Wireless Access

Reply
Frequent Contributor I

windows 10 via won't connect

Hey all -

 

Having issues with Windows 10 VIA not connecting to our VPN.

Windows 10 64 bit

VIA 2.3.2

Clearpass server 6.4.7.74559

Aruba Controller - 6.4.3.6

 

Windows 7 clients connect fine - but have to use via version 2.1.1.5

 

Not sure why it won't connect. From the client end - VIA just keeps prompting for the cert

 

the Diagnostics tab shows

via.PNG

 

Clearpass log shows:


Request log details for session: R00016e66-01-57111a10
Time     Message
2016-04-15 10:42:56,531     [Th 52 Req 1072631 SessId R00016e66-01-57111a10] INFO RadiusServer.Radius - rlm_service: Starting Service Categorization - 232:130:67.41.123.46
2016-04-15 10:42:56,531     [Th 52 Req 1072631 SessId R00016e66-01-57111a10] INFO RadiusServer.Radius - The attribute x.x.x.x does not contain MAC Address
2016-04-15 10:42:56,535     [Th 52 Req 1072631 SessId R00016e66-01-57111a10] INFO RadiusServer.Radius - Service Categorization time = 4 ms
2016-04-15 10:42:56,535     [Th 52 Req 1072631 SessId R00016e66-01-57111a10] INFO RadiusServer.Radius - rlm_service: The request has been categorized into service "VIAVpn-TLS"
2016-04-15 10:42:56,535     [Th 52 Req 1072631 SessId R00016e66-01-57111a10] INFO RadiusServer.Radius - rlm_ldap: searching for user gurban in AD:rpco-dc04.rpcorp.local
2016-04-15 10:42:56,535     [RequestHandler-1-0x7f4b009e0700 r=psauto-1458101883-201617 h=79 r=R00016e66-01-57111a10] INFO Core.ServiceReqHandler - Service classification result = VIAVpn-TLS
2016-04-15 10:42:56,537     [Th 52 Req 1072631 SessId R00016e66-01-57111a10] INFO RadiusServer.Radius - rlm_ldap: found user gurban in AD:rpco-dc04.rpcorp.local
2016-04-15 10:42:56,537     [Th 52 Req 1072631 SessId R00016e66-01-57111a10] INFO RadiusServer.Radius - LDAP/AD User lookup time = 2 ms
2016-04-15 10:42:56,537     [Th 52 Req 1072631 SessId R00016e66-01-57111a10] INFO RadiusServer.Radius - rlm_ldap: authenticating "username"
2016-04-15 10:42:56,540     [Th 52 Req 1072631 SessId R00016e66-01-57111a10] INFO RadiusServer.Radius - rlm_ldap: user username authenticated succesfully
2016-04-15 10:42:56,541     [Th 52 Req 1072631 SessId R00016e66-01-57111a10] INFO RadiusServer.Radius - rlm_policy: Starting Policy Evaluation.
2016-04-15 10:42:56,541     [Th 52 Req 1072631 SessId R00016e66-01-57111a10] INFO RadiusServer.Radius - The attribute x.x.x.x does not contain MAC Address
2016-04-15 10:42:56,543     [RequestHandler-1-0x7f4b009e0700 r=psauto-1458101883-201618 h=83 r=R00016e66-01-57111a10] WARN Common.MacAddrAttrProvider - HostMac missing, not populating different mac representations
2016-04-15 10:42:56,543     [RequestHandler-1-0x7f4b009e0700 r=psauto-1458101883-201618 h=83 r=R00016e66-01-57111a10] INFO TAT.TagAttrTableUtil - buildTagAttrTableInput: Connection:Client-Mac-Address is not found
2016-04-15 10:42:56,543     [RequestHandler-1-0x7f4b009e0700 r=psauto-1458101883-201618 h=83 r=R00016e66-01-57111a10] INFO Common.TagDefinitionCacheTable - No InstanceTagDefCacheMap found for instance id = 3001 entity id = 29
2016-04-15 10:42:56,543     [RequestHandler-1-0x7f4b009e0700 r=psauto-1458101883-201618 h=83 r=R00016e66-01-57111a10] INFO Common.TagDefinitionCacheTable - Building the TagDefMapTable for NAD instance=3001
2016-04-15 10:42:56,543     [RequestHandler-1-0x7f4b009e0700 r=psauto-1458101883-201618 h=83 r=R00016e66-01-57111a10] INFO Common.TagDefinitionCacheTable - Built 0 tag(s) for NAD instanceId=3001|entityId=29
2016-04-15 10:42:56,543     [RequestHandler-1-0x7f4b009e0700 r=psauto-1458101883-201618 h=83 r=R00016e66-01-57111a10] INFO TAT.TagAttrHolderBuilder - No tags built for instanceId=3001|entity=Device
