05-15-2014 10:22 AM
We have Clearpass 6.3.1 and Aruba 7210 with 6.4 on it. We are starting to see these Timeouts more frequently in Clearpass. It is not completely stopping users from connecting, it just interrupts their connection for what seems like a random amount of time.
I saw a previous thread about this where the users were constantly receiving this Alert, but since mine doesn't seem to be happening all the time I am wondering if I have a setting somewhere that I'm missing. It would be helpful if someone could point me in the right direction to at least troubleshooting the issue.
My first guess is this has to do with our Clearpass server still using the default Aruba cert. I have not had the chance to dig in and find pointers on switching to our GoDaddy cert.
05-15-2014 10:24 AM
05-15-2014 10:37 AM
Wow, I was just about to start a thread on this subject when I saw your post!
I am having an issue with onboarded MacBooks authenticating with EAP-TLS to ClearPass 6.3. This issue appears to be isolated to MacBooks running 10.8 and 10.9 - other onboarded devices (iPads, iPhones, Android) have not exhibited this issue.
The MacBooks are frequently failing to authenticate with EAP-TLS after being onboarded. ClearPass shows the authentication request as a timeout, giving the Error Code 9002 and the message "Client did not complete EAP transaction".
Packet capture shows that the initial EAP identity request and response go through, the AP then sends the EAP-TLS/Start message and the MacBook does not respond with the TLS Client-Hello. Shortly after, the MacBook sends a disassociate frame. The frustrating thing is that often the MacBook will then immediately reassociate and perform a successful EAP-TLS authentication!
This is not the result of the client moving out of range - the MacBook I was testing with was stationary and in the same room as the AP it was associated to.
This seems like it could be an issue with Apple's supplicant (would not be the first), but is rather inconsistent. Some MacBooks have the issue, others do not.
05-15-2014 11:00 AM
I am having this issue not only with Macbooks but also Windows 8.1 clients. I do not Onboard though. I too noticed the same packet sequence happening though now that I've gotten a few test machines to behave similarly.
It's possible that the Cert may be the issue because I am using the Aruba Cert that is untrusted. My issue seems to happen when I set up wifi profiles instead of just connecting to the wifi like normal. Or randomly with Macs.
05-15-2014 11:41 AM
Don't have any Windows 8.1 devices in this environment so I cannot speak to that. I do know that they require the id-kp-eapOverLAN extension in the RADIUS server cert. That could be your issue.
In the case of the MacBooks I have observed, they never get far enough in the EAP process to receive and validate the RADIUS server cert.
05-15-2014 12:39 PM
05-19-2014 12:49 PM
We are thinking this is related to the RADIUS Cert not being trusted.
How would you recommend overcoming trust issues? We have a Self Signed Cert for our RADIUS Cert, which obviously is not trusted everywhere. The majority of hosts that connect are not on our domain, so we cannot make it a Trusted CA by GPO. Is there a preferred method for adding that trust quickly and/or without touching every computer that has the issue?
Would it be best practice to get a certificate issued by GoDaddy (Who we use for our Wildcard Cert) for the fully qualified address of our clearpass server?
Would changing that cert out make the clients that already connect have to accept the key? Even if it is a Trusted CA by default?
05-19-2014 12:53 PM
certificate and trust chain. The only solution is to use a supplicant configuration utility like QuickConnect or XpressConnect or by using Group Policy or Profile Manager to configure the clients automatically.
05-19-2014 02:18 PM