Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

dot1x : Client did not complete eap transaction

  • 1.  dot1x : Client did not complete eap transaction

    Posted Jul 25, 2017 01:09 AM

    Hi all,

     

    Recently I have integrated an HP Unified 850 controller with ClearPass. I have configured a dot1x service for mobile users and authentication is working fine as well.

     

    Problem: I can see continuous authentication "Accept" logs in Access Tracker for most users; users are also reconnecting automatically even though they are online.

     

    Some users are getting Time-out,



  • 2.  RE: dot1x : Client did not complete eap transaction

    EMPLOYEE
    Posted Jul 25, 2017 06:40 AM

    If it is a client timeout, typically it is because you introduced a new server certificate with the same SSID, and phones are reconnecting, but the user is not accepting the new certificate.  The new user might not see the new certificate dialog to accept on their device.

     

    There could be many reasons for the continuous accepts, like roaming.  We would need to know what type of device it is and the state of that device to even guess.



  • 3.  RE: dot1x : Client did not complete eap transaction

    Posted Jul 25, 2017 11:40 AM

    # Yes, I have introduced a new certificate with the same old SSID, but clients are getting notified to accept the new certificate.

    # As you said, when a client roams, ClearPass receives a Time-out message.

    # But some users keep authenticating even though they accept the new certificate; all are mobile users (Apple, Samsung).

    # I have checked with my mobile (Apple) and it is working fine.



  • 4.  RE: dot1x : Client did not complete eap transaction

    EMPLOYEE
    Posted Jul 25, 2017 01:36 PM

    If a user did not click accept for the new certificate, there will be a client timeout.  The user could have the phone in his/her pocket and the phone stays on mobile data, but registers a timeout until the user notices and clicks on accept.

     

    You should get a phone in hand that has this issue and troubleshoot.



  • 5.  RE: dot1x : Client did not complete eap transaction

    Posted Jul 30, 2017 01:29 AM

    Hi,

     

    Please advise me on the best way to replace an existing RADIUS server with ClearPass.

    The above-mentioned solution was running with an NPS server.

     

    Thanks



  • 6.  RE: dot1x : Client did not complete eap transaction

    EMPLOYEE
    Posted Jul 30, 2017 07:23 AM

    I am not sure there is a best way.  On Windows clients you can push out the trust settings for the new certificate, but for all other platforms, you just have to wait for a human to click on accept.  It is probably best to assign a certificate with a long expiry like 10 years to avoid it...



  • 7.  RE: dot1x : Client did not complete eap transaction

    EMPLOYEE
    Posted Jul 30, 2017 10:07 AM

    Please work with your Aruba ClearPass partner. There are many things to consider.



  • 8.  RE: dot1x : Client did not complete eap transaction

    Posted Aug 29, 2017 01:43 AM

    Hi,

    I am working to a partner, and new to ClearPass.

    Even when clients accept the new certificate, they are getting a timeout.

     



  • 9.  RE: dot1x : Client did not complete eap transaction
    Best Answer

    Posted Apr 24, 2018 04:24 AM

    Finally found the solution.

     

    It's because of the VRRP: I have two controllers acting as Master and Standby. Previously I had added only the VIP as a RADIUS client; after adding both physical IPs as RADIUS clients to the NPS/ClearPass, it's working fine.
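
Added example (not part of the thread or any poster's code): a RADIUS server silently discards requests from a source address it has no client entry for, which the supplicant experiences as a timeout, so this Python check verifies that every address of a VRRP controller pair, not only the VIP, is covered by the server's client list. All addresses, the client list and the observed request sources are constructed sample data using documentation ranges.

```python
import ipaddress

# Constructed sample data (documentation address range, not from the thread).
RADIUS_CLIENTS = ["192.0.2.10"]  # only the VRRP virtual IP is registered
VRRP_GROUP = {"vip": "192.0.2.10", "members": ["192.0.2.11", "192.0.2.12"]}
# Constructed source IPs of Access-Request packets, as they might be read
# from a packet capture taken on the RADIUS server.
OBSERVED_SOURCES = ["192.0.2.11", "192.0.2.11", "192.0.2.12", "192.0.2.10"]


def _networks(entries):
    """Parse client entries given as single IPs or CIDR ranges."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def is_registered(ip, entries):
    """True if the address matches at least one RADIUS client entry."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in _networks(entries))


def missing_members(group, entries):
    """VIP and physical addresses of the group that have no client entry."""
    candidates = [group["vip"], *group["members"]]
    return [ip for ip in candidates if not is_registered(ip, entries)]


def unregistered_sources(sources, entries):
    """Count requests per source IP that the server would discard."""
    counts = {}
    for src in sources:
        if not is_registered(src, entries):
            counts[src] = counts.get(src, 0) + 1
    return counts


if __name__ == "__main__":
    print("missing client entries:", missing_members(VRRP_GROUP, RADIUS_CLIENTS))
    print("discarded requests:", unregistered_sources(OBSERVED_SOURCES, RADIUS_CLIENTS))
    fixed = RADIUS_CLIENTS + VRRP_GROUP["members"]
    print("missing after adding physical IPs:", missing_members(VRRP_GROUP, fixed))
```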