My colleague and I are testing 802.1X and EAP-TLS with certs being used for authentication for our Yealink VoIP phones. We can see authentication attempts on ClearPass in the Access Tracker, but the login status continually says "TIMEOUT". When I click on an Access Tracker record and go to the "Input" tab under "Radius Request", I see the appropriate IP address of the phone, the NAS IP address of the Cisco switch, and even the port that the phone is connected to. However, obviously something isn't working right.
In the logs for an Access Tracker record I see these in red near the beginning:
ERROR RadiusServer.Radius - reqst_clean_list: Deleting request sessid
ERROR RadiusServer.Radius - reqst_clean_list: Packet
However, there are many lines after that in the log. I see these lines in orange about 5 lines above the end of the log:
[RequestHandler-1-0x7f5490de6700 r=R00001606-01-64fa23e7 h=101598 c=R00001606-01-64fa23e7] WARN Core.PETaskPostAuthEnfProfileBuilder - handleHttpResponseEv: Fetching Radius attributes from battery failed, errMsg=
Has anyone seen this issue before with ClearPass, a Cisco switch, and a Yealink phone? Any ideas what I should try to check next?
How is the RADIUS cert being trusted by the phone? Have you used some method of installing the CA that signed the RADIUS cert? In my experience, TIMEOUT messages are almost always cert trust related.
Any way you can do a packet capture between the phone and cppm and filter for EAP packets?
The CA cert has been installed on the phone. I did turn on dot1x debugging on the Cisco switch. I see this:
So it looks like the phone tries to start dot1x. It somehow is getting all the way to ClearPass based on the ClearPass logs. But as you can also see, it seems to dequeue the packet right away as well. I left the logs on for a while and it is always these same messages. I never see the switch responding to the phone's EAPOL packet. So does that seem like a switch config problem, or do you still think it's a cert problem? (Another teammate made the certs and installed them on the phone and ClearPass, so I hope those aren't the issue.)
Does this only show on these Yealink devices?
Do other clients authenticate properly with EAP-TLS?
If you can, run a port mirror on the switch and a RADIUS capture on the ClearPass to see what is the EAP/RADIUS negotiation going on, and more specific the point where the authentication stops.
Note that some IoT like devices may not support modern cryptography and still use obsolete algorithms like MD5, SHA-1, RC4. From the packet capture you may find out what is being exchanged and from there find what your phone, switch or ClearPass doesn't like.
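The reply above suggests capturing the RADIUS traffic between the switch and ClearPass and looking at what the phone actually offers. The script below is an added example, not code from this thread or from any of the vendors mentioned: using only the Python standard library, it takes the raw bytes of a RADIUS Access-Request, reassembles the EAP packet from the EAP-Message attributes (which RADIUS splits into 253-byte pieces), strips the EAP and EAP-TLS headers, and decodes the TLS ClientHello to list the version and cipher suites the supplicant offered, flagging obsolete ones such as RC4, MD5 or 3DES. The two sample packets are constructed in the script (with zeroed Authenticator fields, not valid MACs) to stand in for a legacy and a modern phone; the cipher-suite table is a small subset of the IANA registry.

```python
"""Added example: decode the EAP-TLS ClientHello inside a RADIUS Access-Request
and report what the supplicant offered.  Standard library only."""
import struct

RADIUS_EAP_MESSAGE = 79        # RFC 2869 EAP-Message, at most 253 payload bytes each
RADIUS_MSG_AUTH = 80           # Message-Authenticator (zero placeholder in the samples)
EAP_RESPONSE, EAP_TYPE_TLS = 2, 13   # RFC 3748 / RFC 5216
EAP_TLS_FLAG_L = 0x80          # "TLS Message Length included" flag
TLS_HANDSHAKE, TLS_CLIENT_HELLO = 0x16, 0x01
TLS_VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
CIPHER_SUITES = {              # subset of IANA codes, enough to separate modern from obsolete
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x003C: "TLS_RSA_WITH_AES_128_CBC_SHA256",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
}
OBSOLETE_MARKERS = ("RC4", "_MD5", "3DES")


def radius_attributes(pkt):
    """Yield (type, value) for each attribute of a RADIUS packet (RFC 2865)."""
    _code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length > len(pkt):
        raise ValueError("bad RADIUS length field")
    pos = 20                                        # 4-byte header + 16-byte Authenticator
    while pos + 2 <= length:
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad RADIUS attribute length")
        yield atype, pkt[pos + 2:pos + alen]
        pos += alen


def eap_from_radius(pkt):
    """Reassemble the EAP packet that RADIUS split across EAP-Message attributes."""
    return b"".join(v for t, v in radius_attributes(pkt) if t == RADIUS_EAP_MESSAGE)


def tls_from_eap(eap):
    """Strip the EAP and EAP-TLS headers; return (eap_code, tls_record_bytes)."""
    code, _ident, length, etype = struct.unpack("!BBHB", eap[:5])
    if etype != EAP_TYPE_TLS:
        raise ValueError(f"EAP type {etype} is not EAP-TLS")
    flags, pos = eap[5], 6
    if flags & EAP_TLS_FLAG_L:
        pos += 4                                    # skip the 4-byte TLS Message Length
    return code, eap[pos:length]


def parse_client_hello(tls):
    """Return record version, hello version and offered cipher suites."""
    ctype, rec_ver, rec_len = struct.unpack("!BHH", tls[:5])
    hs = tls[5:5 + rec_len]
    if ctype != TLS_HANDSHAKE or hs[0] != TLS_CLIENT_HELLO:
        raise ValueError("not a TLS ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    hello_ver = struct.unpack("!H", body[:2])[0]
    pos = 2 + 32                                    # client_version + random
    pos += 1 + body[pos]                            # session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    return {"record_version": rec_ver, "hello_version": hello_ver, "cipher_suites": suites}


def assess(hello):
    """List what a modern RADIUS server is likely to reject in this offer.
    Only the legacy version field is checked; a TLS 1.3 supported_versions
    extension is not examined here."""
    findings = []
    ver = hello["hello_version"]
    if ver < 0x0303:
        findings.append(f"highest version offered is {TLS_VERSIONS.get(ver, hex(ver))}")
    for cs in hello["cipher_suites"]:
        name = CIPHER_SUITES.get(cs, f"unknown_0x{cs:04x}")
        if any(m in name for m in OBSOLETE_MARKERS):
            findings.append(f"obsolete cipher suite {name}")
    return findings


def analyse_radius_packet(pkt):
    """End-to-end: RADIUS bytes -> (parsed ClientHello, findings)."""
    code, tls = tls_from_eap(eap_from_radius(pkt))
    if code != EAP_RESPONSE:
        raise ValueError("expected an EAP-Response from the supplicant")
    hello = parse_client_hello(tls)
    return hello, assess(hello)


def build_sample_request(version, suites, padding=200):
    """Constructed test input, not a real phone capture: a RADIUS Access-Request
    carrying an EAP-TLS ClientHello.  A padding extension (RFC 7685) pushes the
    EAP packet past 253 bytes so it is split across two EAP-Message attributes,
    as happens in real captures.  Authenticator fields are zero placeholders."""
    body = struct.pack("!H", version) + b"\x11" * 32 + b"\x00"    # version, random, no session id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                            # null compression only
    ext = struct.pack("!HH", 0x0015, padding) + b"\x00" * padding  # padding extension
    body += struct.pack("!H", len(ext)) + ext
    hs = bytes([TLS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    tls = struct.pack("!BHH", TLS_HANDSHAKE, version, len(hs)) + hs
    eap_data = bytes([EAP_TLS_FLAG_L]) + struct.pack("!I", len(tls)) + tls
    eap = struct.pack("!BBHB", EAP_RESPONSE, 1, 5 + len(eap_data), EAP_TYPE_TLS) + eap_data
    chunks = [eap[i:i + 253] for i in range(0, len(eap), 253)]
    attrs = b"".join(bytes([RADIUS_EAP_MESSAGE, 2 + len(c)]) + c for c in chunks)
    attrs += bytes([RADIUS_MSG_AUTH, 18]) + b"\x00" * 16
    return struct.pack("!BBH", 1, 1, 20 + len(attrs)) + b"\x00" * 16 + attrs


LEGACY_PHONE = build_sample_request(0x0301, [0x0004, 0x0005, 0x002F, 0x0035])
MODERN_PHONE = build_sample_request(0x0303, [0xC02F, 0xC030, 0x009C, 0x003C])

if __name__ == "__main__":
    for label, pkt in (("legacy", LEGACY_PHONE), ("modern", MODERN_PHONE)):
        hello, findings = analyse_radius_packet(pkt)
        print(label, TLS_VERSIONS[hello["hello_version"]],
              [CIPHER_SUITES.get(c, hex(c)) for c in hello["cipher_suites"]], findings or "ok")
```

To use it on a real capture, export the UDP payload of the Access-Request that carries the phone's first EAP-Response (the one with the ClientHello) as raw bytes and pass it to analyse_radius_packet(); the same attribute walk also shows whether the NAS included the attributes ClearPass displays in the Input tab. The reassembly step matters because a ClientHello with a full extension list never fits in one EAP-Message attribute.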
Thank you for all of the help. I just wanted to confirm that the issue was with the Yealink phone. Just had to work on finding the proper cert combination to put into the phone. Now the configuration is working fine.
© Copyright 2023 Hewlett Packard Enterprise Development LP. All Rights Reserved.