2016-04-15 10:42:56,543     [RequestHandler-1-0x7f4b009e0700 r=psauto-1458101883-201618 h=83 r=R00016e66-01-57111a10] INFO TAT.AluTagAttrHolderBuilder - buildAttrHolder: Tags cannot be built for instanceId=0 (NULL AuthLocalUser)
2016-04-15 10:42:56,543     [RequestHandler-1-0x7f4b009e0700 r=psauto-1458101883-201618 h=83 r=R00016e66-01-57111a10] INFO TAT.GuTagAttrHolderBuilder - buildAttrHolder: Tags cannot be built for instanceId=0 (NULL GuestUser)
2016-04-15 10:42:56,543     [RequestHandler-1-0x7f4b009e0700 r=psauto-1458101883-201618 h=83 r=R00016e66-01-57111a10] INFO TAT.EndpointTagAttrHolderBuilder - buildAttrHolder: Tags cannot be built for instanceId=0 (NULL Endpoint)
2016-04-15 10:42:56,543     [RequestHandler-1-0x7f4b009e0700 r=psauto-1458101883-201618 h=83 r=R00016e66-01-57111a10] INFO TAT.OnboardTagAttrHolderBuilder - buildAttrHolder: Tags cannot be built for instanceId=0 (NULL Onboard Device User)
2016-04-15 10:42:56,544     [RequestHandler-1-0x7f4b009e0700 h=1635815 c=R00016e66-01-57111a10] INFO Core.PETaskScheduler - *** PE_TASK_SCHEDULE_RADIUS Started ***
2016-04-15 10:42:56,544     [RequestHandler-1-0x7f4b009e0700 h=1635815 c=R00016e66-01-57111a10] INFO Core.PETaskScheduler - ** Starting PETaskAuthSourceRestriction **
2016-04-15 10:42:56,544     [RequestHandler-1-0x7f4b009e0700 h=1635815 c=R00016e66-01-57111a10] INFO Core.PETaskScheduler - ** Starting PETaskRoleMapping **
2016-04-15 10:42:56,544     [RequestHandler-1-0x7f4b009e0700 h=1635816 c=R00016e66-01-57111a10] WARN REC.EvaluatorCtx - Prerequisites set is empty, not populating the Request Map
2016-04-15 10:42:56,545     [RequestHandler-1-0x7f4b009e0700 r=R00016e66-01-57111a10 h=1635815 c=R00016e66-01-57111a10] INFO Core.PETaskScheduler - ** Completed PETaskAuthSourceRestriction **
2016-04-15 10:42:56,546     [AuthReqThreadPool-8-0x7f4b11639700 r=R00016e66-01-57111a10 h=25] WARN Util.ParameterizedString - getReplacedStrings: Failed to replace parameString =(&(sAMAccountName=%{Host:Name}$)(objectClass=computer)), error=No values for param=Host:Name
2016-04-15 10:42:56,546     [AuthReqThreadPool-8-0x7f4b11639700 r=R00016e66-01-57111a10 h=25] WARN Ldap.LdapQuery - execute: Failed to construct filter=(&(sAMAccountName=%{Host:Name}$)(objectClass=computer))
2016-04-15 10:42:56,546     [AuthReqThreadPool-8-0x7f4b11639700 r=R00016e66-01-57111a10 h=25] WARN Util.ParameterizedString - getReplacedStrings: Failed to replace parameString =(&(sAMAccountName=%{Onboard:Owner})(objectClass=user)), error=No values for param=Onboard:Owner
2016-04-15 10:42:56,546     [AuthReqThreadPool-8-0x7f4b11639700 r=R00016e66-01-57111a10 h=25] WARN Ldap.LdapQuery - execute: Failed to construct filter=(&(sAMAccountName=%{Onboard:Owner})(objectClass=user))
2016-04-15 10:42:56,546     [AuthReqThreadPool-8-0x7f4b11639700 r=R00016e66-01-57111a10 h=25] WARN Util.ParameterizedString - getReplacedStrings: Failed to replace parameString =(distinguishedName=%{Onboard memberOf}), error=No values for param=Onboard memberOf
2016-04-15 10:42:56,546     [AuthReqThreadPool-8-0x7f4b11639700 r=R00016e66-01-57111a10 h=25] WARN Ldap.LdapQuery - execute: Failed to construct filter=(distinguishedName=%{Onboard memberOf})
2016-04-15 10:42:56,546     [AuthReqThreadPool-8-0x7f4b11639700 r=R00016e66-01-57111a10 h=25] WARN Ldap.LdapQuery - Failed to get value for attributes=HostName, OSServicePack, Onboard Groups, OperatingSystem]
2016-04-15 10:42:56,547     [RequestHandler-1-0x7f4b009e0700 h=1635817 c=R00016e66-01-57111a10] INFO Core.PETaskRoleMapping - Roles: User Authenticated]
2016-04-15 10:42:56,548     [RequestHandler-1-0x7f4b009e0700 r=R00016e66-01-57111a10 h=1635815 c=R00016e66-01-57111a10] INFO Core.PETaskScheduler - ** Completed PETaskRoleMapping **
