Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass error 9002 on one of our 2 AD's and only wired.

  • 1.  Clearpass error 9002 on one of our 2 AD's and only wired.

    Posted Mar 01, 2021 12:06 PM
    We are a school with 1 domain and a sub domain.

    All our staff accounts and Windows devices are authenticating on our domain and all our students and student Windows devices are authenticating on our sub domain.

    On our sub domain everything works alright.
    On our domain for our staff all authentication works, so user authentication 802.1X through wireless works, our machine authentication 802.1X through wireless works, but we do get a lot of 9002 errors (TIME OUT) when devices are wired connected and try a machine authentication.

    We have tried different solutions. We used different Domain controllers as primary. We have updated all our Domain controllers to Windows Server 2019. We tried different service accounts. We have updated the switches to the newest firmware (all switches are 2930F). We have updated the NIC driver on the pc to the newest driver provided by HP and also with the newest Realtek driver. There is no consistency: the exact same model pc on the same switch, one has the problem and the other not.

    I hope someone can help; our network supplier and also Aruba TAC have also looked at the problem but they cannot find what the problem is and they couldn't provide a solution. Our supplier is still looking for a solution.

    Log also added as an attachment.


    ------------------------------
    Henk-Jan Dennenberg
    ------------------------------


  • 2.  RE: Clearpass error 9002 on one of our 2 AD's and only wired.

    EMPLOYEE
    Posted Mar 02, 2021 03:59 AM
    From the logs you can see that ClearPass keeps sending 'Access-Challenges' to your client but is not getting responses. What would help is to run a capture (Wireshark) on the client and see if these Access-Challenges arrive at the client and if the client responds. If the Access-Challenge is arriving at the client (in an EAPoL packet) and there is no response seen, the issue most likely is in the client. If the client responds, but the response does not arrive on ClearPass, it's most likely in the switch, network or VM settings.

    As you mention it is not specific clients or specific switches, I would have a look at the Ethernet driver in your clients. Some Windows versions (mainly enterprise images) come with ancient drivers, and upgrading solves these types of issues. What also may help is to check the energy-saving settings for your wired network card and disable those, at least during the troubleshooting. In my experience that also is driver version dependent, so it can be that some driver versions work fine but others don't, so make sure you have resolved your issues before you enable power-saving again.

    What also should be verified is that you have jumbo frames enabled on the full path between your switch and ClearPass (including the vSwitch if you are running on ESXi).

    ------------------------------
    Herman Robers
    ------------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    ------------------------------
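The two-vantage-point check described in the reply above (does the Access-Challenge reach the client as an EAP Request, and does the client's Response reach ClearPass) can be automated over exported capture records. This is an added example, not code from the thread or from ClearPass; the record format and the sample trace are constructed for illustration, and the verdict labels are assumptions.

```python
"""Pair EAP Requests with Responses seen at the client and at ClearPass to
localise a 9002 (client timeout) to the client or to the switch/network path."""
from collections import defaultdict

# Constructed sample (not the thread's attachment). Each line is
# "<seconds> <vantage> <direction> <EAP code> <EAP id>". 'client' records are
# EAPoL frames from a capture on the PC; 'clearpass' records are the RADIUS
# view (Access-Challenge carries a Request, Access-Request carries a Response).
SAMPLE = """\
0.000 clearpass out Request 1
0.003 client in Request 1
0.010 client out Response 1
0.012 clearpass in Response 1
0.020 clearpass out Request 2
0.023 client in Request 2
0.040 client out Response 2
0.050 clearpass out Request 2
0.053 client in Request 2
0.070 client out Response 2
"""

def parse(text):
    """Turn the constructed record lines into (time, vantage, direction, code, id)."""
    recs = []
    for line in text.splitlines():
        t, vantage, direction, code, eap_id = line.split()
        recs.append((float(t), vantage, direction, code, int(eap_id)))
    return recs

def diagnose(records):
    """Return (problem_ids, verdict).

    A Request the client received but never answered points at the client
    (driver, power saving). A Response the client sent that ClearPass never
    received points at the switch, network or vSwitch path (e.g. frame size)."""
    seen = defaultdict(set)  # (vantage, direction, code) -> EAP ids observed
    for _, vantage, direction, code, eap_id in records:
        seen[(vantage, direction, code)].add(eap_id)
    challenged = seen[('client', 'in', 'Request')]
    answered = seen[('client', 'out', 'Response')]
    received = seen[('clearpass', 'in', 'Response')]
    silent_client = challenged - answered
    lost_in_path = answered - received
    if silent_client:
        return sorted(silent_client), 'client'
    if lost_in_path:
        return sorted(lost_in_path), 'switch/network/vm'
    return [], 'ok'
```

In the sample trace the client answers EAP id 2 twice but ClearPass never sees it, so the path between switch and ClearPass is the suspect; a trace where id 2 arrives at the client with no Response would instead return a 'client' verdict.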



  • 3.  RE: Clearpass error 9002 on one of our 2 AD's and only wired.

    Posted Mar 02, 2021 12:32 PM
    With eap-tls there is no need to join clearpass in the domain.

    In most cases with this error (9002) the client is not correctly configured. You have already disabled validation so that is not an issue. Maybe the client can't use the certificate you installed. Have you checked the event logs at the client?



    ------------------------------
    Obryant Michel
    ------------------------------