Dell d 10 d Wyse thin clients failing EAP PEAP

Aruba Employee
Aruba Employee

Question - Why does Dell d10d Wyse thin clients fail EAP-PEAP authentication against clearpass 6.4 whereas it works fine against earlier versions.

 

Environment- Client: Dell d10d Wyse thin client

Information    Clearpass version: 6.4.x
                       Authentication method: EAP-PEAP

 

Symptoms- Dell d10d Wyse thin clients are not able to connect to network when authentication is done against                    Clearpass version 6.4.x. The alert message in access tracker is "Client did not complete EAP transaction". An over the air packet capture would show an EAP Request going to the client but no response from the client. The supplicant logs show that "SSL connection could not be established"

If we point the authentication to Clearpass 6.3.x or earlier, the authentication works fine. Packet captures in this case shows that the client is responding to EAP-Requests

 

Cause- PEAP has multiple flavours like PEAP version 0,1 and 2. As per RFC, the authentication server should              send the highest supported version of the authentication method in the EAP-Request. The supplicant is supposed to respond back with the version that it supports. Clearpass 6.4 onwards implemented support for PEAP version2 and hence the EAP-Request packet contains PEAP version as 2.

 

The Dell d10d Wyse supplicant has an issue where it does not participate in EAP negotiation when the EAP Request has PEAP version 2. The supplicant thinks this is an invalid EAP request and stops responding

 

Resolution - There are multiple solutions to recover from this situation:

                    1. Use clearpass 6.3.x until other solutions are available
                    2. Clearpass 6.5.x would soon have a feature enhancement which would allow an admin user to                       select the PEAP version in Clearpass RADIUS configuration.
                    3. Upgrade the supplicant firmware to one that handles EAP negotiations in a better and RFC                           compliant way.

 

 

 

Version history
Revision #:
1 of 1
Last update:
‎04-07-2015 10:51 AM
Updated by:
 
Labels (1)
Contributors
Comments
jlebrun123456

 Does anyone have experience with CPPM and WYSE terminals over wifi configuration?  

Clearpass version is 6.6

 

# Main config file for Wyse D10DP

# Network
Device=Ethernet Speed="Auto"

# Wyse Device MGMT Server
wdmserver=xx.xx.xx.xx
WDMService=yes

# Wireless Settings

# xxxxxx Wireless Network
Device=Wireless Mode=Infrastructure SSID=xxxxxx RoamSensitive=medium
IEEE8021X=yes network=wireless Profile=xxxxxx access=WPA2-PSK eap=no eaptype=None wpa2pskpwdEnc=PCDGOBDDPPDJPHAAMNAHMGAGOKDMPFDBPKDL encryption=CCMP

# xxxxxx Wireless Network
Device=Wireless Mode=Infrastructure SSID=xxxxxx Priority=xxxxxx,xxxxxx
IEEE8021X=yes network=wireless Profile=xxxxxx access=WPA-PSK wpapskpwdEnc=PHBLOMCBOLCKOKAGNABJNNBGNH encryption=tkip

# VMware View Connection Broker
VDIBroker=VMWare
ConnectionBroker=VMware ConnectionType=PCoIP
OneSignServer=https://xxxxxxxxxxxxxxxxx

 

Wireless:

Name:

Aruba Operating System Software.

Model:

Aruba7220-US

Version:

6.4.3.9

Search Airheads
cancel
Showing results for 
Search instead for 
Did you mean: