Security

Hi All

We are doing a POC ( Proof of concept ) for a customer.

The customer is using Central for managing IAP APs505

And we have deployed a Clearpass in Azure with INtune , Intune Extension is working fine and we are getting end point

But when trying authenticate a client to the SSID with the Clearpass in TLS it seems that the Wifi Client is not accpeting the certificates from Clearpass Server

In access Tracker the Issue is :

Alerts -
 Error Code: 9002
 Error Category: RADIUS protocol
 Error Message: Request timed out
 Alerts for this Request -
   RADIUS: Last EAP Packet Processing Time = 0 ms
   RADIUS: Client did not complete EAP transaction

In Pcap file from Clearpass it 's like APs -> CLearpass are always challenging the Radius authentication 

We are using the Filter below and using the Certificat:Subjec-CN

We are thinking that the issue is due to the PKI , but we didn't find any precision concerning the way of what to put in the CSR 

Does anyone has already perform it and could give their feed back ?

Many Thanks for your help

Hi All

I work with VG67 and I update this post.

The Clearpass is on Azure.

The PKI is configured with Scepman.

The device were enrolled on Intunes. 

The client connect on AP505 manage by Central.

The SSID is configured for WPA2 Enterprise.

Our customer wants to use EAP-TLS

In fact we found the CP‑49353 and apply the workaround.

We  disable the 3 cipher on the windows side:

\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010003

RSAE-PSS/SHA256

RSAE-PSS/SHA384

RSAE-PSS/SHA512

So we also have now the error 9002.

On the Clearpass :

And we have this strange message authenticator

And just after this error for the certificate.

I don't know if it is the same problem.

On the client side we have the error on the rad tls process EAP 13 0x54F

We take some whireshark capture and see that The serveur send his certificate and the client didn't answer.

We don't know if it is a bug or a configuration problem ?

The serveur and client certificate seems good.

The CA certificate is install on the Clearpass and the device.

Have you got an idea. Thanks a lot for your help

Original Message:
Sent: Jun 15, 2023 05:37 AM
From: VG67
Subject: ClearPass integration with Azure for Intune devices enrollement TLS Issue

Hi All

We are doing a POC ( Proof of concept ) for a customer.

The customer is using Central for managing IAP APs505

And we have deployed a Clearpass in Azure with INtune , Intune Extension is working fine and we are getting end point

But when trying authenticate a client to the SSID with the Clearpass in TLS it seems that the Wifi Client is not accpeting the certificates from Clearpass Server

In access Tracker the Issue is :

Alerts -
 Error Code: 9002
 Error Category: RADIUS protocol
 Error Message: Request timed out
 Alerts for this Request -
   RADIUS: Last EAP Packet Processing Time = 0 ms
   RADIUS: Client did not complete EAP transaction

In Pcap file from Clearpass it 's like APs -> CLearpass are always challenging the Radius authentication 

We are using the Filter below and using the Certificat:Subjec-CN

We are thinking that the issue is due to the PKI , but we didn't find any precision concerning the way of what to put in the CSR 

Does anyone has already perform it and could give their feed back ?

Many Thanks for your help

Hi All

We are doing a POC ( Proof of concept ) for a customer.

The customer is using Central for managing IAP APs505

And we have deployed a Clearpass in Azure with INtune , Intune Extension is working fine and we are getting end point

But when trying authenticate a client to the SSID with the Clearpass in TLS it seems that the Wifi Client is not accpeting the certificates from Clearpass Server

In access Tracker the Issue is :

Alerts -
 Error Code: 9002
 Error Category: RADIUS protocol
 Error Message: Request timed out
 Alerts for this Request -
   RADIUS: Last EAP Packet Processing Time = 0 ms
   RADIUS: Client did not complete EAP transaction

In Pcap file from Clearpass it 's like APs -> CLearpass are always challenging the Radius authentication 

We are using the Filter below and using the Certificat:Subjec-CN

We are thinking that the issue is due to the PKI , but we didn't find any precision concerning the way of what to put in the CSR 

Does anyone has already perform it and could give their feed back ?

Many Thanks for your help

Hello ,

Can you give us the configuration of adaptor settings on the machine . Because i suspect there is missing configuration on it .

Hi All

We are doing a POC ( Proof of concept ) for a customer.

The customer is using Central for managing IAP APs505

And we have deployed a Clearpass in Azure with INtune , Intune Extension is working fine and we are getting end point

But when trying authenticate a client to the SSID with the Clearpass in TLS it seems that the Wifi Client is not accpeting the certificates from Clearpass Server

In access Tracker the Issue is :

Alerts -
 Error Code: 9002
 Error Category: RADIUS protocol
 Error Message: Request timed out
 Alerts for this Request -
   RADIUS: Last EAP Packet Processing Time = 0 ms
   RADIUS: Client did not complete EAP transaction

In Pcap file from Clearpass it 's like APs -> CLearpass are always challenging the Radius authentication 

We are using the Filter below and using the Certificat:Subjec-CN

We are thinking that the issue is due to the PKI , but we didn't find any precision concerning the way of what to put in the CSR 

Does anyone has already perform it and could give their feed back ?

Many Thanks for your help

Hi

Yes the CA is present on the client side.

We use SCEPMAN version enterprise for the CA and the Clearpass CSR was signed by the CA.

For the windows client configuration we try to choose the radius certificate without success.

So we decide to leverage the test level and don't check the CA certificate or Radius.

But were is the same error.

From the packet capture we see that after receive the server certificate the client restart the authentication process.

I asked this case to a colleague and he thinks that this information is mandatory on the certificate server:

1.3.6.1.5.5.7.3.2 (id-kp-ClientAuth)

So perhaps SCEPman is not a good choice for the PKI.

This is the configuration on the client side for our last test:

Computer authentication and WPA2 AES

Thanks for your help.

Regards

Hello ,

Can you give us the configuration of adaptor settings on the machine . Because i suspect there is missing configuration on it .

Hi All

We are doing a POC ( Proof of concept ) for a customer.