2016-04-15 10:42:56,548     [RequestHandler-1-0x7f4b009e0700 r=R00016e66-01-57111a10 h=1635815 c=R00016e66-01-57111a10] INFO Core.PETaskScheduler - ** Starting PETaskPolicyResult **
2016-04-15 10:42:56,548     [RequestHandler-1-0x7f4b009e0700 r=R00016e66-01-57111a10 h=1635815 c=R00016e66-01-57111a10] INFO Core.PETaskScheduler - ** Completed PETaskPolicyResult **
2016-04-15 10:42:56,548     [RequestHandler-1-0x7f4b009e0700 r=R00016e66-01-57111a10 h=1635815 c=R00016e66-01-57111a10] INFO Core.PETaskScheduler - ** Starting PETaskEnforcement **
2016-04-15 10:42:56,549     [RequestHandler-1-0x7f4b009e0700 h=1635820 c=R00016e66-01-57111a10] INFO Core.PETaskEnforcement - EnfProfiles: Allow Access Profile]
2016-04-15 10:42:56,549     [RequestHandler-1-0x7f4b009e0700 r=R00016e66-01-57111a10 h=1635815 c=R00016e66-01-57111a10] INFO Core.PETaskScheduler - ** Completed PETaskEnforcement **
2016-04-15 10:42:56,549     [RequestHandler-1-0x7f4b009e0700 r=R00016e66-01-57111a10 h=1635815 c=R00016e66-01-57111a10] INFO Core.PETaskScheduler - ** Starting PETaskRadiusEnfProfileBuilder **
2016-04-15 10:42:56,549     [RequestHandler-1-0x7f4b009e0700 r=R00016e66-01-57111a10 h=1635815 c=R00016e66-01-57111a10] INFO Core.PETaskScheduler - ** Starting PETaskRadiusCoAEnfProfileBuilder **
2016-04-15 10:42:56,549     [RequestHandler-1-0x7f4b009e0700 r=R00016e66-01-57111a10 h=1635815 c=R00016e66-01-57111a10] INFO Core.PETaskScheduler - ** Starting PETaskAppEnfProfileBuilder **
2016-04-15 10:42:56,549     [RequestHandler-1-0x7f4b009e0700 r=R00016e66-01-57111a10 h=1635815 c=R00016e66-01-57111a10] INFO Core.PETaskScheduler - ** Starting PETaskPostAuthEnfProfileBuilder **
2016-04-15 10:42:56,550     [RequestHandler-1-0x7f4b009e0700 r=R00016e66-01-57111a10 h=1635815 c=R00016e66-01-57111a10] INFO Core.PETaskScheduler - ** Starting PETaskGenericEnfProfileBuilder **
2016-04-15 10:42:56,550     [RequestHandler-1-0x7f4b009e0700 h=1635825 c=R00016e66-01-57111a10] INFO Core.PETaskGenericEnfProfileBuilder - getApplicableProfiles: No App enforcement (Generic) profiles applicable for this device
2016-04-15 10:42:56,550     [RequestHandler-1-0x7f4b009e0700 h=1635824 c=R00016e66-01-57111a10] WARN Core.PETaskPostAuthEnfProfileBuilder - No client macaddress found in the request
2016-04-15 10:42:56,550     [RequestHandler-1-0x7f4b009e0700 h=1635824 c=R00016e66-01-57111a10] WARN Core.PETaskPostAuthEnfProfileBuilder - startHandler: Failed to fetch NAutz attributes
2016-04-15 10:42:56,550     [RequestHandler-1-0x7f4b009e0700 h=1635822 c=R00016e66-01-57111a10] WARN Core.PETaskRadiusCoAEnfProfileBuilder - No client key found for session lookup
2016-04-15 10:42:56,550     [RequestHandler-1-0x7f4b009e0700 h=1635822 c=R00016e66-01-57111a10] WARN Core.PETaskRadiusCoAEnfProfileBuilder - startHandler: Failed to fetch NAutz attributes
2016-04-15 10:42:56,551     [RequestHandler-1-0x7f4b009e0700 h=1635821 c=R00016e66-01-57111a10] INFO Core.PETaskRadiusEnfProfileBuilder - EnfProfileAction=ACCEPT
2016-04-15 10:42:56,551     [RequestHandler-1-0x7f4b009e0700 h=1635821 c=R00016e66-01-57111a10] INFO Core.PETaskRadiusEnfProfileBuilder - Radius enfProfiles used: Allow Access Profile]
2016-04-15 10:42:56,551     [RequestHandler-1-0x7f4b009e0700 h=1635821 c=R00016e66-01-57111a10] INFO Core.EnfProfileComputer - getFinalSessionTimeout: sessionTimeout = 0
2016-04-15 10:42:56,551     [RequestHandler-1-0x7f4b009e0700 r=R00016e66-01-57111a10 h=1635815 c=R00016e66-01-57111a10] INFO Core.PETaskScheduler - ** Completed PETaskGenericEnfProfileBuilder **
2016-04-15 10:42:56,551     [RequestHandler-1-0x7f4b009e0700 r=R00016e66-01-57111a10 h=1635815 c=R00016e66-01-57111a10] INFO Core.PETaskScheduler - ** Completed PETaskPostAuthEnfProfileBuilder **
