Security

Timeouts are often seen for the following reasons:

• Client moves out of coverage area during EAP transaction
• Driver issues
• Certificate trust issues

Have you tried the user-debug on the controller for the user that times-out?

Wow, I was just about to start a thread on this subject when I saw your post!

I am having an issue with onboarded MacBooks authenticating with EAP-TLS to ClearPass 6.3. This issue appears to be isolated to MacBooks running 10.8 and 10.9 - other onboarded devices (iPads, iPhones, Android) have not exhibited this issue.

The MacBooks are frequently failing to authenticate with EAP-TLS after being onboarded. ClearPass shows the authentication request as a timeout, giving the Error Code 9002 and the message "Client did not complete EAP transaction".

Packet capture shows that the initial EAP identity request and respone go through, the AP then sends the EAP-TLS/Start message and the MacBook does not respond with the TLS Client-Hello. Shortly after, the MacBook sends a disassociate frame. The frustrating thing is that often the MacBook will then immediately reassociate and perform a successful EAP-TLS authentication!

This is not the result of the client moving out range - the MacBook I was testing with was stationary and in the same room as the AP it was associated to.

This seems like it could be an issue with Apple's supplicant (would not be the first), but is rather inconsistant. Some MacBooks have the issue, others do not.

xdrewpjx,

I am having this issue not only with Macbooks but also Windows 8.1 clients. I do not Onboard though. I too noticed the same packet sequence happening though now that I've gotten a few test machines to behave similarly. 

It's possible that the Cert may be the issue because I am using the Aruba Cert that is untrusted. My issue seems to happen when I setup wifi profiles instead of just connecting to the wifi like normal. Or randomly with Mac's. 

Don't have any Windows 8.1 devices in this environment so I cannot speak to that.  I do know that they require the id-kp-eapOverLAN extension in the RADIUS server cert.  That could be your issue.  

In the case of the MacBooks I have observed, they never get far enough in the EAP process to recieve and validate the RADIUS server cert.  

Please see the following link:

http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/Onboard-Error-Message-for-Windows-8-1-ClearPass-6-3-1/m-p/152540/highlight/true#M11105

We are thinking this is related to the RADIUS Cert not being trusted. 

How would you recomend overcoming trust issues? We have a Self Signed Cert for our RADIUS Cert, which obviously is not trusted everywhere. The majority of hosts that connect are not on our domain, so we cannot make it a Trusted CA by GPO, is there a preferred method for adding that trust quickly and/or without touching Every computer that has the issue?

Would it be best practice to get a certificate issued by GoDaddy (Who we use for our Wildcard Cert) for the fully qualified address of our clearpass server? 

Would changing that cert out make the clients that already connect have to accept the key? Even if it is a Trusted CA by default?