I would collect logs/captures from a client that works and one that doesn't work, and compare what the difference is. But in most cases, this is something you would do with your partner and/or TAC, as there can be a lot of data, which may be rather complex to read.
As you have seen, it looks like the client stops responding at a certain moment. It would be good to see if it looks the same at the client, or if packets may be dropped somewhere. Quite sure once you find what is wrong, it's something stupidly small...
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
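The comparison suggested in the reply above, as an added example that is not part of the original thread: it splits RADIUS packets into attempts per MAC address and reports after which Access-Challenge a client went silent, next to the number of challenges a successful attempt needed. The log format, the MAC addresses, the 30-second gap and all function names are assumptions; the sample lines are constructed and are not ClearPass or AOS-CX output.

```python
from datetime import datetime, timedelta

GAP = timedelta(seconds=30)  # assumed: longer silence from a MAC starts a new attempt
TERMINAL = {"Access-Accept": "accept", "Access-Reject": "reject"}

def _lines(mac, t0, kinds):
    """Build constructed sample lines, 20 ms apart: '<iso-time> <mac> <packet>'."""
    t = datetime.fromisoformat(t0)
    return [f"{(t + timedelta(milliseconds=20 * i)).isoformat()} {mac} Access-{k}"
            for i, k in enumerate(kinds)]

FULL = ["Request", "Challenge"] * 3 + ["Request", "Accept"]
SAMPLE = "\n".join(
    _lines("aa:bb:cc:00:00:01", "2024-08-19T06:30:00", FULL)        # working client
    + _lines("aa:bb:cc:00:00:02", "2024-08-19T06:31:00", FULL[:4])  # goes silent
    + _lines("aa:bb:cc:00:00:02", "2024-08-19T06:33:00", FULL))     # after re-plug

def attempts(text):
    """Split each MAC's packets into authentication attempts."""
    events = sorted((datetime.fromisoformat(ts), mac.lower(), kind)
                    for ts, mac, kind in (l.split() for l in text.splitlines() if l.strip()))
    open_, done = {}, []
    for ts, mac, kind in events:
        cur = open_.get(mac)
        if cur and ts - cur["last"] > GAP:       # previous attempt died silently
            done.append(open_.pop(mac))
            cur = None
        if cur is None:
            cur = open_[mac] = {"mac": mac, "start": ts, "kinds": []}
        cur["kinds"].append(kind)
        cur["last"] = ts
        if kind in TERMINAL:                     # Accept/Reject closes the attempt
            done.append(open_.pop(mac))
    return sorted(done + list(open_.values()), key=lambda a: a["start"])

def summarize(text):
    """Return (mac, outcome, challenges_seen) per attempt, plus the stall report."""
    rows = [(a["mac"], TERMINAL.get(a["kinds"][-1], "stalled"),
             a["kinds"].count("Access-Challenge")) for a in attempts(text)]
    good = [n for _, o, n in rows if o == "accept"]
    baseline = max(good) if good else None       # rounds a healthy exchange needs
    stalls = [(mac, n, baseline) for mac, o, n in rows if o == "stalled"]
    return rows, stalls

if __name__ == "__main__":
    rows, stalls = summarize(SAMPLE)
    for mac, n, base in stalls:
        print(f"{mac}: silent after challenge {n}; successful attempts needed {base}")
```

Running the same summary over a capture taken on the client side shows whether the unanswered challenge ever reached the workstation.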
Original Message:
Sent: Aug 19, 2024 06:37 AM
From: Kiame
Subject: Clearpass : wired EAP-TLS : Some devices timeout with first authentication
Hi,
Unfortunately, we tried both solutions without success. The problem is the same:
When we just unplug and plug in the cable:
MAC authentication goes to the block VLAN, but 802.1X succeeds and takes priority.
In show logs:
Do you have any advice to debug this, please?
Thanks.
Original Message:
Sent: Aug 14, 2024 08:27 AM
From: Kiame
Subject: Clearpass : wired EAP-TLS : Some devices timeout with first authentication
Hi Herman Robers,
Thanks for your answers.
We will try to isolate some ports and enable "port-access onboarding-method concurrent enable" on them.
As a second step, we will try to disable Session resumption.
We just need to wait until Monday to confirm the solution.
Original Message:
Sent: Aug 13, 2024 09:42 AM
From: Herman Robers
Subject: Clearpass : wired EAP-TLS : Some devices timeout with first authentication
Machine authentication with client certificates (EAP-TLS) is expected to work reliably. If the computers are booting up, or coming back from sleep, there may be delays, like when the supplicant is starting. If you see the client falling back to MAC authentication, it may help to configure concurrent onboarding on the switch port to keep the 802.1X process running also after a MAC authentication.
Another option to try is to disable Session resumption in your EAP-TLS Authentication Method.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
Original Message:
Sent: Aug 13, 2024 04:41 AM
From: Kiame
Subject: Clearpass : wired EAP-TLS : Some devices timeout with first authentication
Hi Herman Robers,
We use machine authentication.
We have 6300 OS CX switches (JL661A version FL.10.10.1080).
For timers, I can't find any specific configuration, so I think they are the default timers.
Yes, we have MacAuth fallback, so the PC goes to the block VLAN (MAC unknown).
Thanks.
Original Message:
Sent: Aug 13, 2024 04:25 AM
From: Herman Robers
Subject: Clearpass : wired EAP-TLS : Some devices timeout with first authentication
Is that user authentication, or machine authentication?
What types of switches do you have, and what EAP/retry timers, MacAuth fallback?
------------------------------
Herman Robers
------------------------
Original Message:
Sent: Aug 12, 2024 04:12 AM
From: Kiame
Subject: Clearpass : wired EAP-TLS : Some devices timeout with first authentication
Hi,
We have several timeouts with some devices with wired EAP-TLS authentication. These timeouts appear only on the first day of the week, when the workstation is connected to the network.
In the logs, we can see that after a few Access-Challenges, the client stops responding and the authentication times out.
We just need to disconnect and reconnect the cable, and the authentication works without any problem all week. During the weekend, the device is turned off.
We are trying to recover as much information as possible on the workstation side, but it seems to be different models with different network cards. These are all Windows 10 laptops.
This is only a small number of devices (maybe 5% of the inventory). All our devices are managed with Intune (CSP for EAP-TLS authentication).
I already found a post about a timeout problem at the beginning of each week, without a solution.
Have you ever had this problem? Do you have any debugging ideas?
Thanks