The customer is using Central for managing IAP APs505

And we have deployed a Clearpass in Azure with INtune , Intune Extension is working fine and we are getting end point

But when trying authenticate a client to the SSID with the Clearpass in TLS it seems that the Wifi Client is not accpeting the certificates from Clearpass Server

In access Tracker the Issue is :

Alerts -
 Error Code: 9002
 Error Category: RADIUS protocol
 Error Message: Request timed out
 Alerts for this Request -
   RADIUS: Last EAP Packet Processing Time = 0 ms
   RADIUS: Client did not complete EAP transaction

In Pcap file from Clearpass it 's like APs -> CLearpass are always challenging the Radius authentication 

We are using the Filter below and using the Certificat:Subjec-CN

We are thinking that the issue is due to the PKI , but we didn't find any precision concerning the way of what to put in the CSR 

Does anyone has already perform it and could give their feed back ?

Many Thanks for your help

Hello As a minimum you have to tick the ROOTCA  . Please read the article from Microsoft

Hi

Yes the CA is present on the client side.

We use SCEPMAN version enterprise for the CA and the Clearpass CSR was signed by the CA.

For the windows client configuration we try to choose the radius certificate without success.

So we decide to leverage the test level and don't check the CA certificate or Radius.

But were is the same error.

From the packet capture we see that after receive the server certificate the client restart the authentication process.

I asked this case to a colleague and he thinks that this information is mandatory on the certificate server:

1.3.6.1.5.5.7.3.2 (id-kp-ClientAuth)

So perhaps SCEPman is not a good choice for the PKI.

This is the configuration on the client side for our last test:

Computer authentication and WPA2 AES

Thanks for your help.

Regards

Hello ,

Can you give us the configuration of adaptor settings on the machine . Because i suspect there is missing configuration on it .

Hi All

We are doing a POC ( Proof of concept ) for a customer.

The customer is using Central for managing IAP APs505

And we have deployed a Clearpass in Azure with INtune , Intune Extension is working fine and we are getting end point

But when trying authenticate a client to the SSID with the Clearpass in TLS it seems that the Wifi Client is not accpeting the certificates from Clearpass Server

In access Tracker the Issue is :

Alerts -
 Error Code: 9002
 Error Category: RADIUS protocol
 Error Message: Request timed out
 Alerts for this Request -
   RADIUS: Last EAP Packet Processing Time = 0 ms
   RADIUS: Client did not complete EAP transaction

In Pcap file from Clearpass it 's like APs -> CLearpass are always challenging the Radius authentication 

We are using the Filter below and using the Certificat:Subjec-CN

We are thinking that the issue is due to the PKI , but we didn't find any precision concerning the way of what to put in the CSR 

Does anyone has already perform it and could give their feed back ?

Many Thanks for your help

Hello As a minimum you have to tick the ROOTCA  . Please read the article from Microsoft

Hi

Yes the CA is present on the client side.

We use SCEPMAN version enterprise for the CA and the Clearpass CSR was signed by the CA.

For the windows client configuration we try to choose the radius certificate without success.

So we decide to leverage the test level and don't check the CA certificate or Radius.

But were is the same error.

From the packet capture we see that after receive the server certificate the client restart the authentication process.

I asked this case to a colleague and he thinks that this information is mandatory on the certificate server:

1.3.6.1.5.5.7.3.2 (id-kp-ClientAuth)

So perhaps SCEPman is not a good choice for the PKI.

This is the configuration on the client side for our last test:

Computer authentication and WPA2 AES

Thanks for your help.

Regards

Hello ,

Can you give us the configuration of adaptor settings on the machine . Because i suspect there is missing configuration on it .

Hi All

We are doing a POC ( Proof of concept ) for a customer.

The customer is using Central for managing IAP APs505

And we have deployed a Clearpass in Azure with INtune , Intune Extension is working fine and we are getting end point

But when trying authenticate a client to the SSID with the Clearpass in TLS it seems that the Wifi Client is not accpeting the certificates from Clearpass Server

In access Tracker the Issue is :

Alerts -
 Error Code: 9002
 Error Category: RADIUS protocol
 Error Message: Request timed out
 Alerts for this Request -
   RADIUS: Last EAP Packet Processing Time = 0 ms
   RADIUS: Client did not complete EAP transaction

In Pcap file from Clearpass it 's like APs -> CLearpass are always challenging the Radius authentication 

We are using the Filter below and using the Certificat:Subjec-CN

We are thinking that the issue is due to the PKI , but we didn't find any precision concerning the way of what to put in the CSR 

Does anyone has already perform it and could give their feed back ?

Many Thanks for your help

Hi team

Frist thanks a lot for your help guys , 

We tried to test with the recommandation above but still not working 

Thanks for helping

Hello As a minimum you have to tick the ROOTCA  . Please read the article from Microsoft

Hi

Yes the CA is present on the client side.

We use SCEPMAN version enterprise for the CA and the Clearpass CSR was signed by the CA.

For the windows client configuration we try to choose the radius certificate without success.

So we decide to leverage the test level and don't check the CA certificate or Radius.

But were is the same error.

From the packet capture we see that after receive the server certificate the client restart the authentication process.

I asked this case to a colleague and he thinks that this information is mandatory on the certificate server:

1.3.6.1.5.5.7.3.2 (id-kp-ClientAuth)

So perhaps SCEPman is not a good choice for the PKI.

This is the configuration on the client side for our last test:

Computer authentication and WPA2 AES

Thanks for your help.

Regards

Hello ,

Can you give us the configuration of adaptor settings on the machine . Because i suspect there is missing configuration on it .

Hi All

We are doing a POC ( Proof of concept ) for a customer.

The customer is using Central for managing IAP APs505

And we have deployed a Clearpass in Azure with INtune , Intune Extension is working fine and we are getting end point

But when trying authenticate a client to the SSID with the Clearpass in TLS it seems that the Wifi Client is not accpeting the certificates from Clearpass Server

In access Tracker the Issue is :

Alerts -
 Error Code: 9002
 Error Category: RADIUS protocol
 Error Message: Request timed out
 Alerts for this Request -
   RADIUS: Last EAP Packet Processing Time = 0 ms
   RADIUS: Client did not complete EAP transaction

In Pcap file from Clearpass it 's like APs -> CLearpass are always challenging the Radius authentication 

We are using the Filter below and using the Certificat:Subjec-CN

We are thinking that the issue is due to the PKI , but we didn't find any precision concerning the way of what to put in the CSR 

Does anyone has already perform it and could give their feed back ?

