Security

last person joined: 3 hours ago 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

Clearpass Authentication TimeOut

Jump to Best Answer
  • 1.  Clearpass Authentication TimeOut

    Posted Feb 29, 2016 05:37 AM

    Hello,

     

    following failure message i receive from our radius:

    Client did not complete EAP transaction

     

     

    On live Monitoring Access Tracker i receive 2 Messages, i think this is correct:

    One is for our Device: EAP-PEAP,EAP-TLS <- works !!

    second is for our AD i think and here i get: Client did not complete EAP transaction !!

    Always get a TIMEOUT !!!

     

    An explanation why ??

    I want that the user connect automatically to our Network and to the AD.

     

    Thx

    Salvatore

     



  • 2.  RE: Clearpass Authentication TimeOut

    Posted Feb 29, 2016 05:46 AM

    What OS is this client?  Client timeout is a generic error message.  The #1 reason is the radius server certificate is new or changed and the client did not click on accept, so the radius transaction was not completed.  We would need more details to explain why the error message is happening.



  • 3.  RE: Clearpass Authentication TimeOut

    Posted Feb 29, 2016 05:56 AM

    Hi,

     

    we use Windows 7 clients.

    I tried something, i disconnect the Wifi connection and connect it again and now i receive only EAP-PEAP authentication Method. Why ?

    Where is my EAP-TLS authentification message ??

    I do not change anything in the configuration.

     

    THX

    Salvatore



  • 4.  RE: Clearpass Authentication TimeOut

    Posted Feb 29, 2016 06:00 AM

    How is the client configured?



  • 5.  RE: Clearpass Authentication TimeOut

    Posted Feb 29, 2016 06:15 AM

    Hi,

     

    1. first in the security Settings i have set Microsoft EAP (PEAP).
      1. then Settings: check certificate , authenticationmethod: smartcard or other certificate.
      2. enter configure: use certificate on the Computer , use and check certificate.
    2. advanced settings: authentication method -> Computerauthentication.

    hope you understand my configuration :-)

     

    Under Clearpass Authentication Methods EAP-TLS there is written: Session Timeout 6 hours.

    That meens, if i disconnect and connect in this 6 hours a few times, my Laptop (machine authentication) is not considered. Right ?? Only the AD Authentication will be considered.

     

    Thx.

    Salvatore



  • 6.  RE: Clearpass Authentication TimeOut

    Posted Feb 29, 2016 06:21 AM

    Does the Windows laptop have a client certificate in the computer store?  How was this certificate issued to the client?  Did it ever work?



  • 7.  RE: Clearpass Authentication TimeOut

    Posted Feb 29, 2016 06:32 AM

    Hi,

     

    yes the client have installed the ROOT CA.

    to prehistory: Friday i installed the certificate to clearpass.

    There are 3 Certificates on CLearpass: Root CA , Intermediate CA, and Server CA.

    Thenn i try to connect me a view times but it did not work.

     

    Today i added the Certificates to the Trust List on ClearPass and changed the windows settings and it works. I think.

     

    Thx

    Salvatore



  • 8.  RE: Clearpass Authentication TimeOut

    Posted Feb 29, 2016 06:34 AM

    The Windows 7 client requires a client certificate for authentication which is separate from the RootCA, Intermediate CA and Server CA.  With your settings the client requires a client certificate in the computer store, not the user store.

     

    Use the link here:  https://msdn.microsoft.com/en-us/library/ms788967(v=vs.110).aspx to see how to check for client certificates on your computer.



  • 9.  RE: Clearpass Authentication TimeOut

    Posted Feb 29, 2016 07:13 AM

    Hi,

     

    yes i have i client certificate. There is separate from the RootCA, Intermediate CA and Server CA.

     

    Thx

    Salvatore



  • 10.  RE: Clearpass Authentication TimeOut

    Posted Feb 29, 2016 07:28 AM

    Who issued the client certificate and is it in the computer (machine) store?



