Ok - so this wasn't really solved.
It turns out that once I move EAP-Termination over to Clearpass, External Authentication servers no longer work. I can only get users that are locally registered on the Clearpass server to validate with the EAP-TLS method.
I want to validate AD users via Radius Proxy (MS NPS), and this works as it should when EAP-Termination is on the Controller. Testing the AAA Test server from the Controller I get success, so the normal way things work.
I did try some more and this is part of what I get:
**
[ocsp] --> Response status: successful
This Update: Jun 16 23:32:11 2012 GMT
Next Update: Jun 17 00:32:11 2012 GMT
[oscp] --> Cert status: good
[ocsp] --> Certificate is valid!
** I was thinking that OCSP wasn't working, but the message above tells me it is.
[tls] TLS_accept: SSLv3 write finished A
[tls] TLS_accept: SSLv3 flush data
[tls] (other): SSL negotiation finished successfully
SSL Connection Established
[tls] eaptls_process returned 13
++[eap] returns handled
**** So the TLS tunnel is established as it should be between Clearpass and the Client
++[eap] returns ok
Login OK: [cpguest] (from client Aruba620_Lab port 0 cli 3451C9ABA806)
# Executing section post-auth from file /etc/raddb/radiusd.conf
+- entering group post-auth {...}
[mdps_generic] expand: ^([^:]*):([^:]+):mdps_generic$ -> ^([^:]*):([^:]+):mdps_generic$
mdps_generic: Does not match: User-Name = cpguest
++[mdps_generic] returns ok
rlm_extautz: In postauth
rlm_extautz: extautz_postauth: time-to-connect: |0.000048|
rlm_extautz: extautz_postauth: content-length-time: |0.000060|
rlm_extautz: extautz_postauth: content-send-time: |0.000251|
rlm_extautz: extautz_postauth: Received response with extautz status: 500 Fail includes|0.008169| action|0.054492| total|0.062661|
rlm_extautz: extautz_postauth: Received response pairs:
rlm_extautz: extautz_postauth: round-trip-time: |0.065613|
rlm_extautz: extautz_postauth: External program failed (1)
++[extautz] returns fail
Using Post-Auth-Type Reject
***** So this part tells me that it's unable to validate the user against any of the authentication servers.
I have an ongoing case with Support so I'll let you know what we find out. If you do have any tips on things to try then please let me know, since support is slow going, and the customer is not so patient ;)
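A small triage helper, added here as an illustration and not part of the original post or any Aruba/ClearPass tooling: it walks a FreeRADIUS-style debug log like the one quoted above and reports at which stage (OCSP, TLS handshake, EAP, post-auth) the request succeeded or failed, so the "TLS fine, rejected in post-auth by extautz" pattern is visible at a glance. The sample log is a constructed excerpt in the style of the output above; the stage names and the `triage`/`explain` functions are assumptions of this example.

```python
import re

# Constructed excerpt modelled on the ClearPass debug output quoted in the post.
SAMPLE_LOG = """\
[ocsp] --> Response status: successful
[ocsp] --> Cert status: good
[ocsp] --> Certificate is valid!
[tls] (other): SSL negotiation finished successfully
SSL Connection Established
++[eap] returns ok
Login OK: [cpguest] (from client Aruba620_Lab port 0 cli 3451C9ABA806)
# Executing section post-auth from file /etc/raddb/radiusd.conf
rlm_extautz: extautz_postauth: Received response with extautz status: 500 Fail includes|0.008169| action|0.054492| total|0.062661|
rlm_extautz: extautz_postauth: External program failed (1)
++[extautz] returns fail
Using Post-Auth-Type Reject
"""


def triage(log_text: str) -> dict:
    """Extract per-stage outcome of one EAP-TLS request from the debug log."""
    r = {"ocsp": None, "tls": None, "eap": None, "user": None,
         "post_auth_fail": None, "ext_status": None, "final": "unknown"}
    in_post_auth = False  # only count 'returns fail' once post-auth has started
    for line in log_text.splitlines():
        if "[ocsp] --> Cert status:" in line:
            r["ocsp"] = line.rsplit(":", 1)[1].strip()      # e.g. "good"
        elif "SSL Connection Established" in line:
            r["tls"] = "established"
        elif m := re.search(r"Login OK: \[([^\]]+)\]", line):
            r["eap"], r["user"] = "ok", m.group(1)          # inner EAP accepted
        elif "Executing section post-auth" in line:
            in_post_auth = True
        elif m := re.search(r"extautz status: (\d+)", line):
            r["ext_status"] = int(m.group(1))               # external authz HTTP-like status
        elif in_post_auth and (m := re.search(r"\+\+\[(\w+)\] returns fail", line)):
            r["post_auth_fail"] = m.group(1)                # module that forced the reject
        elif "Post-Auth-Type Reject" in line:
            r["final"] = "reject"
    return r


def explain(r: dict) -> str:
    """One-line verdict naming the first stage that did not pass."""
    if r["ocsp"] not in (None, "good"):
        return f"certificate revocation check failed: OCSP status {r['ocsp']}"
    if r["tls"] is None:
        return "TLS handshake never completed (client cert / chain / cipher problem)"
    if r["eap"] != "ok":
        return "TLS up but EAP inner authentication did not succeed"
    if r["final"] == "reject":
        return (f"EAP-TLS succeeded for {r['user']}; rejected in post-auth by "
                f"'{r['post_auth_fail']}' (external status {r['ext_status']})")
    return f"access accepted for {r['user']}"
```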