Many Thanks for your help

The place where you select the trusted root CA looks incorrect.  That should be the CA of the cert for your RADIUS server and not the CA of the client cert.

Hi team

Frist thanks a lot for your help guys , 

We tried to test with the recommandation above but still not working 

Thanks for helping

Hello As a minimum you have to tick the ROOTCA  . Please read the article from Microsoft

Hi

Yes the CA is present on the client side.

We use SCEPMAN version enterprise for the CA and the Clearpass CSR was signed by the CA.

For the windows client configuration we try to choose the radius certificate without success.

So we decide to leverage the test level and don't check the CA certificate or Radius.

But were is the same error.

From the packet capture we see that after receive the server certificate the client restart the authentication process.

I asked this case to a colleague and he thinks that this information is mandatory on the certificate server:

1.3.6.1.5.5.7.3.2 (id-kp-ClientAuth)

So perhaps SCEPman is not a good choice for the PKI.

This is the configuration on the client side for our last test:

Computer authentication and WPA2 AES

Thanks for your help.

Regards

Hello ,

Can you give us the configuration of adaptor settings on the machine . Because i suspect there is missing configuration on it .

Hi All

We are doing a POC ( Proof of concept ) for a customer.

The customer is using Central for managing IAP APs505

And we have deployed a Clearpass in Azure with INtune , Intune Extension is working fine and we are getting end point

But when trying authenticate a client to the SSID with the Clearpass in TLS it seems that the Wifi Client is not accpeting the certificates from Clearpass Server

In access Tracker the Issue is :

Alerts -
 Error Code: 9002
 Error Category: RADIUS protocol
 Error Message: Request timed out
 Alerts for this Request -
   RADIUS: Last EAP Packet Processing Time = 0 ms
   RADIUS: Client did not complete EAP transaction

In Pcap file from Clearpass it 's like APs -> CLearpass are always challenging the Radius authentication 

We are using the Filter below and using the Certificat:Subjec-CN

We are thinking that the issue is due to the PKI , but we didn't find any precision concerning the way of what to put in the CSR 

Does anyone has already perform it and could give their feed back ?

Many Thanks for your help

Hi team

Frist thanks a lot for your help guys , 

We tried to test with the recommandation above but still not working 

Thanks for helping

Hello As a minimum you have to tick the ROOTCA  . Please read the article from Microsoft

Hi

Yes the CA is present on the client side.

We use SCEPMAN version enterprise for the CA and the Clearpass CSR was signed by the CA.

For the windows client configuration we try to choose the radius certificate without success.

So we decide to leverage the test level and don't check the CA certificate or Radius.

But were is the same error.

From the packet capture we see that after receive the server certificate the client restart the authentication process.

I asked this case to a colleague and he thinks that this information is mandatory on the certificate server:

1.3.6.1.5.5.7.3.2 (id-kp-ClientAuth)

So perhaps SCEPman is not a good choice for the PKI.

This is the configuration on the client side for our last test:

Computer authentication and WPA2 AES

Thanks for your help.

Regards

Hello ,

Can you give us the configuration of adaptor settings on the machine . Because i suspect there is missing configuration on it .

Hi All

We are doing a POC ( Proof of concept ) for a customer.

The customer is using Central for managing IAP APs505

And we have deployed a Clearpass in Azure with INtune , Intune Extension is working fine and we are getting end point

But when trying authenticate a client to the SSID with the Clearpass in TLS it seems that the Wifi Client is not accpeting the certificates from Clearpass Server

In access Tracker the Issue is :

Alerts -
 Error Code: 9002
 Error Category: RADIUS protocol
 Error Message: Request timed out
 Alerts for this Request -
   RADIUS: Last EAP Packet Processing Time = 0 ms
   RADIUS: Client did not complete EAP transaction

In Pcap file from Clearpass it 's like APs -> CLearpass are always challenging the Radius authentication 

We are using the Filter below and using the Certificat:Subjec-CN

We are thinking that the issue is due to the PKI , but we didn't find any precision concerning the way of what to put in the CSR 

Does anyone has already perform it and could give their feed back ?

Many Thanks for your help

From the server validation, is is correct that your ClearPass RADIUS Server certificate is issued as well by the SCEPman-Root-CA?

And is the CN or the SAN on that ClearPass RADIUS Server certificate either: azu-clearp-01 or 10.73.32.4?

As mentioned before you can for testing disable the server validation in your client (supplicant) configuration, then enable the validation but leave server name empty, then add the server name validation. Information that you enter into the client validates the RADIUS/EAP server certificate on ClearPass.

Hi team

Frist thanks a lot for your help guys , 

We tried to test with the recommandation above but still not working 

Thanks for helping

Hello As a minimum you have to tick the ROOTCA  . Please read the article from Microsoft

Hi

Yes the CA is present on the client side.

We use SCEPMAN version enterprise for the CA and the Clearpass CSR was signed by the CA.

For the windows client configuration we try to choose the radius certificate without success.

So we decide to leverage the test level and don't check the CA certificate or Radius.

But were is the same error.

From the packet capture we see that after receive the server certificate the client restart the authentication process.

I asked this case to a colleague and he thinks that this information is mandatory on the certificate server:

1.3.6.1.5.5.7.3.2 (id-kp-ClientAuth)

So perhaps SCEPman is not a good choice for the PKI.

This is the configuration on the client side for our last test:

Computer authentication and WPA2 AES

Thanks for your help.

Regards

Hello ,

Can you give us the configuration of adaptor settings on the machine . Because i suspect there is missing configuration on it .

Hi All

We are doing a POC ( Proof of concept ) for a customer.