2016-04-15 10:42:56,552     [RequestHandler-1-0x7f4b009e0700 r=R00016e66-01-57111a10 h=1635815 c=R00016e66-01-57111a10] INFO Core.PETaskScheduler - ** Completed PETaskAppEnfProfileBuilder **
2016-04-15 10:42:56,552     [RequestHandler-1-0x7f4b009e0700 r=R00016e66-01-57111a10 h=1635815 c=R00016e66-01-57111a10] INFO Core.PETaskScheduler - ** Starting PETaskCliEnforcement **
2016-04-15 10:42:56,552     [RequestHandler-1-0x7f4b009e0700 h=1635826 c=R00016e66-01-57111a10] INFO Core.PETaskCliEnforcement - startHandler: No commands for CLI enforcement
2016-04-15 10:42:56,552     [RequestHandler-1-0x7f4b009e0700 r=R00016e66-01-57111a10 h=1635815 c=R00016e66-01-57111a10] INFO Core.PETaskScheduler - ** Completed PETaskRadiusCoAEnfProfileBuilder **
2016-04-15 10:42:56,552     [RequestHandler-1-0x7f4b009e0700 r=R00016e66-01-57111a10 h=1635815 c=R00016e66-01-57111a10] INFO Core.PETaskScheduler - ** Completed PETaskRadiusEnfProfileBuilder **
2016-04-15 10:42:56,552     [RequestHandler-1-0x7f4b009e0700 r=R00016e66-01-57111a10 h=1635815 c=R00016e66-01-57111a10] INFO Core.PETaskScheduler - ** Starting PETaskAuthStatusInfo **
2016-04-15 10:42:56,552     [RequestHandler-1-0x7f4b009e0700 r=R00016e66-01-57111a10 h=1635815 c=R00016e66-01-57111a10] INFO Core.PETaskScheduler - ** Starting PETaskOutputPolicyRes **
2016-04-15 10:42:56,552     [RequestHandler-1-0x7f4b009e0700 r=R00016e66-01-57111a10 h=1635815 c=R00016e66-01-57111a10] INFO Core.PETaskScheduler - ** Starting PETaskSessionLog **
2016-04-15 10:42:56,555     [RequestHandler-1-0x7f4b009e0700 h=1635828 c=R00016e66-01-57111a10] INFO Core.XpipPolicyResHandler - populateResponseTlv: PETaskPostureOutput does not exist. Skip sending posture VAFs
2016-04-15 10:42:56,555     [RequestHandler-1-0x7f4b009e0700 h=1635828 c=R00016e66-01-57111a10] INFO Core.PolicyResCollector - getSohr: Failed to generate Sohr
2016-04-15 10:42:56,555     [RequestHandler-1-0x7f4b009e0700 h=1635827 c=R00016e66-01-57111a10] INFO Core.PolicyResCollector - getSohr: Failed to generate Sohr
2016-04-15 10:42:56,556     [Th 52 Req 1072631 SessId R00016e66-01-57111a10] INFO RadiusServer.Radius - Policy Evaluation time = 15 ms
2016-04-15 10:42:56,556     [Th 52 Req 1072631 SessId R00016e66-01-57111a10] INFO RadiusServer.Radius - rlm_policy: Received Accept Enforcement Profile
2016-04-15 10:42:56,556     [Th 52 Req 1072631 SessId R00016e66-01-57111a10] INFO RadiusServer.Radius - rlm_policy: Added Class attribute with value Class = 0xf65c0316a22d463186d437b695b78a11bd0b0000000000005230303031366536362d30312d35373131316131300000000000000000000000
2016-04-15 10:42:56,556     [Th 52 Req 1072631 SessId R00016e66-01-57111a10] INFO RadiusServer.Radius - rlm_policy: Policy Server reply does not contain Posture-Validation-Response
2016-04-15 10:42:56,556     [Th 52 Req 1072631 SessId R00016e66-01-57111a10] INFO RadiusServer.Radius - Request processing time = 25 ms
2016-04-15 10:42:56,556     [RequestHandler-1-0x7f4b009e0700 r=R00016e66-01-57111a10 h=1635815 c=R00016e66-01-57111a10] INFO Core.PETaskScheduler - ** Completed PETaskCliEnforcement **
2016-04-15 10:42:56,556     [RequestHandler-1-0x7f4b009e0700 r=R00016e66-01-57111a10 h=1635815 c=R00016e66-01-57111a10] INFO Core.PETaskScheduler - ** Completed PETaskSessionLog **
2016-04-15 10:42:56,556     [RequestHandler-1-0x7f4b009e0700 r=R00016e66-01-57111a10 h=1635815 c=R00016e66-01-57111a10] INFO Core.PETaskScheduler - ** Completed PETaskOutputPolicyRes **
2016-04-15 10:42:56,556     [RequestHandler-1-0x7f4b009e0700 r=R00016e66-01-57111a10 h=1635815 c=R00016e66-01-57111a10] INFO Core.PETaskScheduler - ** Completed PETaskAuthStatusInfo **
2016-04-15 10:42:56,556     [RequestHandler-1-0x7f4b009e0700 r=R00016e66-01-57111a10 h=1635815 c=R00016e66-01-57111a10] INFO Core.PETaskScheduler - *** PE_TASK_SCHEDULE_RADIUS Completed ***