  • 11.  RE: Clearpass Authentication TimeOut

    Posted Feb 29, 2016 07:36 AM

    Hi,

     

    certificate path: when i do a doubleclick on my local certificate, i see my (issued by )intermediate Certificate, and this comes from our ROOT CA.

     

    Hope you understand me. My english is not the best.

     

    Thx

    Salvatore



  • 12.  RE: Clearpass Authentication TimeOut

    Posted Feb 29, 2016 07:43 AM

    I understand.  Try configuring your client with "Validate Server Certificate" unchecked and see if your client can authenticate.



  • 13.  RE: Clearpass Authentication TimeOut

    Posted Feb 29, 2016 07:56 AM

    if i uncheck "Validate Server Certificate" i had still connection to the wifi. the client use EAP-PEAP.

    Monitor Live Tracking: Authentication Method: EAP-PEAP,EAP-MSCHAPv2.

     

    When i check "Validate Server Certificate" i receive EAP-PEAP,EAP-TLS.

     

    My goal is that all employees when their comes to work, all Devices automatically connect to the WiFi via Certificate.

     

    I tried to remove the EAP-PEAP on clearpass authentication Method, but unfortunately i had no connection to WiFi.

     

    Thx

    Salvatore



  • 14.  RE: Clearpass Authentication TimeOut

    Posted Mar 02, 2016 04:25 AM

    Good morning,

     

    new situation: now my authentication with my certificate works.

    Settings Clearpass: Authentication Method = EAP-TLS

    Windows 7 client: Microsoft smartcard or other Certification

     

    When i keep it so this settings, my Client will automatically connect to the WiFi.

    But i receive a new failure message on access Tracker: Client does not support configured EAP methods

     

    Our client must simultaneously build up an authentication to the AD.

    If i add in the authentication Method: EAP-PEAP. Everything works fine too, but then i have 2 new Problems:

    1. i receive an Timeout message: Client did not complete EAP transaction
    2. big problem: now no matter wich settings i have on my client, he always gets an connection.

    and that should not happen. He must verify first if my client have an valid certificate and then in the second step authenticate with my AD.

     

    Someone have any idea ??

    Maybe i have forgett to configure something on clearpass ?

     

    Thx

    Salvatore



  • 15.  RE: Clearpass Authentication TimeOut

    Posted Mar 02, 2016 06:07 AM
    A couple suggestions:

    - Are you using Microsoft CA as your Root CA to generate the unique certs ? If so , are you using machine and user cert or just machine ?
    - also if you are not using a third party cert in ClearPass make sure you import it into certificates store or send through a GPO to your wireless clients
    - Make sure that Microsoft Root CA has been added to the cert trusted list in ClearPass
    - The wireless profile for the SSID needs to be set to use Smartcard or certificate manually , if you are only using Computer cert then just enable Computer auth instead user or computer
    - in ClearPass then you need to allow EAP-TLS as a authentication method and use AD as authentication source


  • 16.  RE: Clearpass Authentication TimeOut

    Posted Mar 02, 2016 06:23 AM

    Hi,

     

    we have a corporate certificate.

     

    1. machine certificate on the clients
    2. certificate installed on clearpass
    3. and added to the trustet list.

    If i configured as you described, EAP_TLS and source is AD it works. But then i receive following error messages: Radius -> EAP: Client doesn't support configured EAP methods

     

    Clients settings: I have set Smartcard or certificate manually and i  only use computer auth.

     

    thx

    Salvatore

     



  • 17.  RE: Clearpass Authentication TimeOut

    Posted Mar 02, 2016 06:25 AM
    Have you tried updating the drivers or another machine?

    Sent from Outlook for iPhone


  • 18.  RE: Clearpass Authentication TimeOut

    Posted Mar 02, 2016 07:25 AM

    Hi,

     

    yes i have 2 or 3 Laptops to tests the WiFi connection. Network adapter driver have the latest update.

    But another question:

    • is there any settings to do for authentication sequence ?
    • like if a client certificate exists and is valid (EAP_TLS) then
      • authenticate with AD
    • if not you reject.

