Troubleshoot Your Integration with Aruba ClearPass
SUMMARY Troubleshoot issues using Aruba ClearPass to handle authentication/authorizations for your network.
This topic provides some tips for troubleshooting in ClearPass. For up-to-date information about ClearPass, see the ClearPass support site.
Access Tracker
In Aruba ClearPass, go to Monitoring > Access Tracker and check for authentication failures. Look for authentication requests by using either the username or MAC address, based on the type of authentication that you're using.
If there's no request in the Access Tracker for the MAC Address or username, go to the Event Viewer. See the Event Viewer: NAD and Shared Secret Errors section of this topic.
If the MAC Address or username is in the Access Tracker but the Login Status is REJECT, open the request and navigate to the Alerts tab to see the reject reason.
For help with various reject reasons, see the Reject Reasons section of this topic.
Reject Reasons
The possible reasons for a reject are:
- Service categorization failed—The incoming request on ClearPass is not categorized under any service that is configured for the SSID that the user is trying to connect to. Make the necessary corrections in the service rules under Configuration > Services, and then select the configured service.
- User not found—The user is not listed in the Authentication Source configured in the service. Check that the appropriate source (Static Host Lists, Local User Repository, Guest User Repository, Endpoints Repository, or Active Directory) is added to the service.
- Cannot select appropriate authentication method—The wrong authentication method is added in the service. For MAC authentication, the method should be either [MAC AUTH] or [ALLOW ALL MAC AUTH]. For dot1x, it should be [EAP PEAP] and [MSCHAPv2] when a username and password are used, [TLS] when certificate-based authentication is required, and [PAP] when guest authentication is being performed. Also check the supplicant profile on the client device for dot1x authentication and make sure that it is configured for the correct authentication method and authentication mode.
- Cannot send request to policy server—The policy service is not running on the server. To check the status, go to the CLI and enter the command service status all.
- Logon failure—The user provided an incorrect password.
- Reading winbind reply failed. This error can be due to two different reasons:
  - ClearPass is not added to the AD domain. Go to Administration > Server Manager > Server Configuration, and then select the server.
  - There is a delay in the response from the AD. Verify this by clicking the Show Logs button on the Access Tracker request. The delay should be less than 500 ms. Check on the AD side to see why there is a delay in sending the response.
Event Viewer: NAD and Shared Secret Errors
If there is no request in the Access Tracker for the MAC address or username, navigate to the Event Viewer and look for any events in the Authentication category. If there are, open the errors and investigate further.
- Request from Unknown NAD—Navigate to Configuration > Network > Devices and check that the IP address/subnet or IP range for the APs is added and the correct vendor is selected. Make corrections as needed.
- Shared secret is incorrect—Make sure that the correct shared secret is configured on both the AP and the server.
If there are no events in the Event Viewer, check the reachability from the AP to the RADIUS server.
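As an added check for this last step (example code, not part of this page, ClearPass or the AP), the following Python script sends a single RADIUS Access-Request and classifies the outcome the way the steps above do: silence points to reachability or a missing NAD entry, a reply that fails the RFC 2865 Response Authenticator check points to a shared secret mismatch, and an authentic reply is an Accept or a Reject to look up in Access Tracker. The server address, shared secret, NAS IP and MAC are placeholders you supply, and the MAC-as-username-and-password convention for MAC authentication is an assumption.

```python
import hashlib
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4

def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out

def attr(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value  # TLV; Length includes the header

def build_access_request(ident, authenticator, username, password, secret, nas_ip):
    """Access-Request carrying User-Name, hidden User-Password and NAS-IP-Address."""
    attrs = (attr(USER_NAME, username.encode())
             + attr(USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
             + attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def expected_response_authenticator(response, request_authenticator, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(response[:4] + request_authenticator + response[20:] + secret).digest()

def response_is_authentic(response, request_authenticator, secret):
    """False means the server signed with a different shared secret (or the reply is forged)."""
    return response[4:20] == expected_response_authenticator(response, request_authenticator, secret)

def probe(server, secret, mac, nas_ip, port=1812, timeout=3.0):
    """MAC-auth style request (User-Name = User-Password = MAC), classified like the steps above."""
    authenticator = os.urandom(16)
    packet = build_access_request(1, authenticator, mac, mac, secret, nas_ip)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (server, port))
        try:
            response, _ = sock.recvfrom(4096)
        except socket.timeout:  # RFC 2865: requests from unknown clients are silently discarded
            return "no reply: check reachability and the NAD entry, then the Event Viewer"
    if not response_is_authentic(response, authenticator, secret):
        return "Response Authenticator mismatch: shared secret differs between NAD and server"
    outcomes = {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject: see the Alerts tab in Access Tracker"}
    return outcomes.get(response[0], f"unexpected code {response[0]}")
```

Run it from a host that is registered as a NAD (or from the AP's subnet if a range is configured); from any other host the request is dropped and surfaces as Request from Unknown NAD in the Event Viewer, which by itself confirms that UDP/1812 is reachable.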