Frequent Contributor I
Posts: 85
Registered: ‎10-17-2012

windows 8 client eap-tls

Hello,

When I connect an EAP-TLS user with a Windows 8 client, the client won't connect, but the RADIUS logs show that the user has been authenticated.

With PEAP it works fine; only with TLS it doesn't.

On Windows 7 / XP and other clients, all works fine.

Is there something specific to Windows 8 that I need to be aware of?

Thanks.

 

Guru Elite
Posts: 21,525
Registered: ‎03-29-2007

Re: windows 8 client eap-tls

There are many reasons why this could happen.

 

On the command line of the Aruba Controller, type "show auth-tracebuf mac <mac address of client>" to see the RADIUS exchanges between the client and the RADIUS server.



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Frequent Contributor I
Posts: 85
Registered: ‎10-17-2012

Re: windows 8 client eap-tls

OK, I will check, but is there something known about EAP-TLS?

Guru Elite
Posts: 21,525
Registered: ‎03-29-2007

Re: windows 8 client eap-tls

It should work.  Has it ever worked?  How do you distribute the certificate to the client?



Colin Joseph
Aruba Customer Engineering


Frequent Contributor I
Posts: 85
Registered: ‎10-17-2012

Re: windows 8 client eap-tls

It works with Windows 7: same user, same certificate in the same local store; the only difference is the Windows version.

Both are in the domain.

 

Guru Elite
Posts: 21,525
Registered: ‎03-29-2007

Re: windows 8 client eap-tls

If the RADIUS server accepts it, you should type "show auth-tracebuf mac <mac address of client>" on the command line of the controller to see why it is possibly not working.

 



Colin Joseph
Aruba Customer Engineering


Frequent Contributor I
Posts: 85
Registered: ‎10-17-2012

Re: windows 8 client eap-tls

Same result as in the ClearPass - RADIUS accept.

Very strange.

Feb  4 13:08:26  eap-id-req            <-  ec:55:f9:5e:1d:ca  d8:c7:c8:ec:ce:68            3   5
Feb  4 13:08:26  eap-id-resp           ->  ec:55:f9:5e:1d:ca  d8:c7:c8:ec:ce:68            3   29    bllalala@blllaaa.com
Feb  4 13:08:26  rad-req               ->  ec:55:f9:5e:1d:ca  d8:c7:c8:ec:ce:68            92  226
Feb  4 13:08:26  rad-resp              <-  ec:55:f9:5e:1d:ca  d8:c7:c8:ec:ce:68/idcsrv309  92  76
Feb  4 13:08:26  eap-req               <-  ec:55:f9:5e:1d:ca  d8:c7:c8:ec:ce:68            4   6
Feb  4 13:08:26  eap-resp              ->  ec:55:f9:5e:1d:ca  d8:c7:c8:ec:ce:68            4   109
Feb  4 13:08:26  rad-req               ->  ec:55:f9:5e:1d:ca  d8:c7:c8:ec:ce:68/idcsrv309  93  336
Feb  4 13:08:26  rad-resp              <-  ec:55:f9:5e:1d:ca  d8:c7:c8:ec:ce:68/idcsrv309  93  1112
Feb  4 13:08:26  eap-req               <-  ec:55:f9:5e:1d:ca  d8:c7:c8:ec:ce:68            5   1034
Feb  4 13:08:26  eap-resp              ->  ec:55:f9:5e:1d:ca  d8:c7:c8:ec:ce:68            5   6
Feb  4 13:08:26  rad-req               ->  ec:55:f9:5e:1d:ca  d8:c7:c8:ec:ce:68/idcsrv309  94  233
Feb  4 13:08:26  rad-resp              <-  ec:55:f9:5e:1d:ca  d8:c7:c8:ec:ce:68/idcsrv309  94  1108
Feb  4 13:08:26  eap-req               <-  ec:55:f9:5e:1d:ca  d8:c7:c8:ec:ce:68            6   1030
Feb  4 13:08:26  eap-resp              ->  ec:55:f9:5e:1d:ca  d8:c7:c8:ec:ce:68            6   6
Feb  4 13:08:26  rad-req               ->  ec:55:f9:5e:1d:ca  d8:c7:c8:ec:ce:68/idcsrv309  96  233
Feb  4 13:08:26  rad-resp              <-  ec:55:f9:5e:1d:ca  d8:c7:c8:ec:ce:68/idcsrv309  96  1108
Feb  4 13:08:26  eap-req               <-  ec:55:f9:5e:1d:ca  d8:c7:c8:ec:ce:68            7   1030
Feb  4 13:08:26  eap-resp              ->  ec:55:f9:5e:1d:ca  d8:c7:c8:ec:ce:68            7   6
Feb  4 13:08:26  rad-req               ->  ec:55:f9:5e:1d:ca  d8:c7:c8:ec:ce:68/idcsrv309  97  233
Feb  4 13:08:26  rad-resp              <-  ec:55:f9:5e:1d:ca  d8:c7:c8:ec:ce:68/idcsrv309  97  538
Feb  4 13:08:26  eap-req               <-  ec:55:f9:5e:1d:ca  d8:c7:c8:ec:ce:68            8   466
Feb  4 13:08:26  eap-resp              ->  ec:55:f9:5e:1d:ca  d8:c7:c8:ec:ce:68            8   1492
Feb  4 13:08:26  rad-req               ->  ec:55:f9:5e:1d:ca  d8:c7:c8:ec:ce:68/idcsrv309  95  1729
Feb  4 13:08:26  rad-resp              <-  ec:55:f9:5e:1d:ca  d8:c7:c8:ec:ce:68/idcsrv309  95  76
Feb  4 13:08:26  eap-req               <-  ec:55:f9:5e:1d:ca  d8:c7:c8:ec:ce:68            9   6
Feb  4 13:08:26  eap-resp              ->  ec:55:f9:5e:1d:ca  d8:c7:c8:ec:ce:68            9   584
Feb  4 13:08:26  rad-req               ->  ec:55:f9:5e:1d:ca  d8:c7:c8:ec:ce:68/idcsrv309  98  815
Feb  4 13:08:26  rad-resp              <-  ec:55:f9:5e:1d:ca  d8:c7:c8:ec:ce:68/idcsrv309  98  1112
Feb  4 13:08:26  eap-req               <-  ec:55:f9:5e:1d:ca  d8:c7:c8:ec:ce:68            10  1034
Feb  4 13:08:26  eap-resp              ->  ec:55:f9:5e:1d:ca  d8:c7:c8:ec:ce:68            10  6
Feb  4 13:08:26  rad-req               ->  ec:55:f9:5e:1d:ca  d8:c7:c8:ec:ce:68/idcsrv309  99  233
Feb  4 13:08:26  rad-accept            <-  ec:55:f9:5e:1d:ca  d8:c7:c8:ec:ce:68/idcsrv309  99  265
Feb  4 13:08:26  eap-success           <-  ec:55:f9:5e:1d:ca  d8:c7:c8:ec:ce:68            10  4
Feb  4 13:08:26  wpa2-key1             <-  ec:55:f9:5e:1d:ca  d8:c7:c8:ec:ce:68            -   117
Feb  4 13:08:27  wpa2-key1             <-  ec:55:f9:5e:1d:ca  d8:c7:c8:ec:ce:68            -   117
Feb  4 13:08:28  wpa2-key1             <-  ec:55:f9:5e:1d:ca  d8:c7:c8:ec:ce:68            -   117
Feb  4 13:08:29  station-down           *  ec:55:f9:5e:1d:ca  d8:c7:c8:ec:ce:68            -   -

Aruba
Posts: 1,644
Registered: ‎04-13-2009

Re: windows 8 client eap-tls

After successful 802.1X authentication, the client will initiate its DHCP request.   Since you say it works with Windows 7, it sounds as though you have your VLANs and DHCP working.   Any chance that Windows 8 client has a static IP set on its wireless NIC?  

 

Two things to try/troubleshoot:

1) Try connecting this Windows 8 system using PEAP-MSCHAPv2 and see if it can get in that way.    

2) Connect it to another network (Open or PSK).   When you see the client in the user table, select it and choose "debug".  While debugging, have the client connect to the 802.1X network using EAP-TLS and post the resulting logs.

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX

Frequent Contributor I
Posts: 85
Registered: ‎10-17-2012

Re: windows 8 client eap-tls

1) Try connecting this Windows 8 system using PEAP-MSCHAPv2 and see if it can get in that way.    --> Working fine using AD credentials only.

2) Connect it to another network (Open or PSK).   --> Working fine with our guest network; I will see about the logs.

Guru Elite
Posts: 21,525
Registered: ‎03-29-2007

Re: windows 8 client eap-tls


shpapy wrote:

Same result as in the ClearPass - RADIUS accept.

Very strange.

Feb  4 13:08:26  eap-id-req            <-  ec:55:f9:5e:1d:ca  d8:c7:c8:ec:ce:68            3   5
Feb  4 13:08:26  eap-id-resp           ->  ec:55:f9:5e:1d:ca  d8:c7:c8:ec:ce:68            3   29    bllalala@blllaaa.com
Feb  4 13:08:26  rad-req               ->  ec:55:f9:5e:1d:ca  d8:c7:c8:ec:ce:68            92  226
Feb  4 13:08:26  rad-resp              <-  ec:55:f9:5e:1d:ca  d8:c7:c8:ec:ce:68/idcsrv309  92  76
Feb  4 13:08:26  eap-req               <-  ec:55:f9:5e:1d:ca  d8:c7:c8:ec:ce:68            4   6
Feb  4 13:08:26  eap-resp              ->  ec:55:f9:5e:1d:ca  d8:c7:c8:ec:ce:68            4   109
Feb  4 13:08:26  rad-req               ->  ec:55:f9:5e:1d:ca  d8:c7:c8:ec:ce:68/idcsrv309  93  336
Feb  4 13:08:26  rad-resp              <-  ec:55:f9:5e:1d:ca  d8:c7:c8:ec:ce:68/idcsrv309  93  1112
Feb  4 13:08:26  eap-req               <-  ec:55:f9:5e:1d:ca  d8:c7:c8:ec:ce:68            5   1034
Feb  4 13:08:26  eap-resp              ->  ec:55:f9:5e:1d:ca  d8:c7:c8:ec:ce:68            5   6
Feb  4 13:08:26  rad-req               ->  ec:55:f9:5e:1d:ca  d8:c7:c8:ec:ce:68/idcsrv309  94  233
Feb  4 13:08:26  rad-resp              <-  ec:55:f9:5e:1d:ca  d8:c7:c8:ec:ce:68/idcsrv309  94  1108
Feb  4 13:08:26  eap-req               <-  ec:55:f9:5e:1d:ca  d8:c7:c8:ec:ce:68            6   1030
Feb  4 13:08:26  eap-resp              ->  ec:55:f9:5e:1d:ca  d8:c7:c8:ec:ce:68            6   6
Feb  4 13:08:26  rad-req               ->  ec:55:f9:5e:1d:ca  d8:c7:c8:ec:ce:68/idcsrv309  96  233
Feb  4 13:08:26  rad-resp              <-  ec:55:f9:5e:1d:ca  d8:c7:c8:ec:ce:68/idcsrv309  96  1108
Feb  4 13:08:26  eap-req               <-  ec:55:f9:5e:1d:ca  d8:c7:c8:ec:ce:68            7   1030
Feb  4 13:08:26  eap-resp              ->  ec:55:f9:5e:1d:ca  d8:c7:c8:ec:ce:68            7   6
Feb  4 13:08:26  rad-req               ->  ec:55:f9:5e:1d:ca  d8:c7:c8:ec:ce:68/idcsrv309  97  233
Feb  4 13:08:26  rad-resp              <-  ec:55:f9:5e:1d:ca  d8:c7:c8:ec:ce:68/idcsrv309  97  538
Feb  4 13:08:26  eap-req               <-  ec:55:f9:5e:1d:ca  d8:c7:c8:ec:ce:68            8   466
Feb  4 13:08:26  eap-resp              ->  ec:55:f9:5e:1d:ca  d8:c7:c8:ec:ce:68            8   1492
Feb  4 13:08:26  rad-req               ->  ec:55:f9:5e:1d:ca  d8:c7:c8:ec:ce:68/idcsrv309  95  1729
Feb  4 13:08:26  rad-resp              <-  ec:55:f9:5e:1d:ca  d8:c7:c8:ec:ce:68/idcsrv309  95  76
Feb  4 13:08:26  eap-req               <-  ec:55:f9:5e:1d:ca  d8:c7:c8:ec:ce:68            9   6
Feb  4 13:08:26  eap-resp              ->  ec:55:f9:5e:1d:ca  d8:c7:c8:ec:ce:68            9   584
Feb  4 13:08:26  rad-req               ->  ec:55:f9:5e:1d:ca  d8:c7:c8:ec:ce:68/idcsrv309  98  815
Feb  4 13:08:26  rad-resp              <-  ec:55:f9:5e:1d:ca  d8:c7:c8:ec:ce:68/idcsrv309  98  1112
Feb  4 13:08:26  eap-req               <-  ec:55:f9:5e:1d:ca  d8:c7:c8:ec:ce:68            10  1034
Feb  4 13:08:26  eap-resp              ->  ec:55:f9:5e:1d:ca  d8:c7:c8:ec:ce:68            10  6
Feb  4 13:08:26  rad-req               ->  ec:55:f9:5e:1d:ca  d8:c7:c8:ec:ce:68/idcsrv309  99  233
Feb  4 13:08:26  rad-accept            <-  ec:55:f9:5e:1d:ca  d8:c7:c8:ec:ce:68/idcsrv309  99  265
Feb  4 13:08:26  eap-success           <-  ec:55:f9:5e:1d:ca  d8:c7:c8:ec:ce:68            10  4
Feb  4 13:08:26  wpa2-key1             <-  ec:55:f9:5e:1d:ca  d8:c7:c8:ec:ce:68            -   117
Feb  4 13:08:27  wpa2-key1             <-  ec:55:f9:5e:1d:ca  d8:c7:c8:ec:ce:68            -   117
Feb  4 13:08:28  wpa2-key1             <-  ec:55:f9:5e:1d:ca  d8:c7:c8:ec:ce:68            -   117
Feb  4 13:08:29  station-down           *  ec:55:f9:5e:1d:ca  d8:c7:c8:ec:ce:68            -   -


For some reason, your client is not completing the key exchange.  The last 4 lines of the conversation should look like this:

 

May 12 00:56:22 wpa2-key1 <- 00:15:00:da:be:ef 00:0b:86:da:ca:fe - 117
May 12 00:56:22 wpa2-key2 -> 00:15:00:da:be:ef 00:0b:86:da:ca:fe - 135
May 12 00:56:22 wpa2-key3 <- 00:15:00:da:be:ef 00:0b:86:da:ca:fe - 151
May 12 00:56:22 wpa2-key4 -> 00:15:00:da:be:ef 00:0b:86:da:ca:fe - 95

 

What is the wireless adapter and driver of your card?

 



Colin Joseph
Aruba Customer Engineering
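
An added example, not part of the original thread: a small Python check that reads "show auth-tracebuf" output and reports where the WPA2 4-way handshake stopped after eap-success, which is the failure pointed out in the reply above. The column layout is assumed from the lines posted in this thread, and the sample traces use constructed documentation MAC addresses.

```python
import re

# One tracebuf row: timestamp, event, direction, client MAC (layout assumed
# from the lines posted in this thread).
ROW = re.compile(r"^\w{3}\s+\d+\s+[\d:]+\s+(\S+)\s+(<-|->|\*)\s+(\S+)")

# Sender of each 4-way handshake message, per the good example above:
# "<-" rows go to the client, "->" rows come from it.
SENDER = {1: "controller", 2: "client", 3: "controller", 4: "client"}

def diagnose(trace):
    """Return (status, key1_sends) for the last attempt in a tracebuf dump."""
    events = [m.group(1) for m in map(ROW.match, trace.splitlines()) if m]
    if "eap-success" not in events:
        return ("eap-incomplete", 0)
    # Only rows after the final eap-success belong to the key exchange.
    last = len(events) - 1 - events[::-1].index("eap-success")
    tail = events[last + 1:]
    key1_sends = tail.count("wpa2-key1")
    for n in range(1, 5):
        if f"wpa2-key{n}" not in tail:
            return (f"stalled: no wpa2-key{n} from {SENDER[n]}", key1_sends)
    return ("complete", key1_sends)

# Constructed sample traces (documentation MAC addresses, not real devices).
C, B = "00:00:5e:00:53:01", "00:00:5e:00:53:02"
STALLED = "\n".join([
    f"Feb  4 13:08:26  rad-accept    <-  {C}  {B}/srv  99  265",
    f"Feb  4 13:08:26  eap-success   <-  {C}  {B}      10  4",
    f"Feb  4 13:08:26  wpa2-key1     <-  {C}  {B}      -   117",
    f"Feb  4 13:08:27  wpa2-key1     <-  {C}  {B}      -   117",
    f"Feb  4 13:08:28  wpa2-key1     <-  {C}  {B}      -   117",
    f"Feb  4 13:08:29  station-down   *  {C}  {B}      -   -",
])
GOOD = "\n".join([
    f"May 12 00:56:22 eap-success <- {C} {B} 10 4",
    f"May 12 00:56:22 wpa2-key1 <- {C} {B} - 117",
    f"May 12 00:56:22 wpa2-key2 -> {C} {B} - 135",
    f"May 12 00:56:22 wpa2-key3 <- {C} {B} - 151",
    f"May 12 00:56:22 wpa2-key4 -> {C} {B} - 95",
])

if __name__ == "__main__":
    for name, trace in (("stalled", STALLED), ("good", GOOD)):
        print(name, diagnose(trace))
```

A result of "no wpa2-key2 from client" with several key1 sends matches the trace posted in this thread: RADIUS accepted the user, but the client never answered the first key message.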