    Or which settings must be set on Clearpass ? Can i do this with enforcement ?

     

    Thx

    Salvatore



  • 19.  RE: Clearpass Authentication TimeOut
    Best Answer

    Posted Mar 04, 2016 09:12 AM

    Hi,

    everythings works now. I must uncheck under Configuration -> Services -> Authentication -> Authentication Methods = EAP_TLS -> uncheck = Authentication required.

     

    Now i got certificate access without EAP Timeouts.

     

    Thx for help.

     

     



  • 20.  RE: Clearpass Authentication TimeOut

    Posted Jun 05, 2018 01:34 AM

    Hi, all we are also getting EAP timeouts.  What was the fix for this issue?



  • 21.  RE: Clearpass Authentication TimeOut

    Posted Jun 05, 2018 05:04 AM

    There are a number of reasons for EAP timeouts.  Do you have any more information like what devices are involved and what the error messages are?



  • 22.  RE: Clearpass Authentication TimeOut

    Posted Jul 06, 2018 04:21 PM

    I am currently having this issue with Mobile devices like iPhones or Android.  Users will stay on wireless for a while then can't get on the internert.  I look at Clearpass and see timeout.  How they are fixing it is shutting off wireless on their phones and turning back on.  



  • 23.  RE: Clearpass Authentication TimeOut

    Posted Jul 06, 2018 04:23 PM
    Authentication method?


  • 24.  RE: Clearpass Authentication TimeOut

    Posted Jul 06, 2018 04:24 PM

    802.1x



  • 25.  RE: Clearpass Authentication TimeOut

    Posted Jul 06, 2018 04:27 PM
    EAP method? EAP server certificate details?


  • 26.  RE: Clearpass Authentication TimeOut

    Posted Jul 06, 2018 04:32 PM

    Eap-Peap

    with a Radius Server Certificate from our local Cert Server



  • 27.  RE: Clearpass Authentication TimeOut

    Posted Jul 06, 2018 04:38 PM
    Have the client’s supplicants been properly configured to trust the EAP server certificate?


  • 28.  RE: Clearpass Authentication TimeOut

    Posted Jul 06, 2018 04:39 PM

    I can speak on the iphones since I am on one.  When I connect to the Wireless first time I am asked to trust the Cert which I select Trust.  Is that what you are talking about?



  • 29.  RE: Clearpass Authentication TimeOut

    Posted Jul 06, 2018 04:42 PM
    That’s not really properly configured, but yes, it should work. Do you have the same EAP server certificate on all nodes in the cluster?


  • 30.  RE: Clearpass Authentication TimeOut

    Posted Jul 06, 2018 04:45 PM

    Yes we do.  I am sure there are other ways of pushing the cert out to phones but sadly that is the way we do it.



  • 31.  RE: Clearpass Authentication TimeOut

    Posted Jul 06, 2018 05:02 PM

    Arubawifi.JPG



  • 32.  RE: Clearpass Authentication TimeOut

    Posted Oct 03, 2018 08:57 AM

    We are also having the same error, a ton of it.    We had to increase our "interval between WPA/WPA2 Key Messages" from 1000 to 3000ms that cut down a ton of timeouts, but that's a band-aid and not solving the root cause, I have been working with TAC for 3-4 weeks on this and were not any closer. 

     

    did you get any resolutions?   



  • 33.  RE: Clearpass Authentication TimeOut

    Posted Oct 03, 2018 11:02 AM

    Same here, let me know if you get any resolution from TAC.

     

    Thanks,

     

    AP



  • 34.  RE: Clearpass Authentication TimeOut

    Posted Oct 05, 2018 08:17 AM

    the latest patch includes some Active Directory tree searching enhancements.  we just upgraded to 6.7.6, checking today and next week if that takes care of the issue.  



  • 35.  RE: Clearpass Authentication TimeOut

    Posted Oct 19, 2018 04:25 PM

    Any luck with this issue guys, did you have any success after upgrading to 6.7.6 ?



