Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

802.1X auth fail first time authentication against CPPM with Apple devices

  • 1.  802.1X auth fail first time authentication against CPPM with Apple devices

    Posted Mar 30, 2016 07:00 AM

    Hi all,

     

    We have a requirement that Apple devices perform 802.1X PEAP authentication against CPPM. Users will authenticate using their AD credentials.

     

    What we have found is that when first-time users use their Apple iPhone to authenticate against CPPM, they are not able to connect to the WLAN. They either receive a prompt with a message saying they can't connect to the WLAN or it keeps attempting to connect but drops off at the end. Under the Access Tracker it comes up with an error 9002 timeout, with the response that EAP failed to complete. Once the user tries a few more times, they are able to complete the authentication and connect to the WLAN.

     

    We confirmed the certificate is installed correctly and the RSSI the client devices are getting is above SNR of 25. We tested this with an iPad mini running v9.2, iPhone 4S running 7.2, and Android devices but no issues connecting first time. However, we are able to replicate this issue with an iPhone 5 and 6 using an account authenticating against CPPM the first time. Once the client has been authenticated, the issue seems to have gone away for that particular user.

     

    Any advice on what this issue could be? We have a TAC case opened and confirmed so far that the issue is not related to time taken to perform AD lookups. We have seen on some occasions that an AD access-challenge is sent but no reply is sent back from the client. Would like to see what the wider audience thinks about this issue.



  • 2.  RE: 802.1X auth fail first time authentication against CPPM with Apple devices

    EMPLOYEE
    Posted Mar 30, 2016 08:55 AM
    What version of ClearPass?



  • 3.  RE: 802.1X auth fail first time authentication against CPPM with Apple devices

    Posted Mar 30, 2016 05:30 PM

    Using version 6.5.5.



  • 4.  RE: 802.1X auth fail first time authentication against CPPM with Apple devices

    EMPLOYEE
    Posted Mar 30, 2016 05:48 PM
    That error is typically seen when the user does not or does not immediately trust the server certificate after authenticating. If you switched to a new server certificate, this is expected. That may not be your situation, but that is one way that situation occurs. The permanent solution is to have a public RADIUS server certificate that Mac OS X clients trust. I am not sure if certificate authorities still distribute 30-day temporary certificates, but it might be worth a try to see if that solves your problem.


  • 5.  RE: 802.1X auth fail first time authentication against CPPM with Apple devices

    Posted Mar 30, 2016 09:40 PM

    If ClearPass did not receive a response for the access challenge for ~50 sec, it will log the message as 'Client did not complete EAP transaction' and will move on to process the next request.

     

    Packet capture on ClearPass and on the NAS (at the same time) along with auth trace-buff debug log during the problem period may help to isolate the issue.
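
The packet-capture check suggested in the post above, as an added example that is not part of the original thread: it parses RADIUS packets (RFC 2865 layout) and lists each Access-Challenge whose State value was never echoed in a following Access-Request within about 50 seconds. The sample packets, State values and function names are constructed for illustration, and it assumes each challenge carries a distinct State attribute.

```python
import struct

ACCESS_REQUEST, ACCESS_CHALLENGE, STATE = 1, 11, 24  # RFC 2865 code and attribute numbers
EAP_TIMEOUT = 50.0  # seconds, the approximate wait described in the post above

def parse_radius(data):
    """Return (code, identifier, {attr_type: [values]}) for one RADIUS packet."""
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > len(data):
        raise ValueError("bad RADIUS length")
    attrs, pos = {}, 20  # attributes start after the 16-byte authenticator
    while pos + 2 <= length:
        a_type, a_len = data[pos], data[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(a_type, []).append(data[pos + 2:pos + a_len])
        pos += a_len
    return code, ident, attrs

def unanswered_challenges(packets, capture_end):
    """packets: iterable of (timestamp, raw_bytes); returns [(challenge_ts, state)] left unanswered."""
    pending = {}  # State value -> time the Access-Challenge was sent
    for ts, raw in sorted(packets):
        code, _, attrs = parse_radius(raw)
        for state in attrs.get(STATE, []):
            if code == ACCESS_CHALLENGE:
                pending[state] = ts
            elif code == ACCESS_REQUEST:
                sent = pending.get(state)
                if sent is not None and ts - sent <= EAP_TIMEOUT:
                    del pending[state]  # client answered in time
    # Only report challenges the capture observed for the full timeout window.
    return sorted((ts, st) for st, ts in pending.items() if capture_end - ts >= EAP_TIMEOUT)

def build(code, ident, state):
    """Build a constructed sample packet (zeroed authenticator, State attribute only)."""
    attr = bytes([STATE, 2 + len(state)]) + state
    return struct.pack("!BBH", code, ident, 20 + len(attr)) + bytes(16) + attr

# Constructed sample capture: session A completes, session B stalls after a challenge.
SAMPLE = [
    (0.0, build(ACCESS_CHALLENGE, 1, b"sess-A-1")),
    (0.2, build(ACCESS_REQUEST, 2, b"sess-A-1")),
    (5.0, build(ACCESS_CHALLENGE, 7, b"sess-B-1")),
]

if __name__ == "__main__":
    for ts, state in unanswered_challenges(SAMPLE, capture_end=60.0):
        print(f"Access-Challenge at t={ts}s (State={state!r}) had no reply within {EAP_TIMEOUT}s")
```

Running the same check over captures taken on ClearPass and on the NAS at the same time shows whether the reply is missing on both sides or only on one.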



  • 6.  RE: 802.1X auth fail first time authentication against CPPM with Apple devices

    Posted Mar 30, 2016 10:04 PM

    Thanks, that echoes what was mentioned by TAC. It looks like an access-challenge response is not sent back by the client which is resulting in the EAP transaction not being completed. The verdict is that it could be a client behaviour based issue as we weren't able to replicate this across the entire fleet of Apple devices for users authenticating against CPPM the first time.



  • 7.  RE: 802.1X auth fail first time authentication against CPPM with Apple devices

    EMPLOYEE
    Posted Apr 24, 2016 05:46 AM

    I have seen this error 'Cannot connect to the network' multiple times on my iOS devices when running iOS 9.2 on my iPad mini; I did not take the effort to investigate, however after upgrading the device to iOS 9.3, that behavior of error on first connect magically resolved.

    So if you still have this issue, and the iOS devices are running older iOS versions, you may try upgrading the device.

     

    I think your question is from the time that iOS 9.3 was not yet released, so I decided to post my experience for people seeing the same issue.



  • 8.  RE: 802.1X auth fail first time authentication against CPPM with Apple devices

    Posted Apr 24, 2016 06:53 PM

    Thank you for the feedback, much appreciated. I will test this out when I get a chance this week.

     

    Cheers!