The customer is using Central for managing IAP APs505

And we have deployed a Clearpass in Azure with INtune , Intune Extension is working fine and we are getting end point

But when trying authenticate a client to the SSID with the Clearpass in TLS it seems that the Wifi Client is not accpeting the certificates from Clearpass Server

In access Tracker the Issue is :

Alerts -
 Error Code: 9002
 Error Category: RADIUS protocol
 Error Message: Request timed out
 Alerts for this Request -
   RADIUS: Last EAP Packet Processing Time = 0 ms
   RADIUS: Client did not complete EAP transaction

In Pcap file from Clearpass it 's like APs -> CLearpass are always challenging the Radius authentication 

We are using the Filter below and using the Certificat:Subjec-CN

We are thinking that the issue is due to the PKI , but we didn't find any precision concerning the way of what to put in the CSR 

Does anyone has already perform it and could give their feed back ?

Many Thanks for your help

Hi

Yes the radius certificate is issued by SCEPman-root-CA.

For the SAN we use the IP Address 10.73.32.4

We also try to disable the server validation without success.

Then this morning we discover a really strange things.

Although we have no problem for the MPSK request or the guest Radius request. All works fine.

With Whireshark we discover that the radius Packets for EAP-TLS (Access-Challenge) from the Clearpass to the Access point don't reach the Access Point. (Only one times for 50 packets)

We think that there was some dropping of fragmented radius packets other the VPN.

Sometimes when the packet reach the access point we have some new error on the access tracker: Error 206, error 205.

Then we are going to look for the VPN configuration.

On the Azure Side it was a standard VPN Gateway.

On the client Side we test it with two different firewall.

Is there a best practice to configure the MTU size on the Azure Clearpass With Site to site VPN ?

Thanks for your help.

Regards

From the server validation, is is correct that your ClearPass RADIUS Server certificate is issued as well by the SCEPman-Root-CA?

And is the CN or the SAN on that ClearPass RADIUS Server certificate either: azu-clearp-01 or 10.73.32.4?

As mentioned before you can for testing disable the server validation in your client (supplicant) configuration, then enable the validation but leave server name empty, then add the server name validation. Information that you enter into the client validates the RADIUS/EAP server certificate on ClearPass.

Hi team

Frist thanks a lot for your help guys , 

We tried to test with the recommandation above but still not working 

Thanks for helping

Hello As a minimum you have to tick the ROOTCA  . Please read the article from Microsoft

Hi

Yes the CA is present on the client side.

We use SCEPMAN version enterprise for the CA and the Clearpass CSR was signed by the CA.

For the windows client configuration we try to choose the radius certificate without success.

So we decide to leverage the test level and don't check the CA certificate or Radius.

But were is the same error.

From the packet capture we see that after receive the server certificate the client restart the authentication process.

I asked this case to a colleague and he thinks that this information is mandatory on the certificate server:

1.3.6.1.5.5.7.3.2 (id-kp-ClientAuth)

So perhaps SCEPman is not a good choice for the PKI.

This is the configuration on the client side for our last test:

Computer authentication and WPA2 AES

Thanks for your help.

Regards

Hello ,

Can you give us the configuration of adaptor settings on the machine . Because i suspect there is missing configuration on it .

Hi All

We are doing a POC ( Proof of concept ) for a customer.

The customer is using Central for managing IAP APs505

And we have deployed a Clearpass in Azure with INtune , Intune Extension is working fine and we are getting end point

But when trying authenticate a client to the SSID with the Clearpass in TLS it seems that the Wifi Client is not accpeting the certificates from Clearpass Server

In access Tracker the Issue is :

Alerts -
 Error Code: 9002
 Error Category: RADIUS protocol
 Error Message: Request timed out
 Alerts for this Request -
   RADIUS: Last EAP Packet Processing Time = 0 ms
   RADIUS: Client did not complete EAP transaction

In Pcap file from Clearpass it 's like APs -> CLearpass are always challenging the Radius authentication 

We are using the Filter below and using the Certificat:Subjec-CN

We are thinking that the issue is due to the PKI , but we didn't find any precision concerning the way of what to put in the CSR 

Does anyone has already perform it and could give their feed back ?

Many Thanks for your help

Hi

Yes the CA is present on the client side.

We use SCEPMAN version enterprise for the CA and the Clearpass CSR was signed by the CA.

For the windows client configuration we try to choose the radius certificate without success.

So we decide to leverage the test level and don't check the CA certificate or Radius.

But were is the same error.

From the packet capture we see that after receive the server certificate the client restart the authentication process.

I asked this case to a colleague and he thinks that this information is mandatory on the certificate server:

1.3.6.1.5.5.7.3.2 (id-kp-ClientAuth)

So perhaps SCEPman is not a good choice for the PKI.

This is the configuration on the client side for our last test:

Computer authentication and WPA2 AES

Thanks for your help.

Regards

Hello ,

Can you give us the configuration of adaptor settings on the machine . Because i suspect there is missing configuration on it .

Hi All

We are doing a POC ( Proof of concept ) for a customer.

The customer is using Central for managing IAP APs505

And we have deployed a Clearpass in Azure with INtune , Intune Extension is working fine and we are getting end point

But when trying authenticate a client to the SSID with the Clearpass in TLS it seems that the Wifi Client is not accpeting the certificates from Clearpass Server

In access Tracker the Issue is :

Alerts -
 Error Code: 9002
 Error Category: RADIUS protocol
 Error Message: Request timed out
 Alerts for this Request -
   RADIUS: Last EAP Packet Processing Time = 0 ms
   RADIUS: Client did not complete EAP transaction

In Pcap file from Clearpass it 's like APs -> CLearpass are always challenging the Radius authentication 

We are using the Filter below and using the Certificat:Subjec-CN

We are thinking that the issue is due to the PKI , but we didn't find any precision concerning the way of what to put in the CSR 

Does anyone has already perform it and could give their feed back ?

Many Thanks for your help

I use SCEPman with EAP-TLS and it works correctly.  

What does the access tracker logs in Clearpass look like when you try to connect?

Hi

Yes the CA is present on the client side.

We use SCEPMAN version enterprise for the CA and the Clearpass CSR was signed by the CA.

For the windows client configuration we try to choose the radius certificate without success.

So we decide to leverage the test level and don't check the CA certificate or Radius.

But were is the same error.

From the packet capture we see that after receive the server certificate the client restart the authentication process.

I asked this case to a colleague and he thinks that this information is mandatory on the certificate server:

1.3.6.1.5.5.7.3.2 (id-kp-ClientAuth)

So perhaps SCEPman is not a good choice for the PKI.

