Security


Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).

802.1X with Windows XP and Clearpass via Remote IAP (VPN)

  • 1.  802.1X with Windows XP and Clearpass via Remote IAP (VPN)

    Posted Jan 07, 2016 12:18 PM

    Windows XP clients with valid machine certificates can't authenticate via 802.1X to ClearPass.  Windows 7 clients with the same configuration (that I can tell) can connect and authenticate via 802.1X to ClearPass.  I do not see any logs on ClearPass when the XP clients try to connect to the SSID, and with a Wireshark capture I see an EAP Failure with Code #4.  Any thoughts or ideas on why the XP clients can't connect/authenticate in this method?



  • 2.  RE: 802.1X with Windows XP and Clearpass via Remote IAP (VPN)

    Posted Jan 07, 2016 12:30 PM

    I would like to add this screenshot from the Wireshark capture.  The first group of EAP messages is between the client and the IAP (VPN) and the second is between the same client and our Campus AP.  The campus AP is also WPA2-Enterprise using 802.1X via AD, not ClearPass.  Looks like there is a key exchange that doesn't happen with the IAP setup.

    IAP_Cap.png



  • 3.  RE: 802.1X with Windows XP and Clearpass via Remote IAP (VPN)

    Posted Jan 07, 2016 12:31 PM
    EAP-TLS or PEAP?
    Using a public or private certificate?
    Any errors on the IAP logs?


  • 4.  RE: 802.1X with Windows XP and Clearpass via Remote IAP (VPN)

    Posted Jan 07, 2016 12:49 PM

    Hey Victor, long time no talk.  This is Chris Shopp from Carestream!

    This is EAP-TLS using the machine certificate issued by our ICA.  Logs are attached and scrubbed, so the x.x.x.x is an actual IP and the username is an actual username.

    Attachment: Logs.txt


  • 5.  RE: 802.1X with Windows XP and Clearpass via Remote IAP (VPN)

    Posted Jan 07, 2016 04:48 PM
    Definitely, it's been a while man, hope all is well.

    Is the device set up in RAP mode or Instant mode using IPSec?

    If it is in Instant mode then I would confirm that the pre-shared key matches in both places (IAP and CPPM).

    You can check in the Live Monitoring > Event viewer if that's the case.

    Do you have this working through the campus APs?



  • 6.  RE: 802.1X with Windows XP and Clearpass via Remote IAP (VPN)

    Posted Jan 07, 2016 09:44 PM

    This is an IAP with IPSEC tunneling to the controller (over the internet).  Pre-shared keys are good to go and Windows 7 machines authenticate with no problem.  We are not using ClearPass to authenticate Campus SSIDs (we are using AD only).



  • 7.  RE: 802.1X with Windows XP and Clearpass via Remote IAP (VPN)

    Posted Jan 07, 2016 10:20 PM
    Can you check if that machine has the cert provided by your CA? Or if the CA issued the machine cert?
    Are you pushing a GPO to configure the wireless profile?

