Security


Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).

Windows 8.1 Onboard Support


  • 1.  Windows 8.1 Onboard Support

    Posted Oct 20, 2013 01:44 AM

    Hello,

     

    I need to confirm if Windows 8.1 onboard is supported now or still?

     

    Thank you.



  • 2.  RE: Windows 8.1 Onboard Support
    Best Answer

    Posted Oct 20, 2013 02:31 AM
    Yes it's supported. It's just been RT that was not


  • 3.  RE: Windows 8.1 Onboard Support

    Posted Oct 20, 2013 02:33 AM

    Thanks a lot for the confirmation.

     

    Are you aware of any reported issue with 802.1x AES TLS with them? My customer is having an issue, and in the Access Tracker it keeps showing timeout and in the alerts showing "client didn't complete eap" or something like that.

     

    Thanks again

     

    Regards,

    Islam



  • 4.  RE: Windows 8.1 Onboard Support

    Posted Oct 20, 2013 02:40 AM
    I'm running 8.1 in my lab with no issues.

    I would double check the settings on the controller. Typically when I see a timeout issue it's on the wireless side where the client isn't responding to the challenge.

    Can you try the same unit on the wired side or is it a tablet?


  • 5.  RE: Windows 8.1 Onboard Support

    Posted Oct 20, 2013 02:58 AM

    It was working fine, but when they upgraded to 8.1 it started showing timeouts and not connecting; only 8.1 is showing this issue right now.

     

    They don't have 802.1x configured on the wired side so can't test that... will try to play around with the controller (HP) and see if I can do anything.

     

    Will update you, thanks for the help :)

     

    Regards,

    Islam



  • 6.  RE: Windows 8.1 Onboard Support

    Posted Oct 20, 2013 03:00 AM
    I would have them double check the driver on the pc. It might have issues with 8.1.


  • 7.  RE: Windows 8.1 Onboard Support

    Posted Nov 26, 2013 05:11 AM

    It has an issue using EAP-TLS, tested in several sites :(



  • 8.  RE: Windows 8.1 Onboard Support

    Posted Nov 26, 2013 05:24 AM
    Make sure you have a TAC case open on those items you are having issues on. I've tested about 9 different Windows 8 and 8.1 with no issues.


  • 9.  RE: Windows 8.1 Onboard Support

    Posted Nov 26, 2013 05:34 AM

    I have opened a TAC but they said nothing is wrong with the ClearPass; it is from the wireless or the Windows machines. Multiple sites are having this issue running Cisco WLC and HP. I have 1 Aruba Wireless site running 6.3.1.1 and it works fine, so I'm confused.

     

    I'm onboarding with TLS settings and "validate server certificate" is off. Self-signed certificate from ClearPass.



  • 10.  RE: Windows 8.1 Onboard Support

    Posted Nov 26, 2013 05:37 AM

    Only Windows 8.1 is having the issue... Windows 8 works perfectly fine.



  • 11.  RE: Windows 8.1 Onboard Support

    Posted Nov 26, 2013 05:43 AM
    There are a lot of posts online if you google it saying it's a known issue with Microsoft, and I would check to see if they have a fix coming soon.

    Here is one of many out there

    http://social.technet.microsoft.com/Forums/windows/en-US/884bd094-de2d-49a0-80bd-e2e0e8741a50/windows-81-and-eaptls-issue-not-working-after-upgrade?forum=w8itpronetworking


  • 12.  RE: Windows 8.1 Onboard Support

    Posted Nov 26, 2013 05:40 AM
    You can't say that it doesn't work on all devices if it works fine on Aruba equipment.

    First, I would test those same models on the Aruba wifi and see if you have the same issue.

    I would suggest you work with the other vendors' support to troubleshoot their equipment. Usually it comes down to the auth ACLs that you are using, and make sure you have OCSP allowed in the firewall.


  • 13.  RE: Windows 8.1 Onboard Support

    Posted Nov 26, 2013 05:46 AM

    The environment is actually multiple schools with different laptop models, all having the issue with Windows 8.1 only. I have my own laptop tested on Cisco and HP and it shows timeout on ClearPass, while on Aruba it works but it actually takes a long time to get authenticated.

     

    The Auth ACL is allowing full access to ClearPass, which is the OCSP; no firewall on the WLC nor HP controller nor on the client machine, all disabled.

     

    The post mentioned on the Microsoft website is actually mine :) and this is what is confusing me: it works with Aruba, so how come the bug is not showing with Aruba Wireless?!

     

    Thanks for the help and your replies. I want to understand this to at least convince the customer that it is a Windows bug since it works fine with Aruba :(



  • 14.  RE: Windows 8.1 Onboard Support

    Posted Nov 26, 2013 05:50 AM

    I would suggest you open a post in the education forum and see if any of the other universities have run into the same issue and what they did to fix it.

    I do know that Cisco has a latency requirement, and if the TLS transaction doesn't complete in a certain time period it will time out.



  • 15.  RE: Windows 8.1 Onboard Support

    Posted Jan 02, 2014 07:07 AM

    Hi All,

     

    Happy new year for you guys.

     

    Is there any update regarding this issue?

    I'm facing the same problem as well, but my environment is using an Aruba controller.

    Only Windows 8.1 is having the authentication issue.

    If I check in the Access Tracker, the Windows 8.1 is having a timeout status.

     



  • 16.  RE: Windows 8.1 Onboard Support

    Posted Jan 02, 2014 07:09 AM
    Hi,

    I found a workaround and it works perfectly: generate a new server certificate and make sure the SHA 1 key is set to 1024 only. It should work fine after that.


  • 17.  RE: Windows 8.1 Onboard Support

    Posted Jan 02, 2014 07:24 AM

    Hi Soliman,

     

    Thank you for your fast response.

     

    So I might need to generate a new server certificate and re-onboard all the end devices to make it work?

    The workaround is quite tedious.

    Is there any confirmation from the Aruba team regarding this solution for Windows 8.1?

     

    Warmest regards,

    Erik

     

     



  • 18.  RE: Windows 8.1 Onboard Support

    Posted Jan 02, 2014 07:26 AM
    No need to re-onboard any device since the CA and the client certificates are not changing. Only a new server certificate from the onboard CA.


  • 19.  RE: Windows 8.1 Onboard Support

    Posted Jan 02, 2014 07:33 AM

    OK will try the work around.

    Thank you.



  • 20.  RE: Windows 8.1 Onboard Support

    Posted Jan 02, 2014 11:01 PM

    I know this might be an easy fix but just remember you are putting a band-aid on a problem. You're not actually fixing the issue.

     

    I would keep an eye on Cisco's and Windows forums. It just seems odd that it works fine on Aruba wireless but not on Cisco... I have 3 different devices that I have tested in my lab with Windows 8.1 (standard and enterprise) with Aruba with no issues.



  • 21.  RE: Windows 8.1 Onboard Support

    Posted Jan 03, 2014 12:13 AM

    Hi Troy,

     

    Thank you for your reply.

    Just want to clarify, I'm facing the onboarding issue on Windows 8.1 in the Aruba controller environment not with Cisco or other vendor.

     

    Thank you.

     

     



  • 22.  RE: Windows 8.1 Onboard Support

    Posted Jan 03, 2014 12:20 AM

    OK, thank you. I would open a TAC case then. I have no issues here in my lab but you might have a setting that just needs to be changed.

     

    Can you post a screenshot of your controller roles for when the client first connects?

     

    screenshot_01 Jan. 02 23.07.gif

    screenshot_02 Jan. 02 23.07.gif

     

    screenshot_03 Jan. 02 23.08.gif

     



  • 23.  RE: Windows 8.1 Onboard Support

    Posted Jan 03, 2014 12:47 AM

    The timeout status at the ClearPass Access Tracker is assigning post onboard user role, which is provisioning of the wireless profile authentication with ArubaQuickConnect application is already done.

     

    Anyway, please find attached the screen capture from my controller.

     

    Thank you

     



  • 24.  RE: Windows 8.1 Onboard Support

    Posted Jan 05, 2014 03:31 AM

    Hi Troy,

     

    The issue is showing with all vendors, even with Aruba Wireless. I have logged a new case and got a bug ID for this as well; it seems that there is a bug in ClearPass.

     

    The workaround works perfectly for me with no issues in multiple sites. Using a server certificate with SHA-1 1024 key is not a big issue for those sites; they just need to get access and it works now :)

     

    Hi Erik,

     

    Did you try the workaround or not yet?



  • 25.  RE: Windows 8.1 Onboard Support

    Posted Jan 05, 2014 03:41 AM
    That's odd since I have it working fine in my lab. Is it all 8.1 clients or just a few?

    I will get with engineering and look at the test reports and logs.


  • 26.  RE: Windows 8.1 Onboard Support

    Posted Jan 05, 2014 03:44 AM

    Hi Troy,

     

    The issue that I have found is that when the server certificate key is generated using a 2048 key it shows this issue, but when I change it to 1024 and create a new server certificate it works perfectly. Not sure if it is from the 2048 key or if just creating a new server certificate solves the issue!!

     

    And it is confusing why this bug is only triggered with Windows 8.1!!!

     

    Do you want the bug ID?

     

    Support will call me to explain the whole thing this week.



  • 27.  RE: Windows 8.1 Onboard Support

    Posted Jan 06, 2014 03:53 AM

    Hi All,

     

    I have a temporary workaround from an Aruba TAC engineer for this issue, besides changing the server certificate to use 1024 bit encryption.

    You will need to modify the network settings configuration inside the Onboard Workspace to "Manually configure certificate trust settings" and then uncheck the "Validate the server certificate" option.

     

    Network Settings Changes edit.png

     

    Hope the Aruba back-end engineering team will have this fixed in an upcoming CPPM patch release.

     

     

    Thanks.



  • 28.  RE: Windows 8.1 Onboard Support

    Posted Jan 06, 2014 03:58 AM

    Thank you for the update.

    I'm not sure there is a lot that engineering can do if un-checking the validate server cert is what fixed it. That means the client isn't trusting the cert that CPPM is presenting so the issue seems to lie on the client side. I will talk with engineering and post an update.



  • 29.  RE: Windows 8.1 Onboard Support

    Posted Jan 02, 2014 07:28 AM
    I have tested this in multiple working sites that had onboarded devices already and it worked with no issues. If you want to be on the safe side, export the existing server certificate, then generate a new signing request using sha1 1024 and sign it from the onboard CA if you are using it. Then apply it to the server and check; if there is any issue just upload/import the old server certificate.


  • 30.  RE: Windows 8.1 Onboard Support

    Posted Jan 02, 2014 07:31 AM
    The client certificates are getting generated and signed from the CA, which we are not making any change to.

    And this bug is a Windows 8.1 bug but not confirmed yet. Check the event logs from the client machine: you will find that the SSL service is crashing, then another log showing that the Windows machine couldn't verify the server certificate. This only happens with Windows 8.1 machines.


  • 31.  RE: Windows 8.1 Onboard Support

    Posted Jan 06, 2014 04:10 AM
    Yes, the error in the event logs on the Windows machine shows that the machine couldn't validate the server certificate, but why can other systems do that with no issues??? And removing the check proves that Windows cannot validate that server certificate even though the CA is getting pushed to the machine in the onboarding steps and I have verified it is there!! Also, why is this not showing using a 1024 key? I am having lots of doubts about this being a ClearPass bug; I think it is a Windows bug.

    And as I remember, doing manual trust caused an issue with Android devices (faced that in 1 site) and I got a recommendation from Aruba to change it to auto and it worked after that, so test with Android as well before making it a workaround :)


  • 32.  RE: Windows 8.1 Onboard Support

    Posted Jan 06, 2014 11:47 PM

    Just a quick update.....

     

    Engineering is investigating it. If you are running into this issue please contact TAC for a workaround, and I will post an update later this week.



  • 33.  RE: Windows 8.1 Onboard Support

    Posted Feb 24, 2014 07:50 AM

    Hello Troy,

     

    Any updates on this one, as I'm running into the same issue?

     

    Many thanks in advance,

     

    Jan



  • 34.  RE: Windows 8.1 Onboard Support
    Best Answer

    Posted Feb 24, 2014 12:05 PM

    If you are using a CPPM that is running any version before 6.3 you will need to make sure the Root CA you choose supports OID to the certificate (id-kp-eapOverLAN) for the CPPM server cert.

     

    In 6.3 the radius cert can be signed by CPGuest and the OID support is built in.

     

    Windows decided to change the certificate requirements as of 8.1.



  • 35.  RE: Windows 8.1 Onboard Support

    Posted Feb 25, 2014 02:47 AM

    Many thanks for the quick reply!

     

    Here is what I got back from the support team:

     

    "After onboarding a windows 8.1 device, it silently failing to connect SSID using (EAP-MSCHAPV2). We also replicated the issue in house and found the same. When configuring the client manually with certificate trust settings, client able to connect to SSID. When we remove the option do not validate server certificate (network settings in Onboarding), the windows 8.1 client is able to connect.

     

    This defect is resolved in 6.3.1, which is expected to be available by 03/14/14 (tentative)."

     

    Best regards,

     

    Jan



  • 36.  RE: Windows 8.1 Onboard Support

    Posted Jul 01, 2014 04:23 PM

    Is there any update with this?

     

    I've generated a CSR for 2048 SHA-1 and signed it with OnBoard. 

     

    I'm still getting Windows 8.1 timeouts in CPPM 6.3.3.x. Any thoughts on this? 



  • 37.  RE: Windows 8.1 Onboard Support

    Posted Jul 01, 2014 07:02 PM
    Please open a TAC case. I have it running fine at multiple sites. It might be an issue on the wireless, wired or CPPM. The only way to find out is to debug and look through the logs.


  • 38.  RE: Windows 8.1 Onboard Support

    Posted Jul 02, 2014 09:23 AM

    Thanks Troy - I'll contact TAC. Do you know of a way to double check that the SSL cert I generated has the id-kp-eapOverLAN extended key usage?

     

     



  • 39.  RE: Windows 8.1 Onboard Support

    Posted Jul 02, 2014 09:28 AM
    If you go to the CP Guest side, to the Onboard workspace, and click "Start Here", it will tell you on the page if your cert supports ID-KP-EAPOVERLAN.
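
A way to check the extended key usage asked about above without the Onboard page, as an added example that is not part of the original thread or ClearPass itself: a standard-library Python walk of the certificate's DER that lists the EKU OIDs. Assumptions: id-kp-eapOverLAN is OID 1.3.6.1.5.5.7.3.14 (RFC 4334), the function names are hypothetical, the input is well-formed DER or PEM, and `SAMPLE_EXT` is a constructed extension, not a certificate from this thread.

```python
import base64
import re

EKU_EXT = "2.5.29.37"                # extendedKeyUsage extension OID
EAP_OVER_LAN = "1.3.6.1.5.5.7.3.14"  # id-kp-eapOverLAN, value taken from RFC 4334

# Constructed sample: one EKU extension listing serverAuth and id-kp-eapOverLAN.
SAMPLE_EXT = bytes.fromhex(
    "301d0603551d250416301406082b0601050507030106082b0601050507030e")

def load_der(data):
    """Accept PEM or raw DER bytes and return DER."""
    m = re.search(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", data, re.S)
    return base64.b64decode(m.group(1)) if m else data

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def children(buf, start, end):
    while start < end:
        tag, vs, ve = read_tlv(buf, start)
        yield tag, vs, ve
        start = ve

def decode_oid(body):
    arcs, value = [], 0
    for byte in body:                # base-128 digits, high bit marks continuation
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(value)
            value = 0
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def find_eku(buf, start=0, end=None):
    """Return the EKU OIDs found in the DER, or None if there is no EKU extension."""
    for tag, vs, ve in children(buf, start, len(buf) if end is None else end):
        if not tag & 0x20:           # primitive element, nothing nested to walk
            continue
        kids = list(children(buf, vs, ve))
        if tag == 0x30 and kids and kids[0][0] == 0x06 \
                and decode_oid(buf[kids[0][1]:kids[0][2]]) == EKU_EXT:
            _, s, e = read_tlv(buf, kids[-1][1])   # SEQUENCE inside extnValue
            return [decode_oid(buf[a:b]) for t, a, b in children(buf, s, e) if t == 0x06]
        found = find_eku(buf, vs, ve)
        if found is not None:
            return found
    return None

def supports_eap_over_lan(cert_bytes):
    return EAP_OVER_LAN in (find_eku(load_der(cert_bytes)) or [])
```

To check an exported server certificate, read the file in binary mode and pass the bytes to `supports_eap_over_lan`; a `None` from `find_eku` means the certificate carries no EKU extension at all.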


  • 40.  RE: Windows 8.1 Onboard Support

    Posted Jul 02, 2014 03:56 PM

    id-kp.png



  • 41.  RE: Windows 8.1 Onboard Support

    Posted Jul 03, 2014 04:24 PM

    Troy - I do NOT get the warning about extended key usage so my cert should be good. The device is Win 8.1 Pro.

     

    In working with TAC, they had me uncheck "valid server certificate" under the manual trust settings in OnBoard. This did not help and I still get EAP timeouts.  

     

    My cert is 2048 sha1 signed by OnBoard. Could you share the cert type you used in your working lab?

     

    BTW - Windows 8.0 onboards and connects just fine. I know that doesn't really help. 



  • 42.  RE: Windows 8.1 Onboard Support

    Posted Sep 11, 2014 05:51 AM

    We are running ClearPass version 6.4.0, and still have this problem with Windows 8.1 clients.

    The only solution we have found so far is to patch the clients with Windows 8.1 Update 1 from Windows Update. After the patch is installed the wifi connection suddenly works perfectly.

     

    We have not been able to find the root cause of the problem. Anyone else?