Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

EAP-TLS Authentication issues

  • 1.  EAP-TLS Authentication issues

    Posted Mar 04, 2017 04:38 AM

    Hi All,

    Deploying a new ClearPass with EAP-TLS authentication. I have very limited knowledge of certificates and EAP-TLS.

    I would like to know what all the basic things are that need to be checked with regards to certificates.

    Below are the things done by me, so there are no issues with regards to configuration:

    Added Root CA and Intermediate CA to the trust list of the ClearPass.

    Imported the certificate signed by the CA into ClearPass as the RADIUS certificate.

    Installed the Root CA and Intermediate CA on a client PC (Windows 10) under Trusted Root CA.

    Tested EAP-PEAP by selecting only the installed certificates on the client under Validate Certificate.

    Everything went fine till now, and I hope that's the only way I thought of to test the server certificate.

    Now we downloaded the cert for the user and installed the certificate into Personal Certificates.

    When we tried to authenticate by changing the service authentication type to EAP-TLS, initially we got "User not found in authentication source".

    Found the domain was associated with the username, so modified the service to strip the domain. Now the username goes as the same as the username which was successful in EAP-PEAP, but we see a timeout in Access Tracker. Alert is "Client did not complete EAP transaction". Tried a couple of clients.

    So I doubt the initial negotiation of certificates is failing. So I would like to know what all the things are that need to be checked on the certificates to ensure authentication is successful.

    Or any other suggestions to help successful authentication.

    ClearPass on 6.6.2, CA server Windows 2012, client Win 10.

    Thanks in advance



  • 2.  RE: EAP-TLS Authentication issues

    EMPLOYEE
    Posted Mar 04, 2017 04:50 AM

    The default EAP-TLS authentication method requires authorization of the username to AD, which is an additional restriction.  You should copy that authentication method and uncheck Authorization Required.  You should then use that copy of the EAP-TLS authentication method WITHOUT "authorization required" in your service:

     

    [Screenshot: eap-tls.png]



  • 3.  RE: EAP-TLS Authentication issues

    Posted Mar 04, 2017 08:39 AM

    I did try this now. Still the same result: timeout.

    In the auth-tracebuf after rad-req I see dot1x-timeout (the last column of the first row says server timeout and the next row says station timeout), and Access Tracker shows a timeout at the same time.



  • 4.  RE: EAP-TLS Authentication issues

    Posted Mar 05, 2017 07:36 AM
    Whenever we try EAP-TLS I see a "dropping radius packet" log on the controller, but not for EAP-PEAP with MSCHAPv2. Any suggestions please?


  • 5.  RE: EAP-TLS Authentication issues

    EMPLOYEE
    Posted Mar 05, 2017 10:55 AM

    Who issued the client certificate?



  • 6.  RE: EAP-TLS Authentication issues
    Best Answer

    Posted Mar 09, 2017 08:09 PM

    Thanks Colin.

    The issue is resolved.

    Root cause is the Palo Alto firewall, which was the gateway for the users, dropping the fragmented packets. There was a way to work around it and allow the fragmented packets to pass through the firewall. Once allowed, everything is working fine.
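The root cause above (a firewall in the NAS-to-RADIUS path dropping IP fragments) can be reasoned about before the first client is onboarded: an EAP-TLS server certificate chain of a few kilobytes is cut into EAP-TLS fragments, each fragment is carried in one RADIUS Access-Challenge as a run of 253-byte EAP-Message attributes, and once that UDP datagram exceeds the path MTU it ships as IPv4 fragments. The following Python script is an added example for this thread, not ClearPass, Aruba or Palo Alto code; it assumes one EAP-TLS fragment per Access-Challenge, a 16-byte State attribute and no other attributes, and the 4 KB chain length and the fragment sizes 1024 and 1398 are constructed values.

```python
"""Size model for EAP-TLS over RADIUS: does each Access-Challenge fit in one
IPv4 packet, or will the NAS-to-RADIUS path have to fragment it?

Added example for this thread; not ClearPass, Aruba or Palo Alto code.
Assumptions: one EAP-TLS fragment per Access-Challenge, a 16-byte State
attribute, and no other attributes in the packet.
"""
import math
import struct

IPV4_HEADER = 20
UDP_HEADER = 8
RADIUS_HEADER = 20           # Code(1) Identifier(1) Length(2) Authenticator(16)
ATTR_VALUE_MAX = 253         # RFC 2865: attribute Length <= 255 incl. 2-byte header
ACCESS_CHALLENGE = 11        # RADIUS Code for Access-Challenge
EAP_MESSAGE = 79             # RFC 3579 EAP-Message attribute
MESSAGE_AUTHENTICATOR = 80   # RFC 3579, always a 16-byte value
STATE = 24


def split_tls_into_eap(tls_bytes: int, fragment_size: int) -> list:
    """EAP packet length of each EAP-TLS fragment carrying a TLS flight of
    tls_bytes (e.g. the server Certificate message plus its chain).
    Each fragment has a 4-byte EAP header, 1 type byte and 1 flags byte;
    the first fragment also carries the 4-byte TLS Message Length (L bit).
    fragment_size is the number of TLS bytes per EAP packet (assumption)."""
    sizes = []
    remaining, first = tls_bytes, True
    while remaining > 0:
        chunk = min(fragment_size, remaining)
        sizes.append(chunk + 6 + (4 if first else 0))
        remaining -= chunk
        first = False
    return sizes


def build_access_challenge(eap_packet: bytes, state: bytes, ident: int = 0) -> bytes:
    """Encode an Access-Challenge that carries eap_packet split across
    EAP-Message attributes of at most 253 bytes each, plus State and
    Message-Authenticator. The authenticator fields are zero placeholders,
    so this models the wire size only; it is not a signing implementation."""
    attrs = bytearray()
    for i in range(0, len(eap_packet), ATTR_VALUE_MAX):
        chunk = eap_packet[i:i + ATTR_VALUE_MAX]
        attrs += struct.pack("!BB", EAP_MESSAGE, len(chunk) + 2) + chunk
    attrs += struct.pack("!BB", STATE, len(state) + 2) + state
    attrs += struct.pack("!BB", MESSAGE_AUTHENTICATOR, 18) + bytes(16)
    length = RADIUS_HEADER + len(attrs)
    return struct.pack("!BBH", ACCESS_CHALLENGE, ident, length) + bytes(16) + bytes(attrs)


def ipv4_fragment_count(udp_payload_len: int, mtu: int = 1500) -> int:
    """IPv4 fragments needed for one UDP datagram on a path with this MTU.
    The UDP header is part of the fragmented payload, and every fragment but
    the last carries a multiple of 8 bytes (offsets are in 8-byte units)."""
    ip_payload = UDP_HEADER + udp_payload_len
    per_fragment = ((mtu - IPV4_HEADER) // 8) * 8
    return math.ceil(ip_payload / per_fragment)


def challenge_plan(tls_bytes: int, fragment_size: int, mtu: int = 1500) -> list:
    """One dict per Access-Challenge: EAP length, RADIUS length and the number
    of IPv4 fragments a firewall in the path would have to let through."""
    plan = []
    for eap_len in split_tls_into_eap(tls_bytes, fragment_size):
        pkt = build_access_challenge(bytes(eap_len), state=bytes(16))
        plan.append({"eap_len": eap_len, "radius_len": len(pkt),
                     "ip_fragments": ipv4_fragment_count(len(pkt), mtu)})
    return plan


def needs_ip_fragmentation(tls_bytes: int, fragment_size: int, mtu: int = 1500) -> bool:
    """True if any Access-Challenge for this flight would be IP-fragmented."""
    return any(c["ip_fragments"] > 1 for c in challenge_plan(tls_bytes, fragment_size, mtu))


if __name__ == "__main__":
    # Constructed input: a ~4 KB server certificate chain (root + intermediate + server).
    CHAIN = 4000
    for frag in (1024, 1398):   # constructed EAP-TLS fragment sizes
        print(f"EAP-TLS fragment size {frag}: IP fragmentation needed = "
              f"{needs_ip_fragmentation(CHAIN, frag)}")
        for c in challenge_plan(CHAIN, frag):
            print("   ", c)
```

With a 1024-byte EAP-TLS fragment size every Access-Challenge stays around 1100 bytes and fits a 1500-byte MTU in one packet; at 1398 bytes the first challenge grows to 1476 bytes of RADIUS plus 28 bytes of IP/UDP headers, which is already two fragments. The same arithmetic applies in the other direction to the Access-Requests the NAS sends while relaying the client's certificate chain, so a path that drops fragments will show exactly the "Client did not complete EAP transaction" timeout seen in this thread while PEAP, whose EAP payloads are much smaller, keeps working. Lowering the EAP fragment size on the server side or making sure the firewall passes fragments are the two ways out of it.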