Security

last person joined: yesterday 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

RADIUS Client did not complete EAP transaction Clearpass 6.3.1

Jump to Best Answer
  • 1.  RADIUS Client did not complete EAP transaction Clearpass 6.3.1

    Posted May 15, 2014 01:22 PM

    We have Clearpass 6.3.1 and Aruba 7210 with 6.4 on it. We are starting to see these Timeouts more frequently in Clearpass. It is not completely stopping users from connecting, it just interupts their connection for what seems like a random amount of time. 

     

    I saw a previous thread about this where the users were constantly receiving this Alert, but since mine doesn't seem to be happening all the time I am wondering if I have a setting somewhere that I'm missing. It would be helpful if someone could point me in the right direction to at least troubleshooting the issue. 

     

    My first guess is this has to do with our Clearpass server still using the default Aruba cert. I have not had the chance to dig in and find pointers on switching to our GoDaddy cert. 

     

     


    #7210


  • 2.  RE: RADIUS Client did not complete EAP transaction Clearpass 6.3.1

    Posted May 15, 2014 01:24 PM

    Timeouts are often seen for the following reasons:

    • Client moves out of coverage area during EAP transaction
    • Driver issues
    • Certificate trust issues


  • 3.  RE: RADIUS Client did not complete EAP transaction Clearpass 6.3.1

    Posted May 19, 2014 03:49 PM

    We are thinking this is related to the RADIUS Cert not being trusted. 

     

    How would you recomend overcoming trust issues? We have a Self Signed Cert for our RADIUS Cert, which obviously is not trusted everywhere. The majority of hosts that connect are not on our domain, so we cannot make it a Trusted CA by GPO, is there a preferred method for adding that trust quickly and/or without touching Every computer that has the issue?

     

    Would it be best practice to get a certificate issued by GoDaddy (Who we use for our Wildcard Cert) for the fully qualified address of our clearpass server? 

     

    Would changing that cert out make the clients that already connect have to accept the key? Even if it is a Trusted CA by default?



  • 4.  RE: RADIUS Client did not complete EAP transaction Clearpass 6.3.1
    Best Answer

    Posted May 19, 2014 03:53 PM
    The issue is not the certificate, the issue is how the client handles the
    certificate and trust chain . The only solution to use a supplicant
    configuration utility like QuickConnect or XpressConnect or by using Group
    Policy or Profile Manager to configure the clients automatically.


  • 5.  RE: RADIUS Client did not complete EAP transaction Clearpass 6.3.1

    Posted May 19, 2014 05:18 PM
    Also remember that windows does not accept a wildcard cert for .1x


  • 6.  RE: RADIUS Client did not complete EAP transaction Clearpass 6.3.1

    Posted May 20, 2014 06:02 PM

    So we have a self signed Cert on our Clearpass for the Radius cert. I can export this cert and install it on a Windows machine as a Trusted CA, Which works well for accepting the cert without popping up asking if the server is trusted on the client.

     

    However, we are still seeing the same EAP Transaction error from the test clients. It seems to happen about every 10 minutes. This is happening on Win 7/8/8.1

     

    Does Clearpass add the  id-kp-eapOverLAN  extension onto it's self signed certs? Is there a way to add it if not?

     

     



  • 7.  RE: RADIUS Client did not complete EAP transaction Clearpass 6.3.1

    Posted May 21, 2014 12:21 PM

    Sorry to double post but here is an update to the way I notice things happening. Generally if the computer is going to have an issue on this network connection it happens in the first few minutes of connection.

     

    After that, it requires being idle for a longer period of time. Seems to be longer than about 45-50minutes. 

     

    This makes me want to believe it is a client side issue, but I am not sure what I could possibly configure differently to mimimize this issue. 

     

    I want to believe it is related to the self-signed cert.  However, these clients were all connecting fine using the previous self-signed cert. 



  • 8.  RE: RADIUS Client did not complete EAP transaction Clearpass 6.3.1

    Posted May 15, 2014 01:27 PM

    Have you tried the user-debug on the controller for the user that times-out?



  • 9.  RE: RADIUS Client did not complete EAP transaction Clearpass 6.3.1

    Posted May 15, 2014 01:37 PM

    Wow, I was just about to start a thread on this subject when I saw your post!