 

Really at a loss here as to why windows 10 won't connect - any thoughts?

 

Thank you!

 

Gerri

Guru Elite

Re: windows 10 via won't connect

It is very hard to say what could be happening here.  The latest version of Via should be working on both Windows platforms.  Without seeing the service, the VIA VPN configuration on the controller and logs between devices, it is tough to say what could be happening here.  You should open a case in parallel, so that they can sort it out...

 

 



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Frequent Contributor I

Re: windows 10 via won't connect

I figured - just thought I would ask the community first - sometimes it's been solved and there is no need to open TAC - thank you! I'll do that.

 

 

Guru Elite

Re: windows 10 via won't connect

You can leave it out here for more comment, but open up a TAC case in parallel.  In my mind, more information is needed.  In other people's mind who might have gone through this, they have an answer and can post.



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Frequent Contributor I

Re: windows 10 via won't connect

OK - I'll add as I have more information.

 

Thanks!

New Contributor

Re: windows 10 via won't connect

Hi Gerri.Urban, Can I ask if you ever got a resolution to this? We're experiencing the same issues with Windows 10!

Frequent Contributor I

Re: windows 10 via won't connect

Funny you should ask - we just got this resolved (yes really) We finally setup a full test system and spent a day with a tac engineer testing all kinds of things, pulling logs etc,  but the final result had to do with the IKE policies in the VPN Services - I had to add a new policy at priority 1

version: v2

priority: 1

encryption: aes128

hash:sha

authentication: rsa

prf: prf-hmac-sha1

group: group 2

 

As always it's best to reach out to tac and work with them to make sure this is the correct solution for your environment - this fixed it for us - but we also had to deal with the fact that we could only connect with version 2.1.1.5 VIA and that version won't run on windows 10. 

 

Once we get the 3.0 clients we will also be able to enable tls 1.2 on the Clearpass server also. 

 

I'm happy to say we can now upgrade all clients (mac and pc) to the latest, the old clients still work and every things is good

Search Airheads
cancel
Showing results for 
Search instead for 
Did you mean: