03-30-2016 04:00 AM
We have a requirement that Apple devices peform 802.1X PEAP authentication against CPPM. Users will authenticate using their AD credentials.
What we have found is that first time users using their Apple iPhone to authenticate against CPPM, they are not able to connect to the WLAN. They either receive a prompt with a mesage saying they can't connect to the WLAN or it keeps attempting to connect but drops off at the end. Under the access tracker is comes up with an error 9002 timeout with the response is EAP failed to complete. Once the user tries a few more times, they are able to complete the authentication and connect to the WLAN.
We confirmed the certificate is installed correctly and the RSSI the client devices are getting is above SNR of 25. We tested this with an Ipad mini running v9.2, Iphone 4S running 7.2, and Andrioid devices but no issues connecting first time. However, we are able to replicate this issue with an iPhone 5 and 6 using an account authenticating against CPPM the first time. Once the client has been authenticated, the issue seems to have gone away for that particular user.
Any advice on what this issue could be? We have a TAC case opened and confirmed so far that issue is not related to time taken to perform AD lookups. We have seen in some occaisions that an AD access-challenge is sent but no reply is sent back from the client. Would like to see what the wider audience think about this issue.
03-30-2016 02:48 PM
Aruba Customer Engineering
Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base
03-30-2016 06:40 PM
If ClearPass did not receive a response for the access challenge for ~50sec, it will log the message as 'Client did not complete EAP transaction' and will move on to process the next request.
Packet capture on ClearPass and on the NAS(at the same time) along with auth trace-buff debug log during the problem period may help to isolate the issue.
03-30-2016 07:04 PM
Thanks, that echoes what was mentioned by TAC. It looks like an access-challenge response is not sent back by the client which is resulting in the EAP transaction not being completed. The verdict is that it could be a client behaviour based issue as we weren't able to replicate this across the entire fleet of Apple devices for users authenticating against CPPM the first time.
04-24-2016 02:46 AM
I have seen this error 'Cannot connect to the network' multiple times on my iOS devices when running IOS 9.2 on my iPad mini; I did not take to effort to investigate, however after upgrading the device to IOS 9.3, that behavior of error on first connect magically resolved.
So if you still have this issue, and the IOS devices are running older IOS versions, you may try upgrading the device.
I think your question is from the time that IOS 9.3 was not yet released, so I decided to post my experience for people seeing the same issue.
If you have urgent issues, please contact your Aruba partner or Aruba TAC (click for contact details).