Aruba ClearPass Workshop - Wireless #1 - Aruba Instant WPA2 Enterprise 802.1X (basic)

  • Published on 5 Sep 2024

Comments • 14

  • 3 years ago

    Thanks for sharing.

  • @mfranzl5551 6 years ago

    Thanks for the response @Herman Robers

  • @Hridhaan090 a year ago

    I can see a lot of timeouts on the ClearPass server in my environment. Similar timeouts are visible in your Access Tracker logs. Please let me know what the cause behind them is.

    • @hermanrobers a year ago

      Timeouts can have different causes. In wireless you are expected to see a few, which are caused by clients that are at the edge of the wireless coverage area and start authentication but have too weak a signal to complete it. If you see many timeouts it can be an MTU issue between your AP and ClearPass; make sure Jumbo frames are enabled in the full path, including on the vSwitch in case you run ClearPass in VMware. Modern clients also stop the negotiations halfway if they find a certificate issue. If you see a lot, check the MTU sizes and if Jumbo is enabled end-to-end; for the other issues it may be good to see if these are on specific types of clients, or specific locations, or specific users. Then, if you can't find a solution, work with your partner or Aruba support to do further analysis.

  • @luigui.a7907 5 years ago +1

    Hello Hernan, if we have two AD servers with the same users (domain) on both, in ClearPass do I only need to create one authentication source with the other server as a backup of it, or do I have to create 2 authentication sources for the 2 servers? Also, I think that the joining process would be with only one of them, right?

    • @hermanrobers 5 years ago +1

      If both servers are part of the same domain, you need to join just one (and only if you want to do MSCHAPv2 authentication, which is deprecated). The join is needed to create a computer account for ClearPass in your domain, which is then synchronized to the other domain controllers, similar to how you need to create a user account on only one domain controller. In the authentication source, you can indeed have one source with a primary and backup AD server, which are both of your servers.

  • @mfranzl5551 6 years ago +1

    If ClearPass rejected the Windows 10 VM because of certificates, then why did the first computer shown at minute 8:32 join the network without problems?

    • @hermanrobers 6 years ago +2

      Good question. You cannot see the client, but it is an Apple iOS device (iPad) and I do mention that it is prompting for the certificate, which cannot be seen in the video. In summary, on the iPad, the device shows the server certificate and asks whether that cert can be trusted. On the Windows client it does not prompt; rather, it just aborts the authentication. Bottom line: make sure you have your certificates set up properly.

  • @teamsothea1728 5 years ago

    Hello sir, how can we limit the number of connected devices using 802.1X wireless authentication? Example: one user can connect only one device or one session at a time.

    • @hermanrobers 5 years ago

      There are examples on how to configure that on the Airheads Community, like in this post: community.arubanetworks.com/t5/Security/limit-concurrent-802-1x-sessions-based-on-user-role/td-p/246359

  • @owenvaningen2030 7 years ago

    Super!

  • @ricardoraul 7 years ago

    Hi, correct me if I am wrong, but to authenticate users with PEAP-MSCHAPv2, doesn't ClearPass need to join the domain first?

    • @AirheadsBroadcasting 7 years ago

      You are completely right. That step was done in the second video in the series (community.arubanetworks.com/t5/Security/Aruba-ClearPass-Workshop-Video-series/td-p/291597) the Getting Started #2.
      I regret not having mentioned it again in this video as a reminder, that would have been better. Thanks for pointing this out.
      So the ClearPass appliances in the video are all joined to the domain.

    • @ricardoraul 7 years ago +1

      ABC Networking ahh, thanks, that happens when you don't watch the videos in order :) thanks for your answer.