That error looks like it’s coming from a RADIUS server. Does that system have 
some logging as to what’s going on? A network trace when this is reproducible 
would give you some clear evidence on what’s going on.

Thanks,
Brian


From: [email protected] [mailto:[email protected]] On 
Behalf Of Charles F Sullivan
Sent: Thursday, August 27, 2015 8:34 AM
To: [email protected]
Subject: RE: [NTSysADM] AD LDAP Policies 2012 R2

A few months ago we started implementing ClearPass as a network 
registration/authentication solution. For years we had a home-grown solution 
that actually worked quite well, but it did not rely on AD, where ClearPass 
does.

There have been some outages where the app throws errors such as “No free 
connections available.\n[Local User Repository] - localhost: User not 
found.\nMSCHAP: Authentication failed\nEAP-MSCHAPv2: User authentication 
failure”.

This is something that is run by a different department than the Windows System 
Admins group that I belong to, so I don’t know a lot about it, but the vendor 
insisted on blaming it on our AD and they wanted us to check on the 
MaxConnections, which is when I noticed the apparent inconsistencies, but….

I checked on my test Windows 2012 R2 domain, which definitely has all of the 
default LDAP policies and it’s exactly the same as what I saw here in 
production. Reading a bit more about LDAP in Windows 2012 AD, I saw phrases 
like “LDAP enhancements” and “LDAP gets an overhaul”, so that may explain why 
it’s different than even 2008 R2 AD.

Nobody here (including the other department) actually believes the problem is 
with AD, as we just don’t see anything abnormal when the problem happens. This 
includes having LDAP logging set to debug mode.

From: [email protected] [mailto:[email protected]] On 
Behalf Of Christopher Bodnar
Sent: Thursday, August 27, 2015 9:12 AM
To: [email protected]
Subject: RE: [NTSysADM] AD LDAP Policies 2012 R2

Just curious. Are you experiencing any issues related to this? Or did you do an 
audit and are trying to see why the values seem to be skewed?


From: [email protected] [mailto:[email protected]] On 
Behalf Of Charles F Sullivan
Sent: Wednesday, August 26, 2015 5:38 PM
To: [email protected]
Subject: RE: [NTSysADM] AD LDAP Policies 2012 R2

Thanks, that’s good to hear. If either of those is true, I think it would be 
acceptable.

I would lean toward default rather than hard limits, only because I doubt 
anyone here ever changed the values. (Just because I doubt it doesn’t mean it 
didn’t happen!)

From: [email protected] [mailto:[email protected]] On 
Behalf Of Brian Desmond
Sent: Wednesday, August 26, 2015 2:39 PM
To: [email protected]
Subject: RE: [NTSysADM] AD LDAP Policies 2012 R2

I would need to double check but I expect that either a) when it’s zero it 
honors the default or b) when it’s zero it falls back to the hard max limit.

From: [email protected] [mailto:[email protected]] On 
Behalf Of Charles F Sullivan
Sent: Wednesday, August 26, 2015 10:58 AM
To: [email protected]
Subject: [NTSysADM] AD LDAP Policies 2012 R2

We have a single domain/forest at Windows 2012 R2 functional level. This began 
14 years ago as a Windows 2000 domain. (Actually it was originally migrated 
from NT 4, but I don’t think that would be a factor.)

In checking the LDAP policies using ntdsutil, I see at least 5 settings that 
are non-default. An example is MaxValRange = 0. The default is 1500.

Is there anyone else out there running a Windows 2012 R2 domain who is aware of 
these settings in their own environment, or who would be willing to check? 
Particularly helpful may be someone whose domain started out as Windows 2000. 
Does anyone know if this is expected or normal?

Thanks for any help with this.

Charlie Sullivan
Sr. Windows Systems Administrator
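The values ntdsutil prints (ldap policies > connections > connect to server <dc> > q > show values) come from the lDAPAdminLimits attribute of the query policy object the DC is bound to, and a DC can be bound to a policy other than "Default Query Policy" through queryPolicyObject on its NTDS Settings object or on its site. The script below is an added example, not something posted in this thread: it resolves the policy a chosen DC actually honours, parses lDAPAdminLimits and compares each entry (including the MaxConnections value the vendor asked about and the MaxValRange = 0 that started the thread) with the documented defaults, flagging zeros separately rather than assuming what a zero means. It assumes the RSAT ActiveDirectory module and ordinary read access to the Configuration partition; the default table is the documented one and should be checked against the documentation for your OS version.

```powershell
# Added example, not part of the mailing-list thread. Reads the LDAP query
# policy that a given DC honours, parses its lDAPAdminLimits values and compares
# them with the documented defaults. Assumes the RSAT ActiveDirectory module and
# read access to the Configuration partition.
Import-Module ActiveDirectory

# Documented Windows Server defaults (MaxPoolThreads is per processor). Verify
# against the LDAP policy documentation for your OS version before trusting a
# "NON-DEFAULT" verdict.
$Defaults = [ordered]@{
    InitRecvTimeout        = 120
    MaxConnections         = 5000
    MaxConnIdleTime        = 900
    MaxDatagramRecv        = 4096
    MaxNotificationPerConn = 5
    MaxPageSize            = 1000
    MaxPoolThreads         = 4
    MaxQueryDuration       = 120
    MaxReceiveBuffer       = 10485760
    MaxResultSetSize       = 262144
    MaxTempTableSize       = 10000
    MaxValRange            = 1500
}

function Get-EffectiveQueryPolicyDN {
    # A DC uses, in order: queryPolicyObject on its own nTDSDSA object, then on
    # its site's NTDS Site Settings object, then the forest-wide Default Query Policy.
    param([Parameter(Mandatory)][string]$Server)
    $dse  = Get-ADRootDSE -Server $Server
    $ntds = Get-ADObject -Identity $dse.dsServiceName -Server $Server -Properties queryPolicyObject
    if ($ntds.queryPolicyObject) { return $ntds.queryPolicyObject }

    # dsServiceName is CN=NTDS Settings,CN=<dc>,CN=Servers,<site DN>
    $siteDN = ($dse.dsServiceName -split ',', 4)[3]
    $site = Get-ADObject -Identity "CN=NTDS Site Settings,$siteDN" -Server $Server -Properties queryPolicyObject
    if ($site.queryPolicyObject) { return $site.queryPolicyObject }

    return "CN=Default Query Policy,CN=Query-Policies,CN=Directory Service,CN=Windows NT,CN=Services,$($dse.configurationNamingContext)"
}

function Get-LdapPolicyValues {
    # lDAPAdminLimits is multi-valued; each entry has the form "Name=Value".
    param([Parameter(Mandatory)][string]$PolicyDN, [Parameter(Mandatory)][string]$Server)
    $policy = Get-ADObject -Identity $PolicyDN -Server $Server -Properties lDAPAdminLimits
    $values = @{}
    foreach ($entry in $policy.lDAPAdminLimits) {
        $name, $raw = $entry -split '=', 2
        $values[$name.Trim()] = [int64]$raw.Trim()
    }
    return $values
}

function Compare-LdapPolicy {
    # One row per documented limit, plus rows for limits the table does not know.
    param([Parameter(Mandatory)][hashtable]$Values)
    foreach ($name in $Defaults.Keys) {
        $actual = if ($Values.ContainsKey($name)) { $Values[$name] } else { $null }
        $state = if ($null -eq $actual)                { 'not set on policy object' }
                 elseif ($actual -eq $Defaults[$name]) { 'default' }
                 elseif ($actual -eq 0)                { 'ZERO - confirm effective limit with ntdsutil "show values"' }
                 else                                   { 'NON-DEFAULT' }
        [pscustomobject]@{ Policy = $name; Documented = $Defaults[$name]; Actual = $actual; State = $state }
    }
    foreach ($name in ($Values.Keys | Where-Object { -not $Defaults.Contains($_) } | Sort-Object)) {
        [pscustomobject]@{ Policy = $name; Documented = $null; Actual = $Values[$name]; State = 'not in default table' }
    }
}

# Pick a DC (or hard-code one to compare DCs against each other).
$server   = (Get-ADDomainController -Discover).HostName | Select-Object -First 1
$policyDN = Get-EffectiveQueryPolicyDN -Server $server
Write-Host "DC: $server`nEffective query policy: $policyDN`n"
Compare-LdapPolicy -Values (Get-LdapPolicyValues -PolicyDN $policyDN -Server $server) | Format-Table -AutoSize
```

Run it against each DC in turn: if two DCs resolve to different policy DNs, or the same DN yields different rows, someone has created or edited a query policy, which answers the "did anyone ever change these" question from the directory itself rather than from memory. Rows marked ZERO are left for ntdsutil's "Current" column to settle; the script deliberately does not assume that zero means either "default" or "unlimited".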
