MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
Original Message:
Sent: Apr 02, 2024 06:21 AM
From: mmedoadm
Subject: AP EAP-TLS using TPM certs authentication fail
Here you go!
Original Message:
Sent: Apr 01, 2024 12:03 PM
From: jonas.hammarback
Subject: AP EAP-TLS using TPM certs authentication fail
Hi
In the first log you attached, the request hit service MEDO-AP Wired Aruba Access Point DYN VLAN 802.1X, but in the new log with DEBUG enabled, this service is not hit by the requests. It looks like it's another type of client in these requests, as the service is {ArubaOS SW} Wired Desktop DYN VLAN 802.1X.
Export a log when one of the access points tries to authenticate.
------------------------------
Best Regards
Jonas Hammarbäck
MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
Aranya AB
If you find my answer useful, consider giving kudos and/or mark as solution
Original Message:
Sent: Apr 01, 2024 11:37 AM
From: mmedoadm
Subject: AP EAP-TLS using TPM certs authentication fail
ClearPass 6.11.8
I've tried to disable PSS RSA but did not resolve the issue.
I'm attaching a debug log from clearpass for your reference!
Original Message:
Sent: Apr 01, 2024 06:52 AM
From: jonas.hammarback
Subject: AP EAP-TLS using TPM certs authentication fail
I can just find one line with a TLS error in the ClearPass log, and it wasn't very specific.
Try to enable Debug for both Radius and Policy services, and see if you can get more information in ClearPass.
What version of ClearPass do you run?
Have you tried to disable PSS RSA, under the Radius server settings? It's possible to disable from ClearPass 6.11.4 or .5. (I'm a bit unsure of the exact version in which the function was introduced.)
My hypothesis here is that the combination of certificates in TPM, 8.12 and maybe older access points with a TPM chip with the PSS RSA bug could be the issue.
If that's not the case I don't have any more ideas at the moment.
------------------------------
Best Regards
Jonas Hammarbäck
MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
Aranya AB
If you find my answer useful, consider giving kudos and/or mark as solution
Original Message:
Sent: Apr 01, 2024 04:13 AM
From: mmedoadm
Subject: AP EAP-TLS using TPM certs authentication fail
Hi,
Does other 802.1x authentication work as expected on the same switch?
Yes, Windows 10/11 is working just fine on the same switch!
"Can you share the logs both from the accesspoints"
Which logs are you after? I can only see the below from the AP console:
802.1X: EAP-TLS using TPM certs authentication failure or sapd does not get msg from wpa_supplicant
802.1X: EAP-TLS using TPM certs authentication timeout/failure
802.1X: EAP-TLS using TPM certs authentication timeout/failure
802.1X: EAP-TLS using TPM certs authentication APdot1X timeout/failure bypass
802.1X: EAP-TLS using TPM certs authentication timeout/failure
802.1X: EAP-TLS using TPM certs authentication timeout/failure
802.1X: EAP-TLS using TPM certs authentication APdot1X timeout/failure bypass
802.1X: EAP-TLS using TPM certs authentication timeout/failure
ClearPass log will follow as attachment.
I have opened a TAC case, but they still could not point me in the correct direction.
Original Message:
Sent: Mar 31, 2024 01:57 PM
From: jonas.hammarback
Subject: AP EAP-TLS using TPM certs authentication fail
Hi
I just realized I misunderstood your issue. You have the APs performing 802.1x with the built-in TPM certificate, correct?
In ClearPass, verify that the AP certificate is trusted and also that you can see the certificate information in Access Tracker under the Input tab and section Computed attributes.
I have not read the 8.12 release notes; are there any known issues mentioned with this version and 802.1x authentication with the TPM certificate?
Does other 802.1x authentication work as expected on the same switch?
Can you share the logs from the access points, ClearPass and the switch?
It could be a good idea to contact TAC for troubleshooting.
------------------------------
Best Regards
Jonas Hammarbäck
MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
Aranya AB
If you find my answer useful, consider giving kudos and/or mark as solution
Original Message:
Sent: Mar 31, 2024 07:45 AM
From: mmedoadm
Subject: AP EAP-TLS using TPM certs authentication fail
Yes the error relates to all AP clients ...
Could you elaborate more on :
"One option could be if the traffic is fragmented for some reason with 8.12 and not the earlier version"
How will I check if the traffic is fragmented?
Is there something on the AP side that I could check from the console?
Original Message:
Sent: Mar 30, 2024 07:19 AM
From: jonas.hammarback
Subject: AP EAP-TLS using TPM certs authentication fail
Hi
EAP is handled between the client and ClearPass. The controller doesn't have an active role in that phase. Thus it's a bit strange if the problem is related to the update of the controller.
Does this error affect all clients?
One option could be if the traffic is fragmented for some reason with 8.12 and not the earlier version.
Do you have a more specific error message?
Good to know is that in some older TPM chips there is a bug related to the PSS RSA algorithm introduced in TLS 1.3. TLS 1.3 is enabled from ClearPass 6.11, but the PSS RSA algorithm can be disabled under the Radius service settings if clients have this issue, or by disabling the algorithm on the client side.
I wrote a blog post about this issue:
https://aranya.se/en/windows-clients-affected-by-problems-with-tpm-chip-after-clearpass-6-11/
------------------------------
Best Regards
Jonas Hammarbäck
MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
Aranya AB
If you find my answer useful, consider giving kudos and/or mark as solution
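The reply above mentions EAP fragmentation as one possible cause, and the follow-up question asks how to check for it. As an added example (not code from this thread, ClearPass or ArubaOS), the Python script below decodes the EAP-TLS framing defined in RFC 5216 (the L, M and S flag bits and the optional TLS Message Length field) and reports which packets belong to a TLS message that was split across several EAP round trips. The frames it inspects are constructed samples, not captures from the poster's network; the helper names (`parse_eap_tls`, `build_eap_tls`, `summarize`) are this example's own.

```python
"""Decode EAP-TLS packets (RFC 5216 framing) and flag fragmented TLS messages.

Added example for the thread; not ClearPass, ArubaOS or Aruba code.
All frames below are constructed samples, not real captures.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional

EAP_TYPE_TLS = 13
FLAG_L = 0x80  # Length included: a 4-byte TLS Message Length follows the flags
FLAG_M = 0x40  # More fragments of this TLS message follow
FLAG_S = 0x20  # EAP-TLS Start (sent by the server)

EAP_CODES = {1: "Request", 2: "Response"}


@dataclass
class EapTlsInfo:
    code: str
    identifier: int
    eap_length: int
    length_included: bool
    more_fragments: bool
    start: bool
    tls_message_length: Optional[int]
    payload_length: int

    @property
    def fragmented(self) -> bool:
        # A packet is part of a fragmented TLS message if it announces more
        # fragments, or if the total TLS length it carries exceeds its own payload.
        if self.more_fragments:
            return True
        return (self.tls_message_length is not None
                and self.tls_message_length > self.payload_length)


def parse_eap_tls(frame: bytes) -> EapTlsInfo:
    """Decode one EAP Request/Response of type EAP-TLS and report its flags."""
    if len(frame) < 6:
        raise ValueError("frame too short for EAP-TLS (code, id, length, type, flags)")
    code, ident, length, eap_type, flags = struct.unpack("!BBHBB", frame[:6])
    if code not in EAP_CODES:
        raise ValueError(f"EAP code {code} carries no EAP-TLS data")
    if length != len(frame):
        raise ValueError(f"EAP length {length} does not match frame size {len(frame)}")
    if eap_type != EAP_TYPE_TLS:
        raise ValueError(f"EAP type {eap_type} is not EAP-TLS ({EAP_TYPE_TLS})")
    offset = 6
    tls_len = None
    if flags & FLAG_L:
        if len(frame) < offset + 4:
            raise ValueError("L flag set but the TLS Message Length field is missing")
        (tls_len,) = struct.unpack("!I", frame[offset:offset + 4])
        offset += 4
    return EapTlsInfo(
        code=EAP_CODES[code],
        identifier=ident,
        eap_length=length,
        length_included=bool(flags & FLAG_L),
        more_fragments=bool(flags & FLAG_M),
        start=bool(flags & FLAG_S),
        tls_message_length=tls_len,
        payload_length=len(frame) - offset,
    )


def build_eap_tls(code: int, ident: int, flags: int, payload: bytes = b"",
                  tls_message_length: Optional[int] = None) -> bytes:
    """Assemble an EAP-TLS packet; used here only to construct sample frames."""
    body = bytes([EAP_TYPE_TLS, flags])
    if flags & FLAG_L:
        total = tls_message_length if tls_message_length is not None else len(payload)
        body += struct.pack("!I", total)
    body += payload
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def summarize(frames: List[bytes]) -> dict:
    """Count how many packets of an exchange belong to fragmented TLS messages."""
    infos = [parse_eap_tls(f) for f in frames]
    return {
        "packets": len(infos),
        "fragmented": sum(i.fragmented for i in infos),
        "start": sum(i.start for i in infos),
        "largest_tls_message": max((i.tls_message_length or 0) for i in infos),
    }


# Constructed sample exchange: server Start, then a client message (e.g. a
# certificate chain) too large for one EAP packet, acknowledged and completed.
SAMPLE_FRAMES = [
    build_eap_tls(1, 1, FLAG_S),                                              # server: Start
    build_eap_tls(2, 1, FLAG_L | FLAG_M, b"\x16" * 1000, tls_message_length=2000),  # client: fragment 1 of 2000 bytes
    build_eap_tls(1, 2, 0),                                                   # server: empty ACK
    build_eap_tls(2, 2, 0, b"\x16" * 1000),                                   # client: final fragment
    build_eap_tls(1, 3, FLAG_L, b"\x16" * 50),                                # server: small, unfragmented
]

if __name__ == "__main__":
    for f in SAMPLE_FRAMES:
        i = parse_eap_tls(f)
        print(f"{i.code:8} id={i.identifier} L={i.length_included} M={i.more_fragments} "
              f"S={i.start} tls_len={i.tls_message_length} payload={i.payload_length} "
              f"fragmented={i.fragmented}")
    print(summarize(SAMPLE_FRAMES))
```

To use it on real traffic, take the EAP packet out of the RADIUS EAP-Message attributes (RFC 3579: concatenate all EAP-Message attributes of one RADIUS packet in order) from a capture between the switch and ClearPass, or the EAPOL payload from a capture on the AP's wired port, and pass the bytes to `parse_eap_tls`. A long run of packets with the M bit set, or an L-flag length far above the per-packet payload, shows the TLS handshake is being split into many round trips, which is where a per-fragment timeout on the switch or authenticator would bite.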
Original Message:
Sent: Mar 30, 2024 12:10 AM
From: mmedoadm
Subject: AP EAP-TLS using TPM certs authentication fail
Hi all,
After upgrading the MC to 8.12.0 the AP started throwing:
802.1X: EAP-TLS using TPM certs authentication fail
ClearPass, on the other hand:
Client did not complete EAP transaction
Is there something that I could check from the AP console to identify the source of the issue?