Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

EAP-TLS timeout issue with Clearpass as radius server

  • 1.  EAP-TLS timeout issue with Clearpass as radius server

    Posted Sep 08, 2023 10:54 AM

    Hello,

    My colleague and I are testing 802.1x and EAP-TLS with certs being used for authentication for our Yealink VOIP phones. We can see authentication attempts on Clearpass in the Access Tracker, but the login status continually says "TIMEOUT". When I click on an Access Tracker record and go to the "Input" tab under "Radius Request", I see the appropriate IP address of the phone, NAS IP address of the Cisco switch, and even see the port that the phone is connected to. However, obviously something isn't working right.

    In the logs for an access tracker record I see these in red near the beginning:
    ERROR RadiusServer.Radius - reqst_clean_list: Deleting request sessid 

    ERROR RadiusServer.Radius - reqst_clean_list: Packet

    However, there are many lines after that in the log. I see these lines in orange about 5 lines above the end of the log

    [RequestHandler-1-0x7f5490de6700 r=R00001606-01-64fa23e7 h=101598 c=R00001606-01-64fa23e7] WARN Core.PETaskPostAuthEnfProfileBuilder - handleHttpResponseEv: Fetching Radius attributes from battery failed, errMsg=

    [RequestHandler-1-0x7f5490de6700 r=R00001606-01-64fa23e7 h=101595 c=R00001606-01-64fa23e7] WARN Core.PETaskRadiusCoAEnfProfileBuilder - handleHttpResponseEv: Fetching Radius attributes from battery failed, errMsg=

    Has anyone seen this issue before with Clearpass, a cisco switch, and a Yealink phone? Any ideas what I should try to check next?



  • 2.  RE: EAP-TLS timeout issue with Clearpass as radius server

    Posted Sep 08, 2023 11:35 AM

    How is the RADIUS cert being trusted by the phone? Have you used some method of installing the CA that signed the RADIUS cert? In my experience, TIMEOUT messages are almost always cert trust related.

    Any way you can do a packet capture between the phone and cppm and filter for EAP packets?



    ------------------------------
    ACNSP | ACCP | ACMP | ACEP
    ------------------------------



  • 3.  RE: EAP-TLS timeout issue with Clearpass as radius server

    Posted Sep 08, 2023 12:17 PM

    The CA cert has been installed on the phone. I did turn on dot1x debugging on the cisco switch. I see this:
    So it looks like the phone tries to start dot1x. It somehow is getting all the way to Clearpass based on the Clearpass logs. But as you can also see, it seems to Dequeue the packet right away as well. I left the logs on for a while and it is always these same messages. Never see the switch responding to the phone's EAPOL packet. So does that seem like a switch config problem, or do you still think it's a cert problem? (Another teammate made the certs and installed them on the phone and Clearpass so I hope those aren't the issue) 




  • 4.  RE: EAP-TLS timeout issue with Clearpass as radius server

    EMPLOYEE
    Posted Sep 11, 2023 12:03 PM

    Does this only show on these Yealink devices?

    Do other clients authenticate properly with EAP-TLS?

    If you can, run a port mirror on the switch and a RADIUS capture on ClearPass to see what EAP/RADIUS negotiation is going on, and more specifically the point where the authentication stops.

    Note that some IoT-like devices may not support modern cryptography and still use obsolete algorithms like MD5, SHA-1 or RC4. From the packet capture you may find out what is being exchanged and from there find what your phone, switch or ClearPass doesn't like.



    ------------------------------
    Herman Robers
    ------------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------
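To make the capture review suggested above concrete, here is an added example (not code from this thread, from HPE Aruba, or from any of the posters): a small Python parser that pulls the EAP-TLS ClientHello out of a RADIUS Access-Request and lists which cipher suites the supplicant offers, flagging obsolete ones. It assumes the standard RADIUS, EAP and EAP-TLS layouts (RFC 2865, 3748, 5216), uses a constructed sample packet rather than a real capture, and the table of "legacy" suites is a chosen illustrative subset, not a ClearPass policy.

```python
import struct

# Illustrative subset of IANA cipher-suite ids a defender would flag (RC4, MD5, 3DES, SHA-1 CBC).
LEGACY = {0x0004: "TLS_RSA_WITH_RC4_128_MD5", 0x0005: "TLS_RSA_WITH_RC4_128_SHA",
          0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA", 0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA"}
EAP_MESSAGE, EAP_TLS, EAP_RESPONSE = 79, 13, 2   # RADIUS attr 79, EAP type 13, EAP code 2

def eap_from_radius(pkt):
    """Concatenate all EAP-Message (79) attributes of one RADIUS packet (RFC 2865 layout)."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    pos, eap = 20, b""                      # skip code/id/len + 16-byte Request Authenticator
    while pos + 2 <= length:
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2:
            raise ValueError("malformed RADIUS attribute")
        if atype == EAP_MESSAGE:
            eap += pkt[pos + 2:pos + alen]
        pos += alen
    return eap

def client_hello_suites(eap):
    """Return (tls_version, [cipher suite ids]) from an EAP-TLS fragment carrying a ClientHello."""
    code, ident, length, etype, flags = struct.unpack("!BBHBB", eap[:6])
    if code != EAP_RESPONSE or etype != EAP_TLS:
        raise ValueError("not an EAP-TLS response")
    tls = eap[6 + (4 if flags & 0x80 else 0):length]   # L bit set => 4-byte TLS length follows
    ctype, rec_ver, rec_len = struct.unpack("!BHH", tls[:5])
    hs = tls[5:5 + rec_len]
    if ctype != 22 or hs[0] != 1:                        # handshake record, ClientHello type
        raise ValueError("not a ClientHello record")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    ver = struct.unpack("!H", body[:2])[0]
    pos = 2 + 32                                         # legacy_version + random
    pos += 1 + body[pos]                                 # session_id
    n = struct.unpack("!H", body[pos:pos + 2])[0]
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos + 2, pos + 2 + n, 2)]
    return ver, suites

def legacy_offered(radius_pkt):
    """TLS version and the names of any flagged suites the supplicant offered."""
    ver, suites = client_hello_suites(eap_from_radius(radius_pkt))
    return ver, [LEGACY[s] for s in suites if s in LEGACY]

def build_sample(suites):
    """Constructed Access-Request with one EAP-Message holding a TLS 1.2 ClientHello (test data)."""
    cs = b"".join(struct.pack("!H", s) for s in suites)
    hello = (struct.pack("!H", 0x0303) + bytes(32) + b"\x00"      # version, random, empty session id
             + struct.pack("!H", len(cs)) + cs + b"\x01\x00" + b"\x00\x00")  # suites, null compression, no ext
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    rec = struct.pack("!BHH", 22, 0x0303, len(hs)) + hs
    eap = struct.pack("!BBHBB", EAP_RESPONSE, 1, 6 + len(rec), EAP_TLS, 0x00) + rec
    attr = bytes([EAP_MESSAGE, 2 + len(eap)]) + eap
    return struct.pack("!BBH", 1, 1, 20 + len(attr)) + bytes(16) + attr   # code 1 = Access-Request

SAMPLE = build_sample([0x0005, 0x002F, 0xC02F])   # RC4-SHA, AES-CBC-SHA, ECDHE-AES-GCM
```

On a real capture you would feed each Access-Request's bytes to `legacy_offered` instead of `SAMPLE`; an empty list with a modern version means the ClientHello is not the problem and the trace should be read for where the exchange stops.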



  • 5.  RE: EAP-TLS timeout issue with Clearpass as radius server

    Posted Sep 18, 2023 01:34 PM

    Thank you for all of the help. I just wanted to confirm that the issue was with the Yealink phone. Just had to work on finding the proper cert combination to put into the phone. Now the configuration is working fine.