Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Client Able to Authenticate EAP-TLS over wireless but not Wired. But EAP-PEAP works. "Client did not complete transaction"

  • 1.  Client Able to Authenticate EAP-TLS over wireless but not Wired. But EAP-PEAP works. "Client did not complete transaction"

    Posted Feb 20, 2024 03:32 AM

    Scratching my head.

    AOS-CX 6300M set up with ClearPass as RADIUS servers. Wired service and wireless service set up identically. The client machine will authenticate EAP-TLS over wireless but times out on wired.

    Client packet capture is below.

    I feel confident in the certs because wireless is working.

    Updated NIC drivers. ClearPass states "Client did not complete transaction"; the AOS-CX switch states the reason is server timeout. The client also says server timeout.

    The packet capture, I think, is telling me that TLS has started. I am not certain what the "Nearest-non-TPMR-bridge" destination is. It's like the switch isn't receiving the response packets to send to the RADIUS server.

    Thanks ahead of time for some thoughts.



  • 2.  RE: Client Able to Authenticate EAP-TLS over wireless but not Wired. But EAP-PEAP works. "Client did not complete transaction"

    Posted Feb 20, 2024 04:32 AM

    Hi,

    Have you configured the correct shared secret for the switch and also in ClearPass? Check the Event log for any messages related to the switch IP and a shared secret mismatch.

    If ClearPass doesn't have the switch, or its subnet, added with the correct shared secret, the requests will be dropped without any answer.



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 3.  RE: Client Able to Authenticate EAP-TLS over wireless but not Wired. But EAP-PEAP works. "Client did not complete transaction"

    Posted Feb 20, 2024 07:45 AM

    Thank you for the response. I do have the switch added as a device group. I am able to authenticate EAP-PEAP without an issue. It is just EAP-TLS where I see timeouts in the Access Tracker.




  • 4.  RE: Client Able to Authenticate EAP-TLS over wireless but not Wired. But EAP-PEAP works. "Client did not complete transaction"

    Posted Feb 20, 2024 05:10 PM

    1. It could be the trusted server certificate on the client. If you export both the Wi-Fi and LAN interface profiles, can you see if they have a different thumbprint (regarding trust)?

    Using PowerShell:

    netsh lan export profile folder=c:\temp\

    netsh wlan export profile name="your ssid name" folder=c:\

    Can you give more information regarding your role mapping and enforcement policy, and where the client is trying to authenticate through: on-prem AD or Azure?




  • 5.  RE: Client Able to Authenticate EAP-TLS over wireless but not Wired. But EAP-PEAP works. "Client did not complete transaction"
    Best Answer

    Posted Feb 20, 2024 06:05 PM

    Thank you for the ideas. 

    We have found a solution today. 

    In the global configuration commands:

    aaa authentication port-access dot1x authenticator
        eap-tls-fragment towards-server 1024

    Adding the eap-tls-fragment towards-server 1024 command reduced the size of the TLS packets so they wouldn't get dropped elsewhere in the network. Authentications are working as intended now!
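As an added example (not code from this thread, AOS-CX or ClearPass), here is the EAP-TLS fragmentation that the eap-tls-fragment command tunes, written out from RFC 5216 so the effect of a smaller fragment on each RADIUS datagram is visible. It assumes the switch's value is the maximum EAP packet size including headers, and assumes 150 bytes of other RADIUS attributes (User-Name, NAS-*) when estimating the datagram carrying each fragment.

```python
# Added example (not AOS-CX or ClearPass code): EAP-TLS fragmentation per
# RFC 5216 section 3.2 and the RADIUS datagram size each fragment produces.
import struct

EAP_RESPONSE, EAP_TYPE_TLS = 2, 13
FLAG_L, FLAG_M = 0x80, 0x40   # L: TLS length field present, M: more fragments

def fragment_eap_tls(tls_data: bytes, max_packet: int, first_id: int = 1) -> list:
    """Split one TLS message into EAP-TLS Responses of at most max_packet bytes
    (EAP header included; assumed to match the switch's eap-tls-fragment value)."""
    packets, offset, ident, total = [], 0, first_id, len(tls_data)
    while True:
        # 6 header bytes (Code, Id, Length, Type, Flags); the first of several
        # fragments also carries the 4-byte TLS Message Length (L flag).
        hdr_len = 10 if offset == 0 and total > max_packet - 6 else 6
        chunk = tls_data[offset:offset + max_packet - hdr_len]
        offset += len(chunk)
        flags = (FLAG_L if hdr_len == 10 else 0) | (FLAG_M if offset < total else 0)
        body = bytes([EAP_TYPE_TLS, flags])
        body += (struct.pack("!I", total) if flags & FLAG_L else b"") + chunk
        packets.append(struct.pack("!BBH", EAP_RESPONSE, ident & 0xFF, 4 + len(body)) + body)
        ident += 1
        if offset >= total:
            return packets

def reassemble_eap_tls(packets: list) -> bytes:
    """Reassemble fragments the way the server does, validating flags and length."""
    buf, expected = bytearray(), None
    for pkt in packets:
        _code, _ident, length = struct.unpack("!BBH", pkt[:4])
        if length != len(pkt) or pkt[4] != EAP_TYPE_TLS:
            raise ValueError("malformed EAP-TLS packet")
        flags, pos = pkt[5], 6
        if flags & FLAG_L:
            expected, pos = struct.unpack("!I", pkt[6:10])[0], 10
        buf += pkt[pos:length]
        if not flags & FLAG_M:  # last fragment: message complete
            if expected is not None and len(buf) != expected:
                raise ValueError("TLS message length mismatch")
            return bytes(buf)
    # A fragment dropped in transit leaves the server waiting: a timeout, not a reject.
    raise ValueError("final fragment (M=0) never arrived")

def radius_ip_size(eap_packet: bytes, other_attr_bytes: int = 150) -> int:
    """IP datagram length of the Access-Request carrying one EAP fragment: IP/UDP 28
    + RADIUS header 20 + Message-Authenticator 18 + EAP-Message attributes (253 data
    bytes max, 2-byte header each) + other attributes (150 bytes is an assumption)."""
    n_attrs = max(1, -(-len(eap_packet) // 253))
    return 28 + 20 + 18 + other_attr_bytes + 2 * n_attrs + len(eap_packet)
```

With a constructed 3584-byte certificate flight and a 1024-byte fragment, the largest Access-Request comes to about 1250 bytes on the wire under these assumptions, comfortably under a 1500-byte MTU, so nothing on the path to the server has to IP-fragment it.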