I need to confirm if Windows 8.1 onboard is supported now or still?
Thanks a lot for the confirmation.
Are you aware of any reported issue with 802.1x AES TLS with them? My customer is having an issue, and in the Access Tracker it keeps showing timeout and in the alerts showing "client didn't complete eap" or something like that.
It was working fine, but when they upgraded to 8.1 it started showing timeouts and not connecting. Only 8.1 is showing this issue right now.
They don't have 802.1x configured on the wired side so can't test that... will try to play around with the controller (HP) and see if I can do anything.
Will update you, thanks for the help :)
It has an issue using EAP-TLS tested in several sites :(
I have opened a TAC but they said nothing is wrong with the ClearPass, it is from the wireless or the Windows machines. Multiple sites are having this issue running Cisco WLC and HP. I have 1 Aruba Wireless site running 22.214.171.124 and it works fine, so I'm confused.
I'm onboarding with TLS settings and "validate server certificate" is off. self signed certificate from Clearpass
Only windows 8.1 having the issue... windows 8 works perfectly fine
The environment is actually multiple schools with different laptop models, all having the issue with Windows 8.1 only. I have my own laptop tested on Cisco and HP and it shows timeout on ClearPass, while on Aruba it works but it actually takes a long time to get authenticated.
The Auth ACL allowing full access to clearpass which is the OCSP, no firewall on the WLC nor HP controller nor on the client machine all disabled.
The post mentioned on the Microsoft website is actually mine :) and this is what is confusing me, it works with Aruba so how come the bug is not showing with Aruba Wireless?!
Thanks for the help and your replies, I want to understand this to at least convince the customer that it is a Windows bug since it works fine with Aruba :(
I would suggest you open a post in the education forum and see if any of the other universities have run into the same issue and what they did to fix it. I do know that Cisco has a latency requirement and if the TLS transaction doesn't complete in a certain time period it will time out.
Happy new year for you guys.
Is there any update regarding this issue?
I am facing the same problem as well, but my environment is using an Aruba controller.
Only windows 8.1 having authentication issue.
If I check in the access tracker the Windows 8.1 is having a timeout status.
Thank you for your fast response.
So I might need to generate a new server certificate and do re-onboard all the end devices to make it work?
The work around is quite tedious.
Is there any confirmation from Aruba team regarding this solution for Windows 8.1?
OK will try the work around.
I know this might be an easy fix but just remember you are putting a band-aid on a problem. You are not actually fixing the issue.
I would keep an eye on the Cisco and Windows forums. It just seems odd that it works fine on Aruba wireless but not on Cisco... I have 3 different devices that I have tested in my lab with Windows 8.1 (standard and enterprise) with Aruba with no issues.
Thank you for your reply.
Just want to clarify, I'm facing the onboarding issue on Windows 8.1 in the Aruba controller environment not with Cisco or other vendor.
Ok, thank you. I would open a TAC case then. I have no issues here in my lab but you might have a setting that just needs to be changed.
Can you post a screenshot of your controller roles for when the client first connects?
The timeout status at the ClearPass access tracker is assigning post onboard user role, which is provisioning of the wireless profile authentication with ArubaQuickConnect application is already done.
Anyway, please find attached the screen capture from my controller.
The issue is showing with all vendors, even with Aruba Wireless. I have logged a new case and got a bug ID for this as well; it seems that there is a bug in ClearPass.
The workaround works perfectly for me with no issues in multiple sites, using a server certificate with SHA-1 1024 key is not a big issue for those sites they just need to get access and it works now :)
Did you try the workaround or not yet?
The issue that I have found is that when the server certificate key is generated using a 2048 key it shows this issue, but when I change it to 1024 and create a new server certificate it works perfectly. Not sure if it is from the 2048 key or if just creating a new server certificate solves the issue!!
and it is confusing why this bug is only triggered with windows 8.1 !!!
Do you want the bug ID ?
Support will call me to explain the whole thing this week.
I have a temporary workaround from an Aruba TAC engineer for this issue, besides changing the server certificate using 1024 bit encryption.
You will need to modify the network settings configuration inside the Onboard Workspace and Manually configure certificate trust settings and then uncheck Validate the server certificate option.
Hope the Aruba back end engineering team would have fixed this on an upcoming CPPM patch release.
Thank you for the update. I'm not sure there is a lot that engineering can do if un-checking the validate server cert is what fixed it. That means the client isn't trusting the cert that CPPM is presenting so the issue seems to lie on the client side. I will talk with engineering and post an update.
Just a quick update.....
Engineering is investigating it and if you are running into this issue please contact TAC for a work around and I will post an update later this week.
Any updates on this one as I'm running into the same issue ?
Many thanks in advance,
If you are using a CPPM that is running any version before 6.3 you will need to make sure the Root CA you choose supports OID to the certificate (id-kp-eapOverLAN) for the CPPM server cert.
In 6.3 the radius cert can be signed by CPGuest and the OID support is built in.
Windows decided to change the certificate requirements as of 8.1.
Many thanks for the quick reply !
Here is what I got back from the support team:
"After onboarding a Windows 8.1 device, it is silently failing to connect to the SSID using (EAP-MSCHAPV2). We also replicated the issue in house and found the same. When configuring the client manually with certificate trust settings, the client is able to connect to the SSID. When we remove the option do not validate server certificate (network settings in Onboarding), the Windows 8.1 client is able to connect.
This defect is resolved in 6.3.1, which is expected to be available by 03/14/14 (tentative)."
Is there any update with this?
I've generated a CSR for 2048 SHA-1 and signed it with OnBoard.
I'm still getting Windows 8.1 timeouts in CPPM 6.3.3.x. Any thoughts on this?
Thanks Troy - i'll contact TAC. Do you know of a way to double check that the SSL cert I generated has the id-kp-eapOverLAN extended key usage?
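One way to check a server certificate for the id-kp-eapOverLAN extended key usage, shown as an added example that is not part of the original thread. It assumes the `openssl` CLI and a PEM export of the RADIUS server certificate; the OID value is the RFC 4334 assignment (it does not appear in the thread) and the function names are illustrative.

```shell
#!/bin/sh
# Added example (not from the thread): inspect an EAP server certificate with
# the openssl CLI. The OID is id-kp-eapOverLAN as assigned in RFC 4334.
EAP_OVER_LAN_OID="1.3.6.1.5.5.7.3.14"

# Print the certificate's Extended Key Usage values (empty if none).
cert_eku() {
    openssl x509 -in "$1" -noout -text |
        grep -A1 'X509v3 Extended Key Usage' | tail -n1 | sed 's/^ *//'
}

# Succeed only if the EKU list contains id-kp-eapOverLAN. OpenSSL prints
# key purposes it has no name for as dotted OIDs, so compare whole items.
has_eap_over_lan() {
    cert_eku "$1" | tr ',' '\n' | sed 's/^ *//; s/ *$//' |
        grep -Fxq -e "$EAP_OVER_LAN_OID"
}

# Public key size in bits and the signature algorithm, the two other
# certificate properties posters in this thread varied.
cert_key_bits() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n1
}
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/^ *Signature Algorithm: *//p' | head -n1
}

# Constructed sample input: a throwaway self-signed certificate written to $1
# with the EKU list in $2 (default: serverAuth plus id-kp-eapOverLAN).
make_sample_cert() {
    _d=$(mktemp -d) || return 1
    printf '%s\n' '[req]' 'distinguished_name = dn' 'x509_extensions = ext' \
        'prompt = no' '[dn]' 'CN = radius.example.test' '[ext]' \
        "extendedKeyUsage = ${2:-serverAuth, $EAP_OVER_LAN_OID}" > "$_d/req.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -config "$_d/req.cnf" -keyout "$_d/key.pem" -out "$1" 2>/dev/null
    _rc=$?; rm -rf "$_d"; return $_rc
}

# Usage: sh check_eap_cert.sh server.pem
if [ $# -gt 0 ]; then
    echo "EKU:        $(cert_eku "$1")"
    echo "Key size:   $(cert_key_bits "$1") bit"
    echo "Signature:  $(cert_sig_alg "$1")"
    has_eap_over_lan "$1" && echo "id-kp-eapOverLAN: present" ||
        echo "id-kp-eapOverLAN: MISSING"
fi
```

Run it against the certificate the RADIUS server actually presents, not only the CSR, since the signing CA decides which extensions end up in the issued certificate.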
Troy - I do NOT get the warning about extended key usage so my cert should be good. The device is Win 8.1 Pro.
In working with TAC, they had me uncheck "valid server certificate" under the manual trust settings in OnBoard. This did not help and I still get EAP timeouts.
My cert is 2048 sha1 signed by OnBoard. Could you share the cert type you used in your working lab?
BTW - Windows 8.0 onboards and connects just fine. I know that doesn't really help.
We are running ClearPass version 6.4.0, and still have this problem with Windows 8.1 clients.
The only solution we have found so far is to patch the clients with windows 8.1 update 1 from windows update. After the patch is installed the wifi connection suddenly works perfect.
We have not been able to find the root cause of the problem. Anyone else?