     

    I am having an issue with onboarded MacBooks authenticating with EAP-TLS to ClearPass 6.3. This issue appears to be isolated to MacBooks running 10.8 and 10.9 - other onboarded devices (iPads, iPhones, Android) have not exhibited this issue.

     

    The MacBooks are frequently failing to authenticate with EAP-TLS after being onboarded. ClearPass shows the authentication request as a timeout, giving the Error Code 9002 and the message "Client did not complete EAP transaction".

     

    Packet capture shows that the initial EAP identity request and respone go through, the AP then sends the EAP-TLS/Start message and the MacBook does not respond with the TLS Client-Hello. Shortly after, the MacBook sends a disassociate frame. The frustrating thing is that often the MacBook will then immediately reassociate and perform a successful EAP-TLS authentication!

     

    This is not the result of the client moving out range - the MacBook I was testing with was stationary and in the same room as the AP it was associated to.

     

    This seems like it could be an issue with Apple's supplicant (would not be the first), but is rather inconsistant. Some MacBooks have the issue, others do not.

     



  • 10.  RE: RADIUS Client did not complete EAP transaction Clearpass 6.3.1

    Posted May 15, 2014 02:01 PM

    xdrewpjx,

    I am having this issue not only with Macbooks but also Windows 8.1 clients. I do not Onboard though. I too noticed the same packet sequence happening though now that I've gotten a few test machines to behave similarly. 

     

    It's possible that the Cert may be the issue because I am using the Aruba Cert that is untrusted. My issue seems to happen when I setup wifi profiles instead of just connecting to the wifi like normal. Or randomly with Mac's. 

     

     

     



  • 11.  RE: RADIUS Client did not complete EAP transaction Clearpass 6.3.1

    Posted May 15, 2014 02:42 PM

    Don't have any Windows 8.1 devices in this environment so I cannot speak to that.  I do know that they require the id-kp-eapOverLAN extension in the RADIUS server cert.  That could be your issue.  

     

    In the case of the MacBooks I have observed, they never get far enough in the EAP process to recieve and validate the RADIUS server cert.  



  • 12.  RE: RADIUS Client did not complete EAP transaction Clearpass 6.3.1

    Posted May 20, 2014 02:53 AM

    Hi xdrewpjx,

     

    I've actually seen a similar issue with a client using OSX. After much troubleshooting we found that it was the combination of having bluetooth connected and trying to associate to ClearPass using EAP-TLS. As soon as we disabled bluetooth on the MacBook Pro the client was able to connect.

     

     

    Regards,


    Chris

     



  • 13.  RE: RADIUS Client did not complete EAP transaction Clearpass 6.3.1

    Posted Sep 23, 2014 03:26 AM

    "Hi xdrewpjx,

     

    I've actually seen a similar issue with a client using OSX. After much troubleshooting we found that it was the combination of having bluetooth connected and trying to associate to ClearPass using EAP-TLS. As soon as we disabled bluetooth on the MacBook Pro the client was able to connect."

     

     

    I have the same problem. But i need the Bluetooth to be enabled.



  • 14.  RE: RADIUS Client did not complete EAP transaction Clearpass 6.3.1

    Posted Jan 29, 2015 09:30 PM

    did anybody figure this out? 

     

    having this problem myself now with Windows 7 client,  Aruba OS and Cisco switches. CPPM 6.4.2

     

    Initial packet fails (timeout on CPPM) but next auth succeeds. 

     

    Scott

     



  • 15.  RE: RADIUS Client did not complete EAP transaction Clearpass 6.3.1

    Posted Jan 30, 2015 02:37 PM

    I cannot speak to Windows 7 issues, however I can provide an update to the issue with Macbooks.  

     

    After working with Apple Support, we found that Mac clients which had been Onboarded (Single SSID onboarding) still had the PEAP credentials for the SSID in their Login keychain and that was causing an issue with the OS X supplicant.  Deleting the 802.1X password (PEAP credentials) from the keychain resolved the issue. 

     

     



  • 16.  RE: RADIUS Client did not complete EAP transaction Clearpass 6.3.1

    Posted Feb 05, 2015 04:34 PM

    we have a different issue then, my problem is with Win 7 and Cisco IP phone doing EAP-TLS. Will keep searching!

     

    Scott



  • 17.  RE: RADIUS Client did not complete EAP transaction Clearpass 6.3.1

    Posted May 15, 2014 03:40 PM