Security

Hi,

Usually after weekend, some of our workers, have problem with authentication. In Clearpass they are getting errors: 

After few computer restarts, authentication starts to work. It happens for random users, after a longer break. I changed eap-tls-fragment parametr on switch to 1024 (same value as in clearpass) but it didn't help.

I'm using 6200F and 2530 Switches.

Is there a way to resolve this?

This is a client issue.  What is the client?  Is it up date from an OS patching prospective?  Drivers up to date?  Native or 3rd party supplicant?  What is the configured/expected EAP type?  

Hi,

Usually after weekend, some of our workers, have problem with authentication. In Clearpass they are getting errors: 

After few computer restarts, authentication starts to work. It happens for random users, after a longer break. I changed eap-tls-fragment parametr on switch to 1024 (same value as in clearpass) but it didn't help.

I'm using 6200F and 2530 Switches.

Is there a way to resolve this?

Client is computer with Windows 10/11. OS and drivers are up to date. Supplicant is native, configured by GPO. EAP type is EAP-TLS. On computer i find an error that Authentication using 802.1x failed, that network stops responding to authentication request.

This is a client issue.  What is the client?  Is it up date from an OS patching prospective?  Drivers up to date?  Native or 3rd party supplicant?  What is the configured/expected EAP type?  

Hi,

Usually after weekend, some of our workers, have problem with authentication. In Clearpass they are getting errors: 

After few computer restarts, authentication starts to work. It happens for random users, after a longer break. I changed eap-tls-fragment parametr on switch to 1024 (same value as in clearpass) but it didn't help.

I'm using 6200F and 2530 Switches.

Is there a way to resolve this?

Can you provide the GPO configuration for the clients?

Does this issue effect both Windows 10 and 11 machines or just one of the versions?

------------------------------
Best Regards
Jonas Hammarbäck
MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
Aranya AB
If you find my answer useful, consider giving kudos and/or mark as solution

Original Message:
Sent: Mar 04, 2024 06:24 AM
From: TomiCloud
Subject: Clearpass - Error 9002 Last EAP Packet Processing Time = 0 ms

Client is computer with Windows 10/11. OS and drivers are up to date. Supplicant is native, configured by GPO. EAP type is EAP-TLS. On computer i find an error that Authentication using 802.1x failed, that network stops responding to authentication request.

Original Message:
Sent: Feb 26, 2024 10:23 AM
From: ahollifield
Subject: Clearpass - Error 9002 Last EAP Packet Processing Time = 0 ms

This is a client issue.  What is the client?  Is it up date from an OS patching prospective?  Drivers up to date?  Native or 3rd party supplicant?  What is the configured/expected EAP type?  

Original Message:
Sent: Feb 26, 2024 05:10 AM
From: TomiCloud
Subject: Clearpass - Error 9002 Last EAP Packet Processing Time = 0 ms

Hi,

Usually after weekend, some of our workers, have problem with authentication. In Clearpass they are getting errors: 

After few computer restarts, authentication starts to work. It happens for random users, after a longer break. I changed eap-tls-fragment parametr on switch to 1024 (same value as in clearpass) but it didn't help.

I'm using 6200F and 2530 Switches.

Is there a way to resolve this?

I checked it, and all of clients which have problems are on Win10.

For testing, i disable option with veryfing server certificate.

Original Message:
Sent: Mar 06, 2024 07:26 AM
From: jonas.hammarback
Subject: Clearpass - Error 9002 Last EAP Packet Processing Time = 0 ms

Can you provide the GPO configuration for the clients?

Does this issue effect both Windows 10 and 11 machines or just one of the versions?

------------------------------
Best Regards
Jonas Hammarbäck
MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
Aranya AB
If you find my answer useful, consider giving kudos and/or mark as solution

Original Message:
Sent: Mar 04, 2024 06:24 AM
From: TomiCloud
Subject: Clearpass - Error 9002 Last EAP Packet Processing Time = 0 ms

Client is computer with Windows 10/11. OS and drivers are up to date. Supplicant is native, configured by GPO. EAP type is EAP-TLS. On computer i find an error that Authentication using 802.1x failed, that network stops responding to authentication request.

Original Message:
Sent: Feb 26, 2024 10:23 AM
From: ahollifield
Subject: Clearpass - Error 9002 Last EAP Packet Processing Time = 0 ms

This is a client issue.  What is the client?  Is it up date from an OS patching prospective?  Drivers up to date?  Native or 3rd party supplicant?  What is the configured/expected EAP type?  

