New Contributor

Clearpass EAP-TLS Timeout _ Error code 9002 _ Client did not complete EAP Transaction

Hoping someone can assist as I'm striking out with TAC on this issue.

We have Win10 machines with full credential guard enabled so we have to naturally use EAP-TLS for these workstations to authenticate properly.

Currently I have about 20 machines on the network in this fashion so far, and when one of these machines "LEAVES THE NETWORK" for approx. 48 hrs, when they come back and authenticate there is a VERY good chance they will TIMEOUT and fail to log on correctly.

Access Tracker details include:

Login Status: TIMEOUT
Alerts Tab: Client did not complete EAP Transaction
Error code: 9002

Some information of our environment:

- We have an internal certificate authority and I have confirmed we have imported the Root, Intermediate, and server certificates for both issuers to our CPPM.
- I have confirmed in the trust list both servers are added and "enabled"
- The CN is also added to the trust list and also "enabled"

We have captured Wireshark captures on the CPPM as well as debug logs, in addition to the switch uplink port Wireshark captures. Following the trace on the packets, it appears the server stops asking and the switch stops providing, although there is no outright error to go off.

We have attempted to resolve with the following changes:

1. For our EAP-TLS Method we REMOVED "Authorization Required"; Session Resumption is still 'enabled'
2. Disabled the switch server dead time
3. Adjusted "aaa authentication num-attempts 1" instead of 2
4. Adjusted the MTU size for EAP-TLS packets on CPPM to 1374 instead of the default 1024
5. Confirmed our workstations have the Computer Cert required, and it is indeed provided by the right issuer (via GPO) and no duplicates exist.

CPPM and switch firmware versions:

Currently running ClearPass version: 6.6.9.102777
HP 3800 switch on version: KA.16.04.0009
HP 5406 switch on version: K.16.02.0022m

Any help or suggestions on what else to try would be greatly appreciated.

Thanks!
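As an added example that is not code from this thread or from Aruba, a small stall finder for the kind of capture described above: it reads a constructed, simplified per-packet text export of the switch-to-CPPM RADIUS/EAP exchange (the line format and the sample trace are assumptions) and reports whether the transaction finished or where it stalled, and how large CPPM's challenge fragments were.

```python
import re

# Constructed sample trace in an assumed one-line-per-packet format
# (not a ClearPass, switch or Wireshark export format):
#   <seconds> <switch|cppm> <RADIUS code> <EAP summary> len=<bytes>
SAMPLE_TRACE = """
0.000 switch Access-Request   EAP-Response/Identity len=120
0.012 cppm   Access-Challenge EAP-Request/EAP-TLS(Start) len=70
0.030 switch Access-Request   EAP-Response/EAP-TLS(ClientHello) len=310
0.045 cppm   Access-Challenge EAP-Request/EAP-TLS(ServerHello fragment 1/3) len=1408
0.060 switch Access-Request   EAP-Response/EAP-TLS(ack) len=60
0.075 cppm   Access-Challenge EAP-Request/EAP-TLS(ServerHello fragment 2/3) len=1408
"""
LINE = re.compile(
    r"^(?P<t>\d+\.\d+)\s+(?P<who>switch|cppm)\s+(?P<code>Access-\w+)\s+"
    r"(?P<eap>.+?)\s+len=(?P<len>\d+)$"
)

def parse_trace(text: str) -> list[dict]:
    """Parse the simplified trace into dicts; lines that do not match are ignored."""
    pkts = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            p = m.groupdict()
            p["t"], p["len"] = float(p["t"]), int(p["len"])
            pkts.append(p)
    return pkts

def diagnose(pkts: list[dict]) -> dict:
    """Describe how the EAP transaction ended: Accept/Reject, or stalled on whom."""
    if not pkts:
        return {"outcome": "empty"}
    challenges = [p for p in pkts if p["code"] == "Access-Challenge"]
    last = pkts[-1]
    if last["code"] in ("Access-Accept", "Access-Reject"):
        return {"outcome": last["code"], "challenges_sent": len(challenges)}
    # No final Accept/Reject, so the last packet was never answered; if CPPM sent it,
    # the client side went silent. Report the largest server fragment for MTU review.
    return {
        "outcome": "stalled",
        "waiting_on": "client" if last["who"] == "cppm" else "server",
        "after": last["eap"],
        "last_len": last["len"],
        "challenges_sent": len(challenges),
        "largest_challenge": max((p["len"] for p in challenges), default=0),
    }
def run_sample() -> dict:
    return diagnose(parse_trace(SAMPLE_TRACE))
```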

Guru Elite

Re: Clearpass EAP-TLS Timeout _ Error code 9002 _ Client did not complete EAP Transaction

Drivers up to date?

Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
New Contributor

Re: Clearpass EAP-TLS Timeout _ Error code 9002 _ Client did not complete EAP Transaction

Issue has occurred on HP laptops as well as Microsoft Surface tablets (all wired). We have confirmed the latest HP drivers are up to date; I will need to confirm on the Surface tablet though.

Is there a possibility that a ClearPass upgrade to 6.7 would also help, although TAC has not suggested that either?

I should also add, once the workstation has authenticated properly (sometimes a few restarts, sometimes a port disable / enable on the switch) it works correctly every single day until it leaves the network for 48 hrs or so approx.

In some cases, just leaving the affected machine connected to the network, it will correct itself 2 or 3 hours later that day. And again, work fine going forward until an interruption occurs like taking the machine home on the weekend etc.

Guru Elite

Re: Clearpass EAP-TLS Timeout _ Error code 9002 _ Client did not complete EAP Transaction

Do you have a packet capture from the device when it's occurring?

Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
New Contributor

Re: Clearpass EAP-TLS Timeout _ Error code 9002 _ Client did not complete EAP Transaction

Yes, the latest capture includes CPPM in debug mode, packet capture, as well as a pcap on the switch.

Do you have access to the TAC case # for the pcaps supplied and/or the technician I've been working with? My decision to post here is obviously due to your knowledge on the product and a recommendation from Dennis Boas when I was at HP Discover.

Current captures are for ticket #5331977160 but I can resend if needed; (2) files roughly 180 meg in size each.
