New Contributor
Posts: 9
Registered: ‎08-13-2015

802.1X with Windows XP and Clearpass via Remote IAP (VPN)

Windows XP clients with valid machine certificates can't authenticate via 802.1x to Clearpass. Windows 7 clients with the same configuration (that I can tell) can connect and authenticate via 802.1x to Clearpass. I do not see any logs on Clearpass when the XP clients try to connect to the SSID, and with a Wireshark capture I see an EAP Failure with Code #4. Any thoughts or ideas on why the XP clients can't connect/authenticate in this method?

New Contributor
Posts: 9
Registered: ‎08-13-2015

Re: 802.1X with Windows XP and Clearpass via Remote IAP (VPN)

I would like to add this screenshot from the Wireshark capture. The first group of EAP messages is between the client and the IAP (VPN) and the second is between the same client and our Campus AP. The campus AP is also WPA2-Enterprise using 802.1x via AD, not Clearpass. Looks like there is a key exchange that doesn't happen with the IAP setup.

IAP_Cap.png

MVP
Posts: 4,168
Registered: ‎07-20-2011

Re: 802.1X with Windows XP and Clearpass via Remote IAP (VPN)

EAP-TLS or PEAP?
Using a public or private certificate?
Any errors on the IAP logs?
Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA

New Contributor
Posts: 9
Registered: ‎08-13-2015

Re: 802.1X with Windows XP and Clearpass via Remote IAP (VPN)

Hey Victor, long time no talk. This is Chris Shopp from Carestream!

This is EAP-TLS using the machine certificate issued by our ICA. Logs are attached and scrubbed, so the x.x.x.x is an actual IP and the username is an actual username.

MVP
Posts: 4,168
Registered: ‎07-20-2011

Re: 802.1X with Windows XP and Clearpass via Remote IAP (VPN)

Definitely, it's been a while, man; hope all is well.

Is the device set up in RAP mode or Instant mode using IPSec?

If it is in Instant mode, then I would confirm that the pre-shared key matches in both places (IAP and CPPM).

You can check in the Live Monitoring > Event Viewer if that's the case.

Do you have this working through the campus APs?

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA

New Contributor
Posts: 9
Registered: ‎08-13-2015

Re: 802.1X with Windows XP and Clearpass via Remote IAP (VPN)

This is an IAP with IPSEC tunneling to the controller (over the internet). Pre-shared keys are good to go and Windows 7 machines authenticate with no problem. We are not using Clearpass to authenticate Campus SSIDs (we are using AD only).

MVP
Posts: 4,168
Registered: ‎07-20-2011

Re: 802.1X with Windows XP and Clearpass via Remote IAP (VPN)

Can you check if that machine has the cert provided by your CA? Or if the CA issued the machine cert?
Are you pushing a GPO to configure the wireless profile?

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA