I receive the following failure message from our RADIUS:
Client did not complete EAP transaction
On Live Monitoring Access Tracker I receive 2 messages; I think this is correct:
One is for our Device: EAP-PEAP,EAP-TLS <- works !!
The second is for our AD, I think, and here I get: Client did not complete EAP transaction !!
Always get a TIMEOUT !!!
An explanation why ??
I want the user to connect automatically to our network and to the AD.
What OS is this client? Client timeout is a generic error message. The #1 reason is the radius server certificate is new or changed and the client did not click on accept, so the radius transaction was not completed. We would need more details to explain why the error message is happening.
We use Windows 7 clients.
I tried something: I disconnected the WiFi connection and connected it again, and now I receive only the EAP-PEAP authentication method. Why?
Where is my EAP-TLS authentication message ??
I did not change anything in the configuration.
How is the client configured?
Hope you understand my configuration :-)
Under ClearPass Authentication Methods, EAP-TLS, it says: Session Timeout 6 hours.
That means, if I disconnect and connect a few times within these 6 hours, my laptop (machine authentication) is not considered. Right ?? Only the AD authentication will be considered.
Does the Windows laptop have a client certificate in the computer store? How was this certificate issued to the client? Did it ever work?
Yes, the client has the ROOT CA installed.
Some background: on Friday I installed the certificate on ClearPass.
There are 3 certificates on ClearPass: Root CA, Intermediate CA, and Server CA.
Then I tried to connect a few times, but it did not work.
Today I added the certificates to the Trust List on ClearPass and changed the Windows settings, and it works. I think.
The Windows 7 client requires a client certificate for authentication which is separate from the RootCA, Intermediate CA and Server CA. With your settings the client requires a client certificate in the computer store, not the user store.
Use the link here: https://msdn.microsoft.com/en-us/library/ms788967(v=vs.110).aspx to see how to check for client certificates on your computer.
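A local check for the requirement described above, as an added example that is not part of the original thread: it lists the certificates in the computer Personal store (`Cert:\LocalMachine\My`) and reports whether each has a private key, is within its validity period, carries the Client Authentication EKU and chains to a trusted root. Skipping the revocation lookup is an assumption made so the check runs offline.

```powershell
# Added example: which certificates in the computer (machine) store could be
# presented as an EAP-TLS client certificate?
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU
$now = Get-Date

Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_

    # Collect the EKU OIDs. A certificate without an EKU extension is not
    # restricted to specific purposes, so it is treated as usable here.
    $ekuExt = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    $ekuOids = @()
    if ($ekuExt) { $ekuOids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    $clientAuth = (-not $ekuExt) -or ($ekuOids -contains $clientAuthOid)

    # Build the chain in machine context, so the computer's own Root and
    # Intermediate CA stores are used rather than the logged-on user's.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain -ArgumentList $true
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # assumption: no CRL/OCSP lookup
    $chainOk = $chain.Build($cert)

    New-Object PSObject -Property @{
        Subject         = $cert.Subject
        Issuer          = $cert.Issuer
        NotAfter        = $cert.NotAfter
        OutsideValidity = ($cert.NotAfter -lt $now) -or ($cert.NotBefore -gt $now)
        HasPrivateKey   = $cert.HasPrivateKey
        ClientAuthEku   = $clientAuth
        ChainTrusted    = $chainOk
    }
} | Format-List Subject, Issuer, NotAfter, OutsideValidity, HasPrivateKey, ClientAuthEku, ChainTrusted
```

An empty result means the machine store holds no certificate at all; an entry with `HasPrivateKey` false or `ClientAuthEku` false cannot be used for machine EAP-TLS.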
Yes, I have a client certificate. It is separate from the RootCA, Intermediate CA and Server CA.
Who issued the client certificate and is it in the computer (machine) store?
Certificate path: when I double-click on my local certificate, I see my (issued by) intermediate certificate, and this comes from our ROOT CA.
Hope you understand me. My English is not the best.
I understand. Try configuring your client with "Validate Server Certificate" unchecked and see if your client can authenticate.
If I uncheck "Validate Server Certificate" I still had a connection to the WiFi. The client uses EAP-PEAP.
Monitor Live Tracking: Authentication Method: EAP-PEAP,EAP-MSCHAPv2.
When I check "Validate Server Certificate" I receive EAP-PEAP,EAP-TLS.
My goal is that when employees come to work, all devices automatically connect to the WiFi via certificate.
I tried to remove EAP-PEAP from the ClearPass authentication methods, but unfortunately I then had no connection to WiFi.
New situation: now my authentication with my certificate works.
ClearPass settings: Authentication Method = EAP-TLS
Windows 7 client: Microsoft: Smart Card or other certificate
When I keep these settings, my client will automatically connect to the WiFi.
But I receive a new failure message in Access Tracker: Client does not support configured EAP methods
Our client must simultaneously build up an authentication to the AD.
If I add EAP-PEAP to the authentication methods, everything works fine too, but then I have 2 new problems:
and that should not happen. It must first verify whether my client has a valid certificate and then, in the second step, authenticate with my AD.
Does anyone have any idea ??
Maybe I have forgotten to configure something on ClearPass ?
We have a corporate certificate.
If I configure it as you described, EAP_TLS and source is AD, it works. But then I receive the following error message: Radius -> EAP: Client doesn't support configured EAP methods
Client settings: I have set Smartcard or certificate manually and I only use computer auth.
Yes, I have 2 or 3 laptops to test the WiFi connection. The network adapter driver has the latest update.
But another question:
Or which settings must be set on ClearPass ? Can I do this with enforcement ?
Everything works now. I had to uncheck under Configuration -> Services -> Authentication -> Authentication Methods = EAP_TLS -> uncheck = Authentication required.
Now I get certificate access without EAP timeouts.
Thx for help.
Hi all, we are also getting EAP timeouts. What was the fix for this issue?
There are a number of reasons for EAP timeouts. Do you have any more information like what devices are involved and what the error messages are?
I am currently having this issue with mobile devices like iPhones or Android. Users will stay on wireless for a while, then can't get on the internet. I look at ClearPass and see a timeout. How they are fixing it is shutting off wireless on their phones and turning it back on.
with a Radius Server Certificate from our local Cert Server
I can speak on the iphones since I am on one. When I connect to the Wireless first time I am asked to trust the Cert which I select Trust. Is that what you are talking about?
Yes we do. I am sure there are other ways of pushing the cert out to phones but sadly that is the way we do it.
We are also having the same error, a ton of it. We had to increase our "interval between WPA/WPA2 Key Messages" from 1000 to 3000ms; that cut down a ton of timeouts, but that's a band-aid and not solving the root cause. I have been working with TAC for 3-4 weeks on this and we're not any closer.
Did you get any resolutions?
Same here, let me know if you get any resolution from TAC.
The latest patch includes some Active Directory tree searching enhancements. We just upgraded to 6.7.6, checking today and next week if that takes care of the issue.
Any luck with this issue guys, did you have any success after upgrading to 6.7.6 ?
Have you guys found a way to solve it yet? I'm running 6.7.7 with lots of timeouts.
Where were these timers that you adjusted? Any other discoveries on this issue?
Are you seeing any auth timeouts in Access Tracker? If yes, then we need to check the Access Tracker logs to find whether it failed due to a delay in the auth process from the auth server or no response from the client itself to the CPPM access challenge.