug log:

    2020-12-31 01:33:13,232 [Th 28 Req 19 SessId R00000013-11-5fecdd01] ERROR RadiusServer.Radius - rlm_ldap: james@clearwave.aruba.com bind to win19-165.clearwave.aruba.com:636 failed: Can't contact LDAP server

    2020-12-31 01:33:13,232 [Th 28 Req 19 SessId R00000013-11-5fecdd01] ERROR RadiusServer.Radius - rlm_ldap: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (unable to get local issuer certificate)

    In the packet capture, ClearPass responds with an "Unknown CA" TLS alert to the Server Hello (Certificate) packet.

    Solution: When adding the AD certificate to the ClearPass Trust List (Administration > Certificates > Trust List), specify the following usages:

    ·       EAP

    ·       AD/LDAP Servers


    4): Troubleshooting ClearPass profiling 

    If profiling in ClearPass is not working, the most common reason is that DHCP packets are not reaching ClearPass (see the figure below), either because a firewall blocks them or because of a misconfiguration on the switch. Perform the following steps to find out why profiling is not working.

    Aruba ClearPass Error – DHCP packet not reaching ClearPass

    4.1): To prove that the problem is not with the ClearPass server, perform a packet capture from within ClearPass. In ClearPass Policy Manager, select Administration > Server Manager > Server Configuration > Collect Logs.

    Aruba ClearPass – Packet Capture Screen

    4.2): Deselect all checked boxes, then select Capture network packet and enter 60 in the Duration of dump (secs) field, as shown below.

    Aruba ClearPass – Collect Logs for Packet Capture

    4.3): Enter a password for the zip file that will be downloaded; you need it to open the archive.

    After you receive the zip file, open the capture and analyse the relevant packets (for profiling, the DHCP requests). Watch this video for step-by-step instructions.


    5): Troubleshooting dynamic ACLs 

    If you are using a dynamic access list and the client status on your switch shows as "rejected no vlan", the problem might be related to the dynamic access list. To troubleshoot this issue, run the following two commands on the switch:

    • debug destination sessions
    • debug event

    Watch this video for step-by-step instructions.


    6): Additional Resources

    6.1): Advanced ClearPass best practices and troubleshooting methods

    Learn how to successfully deploy ClearPass and get troubleshooting help from our TAC experts. Hear about some common issues, deployment best practices, and simple things you can do to keep things running smoothly.

    https://www.youtube.com/watch?v=-1Bwm4_ukkU

     

    6.2): Aruba ClearPass Workshop (2021) - Troubleshooting #1 ClearPass Packet Capture

    Watch how to perform a packet capture from the ClearPass appliance and analyze it in Wireshark. In the capture, you can view the flow of a CoA, RADIUS accounting, RADIUS authentication, and the DHCP request for profiling.

    https://www.youtube.com/watch?v=L5lK5b7f9wk

     

    6.3): Aruba ClearPass Workshop - Wired #5 - Troubleshooting Dynamic ACLs

    Learn how to fix the Client Status: rejected no vlan error. In most cases, this is due to an invalid entry in your dynamic access list that is pushed back from ClearPass.

    https://www.youtube.com/watch?v=IayTBrXVznE
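The first two RADIUS failure conditions in section 2 (NAD not added, wrong shared secret) look different from the NAD's side and from ClearPass's side. The following added example (not code from the original post or from Aruba) models one PAP round trip with the Python standard library: it hides the User-Password as RFC 2865 section 5.2 specifies, has the "server" drop requests from unknown clients, and checks the Response Authenticator on the "client". The NAD table, user store, IP addresses and secrets are made up for the demonstration.

```python
"""RADIUS PAP exchange as a NAD (client) and as ClearPass (server) would see it.

Added example, not part of the original post. Stdlib only. A request from an
unknown NAD gets no reply at all (nothing in Access Tracker); a request hidden
with the wrong shared secret decrypts to garbage on the server, and the reply
it signs does not verify on the NAD. All names, IPs and secrets are constructed."""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4


def pap_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to a multiple of 16, XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def pap_reveal(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of pap_hide. With the wrong secret this returns garbage, not an error."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")  # padding removal; passwords ending in NUL are not supported


def _attr(kind: int, value: bytes) -> bytes:
    return struct.pack("!BB", kind, len(value) + 2) + value


def parse_attrs(packet: bytes) -> dict:
    """Return {type: value} for the attributes after the 20-byte RADIUS header."""
    attrs, pos = {}, 20
    while pos + 2 <= len(packet):
        kind, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs[kind] = packet[pos + 2:pos + length]
        pos += length
    return attrs


def build_access_request(ident, username, password, secret, nas_ip):
    """NAD side. Returns (packet, request_authenticator)."""
    req_auth = os.urandom(16)
    attrs = (_attr(USER_NAME, username)
             + _attr(USER_PASSWORD, pap_hide(password, secret, req_auth))
             + _attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + req_auth + attrs, req_auth


def server_handle(src_ip, packet, nad_table, users):
    """Server side. Unknown source IP -> silently discarded, as RFC 2865 requires.
    Known NAD -> decrypt with that NAD's secret, compare, sign the reply."""
    if src_ip not in nad_table:
        return None
    secret = nad_table[src_ip]
    req_auth, attrs = packet[4:20], parse_attrs(packet)
    user = attrs[USER_NAME].decode("utf-8", "replace")
    password = pap_reveal(attrs[USER_PASSWORD], secret, req_auth)
    code = ACCESS_ACCEPT if users.get(user) == password else ACCESS_REJECT
    header = struct.pack("!BBH", code, packet[1], 20)   # no reply attributes
    resp_auth = hashlib.md5(header + req_auth + secret).digest()  # RFC 2865 section 3
    return header + resp_auth


def client_verify(response, req_auth, secret):
    """NAD side: ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header, resp_auth, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + req_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def exchange(nad_ip, nad_secret, cp_nads, users, username=b"james", password=b"Passw0rd!"):
    """One PAP round trip, summarised as the NAD would observe it."""
    req, req_auth = build_access_request(7, username, password, nad_secret, nad_ip)
    resp = server_handle(nad_ip, req, cp_nads, users)
    if resp is None:
        return "timeout: NAD not in ClearPass, request dropped, no Access Tracker entry"
    code = "accept" if resp[0] == ACCESS_ACCEPT else "reject"
    if not client_verify(resp, req_auth, nad_secret):
        return code + " but Response Authenticator invalid: shared secret mismatch"
    return code


if __name__ == "__main__":
    CP_NADS = {"10.0.0.5": b"s3cret"}   # constructed NAD table (Configuration > Network > Devices)
    USERS = {"james": b"Passw0rd!"}      # constructed user store
    print(exchange("10.0.0.5", b"s3cret", CP_NADS, USERS))  # accept
    print(exchange("10.0.0.6", b"s3cret", CP_NADS, USERS))  # timeout, unknown NAD
    print(exchange("10.0.0.5", b"wr0ng", CP_NADS, USERS))   # reject + bad authenticator
```

The practical reading: a NAD that times out with no Access Tracker entry at all points to condition i) (client not in the device table), while a request that does appear but is rejected, and whose reply the NAD logs as "bad authenticator", points to condition ii).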
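The rlm_ldap lines in section 3 are easier to act on when grouped by session, because the generic "Can't contact LDAP server" line is always accompanied by a more specific TLS line in the same session. The following added example (not code from the post or from ClearPass) parses RADIUS debug log lines, groups them by SessId and maps each session to the cause and fix from the table above. The first four sample lines are the ones quoted in the post; the last two are constructed to show a bind failure with no TLS detail and a non-error line that should be ignored.

```python
"""Diagnose LDAPS bind failures from ClearPass RADIUS debug log lines.

Added example, not ClearPass code. Groups rlm_ldap ERROR lines by session and
picks the most specific cause per session. Rule texts are taken from the log
lines quoted in the post; the 'bind-failed' fallback and the sample session
R00000014 are constructed for illustration."""
import re

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \[Th (?P<thread>\d+) Req (?P<req>\d+) SessId (?P<sess>\S+)\] "
    r"(?P<level>\w+) (?P<component>\S+) - (?P<msg>.*)$"
)

# Most specific first: the first rule that matches any message in a session wins.
RULES = [
    (re.compile(r"TLS: hostname does not match CN in peer certificate"),
     "hostname-mismatch",
     "Set the authentication source hostname to the certificate CN, or to a name in its SAN DNS entries"),
    (re.compile(r"certificate verify failed \(unable to get local issuer certificate\)"),
     "untrusted-issuer",
     "Add the AD/LDAP certificate under Administration > Certificates > Trust List "
     "with usages EAP and AD/LDAP Servers"),
    (re.compile(r"bind to \S+:(636|389) failed: Can't contact LDAP server"),
     "bind-failed",
     "No TLS detail in this session: check that the port is reachable (firewall, DNS, service up)"),
]

SAMPLE_LOG = [
    # quoted from the post
    "2020-12-31 00:42:36,684 [Th 27 Req 18 SessId R00000012-11-5fecd124] ERROR RadiusServer.Radius - rlm_ldap: (re)connection attempt failed",
    "2020-12-31 00:42:36,684 [Th 27 Req 18 SessId R00000012-11-5fecd124] ERROR RadiusServer.Radius - rlm_ldap: TLS: hostname does not match CN in peer certificate",
    "2020-12-31 01:33:13,232 [Th 28 Req 19 SessId R00000013-11-5fecdd01] ERROR RadiusServer.Radius - rlm_ldap: james@clearwave.aruba.com bind to win19-165.clearwave.aruba.com:636 failed: Can't contact LDAP server",
    "2020-12-31 01:33:13,232 [Th 28 Req 19 SessId R00000013-11-5fecdd01] ERROR RadiusServer.Radius - rlm_ldap: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (unable to get local issuer certificate)",
    # constructed: same bind failure but no TLS line, e.g. TCP/636 filtered by a firewall
    "2020-12-31 02:05:01,100 [Th 29 Req 20 SessId R00000014-11-5fecf0a1] ERROR RadiusServer.Radius - rlm_ldap: james@clearwave.aruba.com bind to win19-165.clearwave.aruba.com:636 failed: Can't contact LDAP server",
    # constructed noise that must be ignored (not ERROR level)
    "2020-12-31 02:05:01,101 [Th 29 Req 20 SessId R00000014-11-5fecf0a1] INFO RadiusServer.Radius - rlm_ldap: retrying",
]


def parse_line(line: str):
    """Split one debug log line into its fields, or None if it is not in that format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def diagnose(lines):
    """Return {session_id: {"cause", "fix", "evidence"}} for every session with rlm_ldap errors."""
    sessions = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["level"] != "ERROR" or not rec["msg"].startswith("rlm_ldap:"):
            continue
        sessions.setdefault(rec["sess"], []).append(rec["msg"])

    result = {}
    for sess, msgs in sessions.items():
        verdict = {"cause": "unknown",
                   "fix": "Inspect the full session in the RADIUS debug log",
                   "evidence": msgs[-1]}
        for pattern, cause, fix in RULES:
            hit = next((m for m in msgs if pattern.search(m)), None)
            if hit:
                verdict = {"cause": cause, "fix": fix, "evidence": hit}
                break
        result[sess] = verdict
    return result


if __name__ == "__main__":
    for sess, v in diagnose(SAMPLE_LOG).items():
        print("%s  %-18s %s" % (sess, v["cause"], v["fix"]))
```

Run it over the RADIUS debug log exported from Collect Logs (with "Logs" selected and the RADIUS server log level raised to DEBUG) to get one line per failing session instead of reading the pairs by hand.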
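Once the 60-second capture from section 4 is in hand, the question is simply whether any DHCP traffic from the client reached the ClearPass interface, and whether it carries the fields profiling uses (client MAC, option 55 parameter request list, option 60 vendor class, hostname). The following added example (not ClearPass code) decodes a raw DHCP payload into exactly those fields. The Discover packet is constructed byte by byte to stand in for one pulled out of the capture, for example with tshark's `dhcp` display filter (`bootp` in older Wireshark builds); the MAC, hostname and transaction ID are made up.

```python
"""Extract the DHCP fields that ClearPass profiling relies on from a captured packet.

Added example, not ClearPass code. parse_dhcp() decodes the RFC 2131 BOOTP header
and RFC 2132 options from the UDP payload. build_sample_discover() constructs a
stand-in Discover from a made-up client so the example runs without a pcap."""
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_HOSTNAME, OPT_MSG_TYPE, OPT_PARAM_REQ_LIST, OPT_VENDOR_CLASS, OPT_END = 12, 53, 55, 60, 255
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 8: "INFORM"}


def parse_dhcp(payload: bytes) -> dict:
    """Return client MAC, xid, message type and the profiling-relevant options."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet (bad length or magic cookie)")
    op, htype, hlen, hops, xid = struct.unpack("!BBBBI", payload[:8])
    chaddr = payload[28:28 + hlen]          # hardware address, hlen bytes of the 16-byte field
    options, pos = {}, 240
    while pos < len(payload):
        code = payload[pos]
        if code == OPT_END:
            break
        if code == 0:                       # pad option, single byte
            pos += 1
            continue
        length = payload[pos + 1]
        options[code] = payload[pos + 2:pos + 2 + length]
        pos += 2 + length
    msg_type = options.get(OPT_MSG_TYPE, b"\x00")[0]
    return {
        "xid": xid,
        "client_mac": ":".join("%02x" % b for b in chaddr),
        "message_type": MSG_TYPES.get(msg_type, "OTHER(%d)" % msg_type),
        # the order of option 55 is the DHCP fingerprint used for device classification
        "fingerprint": ",".join(str(b) for b in options.get(OPT_PARAM_REQ_LIST, b"")),
        "vendor_class": options.get(OPT_VENDOR_CLASS, b"").decode("ascii", "replace"),
        "hostname": options.get(OPT_HOSTNAME, b"").decode("ascii", "replace"),
    }


def clients_seen(payloads) -> dict:
    """Map client MAC -> set of DHCP message types. Empty means no DHCP reached ClearPass."""
    seen = {}
    for p in payloads:
        try:
            info = parse_dhcp(p)
        except ValueError:
            continue                        # not DHCP, skip
        seen.setdefault(info["client_mac"], set()).add(info["message_type"])
    return seen


def build_sample_discover() -> bytes:
    """Constructed DHCP Discover from a made-up Windows client (not a real capture)."""
    mac = bytes.fromhex("001122aabbcc")
    # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops=0, xid, secs=0, flags=broadcast,
    # ciaddr/yiaddr/siaddr/giaddr all zero
    header = struct.pack("!BBBBIHH4s4s4s4s", 1, 1, 6, 0, 0x3903F326, 0, 0x8000,
                         b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4)
    header += mac + b"\0" * 10              # chaddr is 16 bytes
    header += b"\0" * 64 + b"\0" * 128      # sname, file
    opts = (bytes([OPT_MSG_TYPE, 1, 1])
            + bytes([OPT_PARAM_REQ_LIST, 4, 1, 3, 6, 15])
            + bytes([OPT_VENDOR_CLASS, 8]) + b"MSFT 5.0"
            + bytes([OPT_HOSTNAME, 7]) + b"LAPTOP1"
            + bytes([OPT_END]))
    return header + MAGIC_COOKIE + opts


if __name__ == "__main__":
    print(parse_dhcp(build_sample_discover()))
    print(clients_seen([build_sample_discover(), b"\0" * 50]))
```

If `clients_seen()` over the capture is empty, the packets never arrived and the problem is upstream (the switch's DHCP relay configuration or a firewall), which is the condition the figure in section 4 illustrates; if the client is there, profiling input is fine and the problem lies elsewhere.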