This is the configuration on the client side for our last test:

Computer authentication and WPA2 AES

Thanks for your help.

Regards

Hello ,

Can you give us the configuration of adaptor settings on the machine . Because i suspect there is missing configuration on it .

Hi All

We are doing a POC ( Proof of concept ) for a customer.

The customer is using Central for managing IAP APs505

And we have deployed a Clearpass in Azure with INtune , Intune Extension is working fine and we are getting end point

But when trying authenticate a client to the SSID with the Clearpass in TLS it seems that the Wifi Client is not accpeting the certificates from Clearpass Server

In access Tracker the Issue is :

Alerts -
 Error Code: 9002
 Error Category: RADIUS protocol
 Error Message: Request timed out
 Alerts for this Request -
   RADIUS: Last EAP Packet Processing Time = 0 ms
   RADIUS: Client did not complete EAP transaction

In Pcap file from Clearpass it 's like APs -> CLearpass are always challenging the Radius authentication 

We are using the Filter below and using the Certificat:Subjec-CN

We are thinking that the issue is due to the PKI , but we didn't find any precision concerning the way of what to put in the CSR 

Does anyone has already perform it and could give their feed back ?

Many Thanks for your help

Hello

Thanks for your confirmation that you use SCEPMAN for PKI. And it Works Fine.

Dis you do a particular things ?

For us We just generate a CSR and sign it with Scepman CA.

Our Microsoft and IPhone device is enroll with intunes.

The device certificate and the CA certificate is present on the endpoint.

If you want to see I add an access tracker log on this post.

On the client side we take a capture and we have a lot of Request, Identity and Response, Identity

If We look on the 802.1X process we sould see an EAP-Request / Type or it isn't present on the capture.

So on the Clearpass Capture the Radius : Access Challenge is present.

We are try to take capture on the access point.

Is it possible that there is a Radius configuration Problem for EAP on the Access Point (IAP505 managed by Central).

We try radius authentication for MPSK and it works fine.

Then I can expect that the VPN Site to site is good betwenn the AP and the Clearpass on Azure.

We try the authentication 802.1X with a switch and we have the same error.

Thanks for your help.

Regards.

I use SCEPman with EAP-TLS and it works correctly.  

What does the access tracker logs in Clearpass look like when you try to connect?

Hi

Yes the CA is present on the client side.

We use SCEPMAN version enterprise for the CA and the Clearpass CSR was signed by the CA.

For the windows client configuration we try to choose the radius certificate without success.

So we decide to leverage the test level and don't check the CA certificate or Radius.

But were is the same error.

From the packet capture we see that after receive the server certificate the client restart the authentication process.

I asked this case to a colleague and he thinks that this information is mandatory on the certificate server:

1.3.6.1.5.5.7.3.2 (id-kp-ClientAuth)

So perhaps SCEPman is not a good choice for the PKI.

This is the configuration on the client side for our last test:

Computer authentication and WPA2 AES

Thanks for your help.

Regards

Hello ,

Can you give us the configuration of adaptor settings on the machine . Because i suspect there is missing configuration on it .

Hi All

We are doing a POC ( Proof of concept ) for a customer.

The customer is using Central for managing IAP APs505

And we have deployed a Clearpass in Azure with INtune , Intune Extension is working fine and we are getting end point

But when trying authenticate a client to the SSID with the Clearpass in TLS it seems that the Wifi Client is not accpeting the certificates from Clearpass Server

In access Tracker the Issue is :

Alerts -
 Error Code: 9002
 Error Category: RADIUS protocol
 Error Message: Request timed out
 Alerts for this Request -
   RADIUS: Last EAP Packet Processing Time = 0 ms
   RADIUS: Client did not complete EAP transaction

In Pcap file from Clearpass it 's like APs -> CLearpass are always challenging the Radius authentication 

We are using the Filter below and using the Certificat:Subjec-CN

We are thinking that the issue is due to the PKI , but we didn't find any precision concerning the way of what to put in the CSR 

Does anyone has already perform it and could give their feed back ?

Many Thanks for your help

Can you go to:
Administration -> Certificate Store -> Server Certificates -> Make sure RADIUS/EAP is selected as the type

Take a screenshoot of this and post it.  

I use 505s in our environment as well and do not have issues with SCEPman but our RADIUS cert is signed by Godaddy.

Hello

Thanks for your confirmation that you use SCEPMAN for PKI. And it Works Fine.

Dis you do a particular things ?

For us We just generate a CSR and sign it with Scepman CA.

Our Microsoft and IPhone device is enroll with intunes.

The device certificate and the CA certificate is present on the endpoint.

If you want to see I add an access tracker log on this post.

On the client side we take a capture and we have a lot of Request, Identity and Response, Identity

If We look on the 802.1X process we sould see an EAP-Request / Type or it isn't present on the capture.

So on the Clearpass Capture the Radius : Access Challenge is present.

We are try to take capture on the access point.

Is it possible that there is a Radius configuration Problem for EAP on the Access Point (IAP505 managed by Central).

We try radius authentication for MPSK and it works fine.

Then I can expect that the VPN Site to site is good betwenn the AP and the Clearpass on Azure.

We try the authentication 802.1X with a switch and we have the same error.

Thanks for your help.

Regards.

I use SCEPman with EAP-TLS and it works correctly.  

What does the access tracker logs in Clearpass look like when you try to connect?

Hi

Yes the CA is present on the client side.

We use SCEPMAN version enterprise for the CA and the Clearpass CSR was signed by the CA.

For the windows client configuration we try to choose the radius certificate without success.

So we decide to leverage the test level and don't check the CA certificate or Radius.

But were is the same error.

From the packet capture we see that after receive the server certificate the client restart the authentication process.

I asked this case to a colleague and he thinks that this information is mandatory on the certificate server:

1.3.6.1.5.5.7.3.2 (id-kp-ClientAuth)

So perhaps SCEPman is not a good choice for the PKI.

This is the configuration on the client side for our last test:

Computer authentication and WPA2 AES

Thanks for your help.

Regards

Hello ,

Can you give us the configuration of adaptor settings on the machine . Because i suspect there is missing configuration on it .

