Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Troubleshooting ClearPass Issues


This section describes general troubleshooting tips when dealing with ClearPass issues with Policy Enforcer. For detailed information on troubleshooting ClearPass and ClearPass logs, see your ClearPass documentation.

Viewing Logs Files

Policy Enforcer writes third-party plug-in log information to /srv/3rd-party-adapter/logs/plugin_server.log using the following format:

Three types of information are recorded in the logs:

  • Application initialization information.

  • Heart-beat with Policy Enforcer—communication status between Policy Enforcer and the third-party plug-in.

  • Application operations—for troubleshooting third-party plug-in functionality.

The default logging level is set to DEBUG.

The following is an example of a heart-beat message log:

The following is an example of an application operation log:

You can also access logs within ClearPass Policy Manager and ClearPass Guest to assist in troubleshooting.

  • Checking session logs

    The Access Tracker window displays information of per-session access activity. To view this activity, select Monitoring > Access Tracker within ClearPass Policy Monitor. Click a session in the table to display the Request Details window with details about that session. Click Show Logs to view the log details. See Figure 1. Change your log level to view more or less session information.

    Figure 1: Checking Session Logs
    Checking Session Logs
  • Errors reported by ClearPass

    To view events and messages generated by the ClearPass application, select Administration > Support > Application Log within ClearPass Guest. See Figure 2.

    Figure 2: Viewing ClearPass Errors
    Viewing ClearPass Errors

    Click an event to view details, such as possible causes for that error or a pointer for where to look for more information.

Configuration Issues

The following are mandatory ClearPass information that must be passed to the Policy Enforcer third-party plug-in to ensure proper communication:

  • ClearPass IP address and port number.

  • Client ID (clientId) for the API to access (configured with ClearPass Guest module).

  • Client secret key, used together with clientId to obtain the access token for performing REST API calls to the ClearPass server.

If you see a 404 error with “ClearPass configuration is missing” in the log file, then ClearPass is not configured for Policy Enforcer. See ClearPass Configuration for Third-Party Plug-in for information on configuring ClearPass with Policy Enforcer.

Another method for checking whether ClearPass is configured for Policy Enforcer is to look for the /srv/3rd-party-adapter/configuration.yaml file. If this file exists, then the configuration step has been performed.

Error Code 500

If you receive an error code 500 with the log message There are no sessions to display. You should enable Insight on at least one node in Policy Manager: Administration > Server Manager > Server Configuration then the configured ClearPass server does not have Insight enabled. ClearPass Insight is used by ClearPass Policy Manager for in-depth reporting and enhanced analytics.

To enable ClearPass Insight, select Administration > Server Manager > Server Configuration from ClearPass Policy Manager. Click the ClearPass server and enable Insight. See Figure 3.

Figure 3: Enabling ClearPass Insight
Enabling ClearPass Insight

Unable to Block Infected Endpoint

If you are unable to block an infected endpoint and are using an SRX Series device, make sure the SRX Series device can talk to the Internet. Sky ATP requires that both your Routing Engine (control plane) and Packet Forwarding Engine (data plane) can connect to the Internet but the “to-cloud” connection should not go through the management interface, for example, fxp0. You do not need to open any ports on the SRX Series device to communicate with the cloud server. However, if you have a device in the middle, such as a firewall, then that device must have ports 8080 and 443 open.

Use the show services advanced-anti-malware status CLI command to verify that connection is made to the cloud server from the SRX Series device. Your output will look similar to the following.

For more information, see the Sky ATP Administration Guide.

If you are able to connect to the Internet, and are still unable to block infected endpoints, perform the following tasks:

  • Validate the IP address using ClearPass API Explorer.

    1. Select the Insight API, endpoint service.
    2. Use the GET /insight/endpoint/ip/{ip} method.
  • Validate the corresponding active session using ClearPass API Explorer.

    1. Select the GuestManager API, ActiveSession service.
    2. Use the GET /session method with framedipaddress equal to the infected endpoint’s IP address.
    3. Sort by accstarttime to view the most recent active sessions associated with the IP first.

    If there no current active session is returned, the IP address passed down to the plug-in to block is invalid or does not existed.

  • If the IP address is valid, confirm that the custom attribute sdsnEpStatus has been set toblocked. Use the ClearPass API Explorer’s Endpoint API, Managed Endpoint services by issuing the API GET /endpoint/mac-address/{mac-address} ,with {mac-address} of the endpoint obtained from the output of the active session query issued earlier.

  • The sdsnEpStatus custom attribute can also be verified using ClearPass Policy Manager’s Access Tracker.

    1. Click the session in the Access Tracker table to display the Request Details window with details about that session.
    2. Click the Input tab to show protocol-specific attributes that Policy Manager received in a transaction request.
    3. Scroll to view the Endpoint:sdsnEpStatus attribute. It’s value should be blocked.

      If it is not blocked, view the plug-in log for possible reasons. The plug-in log is located at /srv/3rd-party-adapter/logs/plugin_server.log.

Unable to Quarantine Infected Endpoint

If you are unable to quarantine an infected endpoint, first validate the IP address of the infected host following the same procedure as in Unable to Block Infected Endpoint. Verify that the value of the custom attribute sdsnEpStatus has been set to quarantine.

Unable to Clear Blocked or Quarantined Endpoint

If you are unable to clear blocked or quarantined endpoints, it’s usually because the passing IP address does not exist in the infected endpoint tracking database maintained by the plug-in. Infected hosts are located in the /srv/3rd-party-adapter/infectedEndpointList file. It is expected that a clear request will come with the same IP address of the endpoint as in the earlier blocked or quarantined endpoint request. If the clear request arrives with a new IP address that is not in the infected endpoint tracking database, the request fails.

Check the ClearPass application log for possible internal errors.