Original Message:
Sent: Feb 26, 2024 05:10 AM
From: TomiCloud
Subject: Clearpass - Error 9002 Last EAP Packet Processing Time = 0 ms

Hi,

Usually after weekend, some of our workers, have problem with authentication. In Clearpass they are getting errors: 

After few computer restarts, authentication starts to work. It happens for random users, after a longer break. I changed eap-tls-fragment parametr on switch to 1024 (same value as in clearpass) but it didn't help.

I'm using 6200F and 2530 Switches.

Is there a way to resolve this?

Do you have more than one ClearPass server and do they share the same certificate for Radius or do they have unique certificates?

If you have more than one server and they have unique certificates the clients will prompt the user to approve the "new" certificate if the authentication is taking place on another server than the last server authenticating the user/device.

You should enable the option "Do not prompt user to authorize..." to suppress the dialogue to the user.

There have been some changes in the EAP processing in Windows 11. See this Microsoft article for more information: https://learn.microsoft.com/en-us/windows-server/networking/technologies/extensible-authentication-protocol/windows-11-changes

I checked it, and all of clients which have problems are on Win10.

For testing, i disable option with veryfing server certificate.

Original Message:
Sent: Mar 06, 2024 07:26 AM
From: jonas.hammarback
Subject: Clearpass - Error 9002 Last EAP Packet Processing Time = 0 ms

Can you provide the GPO configuration for the clients?

Does this issue effect both Windows 10 and 11 machines or just one of the versions?

------------------------------
Best Regards
Jonas Hammarbäck
MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
Aranya AB
If you find my answer useful, consider giving kudos and/or mark as solution

Original Message:
Sent: Mar 04, 2024 06:24 AM
From: TomiCloud
Subject: Clearpass - Error 9002 Last EAP Packet Processing Time = 0 ms

Client is computer with Windows 10/11. OS and drivers are up to date. Supplicant is native, configured by GPO. EAP type is EAP-TLS. On computer i find an error that Authentication using 802.1x failed, that network stops responding to authentication request.

Original Message:
Sent: Feb 26, 2024 10:23 AM
From: ahollifield
Subject: Clearpass - Error 9002 Last EAP Packet Processing Time = 0 ms

This is a client issue.  What is the client?  Is it up date from an OS patching prospective?  Drivers up to date?  Native or 3rd party supplicant?  What is the configured/expected EAP type?  

Original Message:
Sent: Feb 26, 2024 05:10 AM
From: TomiCloud
Subject: Clearpass - Error 9002 Last EAP Packet Processing Time = 0 ms

Hi,

Usually after weekend, some of our workers, have problem with authentication. In Clearpass they are getting errors: 

After few computer restarts, authentication starts to work. It happens for random users, after a longer break. I changed eap-tls-fragment parametr on switch to 1024 (same value as in clearpass) but it didn't help.

I'm using 6200F and 2530 Switches.

Is there a way to resolve this?

We have only one ClearPass server, with certificate from our internal CA.

Do you have more than one ClearPass server and do they share the same certificate for Radius or do they have unique certificates?

If you have more than one server and they have unique certificates the clients will prompt the user to approve the "new" certificate if the authentication is taking place on another server than the last server authenticating the user/device.

You should enable the option "Do not prompt user to authorize..." to suppress the dialogue to the user.

There have been some changes in the EAP processing in Windows 11. See this Microsoft article for more information: https://learn.microsoft.com/en-us/windows-server/networking/technologies/extensible-authentication-protocol/windows-11-changes

I checked it, and all of clients which have problems are on Win10.

For testing, i disable option with veryfing server certificate.

Original Message:
Sent: Mar 06, 2024 07:26 AM
From: jonas.hammarback
Subject: Clearpass - Error 9002 Last EAP Packet Processing Time = 0 ms

Can you provide the GPO configuration for the clients?

Does this issue effect both Windows 10 and 11 machines or just one of the versions?

------------------------------
Best Regards
Jonas Hammarbäck
MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
Aranya AB
If you find my answer useful, consider giving kudos and/or mark as solution

Original Message:
Sent: Mar 04, 2024 06:24 AM
From: TomiCloud
Subject: Clearpass - Error 9002 Last EAP Packet Processing Time = 0 ms

Client is computer with Windows 10/11. OS and drivers are up to date. Supplicant is native, configured by GPO. EAP type is EAP-TLS. On computer i find an error that Authentication using 802.1x failed, that network stops responding to authentication request.