Hi All

We are doing a POC ( Proof of concept ) for a customer.

The customer is using Central for managing IAP APs505

And we have deployed a Clearpass in Azure with INtune , Intune Extension is working fine and we are getting end point

But when trying authenticate a client to the SSID with the Clearpass in TLS it seems that the Wifi Client is not accpeting the certificates from Clearpass Server

In access Tracker the Issue is :

Alerts -
 Error Code: 9002
 Error Category: RADIUS protocol
 Error Message: Request timed out
 Alerts for this Request -
   RADIUS: Last EAP Packet Processing Time = 0 ms
   RADIUS: Client did not complete EAP transaction

In Pcap file from Clearpass it 's like APs -> CLearpass are always challenging the Radius authentication 

We are using the Filter below and using the Certificat:Subjec-CN

We are thinking that the issue is due to the PKI , but we didn't find any precision concerning the way of what to put in the CSR 

Does anyone has already perform it and could give their feed back ?

Many Thanks for your help

Hi All

Greet. We change the Radius Flow to RADSEC and it works fine now.

Thank you very much for your advice.

Our problem was due to radius fragment packet and not the certificate.

And after we need to change the attribute filter to %{Certificate:Subject-AltName-URI}

So it works fine, but we have a little warning on the logs due to the attribute filter:

We are looking on it. Do you have an idea ? We use the Intune Extensions v6.0.3

Very thanks for your help.

Can you go to:
Administration -> Certificate Store -> Server Certificates -> Make sure RADIUS/EAP is selected as the type

Take a screenshoot of this and post it.  

I use 505s in our environment as well and do not have issues with SCEPman but our RADIUS cert is signed by Godaddy.

Hello

Thanks for your confirmation that you use SCEPMAN for PKI. And it Works Fine.

Dis you do a particular things ?

For us We just generate a CSR and sign it with Scepman CA.

Our Microsoft and IPhone device is enroll with intunes.

The device certificate and the CA certificate is present on the endpoint.

If you want to see I add an access tracker log on this post.

On the client side we take a capture and we have a lot of Request, Identity and Response, Identity

If We look on the 802.1X process we sould see an EAP-Request / Type or it isn't present on the capture.

So on the Clearpass Capture the Radius : Access Challenge is present.

We are try to take capture on the access point.

Is it possible that there is a Radius configuration Problem for EAP on the Access Point (IAP505 managed by Central).

We try radius authentication for MPSK and it works fine.

Then I can expect that the VPN Site to site is good betwenn the AP and the Clearpass on Azure.

We try the authentication 802.1X with a switch and we have the same error.

Thanks for your help.

Regards.

I use SCEPman with EAP-TLS and it works correctly.  

What does the access tracker logs in Clearpass look like when you try to connect?

Hi

Yes the CA is present on the client side.

We use SCEPMAN version enterprise for the CA and the Clearpass CSR was signed by the CA.

For the windows client configuration we try to choose the radius certificate without success.

So we decide to leverage the test level and don't check the CA certificate or Radius.

But were is the same error.

From the packet capture we see that after receive the server certificate the client restart the authentication process.

I asked this case to a colleague and he thinks that this information is mandatory on the certificate server:

1.3.6.1.5.5.7.3.2 (id-kp-ClientAuth)

So perhaps SCEPman is not a good choice for the PKI.

This is the configuration on the client side for our last test:

Computer authentication and WPA2 AES

Thanks for your help.

Regards

Hello ,

Can you give us the configuration of adaptor settings on the machine . Because i suspect there is missing configuration on it .

Hi All

We are doing a POC ( Proof of concept ) for a customer.

The customer is using Central for managing IAP APs505

And we have deployed a Clearpass in Azure with INtune , Intune Extension is working fine and we are getting end point

But when trying authenticate a client to the SSID with the Clearpass in TLS it seems that the Wifi Client is not accpeting the certificates from Clearpass Server

In access Tracker the Issue is :

Alerts -
 Error Code: 9002
 Error Category: RADIUS protocol
 Error Message: Request timed out
 Alerts for this Request -
   RADIUS: Last EAP Packet Processing Time = 0 ms
   RADIUS: Client did not complete EAP transaction

In Pcap file from Clearpass it 's like APs -> CLearpass are always challenging the Radius authentication 

We are using the Filter below and using the Certificat:Subjec-CN

We are thinking that the issue is due to the PKI , but we didn't find any precision concerning the way of what to put in the CSR 

Does anyone has already perform it and could give their feed back ?

Many Thanks for your help

You should create the filter based on the Subject-CN, and the CN should contain the Intune Device Id CN={{DeviceID}}

That is not the default for Intune SCEP requests, so needs to be changed. I don't think you can use a SAN for the lookup.

Hi All

Greet. We change the Radius Flow to RADSEC and it works fine now.

Thank you very much for your advice.

Our problem was due to radius fragment packet and not the certificate.

And after we need to change the attribute filter to %{Certificate:Subject-AltName-URI}

So it works fine, but we have a little warning on the logs due to the attribute filter:

We are looking on it. Do you have an idea ? We use the Intune Extensions v6.0.3

Very thanks for your help.

Can you go to:
Administration -> Certificate Store -> Server Certificates -> Make sure RADIUS/EAP is selected as the type

Take a screenshoot of this and post it.  

I use 505s in our environment as well and do not have issues with SCEPman but our RADIUS cert is signed by Godaddy.

Hello

Thanks for your confirmation that you use SCEPMAN for PKI. And it Works Fine.

Dis you do a particular things ?

For us We just generate a CSR and sign it with Scepman CA.

Our Microsoft and IPhone device is enroll with intunes.

The device certificate and the CA certificate is present on the endpoint.

If you want to see I add an access tracker log on this post.

On the client side we take a capture and we have a lot of Request, Identity and Response, Identity

If We look on the 802.1X process we sould see an EAP-Request / Type or it isn't present on the capture.

So on the Clearpass Capture the Radius : Access Challenge is present.

We are try to take capture on the access point.

Is it possible that there is a Radius configuration Problem for EAP on the Access Point (IAP505 managed by Central).

We try radius authentication for MPSK and it works fine.

