Regular Contributor I
Posts: 195
Registered: ‎02-10-2014

RADIUS Client did not complete EAP transaction Clearpass 6.3.1

We have Clearpass 6.3.1 and Aruba 7210 with 6.4 on it. We are starting to see these Timeouts more frequently in Clearpass. It is not completely stopping users from connecting, it just interrupts their connection for what seems like a random amount of time.

I saw a previous thread about this where the users were constantly receiving this Alert, but since mine doesn't seem to be happening all the time I am wondering if I have a setting somewhere that I'm missing. It would be helpful if someone could point me in the right direction to at least troubleshooting the issue.

My first guess is this has to do with our Clearpass server still using the default Aruba cert. I have not had the chance to dig in and find pointers on switching to our GoDaddy cert.

Guru Elite
Posts: 8,770
Registered: ‎09-08-2010

Re: RADIUS Client did not complete EAP transaction Clearpass 6.3.1

Timeouts are often seen for the following reasons:

  • Client moves out of coverage area during EAP transaction
  • Driver issues
  • Certificate trust issues

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor II
Posts: 48
Registered: ‎05-14-2012

Re: RADIUS Client did not complete EAP transaction Clearpass 6.3.1

Have you tried the user-debug on the controller for the user that times out?

Frequent Contributor I
Posts: 83
Registered: ‎06-27-2007

Re: RADIUS Client did not complete EAP transaction Clearpass 6.3.1

Wow, I was just about to start a thread on this subject when I saw your post!

I am having an issue with onboarded MacBooks authenticating with EAP-TLS to ClearPass 6.3. This issue appears to be isolated to MacBooks running 10.8 and 10.9 - other onboarded devices (iPads, iPhones, Android) have not exhibited this issue.

The MacBooks are frequently failing to authenticate with EAP-TLS after being onboarded. ClearPass shows the authentication request as a timeout, giving the Error Code 9002 and the message "Client did not complete EAP transaction".

Packet capture shows that the initial EAP identity request and response go through, the AP then sends the EAP-TLS/Start message and the MacBook does not respond with the TLS Client-Hello. Shortly after, the MacBook sends a disassociate frame. The frustrating thing is that often the MacBook will then immediately reassociate and perform a successful EAP-TLS authentication!

This is not the result of the client moving out of range - the MacBook I was testing with was stationary and in the same room as the AP it was associated to.

This seems like it could be an issue with Apple's supplicant (would not be the first), but is rather inconsistent. Some MacBooks have the issue, others do not.
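The stall described in the post above (identity exchange completes, EAP-TLS Start is sent, no Client Hello follows) can be located mechanically in a capture. This is an added example, not part of the original post: it classifies the raw EAP payloads of one client's EAPOL frames and reports where the exchange stopped. The function names and the sample packets are assumptions constructed for illustration.

```python
import struct

EAP_CODES = {1: "request", 2: "response", 3: "success", 4: "failure"}
TYPE_IDENTITY, TYPE_EAP_TLS = 1, 13      # EAP type numbers (RFC 3748, RFC 5216)
FLAG_LENGTH, FLAG_START = 0x80, 0x20     # EAP-TLS flag bits (RFC 5216)

def classify(pkt: bytes) -> str:
    """Label one raw EAP packet (the payload of an EAPOL frame)."""
    if len(pkt) < 4:
        return "truncated"
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length > len(pkt):
        return "truncated"
    kind = EAP_CODES.get(code, "unknown")
    if code not in (1, 2) or length < 5:
        return kind                       # no Type field to inspect
    eap_type, body = pkt[4], pkt[5:length]
    if eap_type == TYPE_IDENTITY:
        return f"identity-{kind}"
    if eap_type != TYPE_EAP_TLS or not body:
        return f"other-{kind}"
    flags, tls = body[0], body[1:]
    if code == 1 and flags & FLAG_START:
        return "tls-start"
    if flags & FLAG_LENGTH:
        tls = tls[4:]                     # skip the 4-byte TLS Message Length
    # TLS record type 22 = handshake; handshake type 1 = ClientHello
    if code == 2 and len(tls) >= 6 and tls[0] == 22 and tls[5] == 1:
        return "client-hello"
    return f"tls-{kind}"

def stall_point(packets) -> str:
    """Return where a single EAP-TLS attempt stopped."""
    seen = [classify(p) for p in packets]
    if "success" in seen:
        return "completed"
    if "failure" in seen:
        return "rejected"
    if "tls-start" in seen:
        after = seen[seen.index("tls-start") + 1:]
        return "tls-in-progress" if "client-hello" in after else "no-client-hello"
    return "no-tls-start" if "identity-response" in seen else "no-identity-response"

def eap(code, ident, data=b""):           # builds the constructed sample packets
    return struct.pack("!BBH", code, ident, 4 + len(data)) + data

# Constructed samples (not real traffic): Identity req/resp, then EAP-TLS Start.
STALLED = [eap(1, 1, b"\x01"), eap(2, 1, b"\x01user"), eap(1, 2, b"\x0d\x20")]
# Constructed stub: EAP-TLS response carrying a TLS handshake record of type ClientHello.
HELLO = eap(2, 2, b"\x0d\x80\x00\x00\x00\x0a" + b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00")
```

A result of `no-client-hello` for a session means the supplicant went silent before any server certificate was presented, so certificate trust was never evaluated in that attempt.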

Regular Contributor I
Posts: 195
Registered: ‎02-10-2014

Re: RADIUS Client did not complete EAP transaction Clearpass 6.3.1

xdrewpjx,

I am having this issue not only with MacBooks but also Windows 8.1 clients. I do not Onboard though. I too noticed the same packet sequence happening though now that I've gotten a few test machines to behave similarly.

It's possible that the Cert may be the issue because I am using the Aruba Cert that is untrusted. My issue seems to happen when I set up wifi profiles instead of just connecting to the wifi like normal. Or randomly with Macs.

Frequent Contributor I
Posts: 83
Registered: ‎06-27-2007

Re: RADIUS Client did not complete EAP transaction Clearpass 6.3.1

Don't have any Windows 8.1 devices in this environment so I cannot speak to that. I do know that they require the id-kp-eapOverLAN extension in the RADIUS server cert. That could be your issue.

In the case of the MacBooks I have observed, they never get far enough in the EAP process to receive and validate the RADIUS server cert.

Regular Contributor I
Posts: 195
Registered: ‎02-10-2014

Re: RADIUS Client did not complete EAP transaction Clearpass 6.3.1

We are thinking this is related to the RADIUS Cert not being trusted.

How would you recommend overcoming trust issues? We have a Self Signed Cert for our RADIUS Cert, which obviously is not trusted everywhere. The majority of hosts that connect are not on our domain, so we cannot make it a Trusted CA by GPO. Is there a preferred method for adding that trust quickly and/or without touching every computer that has the issue?

Would it be best practice to get a certificate issued by GoDaddy (who we use for our Wildcard Cert) for the fully qualified address of our clearpass server?

Would changing that cert out make the clients that already connect have to accept the key? Even if it is a Trusted CA by default?

Guru Elite
Posts: 8,770
Registered: ‎09-08-2010

Re: RADIUS Client did not complete EAP transaction Clearpass 6.3.1

The issue is not the certificate, the issue is how the client handles the certificate and trust chain. The only solution is to use a supplicant configuration utility like QuickConnect or XpressConnect, or to use Group Policy or Profile Manager to configure the clients automatically.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Aruba
Posts: 1,548
Registered: ‎06-12-2012

Re: RADIUS Client did not complete EAP transaction Clearpass 6.3.1

Also remember that Windows does not accept a wildcard cert for .1x.
Thank You,
Troy