Original Message:
Sent: Feb 26, 2024 10:23 AM
From: ahollifield
Subject: Clearpass - Error 9002 Last EAP Packet Processing Time = 0 ms

This is a client issue.  What is the client?  Is it up date from an OS patching prospective?  Drivers up to date?  Native or 3rd party supplicant?  What is the configured/expected EAP type?  

Original Message:
Sent: Feb 26, 2024 05:10 AM
From: TomiCloud
Subject: Clearpass - Error 9002 Last EAP Packet Processing Time = 0 ms

Hi,

Usually after weekend, some of our workers, have problem with authentication. In Clearpass they are getting errors: 

After few computer restarts, authentication starts to work. It happens for random users, after a longer break. I changed eap-tls-fragment parametr on switch to 1024 (same value as in clearpass) but it didn't help.

I'm using 6200F and 2530 Switches.

Is there a way to resolve this?

This issue may be hard to solve in a forum. It may be better to work with your Aruba partner or Aruba support to collect the required troubleshooting information.

We have only one ClearPass server, with certificate from our internal CA.

Do you have more than one ClearPass server and do they share the same certificate for Radius or do they have unique certificates?

If you have more than one server and they have unique certificates the clients will prompt the user to approve the "new" certificate if the authentication is taking place on another server than the last server authenticating the user/device.

You should enable the option "Do not prompt user to authorize..." to suppress the dialogue to the user.

There have been some changes in the EAP processing in Windows 11. See this Microsoft article for more information: https://learn.microsoft.com/en-us/windows-server/networking/technologies/extensible-authentication-protocol/windows-11-changes

I checked it, and all of clients which have problems are on Win10.

For testing, i disable option with veryfing server certificate.

Original Message:
Sent: Mar 06, 2024 07:26 AM
From: jonas.hammarback
Subject: Clearpass - Error 9002 Last EAP Packet Processing Time = 0 ms

Can you provide the GPO configuration for the clients?

Does this issue effect both Windows 10 and 11 machines or just one of the versions?

------------------------------
Best Regards
Jonas Hammarbäck
MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
Aranya AB
If you find my answer useful, consider giving kudos and/or mark as solution

Original Message:
Sent: Mar 04, 2024 06:24 AM
From: TomiCloud
Subject: Clearpass - Error 9002 Last EAP Packet Processing Time = 0 ms

Client is computer with Windows 10/11. OS and drivers are up to date. Supplicant is native, configured by GPO. EAP type is EAP-TLS. On computer i find an error that Authentication using 802.1x failed, that network stops responding to authentication request.

Original Message:
Sent: Feb 26, 2024 10:23 AM
From: ahollifield
Subject: Clearpass - Error 9002 Last EAP Packet Processing Time = 0 ms

This is a client issue.  What is the client?  Is it up date from an OS patching prospective?  Drivers up to date?  Native or 3rd party supplicant?  What is the configured/expected EAP type?  

Original Message:
Sent: Feb 26, 2024 05:10 AM
From: TomiCloud
Subject: Clearpass - Error 9002 Last EAP Packet Processing Time = 0 ms

Hi,

Usually after weekend, some of our workers, have problem with authentication. In Clearpass they are getting errors: 

After few computer restarts, authentication starts to work. It happens for random users, after a longer break. I changed eap-tls-fragment parametr on switch to 1024 (same value as in clearpass) but it didn't help.

I'm using 6200F and 2530 Switches.

Is there a way to resolve this?

I had opened case, but Aruba support also had problems with resolving this problem.

But, it looks like that disabling option to verify server certificate resolved that problem.

I know that decreases security level, but it's ok at the moment.

This issue may be hard to solve in a forum. It may be better to work with your Aruba partner or Aruba support to collect the required troubleshooting information.

We have only one ClearPass server, with certificate from our internal CA.

Do you have more than one ClearPass server and do they share the same certificate for Radius or do they have unique certificates?

If you have more than one server and they have unique certificates the clients will prompt the user to approve the "new" certificate if the authentication is taking place on another server than the last server authenticating the user/device.

You should enable the option "Do not prompt user to authorize..." to suppress the dialogue to the user.

There have been some changes in the EAP processing in Windows 11. See this Microsoft article for more information: https://learn.microsoft.com/en-us/windows-server/networking/technologies/extensible-authentication-protocol/windows-11-changes

I checked it, and all of clients which have problems are on Win10.

For testing, i disable option with veryfing server certificate.