Then I can expect that the VPN Site to site is good betwenn the AP and the Clearpass on Azure.

We try the authentication 802.1X with a switch and we have the same error.

Thanks for your help.

Regards.

I use SCEPman with EAP-TLS and it works correctly.  

What does the access tracker logs in Clearpass look like when you try to connect?

Hi

Yes the CA is present on the client side.

We use SCEPMAN version enterprise for the CA and the Clearpass CSR was signed by the CA.

For the windows client configuration we try to choose the radius certificate without success.

So we decide to leverage the test level and don't check the CA certificate or Radius.

But were is the same error.

From the packet capture we see that after receive the server certificate the client restart the authentication process.

I asked this case to a colleague and he thinks that this information is mandatory on the certificate server:

1.3.6.1.5.5.7.3.2 (id-kp-ClientAuth)

So perhaps SCEPman is not a good choice for the PKI.

This is the configuration on the client side for our last test:

Computer authentication and WPA2 AES

Thanks for your help.

Regards

Hello ,

Can you give us the configuration of adaptor settings on the machine . Because i suspect there is missing configuration on it .

Hi All

We are doing a POC ( Proof of concept ) for a customer.

The customer is using Central for managing IAP APs505

And we have deployed a Clearpass in Azure with INtune , Intune Extension is working fine and we are getting end point

But when trying authenticate a client to the SSID with the Clearpass in TLS it seems that the Wifi Client is not accpeting the certificates from Clearpass Server

In access Tracker the Issue is :

Alerts -
 Error Code: 9002
 Error Category: RADIUS protocol
 Error Message: Request timed out
 Alerts for this Request -
   RADIUS: Last EAP Packet Processing Time = 0 ms
   RADIUS: Client did not complete EAP transaction

In Pcap file from Clearpass it 's like APs -> CLearpass are always challenging the Radius authentication 

We are using the Filter below and using the Certificat:Subjec-CN

We are thinking that the issue is due to the PKI , but we didn't find any precision concerning the way of what to put in the CSR 

Does anyone has already perform it and could give their feed back ?

Many Thanks for your help

Is this correct setting if you have subject-cn intune deviceId on certificate ?

You should create the filter based on the Subject-CN, and the CN should contain the Intune Device Id CN={{DeviceID}}

That is not the default for Intune SCEP requests, so needs to be changed. I don't think you can use a SAN for the lookup.

Hi All

Greet. We change the Radius Flow to RADSEC and it works fine now.

Thank you very much for your advice.

Our problem was due to radius fragment packet and not the certificate.

And after we need to change the attribute filter to %{Certificate:Subject-AltName-URI}

So it works fine, but we have a little warning on the logs due to the attribute filter:

We are looking on it. Do you have an idea ? We use the Intune Extensions v6.0.3

Very thanks for your help.

Can you go to:
Administration -> Certificate Store -> Server Certificates -> Make sure RADIUS/EAP is selected as the type

Take a screenshoot of this and post it.  

I use 505s in our environment as well and do not have issues with SCEPman but our RADIUS cert is signed by Godaddy.

Hello

Thanks for your confirmation that you use SCEPMAN for PKI. And it Works Fine.

Dis you do a particular things ?

For us We just generate a CSR and sign it with Scepman CA.

Our Microsoft and IPhone device is enroll with intunes.

The device certificate and the CA certificate is present on the endpoint.

If you want to see I add an access tracker log on this post.

On the client side we take a capture and we have a lot of Request, Identity and Response, Identity

If We look on the 802.1X process we sould see an EAP-Request / Type or it isn't present on the capture.

So on the Clearpass Capture the Radius : Access Challenge is present.

We are try to take capture on the access point.

Is it possible that there is a Radius configuration Problem for EAP on the Access Point (IAP505 managed by Central).

We try radius authentication for MPSK and it works fine.

Then I can expect that the VPN Site to site is good betwenn the AP and the Clearpass on Azure.

We try the authentication 802.1X with a switch and we have the same error.

Thanks for your help.

Regards.

I use SCEPman with EAP-TLS and it works correctly.  

What does the access tracker logs in Clearpass look like when you try to connect?

Hi

Yes the CA is present on the client side.

We use SCEPMAN version enterprise for the CA and the Clearpass CSR was signed by the CA.

For the windows client configuration we try to choose the radius certificate without success.

So we decide to leverage the test level and don't check the CA certificate or Radius.

But were is the same error.

From the packet capture we see that after receive the server certificate the client restart the authentication process.

I asked this case to a colleague and he thinks that this information is mandatory on the certificate server:

1.3.6.1.5.5.7.3.2 (id-kp-ClientAuth)

So perhaps SCEPman is not a good choice for the PKI.

This is the configuration on the client side for our last test:

Computer authentication and WPA2 AES

Thanks for your help.

Regards

Hello ,

Can you give us the configuration of adaptor settings on the machine . Because i suspect there is missing configuration on it .

Hi All

We are doing a POC ( Proof of concept ) for a customer.

The customer is using Central for managing IAP APs505

And we have deployed a Clearpass in Azure with INtune , Intune Extension is working fine and we are getting end point

But when trying authenticate a client to the SSID with the Clearpass in TLS it seems that the Wifi Client is not accpeting the certificates from Clearpass Server

In access Tracker the Issue is :

Alerts -
 Error Code: 9002
 Error Category: RADIUS protocol
 Error Message: Request timed out
 Alerts for this Request -
   RADIUS: Last EAP Packet Processing Time = 0 ms
   RADIUS: Client did not complete EAP transaction

In Pcap file from Clearpass it 's like APs -> CLearpass are always challenging the Radius authentication 

We are using the Filter below and using the Certificat:Subjec-CN

We are thinking that the issue is due to the PKI , but we didn't find any precision concerning the way of what to put in the CSR 

Does anyone has already perform it and could give their feed back ?

Many Thanks for your help

Hi All

Greet. We change the Radius Flow to RADSEC and it works fine now.

Thank you very much for your advice.

Our problem was due to radius fragment packet and not the certificate.

And after we need to change the attribute filter to %{Certificate:Subject-AltName-URI}

So it works fine, but we have a little warning on the logs due to the attribute filter:

We are looking on it. Do you have an idea ? We use the Intune Extensions v6.0.3

Very thanks for your help.

