Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Machine Authentication Issue - Radius 9002

  • 1.  Machine Authentication Issue - Radius 9002

    Posted 29 days ago

    Hi

    I had a successful POC with a client where machine auth was working, but the same setup, when replicated in production, is not working. The machine auth request times out with RADIUS code 9002 and "Client could not complete EAP transaction".

    I checked the logs, where there is no response from the NAS to the Access-Challenge for 50 sec, resulting in the dropping of that session. However, from the same NAS, user auth is working fine on the same laptop. Since my policy needs to have both machine auth and user auth for specific role assignment, I want the machine auth to work.

    I have searched the forum for all previous discussions on this error code etc. Nothing helpful could be found. In the POC I used a wildcard cert for RADIUS auth btw, which was switched to an internal cert after I faced this issue, based on some forum discussion. The new cert is not a wildcard.

    2024-04-21 17:55:00,848 [Th 80 Req 660 SessId R00000049-01-662528c4] INFO RadiusServer.Radius - rlm_eap_mschapv2: Issuing Challenge
    2024-04-21 17:55:00,849 [Th 80 Req 660 SessId R00000049-01-662528c4] INFO RadiusServer.Radius - reqst_update_state: Access-Challenge 238:162:A080691FAAD1:AO4AVACOAIGUAgAA/MSh7tm5pJckwKkpmwCi1g==
    2024-04-21 17:55:51,902 [main SessId R00000049-01-662528c4] ERROR RadiusServer.Radius - reqst_clean_list: Deleting request sessid - R00000049-01-662528c4, state - AO4AVACOAIGUAgAA/MSh7tm5pJckwKkpmwCi1g=
    2024-04-21 17:55:51,902 [main SessId R00000049-01-662528c4] ERROR RadiusServer.Radius - reqst_clean_list: Packet 231:234:131:A080691FAAD1 recv 1713711300.776859 - resp 1713711300.783835
    2024-04-21 17:55:51,902 [main SessId R00000049-01-662528c4] ERROR RadiusServer.Radius - reqst_clean_list: Packet 232:254:88:A080691FAAD1 recv 1713711300.789538 - resp 1713711300.790858
    2024-04-21 17:55:51,902 [main SessId R00000049-01-662528c4] ERROR RadiusServer.Radius - reqst_clean_list: Packet 233:511:1124:A080691FAAD1 recv 1713711300.799473 - resp 1713711300.804508
    2024-04-21 17:55:51,902 [main SessId R00000049-01-662528c4] ERROR RadiusServer.Radius - reqst_clean_list: Packet 234:254:1120:A080691FAAD1 recv 1713711300.812569 - resp 1713711300.813771
    2024-04-21 17:55:51,902 [main SessId R00000049-01-662528c4] ERROR RadiusServer.Radius - reqst_clean_list: Packet 235:254:789:A080691FAAD1 recv 1713711300.822085 - resp 1713711300.823176
    2024-04-21 17:55:51,902 [main SessId R00000049-01-662528c4] ERROR RadiusServer.Radius - reqst_clean_list: Packet 236:384:139:A080691FAAD1 recv 1713711300.832678 - resp 1713711300.834210
    2024-04-21 17:55:51,902 [main SessId R00000049-01-662528c4] ERROR RadiusServer.Radius - reqst_clean_list: Packet 237:254:122:A080691FAAD1 recv 1713711300.842318 - resp 1713711300.843246
    2024-04-21 17:55:51,902 [main SessId R00000049-01-662528c4] ERROR RadiusServer.Radius - reqst_clean_list: Packet 238:307:162:A080691FAAD1 recv 1713711300.847833 - resp 1713711300.849257
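
An added example, not part of the original post and not ClearPass code: a small parser for the log layout shown above that separates server-side latency from client silence. It reports sessions that were cleaned up long after the last Access-Challenge; the function name, the 30-second threshold and the regular expressions are assumptions based only on the posted excerpt.

```python
import re
from datetime import datetime

# Excerpt of the log lines from the post above (first and last lines of the session).
SAMPLE = """\
2024-04-21 17:55:00,849 [Th 80 Req 660 SessId R00000049-01-662528c4] INFO RadiusServer.Radius - reqst_update_state: Access-Challenge 238:162:A080691FAAD1:AO4AVACOAIGUAgAA/MSh7tm5pJckwKkpmwCi1g==
2024-04-21 17:55:51,902 [main SessId R00000049-01-662528c4] ERROR RadiusServer.Radius - reqst_clean_list: Deleting request sessid - R00000049-01-662528c4, state - AO4AVACOAIGUAgAA/MSh7tm5pJckwKkpmwCi1g=
2024-04-21 17:55:51,902 [main SessId R00000049-01-662528c4] ERROR RadiusServer.Radius - reqst_clean_list: Packet 237:254:122:A080691FAAD1 recv 1713711300.842318 - resp 1713711300.843246
2024-04-21 17:55:51,902 [main SessId R00000049-01-662528c4] ERROR RadiusServer.Radius - reqst_clean_list: Packet 238:307:162:A080691FAAD1 recv 1713711300.847833 - resp 1713711300.849257
"""

# Assumed layout: "<timestamp> [... SessId <id>] <LEVEL> <logger> - <message>"
LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) \[.*?SessId (\S+?)\] \w+ \S+ - (.*)$")
PACKET = re.compile(r"Packet \S+ recv (\d+\.\d+) - resp (\d+\.\d+)")

def find_abandoned_eap(log_text, min_gap=30.0):
    """Return sessions deleted min_gap+ seconds after their last Access-Challenge."""
    sessions, findings = {}, []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a line in the assumed layout
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S,%f")
        s = sessions.setdefault(m.group(2), {"challenge": None, "deleted": None, "latency": []})
        msg = m.group(3)
        if "Access-Challenge" in msg:
            s["challenge"] = ts          # keep only the most recent challenge
        elif "Deleting request sessid" in msg:
            s["deleted"] = ts            # server gave up on the session
        elif (p := PACKET.search(msg)):
            # Per-packet server turnaround: resp epoch minus recv epoch
            s["latency"].append(float(p.group(2)) - float(p.group(1)))
    for sid, s in sessions.items():
        if s["challenge"] and s["deleted"]:
            gap = (s["deleted"] - s["challenge"]).total_seconds()
            if gap >= min_gap:
                findings.append({"session": sid, "silent_seconds": round(gap, 3),
                                 "max_server_latency": round(max(s["latency"], default=0.0), 6)})
    return findings

if __name__ == "__main__":
    for f in find_abandoned_eap(SAMPLE):
        print(f)
```

A millisecond-scale `max_server_latency` next to a long `silent_seconds` means the server answered every packet promptly and the wait was for a reply to the final Access-Challenge.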


  • 2.  RE: Machine Authentication Issue - Radius 9002

    Posted 29 days ago

    Hi

    Based on the description of your problem, try to check the 802.1X profiles for the machine authentication and compare them with the working 802.1X profile for the user authentication.

    Most likely you have an issue in the machine authentication profile with the certificate trust or the name in the certificate.

    This certificate causes the clients to not trust the RADIUS certificate, and they don't continue the authentication.



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------