  • 36.  RE: Clearpass Authentication TimeOut

    Posted Nov 07, 2018 09:52 PM

    have you guys found a way to solve it yet? i'm running 6.7.7 with lots of timeouts.



  • 37.  RE: Clearpass Authentication TimeOut

    Posted Jul 02, 2020 05:47 PM

    Where were these timers that you adjusted? Any other discoveries on this issue?



  • 38.  RE: Clearpass Authentication TimeOut

    Posted Jul 03, 2020 12:39 PM

    Are you seeing any auth timeouts in access tracker, if YES then we need to check access tracker logs to find if it is failed due to delay in auth process from auth server or no response from client itself for CPPM access challenge.

     

     



  • 39.  RE: Clearpass Authentication TimeOut

    Posted Jul 06, 2020 04:18 PM
    Ok, yes, seeing the timeouts in the access tracker and the client is not getting prompted to trust. Therefore the client is not allowed on the network.

    Thanks,

    Jake

    GameStop | Jake Briggs | Network Engineer | 817-722-7621 | jacobbriggs@gamestop.com | powertotheplayers


  • 40.  RE: Clearpass Authentication TimeOut

    Posted Jul 06, 2020 05:21 PM
      |   view attached
     

    Time Message

    2020-07-03 04:31:27,039[main SessId R07e74a6e-02-5efefabb] ERROR RadiusServer.Radius - reqst_clean_list: Deleting request sessid - R07e74a6e-02-5efefabb, state - AJ0A9QBiAFRpR7wkhIm2wYsBikLNvg+JNWahNg=
    2020-07-03 04:31:27,039[main SessId R07e74a6e-02-5efefabb] ERROR RadiusServer.Radius - reqst_clean_list: Packet 186:276:88:54-99-63-6E-A8-63 recv 1593768635.740301 - resp 1593768635.747602
    2020-07-03 04:31:27,039[main SessId R07e74a6e-02-5efefabb] ERROR RadiusServer.Radius - reqst_clean_list: Packet 187:442:1124:54-99-63-6E-A8-63 recv 1593768635.820131 - resp 1593768635.825175
    2020-07-03 04:31:27,039[main SessId R07e74a6e-02-5efefabb] ERROR RadiusServer.Radius - reqst_clean_list: Packet 188:287:1120:54-99-63-6E-A8-63 recv 1593768635.872398 - resp 1593768635.873006
    2020-07-03 04:31:27,039[main SessId R07e74a6e-02-5efefabb] ERROR RadiusServer.Radius - reqst_clean_list: Packet 189:287:1120:54-99-63-6E-A8-63 recv 1593768635.918090 - resp 1593768635.918799
    2020-07-03 04:31:27,039[main SessId R07e74a6e-02-5efefabb] ERROR RadiusServer.Radius - reqst_clean_list: Packet 190:287:1120:54-99-63-6E-A8-63 recv 1593768635.964035 - resp 1593768635.964579
    2020-07-03 04:31:27,039[main SessId R07e74a6e-02-5efefabb] ERROR RadiusServer.Radius - reqst_clean_list: Packet 191:287:1120:54-99-63-6E-A8-63 recv 1593768636.8184 - resp 1593768636.8786
    2020-07-03 04:31:27,039[main SessId R07e74a6e-02-5efefabb] ERROR RadiusServer.Radius - reqst_clean_list: Packet 192:287:1120:54-99-63-6E-A8-63 recv 1593768636.54485 - resp 1593768636.54940
    2020-07-03 04:31:27,039[main SessId R07e74a6e-02-5efefabb] ERROR RadiusServer.Radius - reqst_clean_list: Packet 193:287:1120:54-99-63-6E-A8-63 recv 1593768636.100298 - resp 1593768636.100676
    2020-07-03 04:31:27,040[main SessId R07e74a6e-02-5efefabb] ERROR RadiusServer.Radius - reqst_clean_list: Packet 194:287:300:54-99-63-6E-A8-63 recv 1593768636.146052 - resp 1593768636.146472