Troubleshooting ClearPass Issues

This section describes general troubleshooting tips when dealing with ClearPass issues with Policy Enforcer. For detailed information on troubleshooting ClearPass and ClearPass logs, see your ClearPass documentation.

Viewing Log Files

Policy Enforcer writes third-party plug-in log information to /srv/3rd-party-adapter/logs/plugin_server.log using the following format:

Three types of information are recorded in the logs:

  • Application initialization information.

  • Heart-beat with Policy Enforcer—communication status between Policy Enforcer and the third-party plug-in.

  • Application operations—for troubleshooting third-party plug-in functionality.

The default logging level is set to DEBUG.

The following is an example of a heart-beat message log:

The following is an example of an application operation log:

You can also access logs within ClearPass Policy Manager and ClearPass Guest to assist in troubleshooting.

  • Checking session logs

    The Access Tracker window displays per-session access activity. To view this activity, select Monitoring > Access Tracker within ClearPass Policy Monitor. See Figure 1.

    Figure 1: Checking Session Logs

    Click a session in the table to display the Request Details window with details about that session. Click Show Logs to view the log details. Change your log level to view more or less session information.

  • Errors reported by ClearPass

    To view events and messages generated by the ClearPass application, select Administration > Support > Application Log within ClearPass Guest. See Figure 2.

    Figure 2: Viewing ClearPass Errors

    Click an event to view details, such as possible causes for that error or a pointer for where to look for more information.

Configuration Issues

The following ClearPass information is mandatory and must be passed to the Policy Enforcer third-party plug-in to ensure proper communication:

  • ClearPass IP address and port number.

  • Client ID (clientId) for the API to access (configured with ClearPass Guest module).

  • Client secret key, used together with clientId to obtain the access token for performing REST API calls to the ClearPass server.

If you see a 404 error with “ClearPass configuration is missing” in the log file, then ClearPass is not configured for Policy Enforcer. See ClearPass Configuration for Third-Party Plug-in for information on configuring ClearPass with Policy Enforcer.

Another method for checking whether ClearPass is configured for Policy Enforcer is to look for the /srv/3rd-party-adapter/configuration.yaml file. If this file exists, then the configuration step has been performed.

Error Code 500

If you receive an error code 500 with the log message “There are no sessions to display. You should enable Insight on at least one node in Policy Manager: Administration > Server Manager > Server Configuration”, then the configured ClearPass server does not have Insight enabled. ClearPass Insight is used by ClearPass Policy Manager for in-depth reporting and enhanced analytics.

To enable ClearPass Insight, select Administration > Server Manager > Server Configuration from ClearPass Policy Manager. Click the ClearPass server and enable Insight. See Figure 3.

Figure 3: Enabling ClearPass Insight

Unable to Block Infected Endpoint

If you are unable to block an infected endpoint, perform the following tasks:

  • Validate the IP address using ClearPass API Explorer: Insight API, Endpoint service, then issue GET /insight/endpoint/ip/{ip}

  • Validate the corresponding active session using ClearPass API Explorer: GuestManager API, ActiveSession service, then issue GET /session with “framedipaddress” equal to the infected endpoint’s IP address, sorted by “accstarttime” so that the most recent active sessions associated with the IP address are displayed first. If no current active session is returned, the IP address passed down to the plug-in to block is invalid or does not exist.

  • If the IP address is valid, confirm that the custom attribute sdsnEpStatus has been set to the value ‘blocked’, using ClearPass API Explorer’s Endpoint API, Managed Endpoint service, by issuing GET /endpoint/mac-address/{mac-address}, with the {mac-address} of the endpoint obtained from the output of the active session query issued earlier.

  • The custom attribute sdsnEpStatus can also be verified by looking at the corresponding session in ClearPass Policy Manager’s Access Tracker, in the Input tab, “Compute Attributes” section.

Unable to Quarantine Infected Endpoint

If you are unable to quarantine an infected endpoint, first validate the IP address of the infected host following the same procedure as in the Unable to Block Infected Endpoint topic above. Next, verify that the value of the custom attribute sdsnEpStatus has been set to quarantine.
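
The block and quarantine checks described above can be scripted as one routine. The following is an added example, not Juniper or Aruba code: it walks the three API checks and reports which one fails. The response envelope (_embedded.items), the mac_address and attributes field names, the filter/sort parameter syntax, and the treatment of a missing Insight record as a failure are assumptions; the sample responses are constructed so the code runs offline, and get() would be replaced by an authenticated REST call using the access token obtained with the clientId and client secret.

```python
import json

# Constructed sample responses (not real ClearPass output). The "_embedded.items"
# envelope, "mac_address" and "attributes" field names are assumptions.
SAMPLE = {
    "/insight/endpoint/ip/192.0.2.10": {"ip": "192.0.2.10"},
    "/insight/endpoint/ip/192.0.2.20": {"ip": "192.0.2.20"},
    "/session": {"_embedded": {"items": [
        {"framedipaddress": "192.0.2.10", "accstarttime": 1700000000,
         "mac_address": "02-00-00-00-00-01"},
        {"framedipaddress": "192.0.2.10", "accstarttime": 1700003600,
         "mac_address": "02-00-00-00-00-02"},
    ]}},
    "/endpoint/mac-address/02-00-00-00-00-01": {"attributes": {}},
    "/endpoint/mac-address/02-00-00-00-00-02": {"attributes": {"sdsnEpStatus": "blocked"}},
}

def sample_get(path, params):
    """Offline stand-in for an authenticated GET; returns None for a 404."""
    body = SAMPLE.get(path)
    if path == "/session":
        ip = json.loads(params["filter"])["framedipaddress"]
        items = [s for s in body["_embedded"]["items"] if s["framedipaddress"] == ip]
        return {"_embedded": {"items": items}}
    return body

def diagnose(ip, expected_status, get=sample_get):
    """Run the three checks for one IP; expected_status is 'blocked' or 'quarantine'."""
    # 1. Insight API, Endpoint service: is the IP known at all?
    if get(f"/insight/endpoint/ip/{ip}", {}) is None:
        return "ip-unknown-to-insight"
    # 2. GuestManager API, ActiveSession service: filter on framedipaddress,
    #    newest first (filter/sort parameter syntax is an assumption).
    params = {"filter": json.dumps({"framedipaddress": ip}), "sort": "-accstarttime"}
    sessions = (get("/session", params) or {}).get("_embedded", {}).get("items", [])
    if not sessions:
        return "no-active-session"  # IP passed to the plug-in is invalid or does not exist
    # Re-sort locally so a stale session never supplies the MAC address.
    mac = max(sessions, key=lambda s: s["accstarttime"])["mac_address"]
    # 3. Endpoint API, Managed Endpoint service: check the custom attribute.
    endpoint = get(f"/endpoint/mac-address/{mac}", {}) or {}
    actual = endpoint.get("attributes", {}).get("sdsnEpStatus")
    if actual != expected_status:
        return f"status-mismatch: sdsnEpStatus={actual!r}, expected {expected_status!r}"
    return "ok"
```

A result of no-active-session corresponds to the invalid-IP case above; status-mismatch means the session exists but sdsnEpStatus was not set to the expected value.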

Unable to Clear Blocked or Quarantined Endpoint

If you are unable to clear blocked or quarantined endpoints, it is usually because the IP address passed in the request does not exist in the infected endpoint tracking database maintained by the plug-in. Infected hosts are located in the /srv/3rd-party-adapter/infectedEndpointList file. A clear request is expected to carry the same endpoint IP address as the earlier block or quarantine request. If the clear request arrives with a new IP address that is not in the infected endpoint tracking database, the request fails.

Also, check the ClearPass application log for possible internal errors.