Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass 802.1x wired Authentication

  • 1.  ClearPass 802.1x wired Authentication

    Posted Aug 28, 2023 02:27 PM

    Hi Team 

    I am busy with a ClearPass deployment for a client. I have configured all the necessary configuration which needs to be done, but when I am testing, the following error occurs.

    Please assist.   



  • 2.  RE: ClearPass 802.1x wired Authentication

    Posted Aug 29, 2023 02:44 AM

    Hi

    The error message you get indicates that the client isn't configured correctly.

    Verify the following:

    • Does the client use the same authentication method as configured in ClearPass, for example EAP-TLS?
    • Does the client have the root certificate of the ClearPass Radius certificate issuer installed?
    • Does the client specify the expected ClearPass FQDN in the 802.1x profile, and does this name exist in the Radius certificate on ClearPass?

    Can you post both your settings on the Authentication tab of the 802.1x service and the settings on the client?

    What type of clients do you have and how do you configure the clients? Active Directory GPO, Intune, manually or other MDM solution?



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP 2023, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACDP , ACEP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 3.  RE: ClearPass 802.1x wired Authentication

    Posted Aug 29, 2023 10:18 AM

    Hi Jonas

    Unable to configure Microsoft EAP-TEAP authentication on the Win11 client. No Microsoft EAP-TEAP, only Microsoft Tunnel EAP (TEAP). Getting the following error:

    It is a Windows 11 client, configured in AD GPO.




  • 4.  RE: ClearPass 802.1x wired Authentication

    Posted Aug 29, 2023 10:28 AM

    Hi Jonas

    Also, just for you to note, on ClearPass we have used a wildcard certificate.




  • 5.  RE: ClearPass 802.1x wired Authentication

    Posted Aug 29, 2023 11:06 AM

    Hi

    In your screenshots you have different authentication methods specified on the client and in ClearPass.

    To be able to utilize TEAP you also need to add this method in the Service in ClearPass. It's at the bottom of the drop-down, a bit hard to see as you need to scroll...

    Regarding the wildcard certificate mentioned in the separate comment, a wildcard should not be utilized as the Radius EAP certificate. As an HTTPS certificate a wildcard can be utilized, but some limitations in use cases may apply when trying to use ClearPass Onboard on Apple iOS devices.



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP 2023, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACDP , ACEP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------
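
The three certificate points raised in this thread (issuer trusted by the client, expected FQDN present in the RADIUS certificate, no wildcard name) can be checked against an exported certificate with OpenSSL before changing the client profile. This is an added example, not part of any post in the thread; the function names, file names and the host name `cppm.corp.example.test` are constructed, and it assumes OpenSSL 1.1.1 or later.

```bash
#!/usr/bin/env bash
# Added example: pre-flight checks on a RADIUS/EAP server certificate.
# Host names and file names are constructed; requires OpenSSL 1.1.1+.

# make_demo_cert PREFIX NAME: constructed self-signed certificate that stands
# in for both the issuing root and the server certificate in this demo.
make_demo_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -addext "subjectAltName=DNS:$2" \
    -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

# san_dns_names CERT: print one SAN dNSName per line.
san_dns_names() {
  openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
    | tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# check_eap_cert CERT ROOT FQDN
# CERT: RADIUS server certificate, ROOT: root the client is meant to trust,
# FQDN: server name entered in the client's 802.1X profile.
# Prints one line per finding and returns 0 only if every check passes.
check_eap_cert() {
  local cert=$1 root=$2 fqdn=$3 rc=0 sans
  sans=$(san_dns_names "$cert")
  # Issuer check: the certificate must chain to the root the client trusts.
  if ! openssl verify -CAfile "$root" "$cert" >/dev/null 2>&1; then
    echo "FAIL chain: certificate does not validate against $root"; rc=1
  fi
  # Name check: the configured server name must be a literal SAN entry.
  if ! printf '%s\n' "$sans" | grep -Fxiq -- "$fqdn"; then
    echo "FAIL name: $fqdn is not a SAN dNSName in the certificate"; rc=1
  fi
  # Wildcard check: flag wildcard names on the EAP certificate.
  if printf '%s\n' "$sans" | grep -q '^\*\.'; then
    echo "FAIL wildcard: SAN contains a wildcard name"; rc=1
  fi
  [ "$rc" -eq 0 ] && echo "OK: chain, name and wildcard checks passed"
  return "$rc"
}

# Demo on constructed certificates: one with an FQDN, one with a wildcard.
tmp=$(mktemp -d)
make_demo_cert "$tmp/fqdn" cppm.corp.example.test
make_demo_cert "$tmp/wild" '*.corp.example.test'
check_eap_cert "$tmp/fqdn.pem" "$tmp/fqdn.pem" cppm.corp.example.test || true
check_eap_cert "$tmp/wild.pem" "$tmp/fqdn.pem" cppm.corp.example.test || true
```

For a real deployment, pass the exported RADIUS certificate and the root CA file that is distributed to the clients in place of the demo files.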



  • 6.  RE: ClearPass 802.1x wired Authentication

    Posted Sep 12, 2023 11:02 AM

    Hi Jonas

    We have added TEAP on the authentication method but we are still getting a timeout error.



    ------------------------------
    Marshall Mwandingi
    ACCA,ACCP,ACMA, ACP-CA
    ------------------------------



  • 7.  RE: ClearPass 802.1x wired Authentication

    Posted Sep 12, 2023 11:23 AM

    Hi

    Often the message "Client did not complete EAP transaction" indicates that the client isn't configured correctly. In the TEAP settings you have to configure certificate validation correctly to match the Radius certificate of your ClearPass server.

    Screenshots of the remaining TEAP settings may help in finding the issue.



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP 2023, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACDP , ACEP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 8.  RE: ClearPass 802.1x wired Authentication

    Posted Sep 13, 2023 03:02 AM

    Hi Jonas

    Are the TEAP settings you want to see for the client or from ClearPass?



    ------------------------------
    Marshall Mwandingi
    ACCA,ACCP,ACMA, ACP-CA
    ------------------------------



  • 9.  RE: ClearPass 802.1x wired Authentication

    Posted Sep 13, 2023 03:05 AM

    Hi Jonas

    Can you share with me a template with the steps on how to configure that, so we can confirm if we have done it correctly?



    ------------------------------
    Marshall Mwandingi
    ACCA,ACCP,ACMA, ACP-CA
    ------------------------------



  • 10.  RE: ClearPass 802.1x wired Authentication

    Posted Sep 13, 2023 05:26 AM

    Hi

    I don't have any documentation to provide for the TEAP configuration, but I think you can find good guidance from the video posted by Herman Robers on the Airheads Broadcasting channel on YouTube, https://youtu.be/nTHQsBgRjb4?t=257

    Pay attention to the certificate validation and CA trust parts.



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP 2023, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACDP , ACEP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 11.  RE: ClearPass 802.1x wired Authentication

    EMPLOYEE
    Posted Sep 13, 2023 03:38 PM

    Here is a sample service configuration with TEAP. File password: aruba123


    Attachment: TEAP-Sample-Service.zip (4 KB)