Can you go to:
Administration -> Certificate Store -> Server Certificates -> Make sure RADIUS/EAP is selected as the type

Take a screenshoot of this and post it.  

I use 505s in our environment as well and do not have issues with SCEPman but our RADIUS cert is signed by Godaddy.

Hello

Thanks for your confirmation that you use SCEPMAN for PKI. And it Works Fine.

Dis you do a particular things ?

For us We just generate a CSR and sign it with Scepman CA.

Our Microsoft and IPhone device is enroll with intunes.

The device certificate and the CA certificate is present on the endpoint.

If you want to see I add an access tracker log on this post.

On the client side we take a capture and we have a lot of Request, Identity and Response, Identity

If We look on the 802.1X process we sould see an EAP-Request / Type or it isn't present on the capture.

So on the Clearpass Capture the Radius : Access Challenge is present.

We are try to take capture on the access point.

Is it possible that there is a Radius configuration Problem for EAP on the Access Point (IAP505 managed by Central).

We try radius authentication for MPSK and it works fine.

Then I can expect that the VPN Site to site is good betwenn the AP and the Clearpass on Azure.

We try the authentication 802.1X with a switch and we have the same error.

Thanks for your help.

Regards.

I use SCEPman with EAP-TLS and it works correctly.  

What does the access tracker logs in Clearpass look like when you try to connect?

Hi

Yes the CA is present on the client side.

We use SCEPMAN version enterprise for the CA and the Clearpass CSR was signed by the CA.

For the windows client configuration we try to choose the radius certificate without success.

So we decide to leverage the test level and don't check the CA certificate or Radius.

But were is the same error.

From the packet capture we see that after receive the server certificate the client restart the authentication process.

I asked this case to a colleague and he thinks that this information is mandatory on the certificate server:

1.3.6.1.5.5.7.3.2 (id-kp-ClientAuth)

So perhaps SCEPman is not a good choice for the PKI.

This is the configuration on the client side for our last test:

Computer authentication and WPA2 AES

Thanks for your help.

Regards

Hello ,

Can you give us the configuration of adaptor settings on the machine . Because i suspect there is missing configuration on it .

Hi All

We are doing a POC ( Proof of concept ) for a customer.

The customer is using Central for managing IAP APs505

And we have deployed a Clearpass in Azure with INtune , Intune Extension is working fine and we are getting end point

But when trying authenticate a client to the SSID with the Clearpass in TLS it seems that the Wifi Client is not accpeting the certificates from Clearpass Server

In access Tracker the Issue is :

Alerts -
 Error Code: 9002
 Error Category: RADIUS protocol
 Error Message: Request timed out
 Alerts for this Request -
   RADIUS: Last EAP Packet Processing Time = 0 ms
   RADIUS: Client did not complete EAP transaction

In Pcap file from Clearpass it 's like APs -> CLearpass are always challenging the Radius authentication 

We are using the Filter below and using the Certificat:Subjec-CN

We are thinking that the issue is due to the PKI , but we didn't find any precision concerning the way of what to put in the CSR 

Does anyone has already perform it and could give their feed back ?

Many Thanks for your help

Hi All

We are doing a POC ( Proof of concept ) for a customer.

The customer is using Central for managing IAP APs505

And we have deployed a Clearpass in Azure with INtune , Intune Extension is working fine and we are getting end point

But when trying authenticate a client to the SSID with the Clearpass in TLS it seems that the Wifi Client is not accpeting the certificates from Clearpass Server

In access Tracker the Issue is :

Alerts -
 Error Code: 9002
 Error Category: RADIUS protocol
 Error Message: Request timed out
 Alerts for this Request -
   RADIUS: Last EAP Packet Processing Time = 0 ms
   RADIUS: Client did not complete EAP transaction

In Pcap file from Clearpass it 's like APs -> CLearpass are always challenging the Radius authentication 

We are using the Filter below and using the Certificat:Subjec-CN

We are thinking that the issue is due to the PKI , but we didn't find any precision concerning the way of what to put in the CSR 

Does anyone has already perform it and could give their feed back ?

Many Thanks for your help

Any updates on this?

Hi All

We are doing a POC ( Proof of concept ) for a customer.

The customer is using Central for managing IAP APs505

And we have deployed a Clearpass in Azure with INtune , Intune Extension is working fine and we are getting end point

But when trying authenticate a client to the SSID with the Clearpass in TLS it seems that the Wifi Client is not accpeting the certificates from Clearpass Server

In access Tracker the Issue is :

Alerts -
 Error Code: 9002
 Error Category: RADIUS protocol
 Error Message: Request timed out
 Alerts for this Request -
   RADIUS: Last EAP Packet Processing Time = 0 ms
   RADIUS: Client did not complete EAP transaction

In Pcap file from Clearpass it 's like APs -> CLearpass are always challenging the Radius authentication 

We are using the Filter below and using the Certificat:Subjec-CN

We are thinking that the issue is due to the PKI , but we didn't find any precision concerning the way of what to put in the CSR 

Does anyone has already perform it and could give their feed back ?

Many Thanks for your help

Any updates on this?

Hi All

We are doing a POC ( Proof of concept ) for a customer.

The customer is using Central for managing IAP APs505

And we have deployed a Clearpass in Azure with INtune , Intune Extension is working fine and we are getting end point

But when trying authenticate a client to the SSID with the Clearpass in TLS it seems that the Wifi Client is not accpeting the certificates from Clearpass Server

In access Tracker the Issue is :

Alerts -
 Error Code: 9002
 Error Category: RADIUS protocol
 Error Message: Request timed out
 Alerts for this Request -
   RADIUS: Last EAP Packet Processing Time = 0 ms
   RADIUS: Client did not complete EAP transaction

In Pcap file from Clearpass it 's like APs -> CLearpass are always challenging the Radius authentication 

We are using the Filter below and using the Certificat:Subjec-CN

We are thinking that the issue is due to the PKI , but we didn't find any precision concerning the way of what to put in the CSR 

Does anyone has already perform it and could give their feed back ?

Many Thanks for your help