Original Message:
Sent: Mar 06, 2024 07:26 AM
From: jonas.hammarback
Subject: Clearpass - Error 9002 Last EAP Packet Processing Time = 0 ms

Can you provide the GPO configuration for the clients?

Does this issue effect both Windows 10 and 11 machines or just one of the versions?

------------------------------
Best Regards
Jonas Hammarbäck
MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
Aranya AB
If you find my answer useful, consider giving kudos and/or mark as solution

Original Message:
Sent: Mar 04, 2024 06:24 AM
From: TomiCloud
Subject: Clearpass - Error 9002 Last EAP Packet Processing Time = 0 ms

Client is computer with Windows 10/11. OS and drivers are up to date. Supplicant is native, configured by GPO. EAP type is EAP-TLS. On computer i find an error that Authentication using 802.1x failed, that network stops responding to authentication request.

Original Message:
Sent: Feb 26, 2024 10:23 AM
From: ahollifield
Subject: Clearpass - Error 9002 Last EAP Packet Processing Time = 0 ms

This is a client issue.  What is the client?  Is it up date from an OS patching prospective?  Drivers up to date?  Native or 3rd party supplicant?  What is the configured/expected EAP type?  

Original Message:
Sent: Feb 26, 2024 05:10 AM
From: TomiCloud
Subject: Clearpass - Error 9002 Last EAP Packet Processing Time = 0 ms

Hi,

Usually after weekend, some of our workers, have problem with authentication. In Clearpass they are getting errors: 

After few computer restarts, authentication starts to work. It happens for random users, after a longer break. I changed eap-tls-fragment parametr on switch to 1024 (same value as in clearpass) but it didn't help.

I'm using 6200F and 2530 Switches.

Is there a way to resolve this?

I had opened case, but Aruba support also had problems with resolving this problem.

But, it looks like that disabling option to verify server certificate resolved that problem.

I know that decreases security level, but it's ok at the moment.

This issue may be hard to solve in a forum. It may be better to work with your Aruba partner or Aruba support to collect the required troubleshooting information.

We have only one ClearPass server, with certificate from our internal CA.

Do you have more than one ClearPass server and do they share the same certificate for Radius or do they have unique certificates?

If you have more than one server and they have unique certificates the clients will prompt the user to approve the "new" certificate if the authentication is taking place on another server than the last server authenticating the user/device.

You should enable the option "Do not prompt user to authorize..." to suppress the dialogue to the user.

There have been some changes in the EAP processing in Windows 11. See this Microsoft article for more information: https://learn.microsoft.com/en-us/windows-server/networking/technologies/extensible-authentication-protocol/windows-11-changes

I checked it, and all of clients which have problems are on Win10.

For testing, i disable option with veryfing server certificate.

Original Message:
Sent: Mar 06, 2024 07:26 AM
From: jonas.hammarback
Subject: Clearpass - Error 9002 Last EAP Packet Processing Time = 0 ms

Can you provide the GPO configuration for the clients?

Does this issue effect both Windows 10 and 11 machines or just one of the versions?

------------------------------
Best Regards
Jonas Hammarbäck
MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
Aranya AB
If you find my answer useful, consider giving kudos and/or mark as solution

Original Message:
Sent: Mar 04, 2024 06:24 AM
From: TomiCloud
Subject: Clearpass - Error 9002 Last EAP Packet Processing Time = 0 ms

Client is computer with Windows 10/11. OS and drivers are up to date. Supplicant is native, configured by GPO. EAP type is EAP-TLS. On computer i find an error that Authentication using 802.1x failed, that network stops responding to authentication request.

Original Message:
Sent: Feb 26, 2024 10:23 AM
From: ahollifield
Subject: Clearpass - Error 9002 Last EAP Packet Processing Time = 0 ms

This is a client issue.  What is the client?  Is it up date from an OS patching prospective?  Drivers up to date?  Native or 3rd party supplicant?  What is the configured/expected EAP type?  

Original Message:
Sent: Feb 26, 2024 05:10 AM
From: TomiCloud
Subject: Clearpass - Error 9002 Last EAP Packet Processing Time = 0 ms

Hi,

Usually after weekend, some of our workers, have problem with authentication. In Clearpass they are getting errors: 

After few computer restarts, authentication starts to work. It happens for random users, after a longer break. I changed eap-tls-fragment parametr on switch to 1024 (same value as in clearpass) but it didn't help.

I'm using 6200F and 2530 Switches.

Is there a way to resolve this?