Occasional Contributor I
Posts: 9
Registered: ‎09-29-2016

Certificate authentication issues - Clearpass 802.1x - Windows Client

I have Clearpass version 6.6.2.86786 (Clearpass 5k) and I am trying to get Certificate authentication working using a Windows 10 Laptop. This is wired 802.1x authentication using a Juniper switch. 
 
I have a service set up for EAP-TLS with the following settings:
 
[Screenshot: clearpass-eap-tls.png]
 
We have a PKI infrastructure here using OpenCA. I have a certificate set up on the Clearpass server that was issued by the CA. On the Windows 10 laptop, I have the x509 cert installed. The Windows 10 laptop is set up for Smart Card or other Certificate. "Verify the identity of the validating certificate" is checked and the Root Cert for our PKI is checked. I have tried that with and without the check marks. I have also checked "Certificate Issuer" and selected the root certificate. I have also tried that disabled.
 
I keep getting the following error in the Access Tracker on Clearpass:
 
Client did not complete EAP transaction
 
On the windows side I get the following errors:
 
Wired 802.1X Authentication failed.
 
Network Adapter: Intel(R) Ethernet Connection (3) I218-LM
Interface GUID: {cc5c0465-62ed-42b4-ac10-11b21a475b58}
Peer Address: 648788A46088
Local Address: 68F7288D6039
Connection ID: 0xe
Identity: NULL
User:XXXXX
Domain: AD
Reason: 0x50005
Reason Text: Network authentication failed\nThe user certificate required for the network can't be found on this computer.
 
Error Code: 0x80420014
 
or 
 
Wired 802.1X Authentication failed.
 
Network Adapter: Intel(R) Ethernet Connection (3) I218-LM
Interface GUID: {cc5c0465-62ed-42b4-ac10-11b21a475b58}
Peer Address: 648788A46088
Local Address: 68F7288D6039
Connection ID: 0x5
Identity: host/XXXXX
User: -
Domain: -
Reason: 0x50005
Reason Text: Network authentication failed due to a problem with the user account
 
Error Code: 0x40420110
 
I am going to try setting up wpa_supplicant on a linux system and seeing if I can successfully test that service that way, but I configured this Windows system thinking this would be easy. Any ideas on what I can do to troubleshoot this and get this working?
 
 
Aruba Employee
Posts: 10
Registered: ‎04-28-2009

Re: Certificate authentication issues - Clearpass 802.1x - Windows Client

From the Windows error logs, it appears that the client did not present its certificate, as a result of which the EAP authentication timed out in ClearPass. If this is a user certificate, please make sure the client has its certificate installed under the Personal folder in certmgr.msc. We can try the same certificate on any other client to isolate the problem.

 

To understand this further, enable debug for the RADIUS service (Administration --> Server Manager --> Log configuration --> select the RADIUS service and set the log level to DEBUG). Attempt again with different clients and attach the Access Tracker logs.

 

 

Occasional Contributor I
Posts: 9
Registered: ‎09-29-2016

Re: Certificate authentication issues - Clearpass 802.1x - Windows Client

I use the same certificate to access certain internal sites and it is in the Personal folder. I'll test it from another Windows system and I'll try a co-worker's system to test with their certificate. I tried from an Ubuntu VM last night but had a lot of issues. 

 

Thank you for the directions to turn on the debug for the radius server. I attached the logs. 

 

Guru Elite
Posts: 8,036
Registered: ‎09-08-2010

Re: Certificate authentication issues - Clearpass 802.1x - Windows Client

Is the Windows supplicant configured for User, Computer or User+Computer authentication?


Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Occasional Contributor I
Posts: 9
Registered: ‎09-29-2016

Re: Certificate authentication issues - Clearpass 802.1x - Windows Client

I have tried all three, but most of the time when I test, it is "user or computer authentication". 

Guru Elite
Posts: 8,036
Registered: ‎09-08-2010

Re: Certificate authentication issues - Clearpass 802.1x - Windows Client

Is there a user certificate in the user store and a machine certificate in the computer store?

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Occasional Contributor I
Posts: 9
Registered: ‎09-29-2016

Re: Certificate authentication issues - Clearpass 802.1x - Windows Client

There is a user cert in the user store from the same CA that Clearpass's certificate is using. There is a machine cert in the local computer store, but it is a self-signed cert, it looks like, since the "issued by" is the same name as the machine. Do I need a machine cert from the same CA as well? I thought I could get by with just the user cert.

Guru Elite
Posts: 8,036
Registered: ‎09-08-2010

Re: Certificate authentication issues - Clearpass 802.1x - Windows Client

Are you using ADCS?

If you want to authenticate the machine, you'll need a machine cert in the computer store.

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Occasional Contributor I
Posts: 9
Registered: ‎09-29-2016

Re: Certificate authentication issues - Clearpass 802.1x - Windows Client

No. Using OpenCA and the certs are manually added. We currently use the user cert to connect via WiFi directly onto the Aruba Controller. Eventually we want to move wireless to Clearpass as well. I am starting with Wired NAC first.

Guru Elite
Posts: 8,036
Registered: ‎09-08-2010

Re: Certificate authentication issues - Clearpass 802.1x - Windows Client

Can you try setting the supplicant to user only and then manually configuring the supplicant for EAP-TLS including the cert selection options to reference the CA?


Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
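
The store checks discussed in this thread (user certificate in the user's Personal store, machine certificate in the computer's Personal store, self-signed versus CA-issued) can be scripted instead of clicked through in certmgr.msc. The following is an added example, not code from any poster or from Aruba; the Client Authentication EKU column is an extra check the thread does not mention, and reading the computer store's private-key status may require an elevated prompt.

```powershell
# Added example: inventory the two Personal stores the Windows supplicant
# draws from and flag the properties relevant to EAP-TLS client auth.
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth
$stores = [ordered]@{
    'User'     = 'Cert:\CurrentUser\My'    # used for User authentication
    'Computer' = 'Cert:\LocalMachine\My'   # used for Computer authentication
}

$report = foreach ($name in $stores.Keys) {
    Get-ChildItem -Path $stores[$name] | ForEach-Object {
        $cert = $_
        $ekuExt = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        # A certificate with no EKU extension is not restricted to listed purposes.
        $clientAuth = if ($ekuExt) {
            [bool]($ekuExt.EnhancedKeyUsages |
                   Where-Object { $_.Value -eq $clientAuthOid })
        } else { $true }

        [pscustomobject]@{
            Store         = $name
            Subject       = $cert.Subject
            Issuer        = $cert.Issuer
            # Subject equal to Issuer is the "issued by the machine itself" case
            SelfSigned    = ($cert.Subject -eq $cert.Issuer)
            # Without the private key the supplicant cannot use the certificate
            HasPrivateKey = $cert.HasPrivateKey
            Expired       = ($cert.NotAfter -lt (Get-Date))
            ClientAuthEku = $clientAuth
            Thumbprint    = $cert.Thumbprint
        }
    }
}

$report | Format-Table -AutoSize -Wrap
```

A row that is self-signed, lacks a private key, or is expired is one the RADIUS server or the supplicant will not accept for EAP-TLS; compare the Issuer column against the CA that issued the ClearPass server certificate.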