Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Troubleshoot Your Integration with Aruba Clearpass

SUMMARY Troubleshoot issues using Aruba Clearpass to handle authentication/authorizations for your network.

Note:

This topic provides some tips for troubleshooting in Clearpass. For up-to-date information about Clearpass, see the Clearpass support site.

Access Tracker

In Aruba Clearpass, go to Monitoring > Access Tracker and check for authentication failures. Look for authentication requests by using either the username or MAC address, based on the type of authentication that you're using.

  • If there's no request in the Access Tracker for the MAC Address or username, go to the Event Viewer. See the Event Viewer: NAD and Shared Secret Errors section of this topic.

  • If the the MAC Address or username is in the Access Tracker but the Login Status is REJECT, open the request and navigate to the Alerts tab to see the reject reason.

    Clearpass Access Tracker

    For help with various reject reasons, see the Reject Reasons section of this topic.

Reject Reasons

The possible reasons for a reject are:

  • Service categorization failed—The incoming request on the Clearpass is not categorized under any service that is configured for the SSID that the user is trying to connect to. Make necessary corrections in the service rules under Configuration > Services > Select the configured service.

    Clearpass Request Details - Service Categorization Failed
  • User not found—This error means that the user is not listed in the configured Authentication Source in the service. See if the appropriate source (Static Host lists, Local User Repository, Guest User Repository, Endpoints Repository, Active Directory) is added in the service.

    Clearpass Request Details - User Not Found

    Clearpass Authentication Details

  • Cannot select appropriate authentication method—This error appears when the wrong authentication method is added in the service. For MAC authentication, the method should be either [MAC AUTH] or [ALLOW ALL MAC AUTH]. For dot1x, it should be [EAP PEAP], [MSCHAPv2] when username and password is used, [TLS] when certificate based authentication is required, and [PAP] when guest authentication is being performed. Also check the supplicant profile on the client device for dot1x authentications and make sure that it is configured for the correct authentication method and authentication mode.

    Clearpass Request Details - Authentication Method

    Clearpass Authentication Method Options

  • Cannot send request to policy server—This error appears if the policy service is not running on the server. To check the status, go to the CLI and enter the command service status all.

    Clearpass CLI - Service Status All Command
  • Logon failure—This error means that the user provided an incorrect password.

    Clearpass - AD Logon Failure
  • Reading winbind reply failed

    Clearpass Alerts - Reading Windbind Reply Failed

    This error can be due to two different reasons:

    • Clearpass is not added to the AD Domain. Go to Administration > Server Manager > Server Configuration, and then select the server.

      Clearpass Server Configuration
  • There is a delay in the response from the AD. This can be verified by clicking the Show Logs button on the Access Tracker request. The delay should be less than 500 ms. Check on the AD side to see why there is a delay in sending the response.

Event Viewer: NAD and Shared Secret Errors

If there is no request in the Access Tracker for the MAC or username, navigate to the Event Viewer and look for any events in the Authentication category. If so, open the errors and investigate further.

  • Request from Unknown NAD—For this error, navigate to Configuration > Network > Devices and check if the IP address/subnet or IP range for the APs is added and at the correct vendor is selected. Make corrections as needed.

    Clearpass NAD Error

    Clearpass Device Details

  • Shared secret is incorrect—Make sure that the correct shared secret is configured on both the AP and the server.

    Example: Shared Secret Error in Clearpass

If there are no events in the Event Viewer, check the reachability from the AP to the RADIUS server.