Wyse D10D thin clients associated to Dot1x SSID unable to authenticate against the CPPM server running 6.4 version.

Aruba Employee

Environment Information- Master-Local 
Code: 6.3.1.13
Wireless Clients: Wyse D10D thin clients

Symptoms- Wyse D10D thin clients associated to Dot1x SSID unable to authenticate against the CPPM server running 6.4 version.

All other clients are able to associate and authenticate without any issues.
The same thin client is able to authenticate when the RADIUS server is pointed to a CPPM server running a 5.x version.
When EAP termination is enabled on the controller we see a successful EAP/RADIUS handshake; when termination is on the 6.4 CPPM server, however, the thin client never answers the EAP request sent by the AP.

 
Jan 28 12:50:47  station-down           *  00:0e:8e:4f:6e:37  00:24:6c:7f:ec:71                -   -   
Jan 28 12:50:47  station-up             *  00:0e:8e:4f:6e:37  00:24:6c:7f:ec:61                -   -    wpa2 aes
Jan 28 12:50:47  eap-id-req            <-  00:0e:8e:4f:6e:37  00:24:6c:7f:ec:61                1   5   
Jan 28 12:50:47  eap-id-resp           ->  00:0e:8e:4f:6e:37  00:24:6c:7f:ec:61                1   11   x1494
Jan 28 12:50:47  rad-req               ->  00:0e:8e:4f:6e:37  00:24:6c:7f:ec:61                39  197 
Jan 28 12:50:47  rad-resp              <-  00:0e:8e:4f:6e:37  00:24:6c:7f:ec:61/a-1-clearpass  39  76  
Jan 28 12:50:47  eap-req               <-  00:0e:8e:4f:6e:37  00:24:6c:7f:ec:61                2   6   
Jan 28 12:50:47  station-down           *  00:0e:8e:4f:6e:37  00:24:6c:7f:ec:61                -   -  

Cause- From the packet capture we found that the thin client sends no Client Hello in response to the EAP request sent by the AP.
The version proposed by the 6.4 CPPM server was TLS version 2, while the thin client uses TLS version 1, so the version negotiation fails.

The PEAP specification describes version negotiation as follows: "The PEAP server proposes the highest version that it supports within the initial PEAP packet, and the PEAP peer replies with a PEAP response indicating the version that it is configured to use. After this point, the Ver field in the PEAP packets reflects the version that was selected. These semantics ensure that all implementations of PEAP can communicate and enable both peers and servers to participate in version selection for the conversation. If version negotiation fails, the use of PEAP is not possible."
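To make that negotiation concrete, the following is an added example (not code from the article, Aruba or ClearPass) that builds and parses the 6-byte PEAP Start packet, whose size matches the 6-byte EAP request with id 2 in the trace above, and runs the version exchange under two peer models. The "strict" peer that stays silent on an unfamiliar Ver, and the version numbers used, are assumptions made for illustration.

```python
import struct
from typing import Optional

# EAP header (RFC 3748) followed by the PEAP type and flags byte; the low 3 bits
# of the flags byte are the PEAP Ver field the negotiation text refers to.
EAP_REQUEST, EAP_RESPONSE, EAP_TYPE_PEAP = 1, 2, 25
FLAG_START, VER_MASK = 0x20, 0x07


def parse_peap_header(pkt: bytes) -> dict:
    """Decode the 6-byte EAP-PEAP header and return its fields, including Ver."""
    if len(pkt) < 6:
        raise ValueError("too short for an EAP-PEAP packet")
    code, ident, length, eap_type, flags = struct.unpack("!BBHBB", pkt[:6])
    if length != len(pkt):
        raise ValueError(f"EAP length {length} does not match {len(pkt)} bytes")
    if eap_type != EAP_TYPE_PEAP:
        raise ValueError(f"EAP type {eap_type} is not PEAP")
    return {"code": code, "id": ident, "length": length,
            "start": bool(flags & FLAG_START), "version": flags & VER_MASK}


def build_peap_start(ident: int, version: int) -> bytes:
    """Server's PEAP Start: EAP-Request, S flag set, Ver = highest version it supports."""
    return struct.pack("!BBHBB", EAP_REQUEST, ident, 6, EAP_TYPE_PEAP, FLAG_START | version)


def build_peap_version_reply(ident: int, version: int) -> bytes:
    """Peer's answer to the Start carrying only the version it is configured to use."""
    return struct.pack("!BBHBB", EAP_RESPONSE, ident, 6, EAP_TYPE_PEAP, version)


def peer_reply(start_pkt: bytes, supported: set, strict: bool) -> Optional[bytes]:
    """Return the peer's reply, or None when the peer stays silent.
    strict=True is an assumed model of the silence seen in the trace: the peer only
    answers a Start whose Ver it already uses. strict=False follows the spec text.
    """
    hdr = parse_peap_header(start_pkt)
    if hdr["code"] != EAP_REQUEST or not hdr["start"]:
        raise ValueError("expected a PEAP Start request")
    proposed = hdr["version"]
    if strict:
        return build_peap_version_reply(hdr["id"], proposed) if proposed in supported else None
    usable = [v for v in supported if v <= proposed]
    return build_peap_version_reply(hdr["id"], max(usable)) if usable else None


def negotiate(server_max: int, client_supported: set, strict: bool) -> Optional[int]:
    """Run one Start/reply exchange and return the selected Ver, or None if PEAP fails."""
    reply = peer_reply(build_peap_start(2, server_max), client_supported, strict)
    return parse_peap_header(reply)["version"] if reply else None
```

With a strict peer that only knows version 1, a server proposing version 2 gets no reply at all, which is the silence the trace shows, while a server proposing version 1 completes the exchange.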

Non-working pcap: (screenshot not available in this copy)

Working pcap: (screenshot not available in this copy)

Resolution- 

There are two options to fix this issue. 

  1. ClearPass 6.3.6 or lower sends PEAP version 1, as 5.x does, so one of those releases can be used instead of 6.4.x.

  2. As a feature request, 6.4.x and later versions could be modified to set the PEAP version to 1 based on a service parameter. 

Version history: Revision 1 of 1, last update 04-05-2015 01:17 AM