Occasional Contributor II
Posts: 11
Registered: ‎10-16-2015

802.1X auth fail first time authentication against CPPM with Apple devices

Hi all,

We have a requirement that Apple devices perform 802.1X PEAP authentication against CPPM. Users will authenticate using their AD credentials.

What we have found is that first-time users using their Apple iPhone to authenticate against CPPM are not able to connect to the WLAN. They either receive a prompt with a message saying they can't connect to the WLAN or it keeps attempting to connect but drops off at the end. Under the access tracker it comes up with an error 9002 timeout, with the response being that EAP failed to complete. Once the user tries a few more times, they are able to complete the authentication and connect to the WLAN.

We confirmed the certificate is installed correctly and the RSSI the client devices are getting is above SNR of 25. We tested this with an iPad mini running v9.2, iPhone 4S running 7.2, and Android devices, but had no issues connecting the first time. However, we are able to replicate this issue with an iPhone 5 and 6 using an account authenticating against CPPM the first time. Once the client has been authenticated, the issue seems to have gone away for that particular user.

Any advice on what this issue could be? We have a TAC case opened and have confirmed so far that the issue is not related to the time taken to perform AD lookups. We have seen on some occasions that an AD access-challenge is sent but no reply is sent back from the client. Would like to see what the wider audience thinks about this issue.

Guru Elite
Posts: 7,828
Registered: ‎09-08-2010

Re: 802.1X auth fail first time authentication against CPPM with Apple devices

What version of ClearPass?

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Occasional Contributor II
Posts: 11
Registered: ‎10-16-2015

Re: 802.1X auth fail first time authentication against CPPM with Apple devices

Using version 6.5.5.

Guru Elite
Posts: 19,949
Registered: ‎03-29-2007

Re: 802.1X auth fail first time authentication against CPPM with Apple devices

That error is typically seen when the user does not or does not immediately trust the server certificate after authenticating. If you switched to a new server certificate, this is expected. That may not be your situation, but that is one way that situation occurs. The permanent solution is to have a public RADIUS server certificate that Mac OS X clients trust. I am not sure if certificate authorities still distribute 30-day temporary certificates, but it might be worth a try to see if that solves your problem.
Colin Joseph
Aruba Customer Engineering

Aruba Employee
Posts: 10
Registered: ‎04-28-2009

Re: 802.1X auth fail first time authentication against CPPM with Apple devices

If ClearPass did not receive a response for the access challenge for ~50 sec, it will log the message as 'Client did not complete EAP transaction' and will move on to process the next request.

A packet capture on ClearPass and on the NAS (at the same time), along with the auth trace-buff debug log during the problem period, may help to isolate the issue.
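
One way to work through the paired captures suggested above, as an added example that is not part of the original post and not Aruba tooling: it matches each Access-Challenge the server sent against both captures to show where the exchange stopped. It assumes the packets have already been reduced to (time, RADIUS code, State attribute) tuples, that both capture clocks are synchronized, and that the State values shown are constructed placeholders.

```python
# Added example: all packet records below are constructed, not real captures.
ACCESS_REQUEST, ACCESS_CHALLENGE = 1, 11  # RADIUS packet codes (RFC 2865)
EAP_TIMEOUT = 50.0  # seconds, the "~50 sec" figure quoted in the post above

def classify_challenges(server_pkts, nas_pkts, timeout=EAP_TIMEOUT):
    """Return {state: verdict} for each Access-Challenge the server sent.

    A packet is (time_s, radius_code, state). `state` is the RADIUS State
    attribute: set by the server in a challenge and echoed by the NAS in the
    Access-Request that carries the client's next EAP message.
    """
    def seen(pkts, code, state, start):
        return any(c == code and s == state and start <= t <= start + timeout
                   for t, c, s in pkts)

    verdicts = {}
    for t, code, state in server_pkts:
        if code != ACCESS_CHALLENGE:
            continue
        if seen(server_pkts, ACCESS_REQUEST, state, t):
            verdicts[state] = "answered"
        elif not seen(nas_pkts, ACCESS_CHALLENGE, state, t):
            verdicts[state] = "challenge never reached the NAS"
        elif seen(nas_pkts, ACCESS_REQUEST, state, t):
            verdicts[state] = "reply lost between NAS and server"
        else:
            verdicts[state] = "no EAP response relayed by the NAS"
    return verdicts

# Constructed capture on the RADIUS server.
SERVER = [(0.00, 1, None), (0.02, 11, "s1"), (0.10, 1, "s1"), (0.12, 11, "s2"),
          (60.00, 1, None), (60.02, 11, "s3"),
          (120.00, 1, None), (120.02, 11, "s4")]
# Constructed capture on the NAS for the same period.
NAS = [(0.00, 1, None), (0.03, 11, "s1"), (0.09, 1, "s1"), (0.13, 11, "s2"),
       (60.00, 1, None),
       (120.00, 1, None), (120.03, 11, "s4"), (120.10, 1, "s4")]

if __name__ == "__main__":
    for state, verdict in classify_challenges(SERVER, NAS).items():
        print(state, "->", verdict)
```

A "no EAP response relayed by the NAS" verdict is the case that calls for the wireless-side debug log, since neither RADIUS capture can show whether the client received the EAP request over the air.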

Occasional Contributor II
Posts: 11
Registered: ‎10-16-2015

Re: 802.1X auth fail first time authentication against CPPM with Apple devices

Thanks, that echoes what was mentioned by TAC. It looks like an access-challenge response is not sent back by the client which is resulting in the EAP transaction not being completed. The verdict is that it could be a client behaviour based issue as we weren't able to replicate this across the entire fleet of Apple devices for users authenticating against CPPM the first time.

Aruba Employee
Posts: 365
Registered: ‎11-04-2011

Re: 802.1X auth fail first time authentication against CPPM with Apple devices

I have seen this error 'Cannot connect to the network' multiple times on my iOS devices when running iOS 9.2 on my iPad mini; I did not take the effort to investigate, however after upgrading the device to iOS 9.3, that behavior of error on first connect magically resolved.

So if you still have this issue, and the iOS devices are running older iOS versions, you may try upgrading the device.

I think your question is from the time that iOS 9.3 was not yet released, so I decided to post my experience for people seeing the same issue.

--
If you have urgent issues, please contact your Aruba partner or Aruba TAC.
Occasional Contributor II
Posts: 11
Registered: ‎10-16-2015

Re: 802.1X auth fail first time authentication against CPPM with Apple devices

Thank you for the feedback, much appreciated. I will test this out when I get a chance this week.

Cheers!
