Question - Why do Dell d10d Wyse thin clients fail EAP-PEAP authentication against ClearPass 6.4 when they work fine against earlier versions?
Environment Information -
Client: Dell d10d Wyse thin client
ClearPass version: 6.4.x
Authentication method: EAP-PEAP
Symptoms - Dell d10d Wyse thin clients are not able to connect to the network when authentication is done against ClearPass version 6.4.x. The alert message in Access Tracker is "Client did not complete EAP transaction". An over-the-air packet capture shows an EAP-Request going to the client but no response from the client. The supplicant logs show "SSL connection could not be established".
If we point the authentication to ClearPass 6.3.x or earlier, the authentication works fine. Packet captures in this case show that the client is responding to EAP-Requests.
Cause - PEAP has multiple flavours: PEAP version 0, 1 and 2. As per the RFC, the authentication server should send the highest version of the authentication method that it supports in the EAP-Request. The supplicant is supposed to respond with the version that it supports. ClearPass 6.4 onwards implements support for PEAP version 2, and hence the EAP-Request packet carries PEAP version 2.
The Dell d10d Wyse supplicant has an issue where it does not participate in EAP negotiation when the EAP-Request has PEAP version 2. The supplicant treats this as an invalid EAP request and stops responding.
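To confirm this cause from a capture, the following added example (not part of the original article or of ClearPass) reads the PEAP version out of each EAP frame and lists PEAP Start requests that never received a response. It assumes the EAP-TLS style flags octet used by PEAP (Start bit 0x20, version in the low bits, mask 0x07); the function names and the hex frames are constructed for illustration.

```python
import struct

EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_PEAP = 25          # EAP method type assigned to PEAP
FLAG_START = 0x20           # "S" bit in the flags octet
VERSION_MASK = 0x07         # assumption: version carried in the low bits

def parse_peap(frame: bytes):
    """Return (code, identifier, start_bit, version), or None if not PEAP."""
    if len(frame) < 6:
        return None
    code, ident, length, eap_type = struct.unpack("!BBHB", frame[:5])
    if code not in (EAP_REQUEST, EAP_RESPONSE) or eap_type != EAP_TYPE_PEAP:
        return None
    if length < 6 or length > len(frame):
        return None          # truncated or malformed EAP packet
    flags = frame[5]
    return code, ident, bool(flags & FLAG_START), flags & VERSION_MASK

def unanswered_starts(frames):
    """List (identifier, offered_version) of PEAP Starts with no response."""
    pending = {}
    for frame in frames:
        parsed = parse_peap(frame)
        if parsed is None:
            continue
        code, ident, start, version = parsed
        if code == EAP_REQUEST and start:
            pending[ident] = version      # retransmissions overwrite
        elif code == EAP_RESPONSE:
            pending.pop(ident, None)      # client answered this identifier
    return sorted(pending.items())

# Constructed sample: server offers version 2, retransmits, client stays silent.
CAPTURE_NO_REPLY = [bytes.fromhex("010500061922"), bytes.fromhex("010500061922")]
# Constructed sample: a Start that the client answers (TLS payload omitted).
CAPTURE_REPLY = [bytes.fromhex("010700061920"), bytes.fromhex("020700061900")]

if __name__ == "__main__":
    for name, cap in (("no reply", CAPTURE_NO_REPLY), ("reply", CAPTURE_REPLY)):
        print(name, unanswered_starts(cap))
```

An unanswered Start whose offered version is 2 matches the symptom described above.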
Resolution - There are multiple solutions to recover from this situation:
1. Use ClearPass 6.3.x until other solutions are available.
2. ClearPass 6.5.x would soon have a feature enhancement that allows an admin user to select the PEAP version in the ClearPass RADIUS configuration.
3. Upgrade the supplicant firmware to one that handles EAP negotiation in a better, RFC-compliant way.