Aruba Clearpass - authentication error - No logon Servers by Ulises Cázares

Yesterday a client called me because he was having Wireless authentication issues using Aruba Clearpass.

The escenario was the following:

  • Aruba Clearpass Cluster (4 servers)
  • Primary DNS  was unstable (sometines it replied and sometimes it didn't)
  • The error in the access tracker was

 

 

After trying a few things like: changing the primary DNS, Creating another Authentication Source, restarting the DNS server, related with this message I got it working configuring Password Servers for that domain in all the cluster members. The path to do this is in: Configuration, Server Manager, Server Configuration, click  in the server, go to edit the domain password servers and write one en each line.

 

When the DNS was failing, even after rebooting, Clearpass didn't authenticate users showing the same error. Must likely the DNS was returning domain controllers(DCs) that weren't accesible to Clearpass or didn't exist anymore.  Once we "force" Clearpass to use the DCs that we knew were working fine all the authentications started working again.


I've been working with Clearpass for a few years now and not one time i've seen it to fail when everything else is working fine. When the authentication fails is due to some external factor like the DNS in this case


Hope this helps to someone in the future


Regards

Comments

Post a Comment

Popular posts from this blog

Aruba Clearpass - How to configure the Cisco WLC for Guest and MAC Caching by Ulises Cázares

Image
 Hi this is a step by step on how to configure an SSID in a functional Cisco WLC (8.10)  for Guest Authentication and MAC Caching using Aruba Clearpass General Steps (this guide assumes you have correctly configured the Clearpass side) Create an Authentication Server (The secret is the same as the one configured in Clearpass) Create an Accounting Server (The secret is the same as the one configured in Clearpass) Configure the WebAuth login Page (use the configured guets login page in Clearpass) Make sure the Web Auth Certificate points to the virtual IP in the WLC Create the FlexConnect Access List (or IPV4) Make sure WebAuth SecureWeb is enable Configure the SSID with the appropiate settings   1.- Create an Authentication Server 2.- Create an Accounting Server  3.- Configure the WebAuth login Page (in this example is; guest.demo-clearpass.net/cisco_login.php)  Note.- In order to avoid the security warnings in the conencting devices, install the appropiate certificate in Clearpass wit
Read more

Using API in ArubaOS Switches with Postman by Ulises Cázares

Image
 Hi, today I'm gonna show how to interact with the Aruba OS version 16.10 switches API using postman. My intention is that you know how to construct the request using headers, parameters and the body of the request. The first things to start working with the switch API are: to have administrative access to the device and to make sure of the switch version so you can look for the appropiate document. Remember, APIs can change form version to version.  You can use the command: show version. In my case is 16.10 Then you can make a quick search in google like "Aruba switch 16.10 API" to get the document and find out what are the option provided in the API. In the document you will find examples using curl and that's why i'm writting this in postman, so you have options. Now, let's do 4 thing so you can use the API: Make sure the REST interface is enable or enable it Login to the device API Construct a GET request Construct a POST request  Make sure the REST inter
Read more

WiFi - How to know supported channels by a wireless client by Ulises Cázares

Image
 Hi, in this post I would tell you how to be sure which WiFi channels are supported by a wireless client so we can configure wireless solutions that will work with the endpoints in the environment. I normally approach this topic in 2 ways 1. Directly in the wireless client This one is the obvious option but, in my experience, the majority of wireless clients don't show that in any part of the configuration. Because wireless clients are very different and their configurations menus too there's no way to show a "common" path to see the supported channels(if the wireless client shows them)   2.- Use a wireless adapter in monitor mode and wireshark to see an Association Request paquet from the client. In the following images we'll see where in the association request we can see that information.    The fastest way to do it is to follow these steps: Put the wireless adapatar in monitor mode in the AP channel we'are going to connect the wireless client Open wireshar
Read more