last person joined: 12 hours ago 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).

KTI Networks / Clearpass RADIUS timeout

  • 1.  KTI Networks / Clearpass RADIUS timeout

    Posted Oct 18, 2018 05:34 AM



    I'm struggling to get "KTI Networks" industrial switches to work with 802.1X and Clearpass as the RADIUS server. 


    I've tried to authenticate clients that have no problem authenticating on ALU and Juniper switches using both EAP-MD5 and EAP-PEAP. Just to be sure, I've adjusted the service configuration so the same services are used for all switches.


    What I see on the supplicant (Windows 10 / EAP-PEAP):

    An EAP  failure from KTI, 0.2 seconds after sending out Client Hello handshake (TLS 1.2)


    What I see on Clearpass

    - Service categorisation and enforcement profiles are correct, but there's both a timeout and reject log in access tracker (Client did not complete EAP transaction).


    Analyzing the tcpdump shows that the client hello is sent from the switch in response to the access-challenge. 1 second later, Clearpass sends out a access-reject.


    A simple freeradius setup worked immediately with the same KTI switch. We only tested EAP-MD5.


    Any ideas please?