Security

 View Only
last person joined: yesterday 

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

Clearpass - Error 9002 Last EAP Packet Processing Time = 0 ms

This thread has been viewed 45 times
  • 1.  Clearpass - Error 9002 Last EAP Packet Processing Time = 0 ms

    Posted Feb 26, 2024 05:10 AM

    Hi,

    Usually after weekend, some of our workers, have problem with authentication. In Clearpass they are getting errors: 

    After few computer restarts, authentication starts to work. It happens for random users, after a longer break. I changed eap-tls-fragment parametr on switch to 1024 (same value as in clearpass) but it didn't help.

    I'm using 6200F and 2530 Switches.

    Is there a way to resolve this?



  • 2.  RE: Clearpass - Error 9002 Last EAP Packet Processing Time = 0 ms

    Posted Feb 26, 2024 10:24 AM

    This is a client issue.  What is the client?  Is it up date from an OS patching prospective?  Drivers up to date?  Native or 3rd party supplicant?  What is the configured/expected EAP type?  




  • 3.  RE: Clearpass - Error 9002 Last EAP Packet Processing Time = 0 ms

    Posted Mar 04, 2024 06:25 AM

    Client is computer with Windows 10/11. OS and drivers are up to date. Supplicant is native, configured by GPO. EAP type is EAP-TLS. On computer i find an error that Authentication using 802.1x failed, that network stops responding to authentication request.




  • 4.  RE: Clearpass - Error 9002 Last EAP Packet Processing Time = 0 ms

    Posted Mar 06, 2024 07:27 AM

    Can you provide the GPO configuration for the clients?

    Does this issue effect both Windows 10 and 11 machines or just one of the versions?



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 5.  RE: Clearpass - Error 9002 Last EAP Packet Processing Time = 0 ms

    Posted Mar 06, 2024 08:54 AM

    I checked it, and all of clients which have problems are on Win10.

    For testing, i disable option with veryfing server certificate.




  • 6.  RE: Clearpass - Error 9002 Last EAP Packet Processing Time = 0 ms

    Posted Mar 06, 2024 10:25 AM

    Do you have more than one ClearPass server and do they share the same certificate for Radius or do they have unique certificates?

    If you have more than one server and they have unique certificates the clients will prompt the user to approve the "new" certificate if the authentication is taking place on another server than the last server authenticating the user/device.

    You should enable the option "Do not prompt user to authorize..." to suppress the dialogue to the user.

    There have been some changes in the EAP processing in Windows 11. See this Microsoft article for more information: https://learn.microsoft.com/en-us/windows-server/networking/technologies/extensible-authentication-protocol/windows-11-changes



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 7.  RE: Clearpass - Error 9002 Last EAP Packet Processing Time = 0 ms

    Posted Mar 07, 2024 02:40 AM

    We have only one ClearPass server, with certificate from our internal CA.




  • 8.  RE: Clearpass - Error 9002 Last EAP Packet Processing Time = 0 ms

    EMPLOYEE
    Posted Mar 11, 2024 06:13 AM

    This issue may be hard to solve in a forum. It may be better to work with your Aruba partner or Aruba support to collect the required troubleshooting information.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 9.  RE: Clearpass - Error 9002 Last EAP Packet Processing Time = 0 ms

    Posted Mar 12, 2024 03:52 AM

    I had opened case, but Aruba support also had problems with resolving this problem.

    But, it looks like that disabling option to verify server certificate resolved that problem.

    I know that decreases security level, but it's ok at the moment.




  • 10.  RE: Clearpass - Error 9002 Last EAP Packet Processing Time = 0 ms

    MVP
    Posted Mar 12, 2024 07:09 AM

    In my opinion, if tou are using EAP-TLS certificates there is no reason to cache credentials because the certificate is already stored locally on the client..

    Perhaps unchecking that box could resolve the issue



    ------------------------------
    Bruce Osborne ACCP ACMP
    Liberty University

    The views expressed here are my personal views and not those of my employer
    ------------------------------



  • 11.  RE: Clearpass - Error 9002 Last EAP Packet Processing Time = 0 ms

    EMPLOYEE
    Posted Mar 12, 2024 07:52 AM

    If disabling the server certificate checking resolves the issue, there is an issue with your server certificate not being trusted by the client. Would be worth to spend some more time on as it basically is making sure the Root CA that issued the EAP Server certificate is in the client and trusted, as well (optional) one of the SANs in the 'connect to these servers'.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------