Certificate authentication issues - Clearpass 802.1x - Windows Client

  • 1.  Certificate authentication issues - Clearpass 802.1x - Windows Client

    Posted Nov 28, 2016 07:51 PM
    I have Clearpass version 6.6.2.86786 (Clearpass 5k) and I am trying to get Certificate authentication working using a Windows 10 Laptop. This is wired 802.1x authentication using a Juniper switch. 
     
    I have a service set up for EAP-TLS with the following settings:
     
    (screenshot attached: clearpass-eap-tls.png)
     
    We have a PKI infrastructure here using OpenCA. I have a certificate set up on the Clearpass server that was issued by the CA. On the Windows 10 laptop, I have the x509 cert installed. The Windows 10 laptop is set up for "Smart Card or other Certificate". "Verify the server's identity by validating the certificate" is checked and the Root Cert for our PKI is checked. I have tried that with and without the check marks. I have also checked "Certificate Issuer" and selected the root certificate. I have also tried that disabled. 
     
    I keep getting the following error in the Access Tracker on Clearpass:
     
    Client did not complete EAP transaction
     
    On the windows side I get the following errors:
     
    Wired 802.1X Authentication failed.
     
    Network Adapter: Intel(R) Ethernet Connection (3) I218-LM
    Interface GUID: {cc5c0465-62ed-42b4-ac10-11b21a475b58}
    Peer Address: 648788A46088
    Local Address: 68F7288D6039
    Connection ID: 0xe
    Identity: NULL
    User:XXXXX
    Domain: AD
    Reason: 0x50005
    Reason Text: Network authentication failed
    The user certificate required for the network can't be found on this computer.
     
    Error Code: 0x80420014
     
    or 
     
    Wired 802.1X Authentication failed.
     
    Network Adapter: Intel(R) Ethernet Connection (3) I218-LM
    Interface GUID: {cc5c0465-62ed-42b4-ac10-11b21a475b58}
    Peer Address: 648788A46088
    Local Address: 68F7288D6039
    Connection ID: 0x5
    Identity: host/XXXXX
    User: -
    Domain: -
    Reason: 0x50005
    Reason Text: Network authentication failed due to a problem with the user account
     
    Error Code: 0x40420110
     
    I am going to try setting up wpa_supplicant on a linux system and seeing if I can successfully test that service that way, but I configured this Windows system thinking this would be easy. Any ideas on what I can do to troubleshoot this and get this working?
     
     


  • 2.  RE: Certificate authentication issues - Clearpass 802.1x - Windows Client

    Posted Nov 29, 2016 03:40 PM

    From the Windows error logs, it appears that the client did not present its certificate, as a result of which the EAP authentication timed out in ClearPass. If this is a user certificate, please make sure the client has its certificate installed under the Personal folder in certmgr.msc. We can try the same certificate on any other client to isolate the problem.

     

    To understand this further, enable debug for the RADIUS service (Administration --> Server Manager --> Log configuration --> select the RADIUS service and set the log level to DEBUG). Attempt again with different clients and attach the Access Tracker logs.

     

     



  • 3.  RE: Certificate authentication issues - Clearpass 802.1x - Windows Client

    Posted Nov 29, 2016 05:30 PM

    I use the same certificate to access certain internal sites and it is in the Personal folder. I'll test it from another Windows system and I'll try a co-worker's system to test with their certificate. I tried from an Ubuntu VM last night but had a lot of issues. 

     

    Thank you for the directions to turn on the debug for the radius server. I attached the logs. 

     




  • 4.  RE: Certificate authentication issues - Clearpass 802.1x - Windows Client

    Posted Nov 29, 2016 05:38 PM

    Is the Windows supplicant configured for User, Computer or User+Computer authentication?



  • 5.  RE: Certificate authentication issues - Clearpass 802.1x - Windows Client

    Posted Nov 30, 2016 05:40 PM

    I have tried all three, but most of the time when I test, it is "user or computer authentication". 



  • 6.  RE: Certificate authentication issues - Clearpass 802.1x - Windows Client

    Posted Nov 30, 2016 05:44 PM
    Is there a user certificate in the user store and a machine certificate in the computer store?


  • 7.  RE: Certificate authentication issues - Clearpass 802.1x - Windows Client

    Posted Nov 30, 2016 05:49 PM

    There is a user cert in the user store from the same CA that Clearpass's certificate is using. There is a machine cert in the local computer store, but it looks like it is a self-signed cert, since the "issued by" is the same name as the machine. Do I need a machine cert from the same CA as well? I thought I could get by with just the user cert. 



  • 8.  RE: Certificate authentication issues - Clearpass 802.1x - Windows Client

    Posted Nov 30, 2016 05:51 PM
    Are you using ADCS?

    If you want to authenticate the machine, you'll need a machine cert in the computer store.


  • 9.  RE: Certificate authentication issues - Clearpass 802.1x - Windows Client

    Posted Nov 30, 2016 05:56 PM

    No. Using OpenCA and the certs are manually added. We currently use the user cert to connect via WiFi directly onto the Aruba Controller. Eventually we want to move wireless to Clearpass as well.  I am starting with Wired NAC first. 



  • 10.  RE: Certificate authentication issues - Clearpass 802.1x - Windows Client

    Posted Nov 30, 2016 07:22 PM

    Can you try setting the supplicant to user only and then manually configuring the supplicant for EAP-TLS including the cert selection options to reference the CA?



  • 11.  RE: Certificate authentication issues - Clearpass 802.1x - Windows Client

    Posted Nov 30, 2016 08:20 PM

    I just tried it with user auth only and configuring the Certificate Selection to use the CA. I do not get anything in Access Tracker when I do that.

     

    When I switch back to user or computer authentication, I get log entries in Access Tracker again.

     

    I was issued a machine certificate from OpenCA and I added that as well. I get the same error messages in the Event Viewer and ClearPass using user or computer authentication.

     



  • 12.  RE: Certificate authentication issues - Clearpass 802.1x - Windows Client

    Posted Dec 01, 2016 11:44 AM

    The username from the logs is host/Mike Smith. If the attached logs are taken from a user authentication failure attempt, then the username does not sound right. 

     

    In case of user authentication, the certificate is issued to the user object's sAMAccountName or UPN. In case of computer authentication, the certificate is issued to host/<hostname of the machine object>. It could be because of this conflict that the client does not present the certificate when you select user authentication only in its SSID profile.

     

    Please reissue the user certificate for the sAMAccountName and update the results with logs.
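    The checks suggested in posts 2, 8 and 12 (is there a usable certificate in the Personal store the supplicant searches, does its identity fit user or computer authentication, does it chain to the PKI root) can be scripted on the client. The following PowerShell is an added example written for this thread, not code from the thread, from Aruba or from Microsoft. It assumes a placeholder root thumbprint that you replace with your OpenCA root's, that the SAN is rendered with the English "Principal Name=" / "DNS Name=" labels, and that the supplicant's failures are in the Wired-AutoConfig operational log (names used here as assumptions; adjust for your locale and build).

```powershell
# Added example, not from the thread: inventory the certificates the Windows
# supplicant could select for EAP-TLS in each store and explain why a
# candidate would be skipped (the 0x80420014 "user certificate ... can't be
# found" symptom usually means no candidate passed these filters).
param(
    # Thumbprint of the PKI root the ClearPass service trusts (placeholder).
    [string]$ExpectedRootThumbprint = 'REPLACE_WITH_ROOT_CA_THUMBPRINT'
)

$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth
$EkuOid        = '2.5.29.37'           # extendedKeyUsage
$SanOid        = '2.5.29.17'           # subjectAltName

function Get-EapTlsCandidates {
    param([string]$StorePath, [string]$Mode)   # Mode: 'User' or 'Computer'

    foreach ($cert in Get-ChildItem -Path $StorePath) {
        $problems = @()

        # 1. The supplicant needs the private key, not just the public cert.
        if (-not $cert.HasPrivateKey) { $problems += 'no private key' }

        # 2. A self-signed cert (issuer == subject) cannot satisfy the server's
        #    CA check; this is the case described for the machine cert in post 7.
        if ($cert.Subject -eq $cert.Issuer) { $problems += 'self-signed' }

        # 3. If an EKU extension is present it must include Client Authentication.
        $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq $EkuOid } | Select-Object -First 1
        if ($eku) {
            $ekuOids = $eku.EnhancedKeyUsages | ForEach-Object { $_.Value }
            if ($ekuOids -notcontains $ClientAuthOid) { $problems += 'missing Client Authentication EKU' }
        }

        # 4. Identity in the SAN must fit the authentication mode (post 12):
        #    user auth expects a UPN, computer auth expects the machine's DNS
        #    name (which shows up as host/<name> in the event log).
        $san     = $cert.Extensions | Where-Object { $_.Oid.Value -eq $SanOid } | Select-Object -First 1
        $sanText = if ($san) { $san.Format($true) } else { '' }
        $upn = [regex]::Match($sanText, 'Principal Name=(\S+)').Groups[1].Value   # assumed English label
        $dns = [regex]::Match($sanText, 'DNS Name=(\S+)').Groups[1].Value         # assumed English label
        if ($Mode -eq 'User'     -and -not $upn) { $problems += 'no UPN in SAN for user authentication' }
        if ($Mode -eq 'Computer' -and -not $dns) { $problems += 'no DNS name in SAN for computer authentication' }

        # 5. The chain must build to the root the ClearPass service trusts.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'   # revocation is a separate question
        $built = $chain.Build($cert)
        if (-not $built) {
            $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
            $problems += "chain does not build: $status"
        } else {
            $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
            if ($root.Thumbprint -ne $ExpectedRootThumbprint) {
                $problems += "chains to unexpected root: $($root.Subject)"
            }
        }

        [pscustomobject]@{
            Store      = $StorePath
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            Thumbprint = $cert.Thumbprint
            UPN        = $upn
            DnsName    = $dns
            NotAfter   = $cert.NotAfter
            Usable     = ($problems.Count -eq 0)
            Problems   = ($problems -join '; ')
        }
    }
}

# CurrentUser\My is what user authentication searches; LocalMachine\My is what
# computer authentication searches (post 8).
$results = @(Get-EapTlsCandidates -StorePath 'Cert:\CurrentUser\My'  -Mode 'User') +
           @(Get-EapTlsCandidates -StorePath 'Cert:\LocalMachine\My' -Mode 'Computer')
$results | Format-Table Store, Subject, UPN, DnsName, Usable, Problems -AutoSize

# Correlate with the supplicant's own record of recent wired 802.1X failures
# (log name assumed; run elevated to read it).
Get-WinEvent -LogName 'Microsoft-Windows-Wired-AutoConfig/Operational' -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like 'Wired 802.1X Authentication failed*' } |
    Select-Object TimeCreated, Id, Message
```

    Run it once in the user's session (for the user store) and once elevated (for the machine store and the event log). A certificate that lists a problem in the Problems column is one the supplicant would never offer, which on the ClearPass side looks like "Client did not complete EAP transaction" because the TLS handshake stalls waiting for a client certificate that is never sent.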

     



  • 13.  RE: Certificate authentication issues - Clearpass 802.1x - Windows Client

    Posted Dec 01, 2016 11:55 AM

    Another question is: are you trying to authorize validity against Active Directory, or just test basic certificate validity (expiration, etc.)?



  • 14.  RE: Certificate authentication issues - Clearpass 802.1x - Windows Client

    Posted Dec 01, 2016 12:09 PM

    I am just trying to test basic certificate validity. 



  • 15.  RE: Certificate authentication issues - Clearpass 802.1x - Windows Client

    Posted Dec 05, 2016 12:27 PM

    I spent a lot of last week diagnosing this. Most of my issues were due to the Juniper EX4200 switch. The switch is from another team and they have one to two thousand lines of apply-group settings, and I went through and deleted all of that. EAP-PEAP and EAP-TTLS with MSCHAPv2 with Windows work now. I still can't get EAP-TLS to work with Windows. EAP-TLS, EAP-TTLS, and EAP-PEAP work with Linux. I ran packet captures and had all logs set to the debugging level to try and figure out what was going on. This issue did not reveal itself directly in the logs or packet captures. The switch was somehow altering the response from ClearPass, and when it got to the client machines (Windows and Linux), they ignored the response and EAP failed. 

     

    I am still not sure why EAP-TLS fails on the Windows machine, but I don't think we are going to go that way anyways. Thanks for your help cappalli and VinceF. 



  • 16.  RE: Certificate authentication issues - Clearpass 802.1x - Windows Client

    Posted Dec 01, 2016 12:08 PM

    To be clearer, this is what I get in the Windows 10 Event Viewer when I do user authentication only:

     

    Wired 802.1X Authentication failed.

    Network Adapter: Intel(R) Ethernet Connection (3) I218-LM
    Interface GUID: {cc5c0465-62ed-42b4-ac10-11b21a475b58}
    Peer Address: 648788A46088
    Local Address: 68F7288D6039
    Connection ID: 0xe
    Identity: NULL
    User:XXXXX
    Domain: AD
    Reason: 0x50005
    Reason Text: Network authentication failed
    The user certificate required for the network can't be found on this computer.


    Error Code: 0x80420014

     

    The above Windows error does not create a log entry in Access Tracker in Clearpass.

     

    This is what I get when I do machine authentication only:

    Wired 802.1X Authentication failed.

    Network Adapter: Intel(R) Ethernet Connection (3) I218-LM
    Interface GUID: {cc5c0465-62ed-42b4-ac10-11b21a475b58}
    Peer Address: 648788A46088
    Local Address: 68F7288D6039
    Connection ID: 0x5
    Identity: host/XXXXX
    User: -
    Domain: -
    Reason: 0x50005
    Reason Text: Network authentication failed due to a problem with the user account

     

    When I get the above error in Windows 10, I get an error in Access Tracker. The same error in the log I attached to this thread. 

     

    The cert everyone uses to connect to WiFi is the same certificate I am using. I'd like to use the same certificates. If it isn't possible, then I'll have to do something else.