Troubleshoot Your Integration with Aruba ClearPass

Troubleshoot issues that arise when Aruba ClearPass handles authentication and authorization for your network.

Note:

This topic provides some tips for troubleshooting in ClearPass. For up-to-date information about ClearPass, see the ClearPass support site.

Access Tracker

In Aruba ClearPass, go to Monitoring > Access Tracker and check for authentication failures. Look for authentication requests by using either the username or MAC address, based on the type of authentication that you're using.

If there's no request in the Access Tracker for the MAC address or username, go to the Event Viewer. See the Event Viewer: NAD and Shared Secret Errors section of this topic.

If the MAC address or username is in the Access Tracker but the Login Status is REJECT, open the request and navigate to the Alerts tab to see the reject reason.

Access Tracker section of a network monitoring tool displaying authentication requests with details like server IP, protocol, username, service, login status, and timestamp.

For help with various reject reasons, see the Reject Reasons section of this topic.

Reject Reasons

The possible reasons for a reject are:

  • Service categorization failed—The incoming request on ClearPass is not categorized under any service that is configured for the SSID that the user is trying to connect to. To make the necessary corrections to the service rules, go to Configuration > Services and select the configured service.

    Request Details window with Alerts tab selected. Error Code 204 Authentication failure. Message: Failed to classify request to service. Alerts: RADIUS Service Categorization failed. Navigation controls and buttons: Show Configuration Export Show Logs Close.
  • User not found—This error means that the user is not listed in the configured Authentication Source in the service. See if the appropriate source (Static Host lists, Local User Repository, Guest User Repository, Endpoints Repository, or Active Directory) is added in the service.

    Request Details interface showing authentication failure. Error Code 201; Error Category: Authentication failure; Error Message: User not found.

    Configuration interface for authentication settings with tabs Summary, Service, Authentication, Authorization, Roles, and Enforcement. Features Allow All MAC AUTH method and local SQL DB sources like Guest Device Repository and Endpoints Repository.

  • Cannot select appropriate authentication method—This error appears when the wrong authentication method is added in the service. For MAC authentication, the method should be either [MAC AUTH] or [ALLOW ALL MAC AUTH]. For dot1x, it should be [EAP PEAP], [MSCHAPv2] when username and password are used, [TLS] when certificate-based authentication is required, and [PAP] when guest authentication is being performed. Also check the supplicant profile on the client device for dot1x authentications and make sure that it is configured for the correct authentication method and authentication mode.

    Request Details window showing authentication failure alert. Error Code 201: User not found. Alerts tab selected. Options: Show Configuration, Export, Show Logs, Close.

    Authentication methods configuration interface with EAP PEAP, EAP FAST, EAP TLS, and EAP MSCHAPv2. Options to manage methods.

  • Cannot send request to policy server—This error appears if the policy service is not running on the server. To check the status, go to the CLI and enter the command `service status all`.

    Terminal window showing `service status all` command output. All listed services are running, including Policy server, TACACS server, Radius server, Async DB write service, DB replication service, DB change notification service, System monitor service, System auxiliary service, Admin server, Async net service, Multi-master cache, Domain server, AirGroup notification service, Micros Fidelio FIAS server, and ClearPass Virtual IP service. User logged in as appadmin on cplab.clearpassdemo.com.
  • Logon failure—This error means that the user provided an incorrect password.

    Request Details window showing authentication failure with Error Code 216. Issues include RADIUS MSCHAP AD status logon failure 0xc000006d and EAP-MSCHAPv2 user authentication failure.
  • Reading winbind reply failed.

    Network authentication system error details with error code 216, authentication failure message, and alerts highlighting RADIUS MSCHAP and EAP-MSCHAPv2 issues.

    This error can be due to two different reasons:

    • ClearPass is not added to the AD Domain. Go to Administration > Server Manager > Server Configuration, and then select the server.

      Aruba ClearPass Policy Manager interface showing server configuration settings, including server hostname, policy manager zone, management port, DNS settings, and AD domain options.
    • There is a delay in the response from the AD. This can be verified by clicking the Show Logs button on the Access Tracker request. The delay should be less than 500 ms. Check on the AD side to see why there is a delay in sending the response.

Event Viewer: NAD and Shared Secret Errors

If there is no request in the Access Tracker for the MAC address or username, navigate to the Event Viewer and look for any events in the Authentication category. If there are any, open the errors and investigate further.

  • Request from Unknown NAD—For this error, navigate to Configuration > Network > Devices and check if the IP address/subnet or IP range for the APs is added and the correct vendor is selected. Make corrections as needed.

    RADIUS authentication error: Source RADIUS; Level ERROR; Category Authentication; Timestamp Mar 06 2019 15:59:18 PST; Description RADIUS authentication attempt from unknown NAD.

    Screenshot of Aruba ClearPass interface for configuring network devices showing fields for device name, IP address, RADIUS and TACACS+ shared secrets, vendor name, and options for RADIUS dynamic authorization. Includes tabs for additional settings and buttons for Copy, Save, and Cancel. Navigation menu on the left displays sections like Dashboard, Monitoring, and Configuration.

  • Shared secret is incorrect—Make sure that the correct shared secret is configured on both the AP and the server.

    Event Viewer screenshot showing RADIUS authentication error from IP 10.8.10.100 due to incorrect shared secret on May 09, 2013 at 23:29:31 UTC.
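
Why a shared-secret mismatch makes a request fail validation, shown as an added example (not ClearPass or AP code): RADIUS requests that carry a Message-Authenticator attribute (RFC 2869) are signed with HMAC-MD5 keyed by the shared secret, so a server holding a different secret computes a different value. The function names, the MAC-style username and both secrets are constructed for illustration.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, USER_NAME, MESSAGE_AUTHENTICATOR = 1, 1, 80


def build_access_request(username, secret, ident=1):
    """Build an Access-Request signed with Message-Authenticator (HMAC-MD5)."""
    user = username.encode()
    attrs = struct.pack("!BB", USER_NAME, len(user) + 2) + user
    attrs += struct.pack("!BB", MESSAGE_AUTHENTICATOR, 18) + bytes(16)
    packet = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    packet += os.urandom(16) + attrs  # 16-byte Request Authenticator
    # Sign the whole packet while the attribute value is still all zeros.
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac  # Message-Authenticator is the last attribute


def verify_message_authenticator(packet, secret):
    """Return True if the packet was signed with `secret`, else False."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        raise ValueError("truncated packet or bad length field")
    pos = 20  # attributes start after the 20-byte header
    while pos + 2 <= len(packet):
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > len(packet):
            raise ValueError("malformed attribute")
        if attr_type == MESSAGE_AUTHENTICATOR:
            if attr_len != 18:
                raise ValueError("Message-Authenticator must be 16 bytes")
            received = packet[pos + 2:pos + 18]
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(received, expected)
        pos += attr_len
    raise ValueError("no Message-Authenticator attribute present")


if __name__ == "__main__":
    # Constructed sample: the AP signs with one secret, the server holds another.
    request = build_access_request("aabbccddeeff", b"secret-on-ap")
    print("same secret:     ", verify_message_authenticator(request, b"secret-on-ap"))
    print("different secret:", verify_message_authenticator(request, b"secret-on-server"))
```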

If there are no events in the Event Viewer, check the reachability from the AP to the RADIUS server.
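
For the Request from Unknown NAD check above, the following added example (not part of ClearPass) tests whether each AP source address is covered by a list of device entries given as a single IP, a subnet, or a range. The device names, the `start-end` range syntax and all addresses except 10.8.10.100 are assumptions made for this sketch.

```python
import ipaddress


def parse_device_entry(entry):
    """Return (first, last) address covered by one device entry.

    Accepts a single IP, a CIDR subnet, or 'start-end' (assumed range syntax).
    """
    entry = entry.strip()
    if "-" in entry:
        start, end = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
        if start.version != end.version or start > end:
            raise ValueError(f"invalid range: {entry}")
        return start, end
    network = ipaddress.ip_network(entry, strict=False)  # a bare IP becomes /32
    return network[0], network[-1]


def match_nads(ap_source_ips, device_entries):
    """Map each AP source IP to the device entries that cover it.

    An empty list means the server would treat that source as an unknown NAD.
    Use the address the server actually sees, which may differ behind NAT.
    """
    ranges = [(name, *parse_device_entry(e)) for name, e in device_entries.items()]
    report = {}
    for text in ap_source_ips:
        ip = ipaddress.ip_address(text)
        report[text] = [name for name, low, high in ranges
                        if low.version == ip.version and low <= ip <= high]
    return report


# Constructed sample data: hypothetical device entries and AP source addresses.
DEVICES = {
    "branch-aps": "10.8.10.0/24",
    "lab-ap": "192.168.50.10",
    "hq-aps": "10.20.0.10-10.20.0.50",
}
AP_SOURCES = ["10.8.10.100", "10.20.0.51", "192.168.50.10", "10.8.11.5"]

if __name__ == "__main__":
    for source, names in match_nads(AP_SOURCES, DEVICES).items():
        print(source, "->", ", ".join(names) if names else "UNKNOWN NAD")
```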