Occasional Contributor II

Hard-Wired client connections to RAP 5s/155s not responding to EAP from Server

I have a master/local setup managing about 200 RAPs which all use the same exact profile from our controller. We recently upgraded from Cisco ACS to ClearPass for Authentication and I realized that all our hard wired connections were still pointing to ACS (Wireless is working fine). So we built the services and enforcement policies through CPPM and tested it out successfully. Last night I repointed the authentication for the hard wired connections from ACS to CPPM and saw it was accepting requests as it should. This morning however, users started logging on and I noticed several timeouts and on the user end, they are receiving the error "unauthenticated network". When I checked the individual users on the local controller, they repeatedly stated that the controller was reaching out to the client (the Windows computer) for an EAP request with no response back. This happened with 30-40% of the connections out there even though they all have the same configuration.

 

It sounds like when I made the change, something broke on the client end, but I don't know what it is.

 

Any thoughts? I was thinking to reboot all of the RAPs along with both of the controllers this evening.  Right now any users have been just switching to wireless as a workaround and if the reboot doesn't work tonight, I'm going to point it back to ACS.

Guru Elite

Re: Hard-Wired client connections to RAP 5s/155s not responding to EAP from Server

Were the client supplicants reconfigured for the new radius server? (CA if signed by a different one and trusted server names)

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II

Re: Hard-Wired client connections to RAP 5s/155s not responding to EAP from Server

Can you please clarify?  (meaning probably not)

Guru Elite

Re: Hard-Wired client connections to RAP 5s/155s not responding to EAP from Server

Did you export the RADIUS certificate from ACS or does ClearPass have a new one?

If it's a new one, is it signed by the same CA?

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II

Re: Hard-Wired client connections to RAP 5s/155s not responding to EAP from Server

Our ACS was set up to not require certificates at the time.  I know CPPM does require certificates for our Wireless and VPN connections, but the wired connection was set up by Aruba support, so I don't know.  How do I check those settings?

Guru Elite

Re: Hard-Wired client connections to RAP 5s/155s not responding to EAP from Server

What EAP method are you using for wired?

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II

Re: Hard-Wired client connections to RAP 5s/155s not responding to EAP from Server

EAP-PEAP MSCHAPv2

Guru Elite

Re: Hard-Wired client connections to RAP 5s/155s not responding to EAP from Server

PEAP requires a server certificate.

How are the client's supplicants being configured? Manually or via group policy?

Do you have access to a client to look at the supplicant configuration?

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II

Re: Hard-Wired client connections to RAP 5s/155s not responding to EAP from Server

We manage them through Group Policy.  All client machines on the network are configured to not require a cert because they didn't under ACS.

Occasional Contributor II

Re: Hard-Wired client connections to RAP 5s/155s not responding to EAP from Server

I just noticed that all of my successful authentications are only going through MSCHAPv2.
