Does this only show on these Yealink devices?
Do other clients authenticate properly with EAP-TLS?
If you can, run a port mirror on the switch and a RADIUS capture on the ClearPass to see what EAP/RADIUS negotiation is going on, and more specifically the point where the authentication stops.
Note that some IoT-like devices may not support modern cryptography and still use obsolete algorithms like MD5, SHA-1, RC4. From the packet capture you may find out what is being exchanged and from there find what your phone, switch or ClearPass doesn't like.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check
https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------
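A small parser for the RADIUS/EAP exchange the replies above suggest capturing (port mirror plus a filter for EAP packets), added here as an example and not part of this thread: it reassembles the EAP-Message attributes from each RADIUS packet and reports the EAP-TLS step each one carries, so the last line shows where the handshake stopped. The sample packets are constructed, with a zeroed authenticator and a placeholder identity.

```python
import struct

RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
HANDSHAKE = {1: "ClientHello", 2: "ServerHello", 11: "Certificate", 13: "CertificateRequest", 14: "ServerHelloDone", 20: "Finished"}

def radius_attributes(packet):  # -> (code, [(type, value), ...]) following the RFC 2865 layout
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    pos, attrs = 20, []  # 20-byte header: code, id, length, 16-byte authenticator
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            break  # malformed attribute length; stop instead of looping or over-reading
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, attrs

def describe_eap(eap):
    """Summarise one EAP packet reassembled from the EAP-Message (type 79) attributes."""
    code, _ident, length = struct.unpack("!BBH", eap[:4])
    name = EAP_CODES.get(code, f"code {code}")
    if code in (3, 4) or length <= 4:  # Success/Failure carry no type or data
        return f"EAP {name}"
    if eap[4] == 1:  # EAP type 1 = Identity
        return f"EAP {name}/Identity {eap[5:length].decode(errors='replace')!r}"
    if eap[4] != 13:  # EAP type 13 = EAP-TLS
        return f"EAP {name} type {eap[4]}"
    if eap[5] & 0x20:  # S flag: the server's EAP-TLS Start
        return f"EAP {name}/TLS Start"
    data = eap[10:length] if eap[5] & 0x80 else eap[6:length]  # L flag adds a 4-byte TLS length
    if data and data[0] == 22 and len(data) >= 6:  # TLS record type 22 = Handshake
        return f"EAP {name}/TLS {HANDSHAKE.get(data[5], f'handshake {data[5]}')}"
    return f"EAP {name}/TLS {'record type %d' % data[0] if data else 'ack'}"  # 21 would be an Alert

def describe_radius(pkt):
    code, attrs = radius_attributes(pkt)
    eap = b"".join(v for t, v in attrs if t == 79)  # larger EAP packets span several attributes
    label = RADIUS_CODES.get(code, f"code {code}")
    return f"{label}: {describe_eap(eap)}" if eap else label
def summarize(packets):
    """One line per RADIUS packet in capture order; the last line is where the exchange stopped."""
    return [describe_radius(p) for p in packets]
# Constructed sample exchange (not a real capture): identity, TLS Start, ClientHello, then silence.
def make_packet(radius_code, eap_code, ident, payload):  # one EAP-Message attribute, zeroed authenticator
    eap_pkt = struct.pack("!BBH", eap_code, ident, 4 + len(payload)) + payload
    attr = bytes([79, len(eap_pkt) + 2]) + eap_pkt
    return struct.pack("!BBH", radius_code, 1, 20 + len(attr)) + bytes(16) + attr
SAMPLE = [make_packet(1, 2, 1, b"\x01yealink-phone"),
          make_packet(11, 1, 2, b"\x0d\x20"),
          make_packet(1, 2, 2, b"\x0d\x00\x16\x03\x03\x00\x04\x01\x00\x00\x00")]
```

Feed it the RADIUS payloads from the capture in order; a trace that ends on the phone's ClientHello with no Access-Challenge after it points at the server side, while a trailing TLS Alert record points at one side rejecting the other's certificate or cipher choice.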
Original Message:
Sent: Sep 08, 2023 12:16 PM
From: ClearRad89
Subject: EAP-TLS timeout issue with Clearpass as radius server
The CA cert has been installed on the phone. I did turn on dot1x debugging on the cisco switch. I see this:
So it looks like the phone tries to start dot1x. It somehow is getting all the way to Clearpass based on the Clearpass logs. But as you can also see, it seems to Dequeue the packet right away as well. I left the logs on for a while and it is always these same messages. Never see the switch responding to the phone's EAPOL packet. So does that seem like a switch config problem, or do you still think it's a cert problem? (Another teammate made the certs and installed them on the phone and Clearpass so I hope those aren't the issue)
Original Message:
Sent: Sep 08, 2023 11:34 AM
From: bd_87
Subject: EAP-TLS timeout issue with Clearpass as radius server
How is the RADIUS cert being trusted by the phone? Have you used some method of installing the CA that signed the RADIUS cert? In my experience, TIMEOUT messages are almost always cert trust related.
Any way you can do a packet capture between the phone and cppm and filter for EAP packets?
------------------------------
ACNSP | ACCP | ACMP | ACEP
Original Message:
Sent: Sep 07, 2023 03:57 PM
From: ClearRad89
Subject: EAP-TLS timeout issue with Clearpass as radius server
Hello,
My colleague and I are testing 802.1x and EAP-TLS with certs being used for authentication for our Yealink VOIP phones. We can see authentication attempts on Clearpass in the Access Tracker, but the login status continually says "TIMEOUT". When I click on an Access Tracker record and go to the "Input" tab under "Radius Request", I see the appropriate IP address of the phone, NAS IP address of the Cisco switch, and even see the port that the phone is connected to. However, obviously something isn't working right.
In the logs for an access tracker record I see these in red near the beginning:
ERROR RadiusServer.Radius - reqst_clean_list: Deleting request sessid
ERROR RadiusServer.Radius - reqst_clean_list: Packet
However, there are many lines after that in the log. I see these lines in orange about 5 lines above the end of the log
[RequestHandler-1-0x7f5490de6700 r=R00001606-01-64fa23e7 h=101598 c=R00001606-01-64fa23e7] WARN Core.PETaskPostAuthEnfProfileBuilder - handleHttpResponseEv: Fetching Radius attributes from battery failed, errMsg=
[RequestHandler-1-0x7f5490de6700 r=R00001606-01-64fa23e7 h=101595 c=R00001606-01-64fa23e7] WARN Core.PETaskRadiusCoAEnfProfileBuilder - handleHttpResponseEv: Fetching Radius attributes from battery failed, errMsg=
Has anyone seen this issue before with Clearpass, a cisco switch, and a Yealink phone? Any ideas what I should try to check next?