
Problem with 8021x CPASS

  • 1.  Problem with 8021x CPASS

    Posted Jul 03, 2023 08:44 AM
    Hello,
     
    I have a problem with 8021x PEAP MSCHAPv2 or TEAP authentication, i.e. the first authentication is successful, the first re-authentication set in the profile to e.g. 6h goes well but the next re-authentication does not pass, the CPASS logs show "Timeout, Client did not complete eap transaction" - the host is disconnected and after 15 minutes the supplicant calls again and the authentication passes correctly.
    Has anyone encountered such a problem?
    Computers with Windows 10 - mostly 21h2, HP Comware access switch.
    Regards.


  • 2.  RE: Problem with 8021x CPASS

    Posted Jul 03, 2023 03:15 PM

    This sounds to me like a supplicant configuration issue?  How are the computers configured?  PEAP?  User?  Machine?  Both?  Or TEAP?  Machine? User? Both?




  • 3.  RE: Problem with 8021x CPASS

    Posted Jul 05, 2023 06:24 AM

    Hi,

    Half of the users authenticate EAP PEAP MSCHAPv2 and I check the user, supplicant configured "User and Computer"

    The other half of the users authenticate with EAP TEAP and I check user (MSCHAPv2) and computer (TLS), supplicant configured "User and Computer"

    Regards.




  • 4.  RE: Problem with 8021x CPASS

    Posted Jul 05, 2023 08:31 AM
    Is Credential Guard enabled?




  • 5.  RE: Problem with 8021x CPASS

    Posted Jul 07, 2023 07:39 AM

    Hi,

    When I check with PowerShell, I see that Credential Guard is turned on, but as far as I know, this is a problem only with Windows 11 and I only have Windows 10 clients.

    Regards.




  • 6.  RE: Problem with 8021x CPASS

    Posted Jul 07, 2023 08:07 AM

    According to this Microsoft article, Credential Guard is also 'applicable to Windows 10'. That article also advises to move away from MSCHAPv2 legacy authentication for VPN and WiFi.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 7.  RE: Problem with 8021x CPASS

    Posted Jul 07, 2023 08:22 AM
    This impacts Windows 10 as well.




  • 8.  RE: Problem with 8021x CPASS

    Posted Aug 04, 2023 04:11 AM
    Hi,
     
    I turned off "Credential Guard" via GPO and there is an improvement, but I still see problems with session reauthentication.
    The error "0x70004" appears in the Windows 10 system logs.



  • 9.  RE: Problem with 8021x CPASS

    Posted Aug 07, 2023 04:29 AM

    I would run a packet capture on the EAP traffic to see what happens, and if it's the client or switch that aborts the authentication.

    If your client aborts the authentication (or does not even try because of lack of credentials), open a case with Microsoft.

    If ClearPass stops responding, open a case with Aruba support.



    ------------------------------
    Herman Robers
    ------------------------------
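
The triage suggested in the post above (does the client or the network side stop answering during re-authentication), as an added example that is not part of the original thread. It assumes the EAP payloads of one re-authentication attempt have already been extracted from the EAPOL frames of a capture; the function names and the sample packets are constructed for illustration.

```python
import struct

def build(code, ident, eap_type=None, data=b""):
    """Build a constructed EAP packet (RFC 3748 header layout) for the samples."""
    body = bytes([eap_type]) + data if eap_type is not None else b""
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

def parse_eap(raw):
    """Return (code, identifier, type); type is None for Success/Failure."""
    if len(raw) < 4:
        raise ValueError("truncated EAP header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length < 4 or length > len(raw):
        raise ValueError("bad EAP length field")
    eap_type = raw[4] if code in (1, 2) and length >= 5 else None
    return code, ident, eap_type

def who_went_silent(packets):
    """packets: EAP payloads in capture order for one (re)authentication.
    1=Request (switch -> client), 2=Response (client -> switch),
    3=Success, 4=Failure."""
    pending, seen = None, False
    for raw in packets:
        code, ident, _ = parse_eap(raw)
        seen = True
        if code == 1:
            pending = ident            # a retransmission reuses the identifier
        elif code == 2 and ident == pending:
            pending = None             # the outstanding Request was answered
        elif code == 3:
            return "success"
        elif code == 4:
            return "failure"
    if not seen:
        return "no-eap"
    # An unanswered Request means the client stopped; otherwise the last word
    # was the client's and the switch/RADIUS side never continued.
    return "supplicant" if pending is not None else "authenticator-side"

# Constructed samples: type 1 = Identity, 25 = PEAP
CLIENT_STALLS = [build(1, 1, 1), build(2, 1, 1, b"host/pc01"),
                 build(1, 2, 25, b"\x20"), build(1, 2, 25, b"\x20"),
                 build(1, 2, 25, b"\x20")]
SERVER_STALLS = CLIENT_STALLS[:3] + [build(2, 2, 25, b"\x00")]
COMPLETED = SERVER_STALLS + [build(3, 3)]

if __name__ == "__main__":
    for name, cap in [("client", CLIENT_STALLS), ("server", SERVER_STALLS)]:
        print(name, "->", who_went_silent(cap))
```

A capture on the client-facing port cannot tell the switch apart from the RADIUS server behind it, so an "authenticator-side" result needs a second capture of the RADIUS traffic between the switch and ClearPass.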



  • 10.  RE: Problem with 8021x CPASS

    Posted Jul 04, 2023 12:23 AM
    This looks like a GPO config issue @ the PC (supplicant) side. Pls try doing 'gpupdate /force' from the network where u can reach the AD/domain controller.





  • 11.  RE: Problem with 8021x CPASS

    Posted Jul 05, 2023 06:29 AM
    Hi,
     
    At the first authentication there is no problem and everything works fine, the problem arises when trying to re-authenticate, the logs show "Timeout".
    From the Windows side, the logs show an authentication problem.
    Regards,