Security

Windows XP clients with valid machine certificates can't authenticate via 802.1x to Clearpass.  Windows 7 clients with the same configuration (that I can tell) can connect and authenticate via 802.1x to Clearpass.  I do not see any logs on Clearpass when the XP clients try to connect to the SSID and with a wireshark capture I see an EAP Failure with Code #4.  Any thoughts or ideas on why the XP clients can't connect/authenticate in this method?

I would like to add this screenshot from the wireshark capture.  The first group of EAP messages is between the client and the IAP (VPN) and the second is between the same client and our Campus AP.  The campus AP is also WPA2-Enterprise using 802.1x via AD not clearpass.  Looks like there is a key exchange that doesn't happen with the IAP setup.

 

EAP-TLS or PEAP ?
Using a public or private certificate ?
Any errors on the IAP logs?

Hey Victor long time no talk.  This is Chris Shopp from Carestream!

 

This is EAP-TLS using the machine certificate issued by our ICA.  Logs are attached and scrubbed, so the x.x.x.x is an actual IP and the username is an actual username.

 

 

 

Definitely its been a while man , hope all is well.

Is the device setup in RAP mode or Instant mode using IPSec ?

If it is in Instant mode then I would confirm that the pre-shared key matches in both places (IAP and CPPM)

You can check in the Live MOnitoring > Event viewer if thats case.

Do you have this working through the campus APs ?

This is an IAP with IPSEC tunneling to the controller (over the internet)  Pre-shared keys are good to go and Windows 7 machines authenticate with no problem.  We are not using Clearpass to authenticate Campus SSIDs (we are using AD only). 

Can you check if that machine has a the cert provided by your CA ? Or if the CA issued the machine cert
Are you pushing a GPO to configure the wireless profile ?


Sent from Outlook Mobile