Security

last person joined: 10 hours ago 

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
Back to discussions
Expand all | Collapse all

EAP-PEAP: fatal alert by client - access_denied

This thread has been viewed 2 times

  • 1.  EAP-PEAP: fatal alert by client - access_denied

    Posted Feb 03, 2014 10:48 AM

    Hello,

     

    We have started experiencing an issue where some users are not able to log onto the wireless their access is rejected with the following error in the access tracker;

     

    EAP-PEAP: fatal alert by client - access_denied

     

    any ideas regarding what the cause maybe would be appreciated. 

     

    cheers

     

    Andy



  • 2.  RE: EAP-PEAP: fatal alert by client - access_denied

    Posted Feb 03, 2014 11:00 AM

    Are these windows clients?

    If so, you could check the client's Event log in the Security folder to see if you can get any more info. what you are looking for are Audit Failure entries.



  • 3.  RE: EAP-PEAP: fatal alert by client - access_denied

    Posted Feb 03, 2014 11:02 AM

    Hi, 

     

    Can you let us know what version of CPPM you are running, what type of devices and OS version. 

    How many clients are facing this issue and do we have any similarity between them ?

     

     what type of  server certificate you are using and is the ROOTCA is trusted on clients ?



  • 4.  RE: EAP-PEAP: fatal alert by client - access_denied

    Posted Feb 03, 2014 11:18 AM

    hi

     

    the cppm version is 6.1.0.50820 and the clients are all Windows 7.

     

    The server cert is a wildcard cert and signed by Thawte.

     

    Again some stations/users can authenticate but not others. I dont have access to event logs etc at the minute.

     

     



  • 5.  RE: EAP-PEAP: fatal alert by client - access_denied

    EMPLOYEE
    Posted Feb 03, 2014 01:09 PM
    Most likely the device doesn't trust the full chain or I have seen some windows devices do not like wild card certs you will need to search Microsoft's kb.


  • 6.  RE: EAP-PEAP: fatal alert by client - access_denied

    Posted Feb 03, 2014 01:29 PM

    I tried setting the P-EAP setting to not validate the server cert and the behavior was the same.

     

    Also I think all our windows builds are the same, except for the domain they originally logged onto (due to a merger of three separate businesses) but am waiting for confirmation of that.

     

     



  • 7.  RE: EAP-PEAP: fatal alert by client - access_denied

    Posted Feb 03, 2014 01:47 PM

    Saw the below response from a MSFT expert forum, 

     

    http://technet.microsoft.com/en-US/cc730460

    Sam Salhi [MSFT] (Expert):
    Q:     is it possible for me to use a 3rd party certificate with EAP server? Can I use wildcard certificates?
    A: However, Wildcard certificates are not allowed



  • 8.  RE: EAP-PEAP: fatal alert by client - access_denied

    Posted Feb 03, 2014 01:51 PM

    thanks for that;

     

    back to the drawing board...

     



  • 9.  RE: EAP-PEAP: fatal alert by client - access_denied

    Posted Jul 22, 2014 05:10 PM

    I don't think that's completely accurate.  I'm testing a new CPPM deployment right now, and I get this error when authenticating to an HP access point/controller.  Using the very same laptop to authenticate to an Aruba AP and controller works fine.  I am using a wildcard cert.