Troubleshooting Steps for Aruba ClearPass

If you are having issues connecting to your network when Aruba ClearPass handles authentication and authorization, follow the steps below to troubleshoot.

First, check ClearPass for authentication failures under Monitoring > Live Monitoring > Access Tracker.

Check whether the authentication requests appear in the Access Tracker, searching by username or MAC address depending on the type of authentication.


If there is no request in the Access Tracker for the MAC address or username, navigate to Monitoring > Event Viewer and check for events with the category Authentication. If there are any, open the error; you will see one of two possible errors:

  1. Request from Unknown NAD

    For this error, navigate to Configuration > Network > Devices and check that the IP address, subnet or IP range of the APs is added and that the vendor is selected as “CISCO”.

  2. Shared secret is incorrect

    For this error, the shared secret has been configured incorrectly on either the AP or the server. Check both and configure the same shared secret on each.


If no event is seen in the Event Viewer, check reachability from the AP to the RADIUS server.
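To separate the two failure modes above (no reply at all versus a reply that cannot be verified with the secret you think the AP uses) from a test host, here is an added example that is not part of this guide or of the ClearPass product: a minimal RADIUS PAP client per RFC 2865. The server address, shared secret and credentials are assumptions you supply; build_reply exists only so the verification logic can be exercised offline against a constructed reply, and a "no-response" result should always be read together with the Event Viewer, since a server may also silently discard a request it considers bad.

```python
import hashlib
import hmac
import os
import socket
import struct
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3  # RFC 2865 packet codes
USER_NAME, USER_PASSWORD = 1, 2                        # RFC 2865 attribute types

def pap_encrypt(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Hide a PAP User-Password as RFC 2865 section 5.2 describes (MD5 chaining)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def attr(kind: int, value: bytes) -> bytes:
    return struct.pack("!BB", kind, len(value) + 2) + value

def build_access_request(ident, username, password, secret, authenticator=None):
    authenticator = authenticator or os.urandom(16)  # fresh Request Authenticator per request
    attrs = attr(USER_NAME, username.encode())
    attrs += attr(USER_PASSWORD, pap_encrypt(password.encode(), secret, authenticator))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def build_reply(code, ident, request_authenticator, secret, attrs=b""):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_authenticator + attrs + secret).digest() + attrs

def classify_reply(reply, request_authenticator, secret):
    """Trust 'accept'/'reject' only when the reply was signed with our shared secret."""
    if len(reply) < 20:
        return "malformed"
    expected = hashlib.md5(reply[:4] + request_authenticator + reply[20:] + secret).digest()
    if not hmac.compare_digest(expected, reply[4:20]):
        return "secret-mismatch"
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(reply[0], "other")

def probe(server, secret, username, password, port=1812, timeout=3.0):
    auth = os.urandom(16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_access_request(7, username, password, secret, auth), (server, port))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:  # no reply: reachability, unknown NAD, or a silently dropped request
            return "no-response"
    return classify_reply(reply, auth, secret)
```

Run probe("<clearpass-ip>", b"<secret>", "<user>", "<password>") from a host ClearPass already knows as a network device; "secret-mismatch" means the server answered but with a Response Authenticator your secret cannot verify.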

If the request appears in the Access Tracker but the “Login Status” is “Reject”, open the request and go to the “Alerts” tab to see the reject reason.

The possible reasons for a reject are:

  1. Service categorization failed – The incoming request was not categorized into any service configured for the SSID the user is trying to connect to. Check and correct the service rules under Configuration > Services > (select the configured service).

  2. User not found – The user could not be found in the Authentication Source configured in the service. Check that the appropriate source (Static Host Lists, Local User Repository, Guest User Repository, Endpoints Repository, Active Directory) is added to the service.

  3. Cannot select appropriate authentication method – This error appears when the wrong authentication method is configured in the service. For MAC authentication the method should be either [MAC AUTH] or [ALLOW ALL MAC AUTH]. For dot1x it should be [EAP PEAP], [MSCHAPv2] when a username and password are used, [TLS] when certificate-based authentication is required, and [PAP] when guest authentication is being performed. Also check the supplicant profile on the client device for dot1x authentications and make sure it is configured for the correct authentication method and authentication mode.

  4. Cannot send request to policy server – This error appears if the Policy service is not running on the server. The status of the services can be verified from the CLI using the command “service status all”.

  5. Logon failure – The password provided by the user is wrong on a dot1x authentication.

  6. Reading winbind reply failed – This error can have two different causes:

    1. ClearPass is not joined to the AD domain. Check whether it is joined from the ClearPass UI by navigating to Administration > Server Manager > Server Configuration > (select the server). You can also verify this with the CLI command “show domain”.
    2. There is a delay in the response from AD. Verify this by clicking the Show Logs button on the Access Tracker request; the delay should be less than 500 ms. Check on the AD side to see why the response is delayed.